ISMS/05-guidance/evidence-and-audit-readiness-guidance.md

# Evidence And Audit Readiness Guidance

## Purpose

This guidance note explains how to think about evidence quality for ISMS operation, internal audit, customer assurance, and management review.

## Evidence Principles

Good evidence should be:

- factual
- dated
- attributable to a person, team, or system
- traceable to a requirement or activity
- easy to retrieve during review

## Typical Evidence Types

Useful evidence may include:

- approved documents and revision history
- completed register entries
- access review outputs
- change and deployment records
- incident records and lessons learned
- supplier review records
- training completion records
- audit reports and corrective actions

## What Makes Evidence Weak

Evidence is weak when it:

- is undated
- cannot be linked to a control or process
- exists only as informal verbal confirmation
- contradicts the documented process
- shows intent but not execution

## Practical Readiness Checks

For important controls, BlackDice should be able to answer:

- what is the requirement
- who owns it
- what records show it operates
- how often it is reviewed
- what happens when it fails or is overdue

## Working Approach

Where possible, use the operational system of record rather than duplicating evidence manually. If the record sits outside this repository, the related ISMS document should make that clear.

For recurring controls, consistent evidence matters more than polished presentation. A complete and repeatable record is usually more useful than a manually curated summary.

## Related Documents

- `../../00-governance/document-and-records-control-standard.md`
- `../../03-procedures/internal-audit-procedure.md`
- `../../03-procedures/management-review-procedure.md`
- `../../04-registers/internal-audit-plan-template.md`