Module 8: The Certification Battle

Evidence Preparation

Template
25 min
+100 XP

Evidence Preparation Template

Proper evidence organization can make or break your audit. This template helps you prepare, organize, and present evidence effectively.

Evidence Principles

What is Audit Evidence?

Evidence is any information that demonstrates:

  • A requirement is met
  • A control is implemented
  • A process is operating
  • An outcome is achieved
  • A claim is supported

Types of Evidence:

  • Documents: Policies, procedures, plans
  • Records: Logs, reports, tickets, approvals
  • Observations: Physical controls, system configurations
  • Demonstrations: Live system operations
  • Interviews: Staff knowledge and practice

Characteristics of Good Evidence

1. Relevant

  • Directly addresses the requirement
  • Proves what you claim
  • Not tangential or indirect

2. Sufficient

  • Enough to demonstrate compliance
  • Covers appropriate sample size
  • Shows consistency over time

3. Reliable

  • From trustworthy sources: system-generated exports and logs rather than hand-compiled summaries
  • Authentic and unaltered: keep the original file, and capture exports with the system name, timestamp and the account that produced them
  • Verified and accurate: spot-check the figures against the live system before the audit

4. Timely

  • Current and up-to-date
  • Shows recent operation
  • Historical where needed

5. Accessible

  • Easy to retrieve
  • Well-organized
  • Quickly presentable

Evidence Organization System

Master Evidence Index

Create a master index linking requirements to evidence:

ISO 27001 EVIDENCE INDEX

Clause/Control | Requirement | Evidence Type | Evidence Location | File Name | Notes
-------------- | ----------- | ------------- | ----------------- | --------- | -----
4.1 | Understanding organization context | Document | SharePoint/ISMS/ | Context_Analysis_v1.0.pdf | Updated Q4 2024
4.2 | Interested parties | Document | SharePoint/ISMS/ | Interested_Parties_v1.0.pdf |
4.3 | ISMS scope | Document | SharePoint/ISMS/ | ISMS_Scope_v2.0.pdf | Approved by CEO
5.1 | Leadership commitment | Minutes | SharePoint/Management/ | Mgmt_Meeting_2024-11-15.pdf | CEO approval
5.2 | Information security policy | Policy | SharePoint/Policies/ | Info_Sec_Policy_v1.0.pdf |
6.1.2 | Risk assessment | Report | SharePoint/Risk/ | Risk_Assessment_2025-01.xlsx | Includes methodology
6.1.3 | Risk treatment | Plan | SharePoint/Risk/ | Risk_Treatment_Plan_2025-01.pdf |
6.1.3(d) | Statement of Applicability | Document | SharePoint/ISMS/ | SoA_v3.0.xlsx | All 93 controls
6.2 | Information security objectives | Document | SharePoint/ISMS/ | ISMS_Objectives_2025.pdf | With KPIs
7.2 | Competence | Matrix, Records | SharePoint/HR/ | Competence_Matrix.xlsx, Training_Records/ |
7.3 | Awareness | Training records | SharePoint/Training/ | Awareness_Training_Completion.xlsx |
7.5 | Documented information | Procedure | SharePoint/Procedures/ | Document_Control_Proc_v1.0.pdf |
8.1 | Operational planning | Plans | SharePoint/Operations/ | ISMS_Operational_Plan_2025.pdf |
9.1 | Monitoring and measurement | Reports | SharePoint/Reports/ | KPI_Dashboard_Jan2025.xlsx | Monthly reports
9.2 | Internal audit | Report, Plan | SharePoint/Audits/ | Internal_Audit_2024-12.pdf, IA_Plan_2025.pdf |
9.3 | Management review | Minutes | SharePoint/Management/ | Management_Review_2024-Q4.pdf |
10.2 | Nonconformity and corrective action | Procedure, Records | SharePoint/Procedures/, SharePoint/NC/ | NC_Procedure_v1.0.pdf, NC_Register.xlsx | Clause 10.2 in ISO/IEC 27001:2022 (10.1 is continual improvement)

Evidence Folders Structure

Recommended Folder Hierarchy:

SharePoint (or File Server)
├── 00_ISMS_Core/
│   ├── Scope/
│   ├── Context_Analysis/
│   ├── Policies/
│   ├── Objectives/
│   └── Organization_Charts/
├── 01_Risk_Management/
│   ├── Methodology/
│   ├── Risk_Assessments/
│   ├── Risk_Treatment_Plans/
│   └── Asset_Registers/
├── 02_Statement_of_Applicability/
│   └── SoA_Current/
├── 03_Policies_Procedures/
│   ├── Information_Security_Policy/
│   ├── Access_Control/
│   ├── Physical_Security/
│   ├── Operations/
│   └── [etc by Annex A category]/
├── 04_Evidence_by_Control/
│   ├── A.5_Organizational/
│   ├── A.6_People/
│   ├── A.7_Physical/
│   └── A.8_Technological/
├── 05_Operations/
│   ├── Change_Management/
│   ├── Incident_Management/
│   ├── Backup_Logs/
│   ├── Access_Logs/
│   └── Vulnerability_Scans/
├── 06_Performance_Evaluation/
│   ├── Internal_Audits/
│   ├── Management_Reviews/
│   └── KPI_Reports/
├── 07_Improvement/
│   ├── Nonconformities/
│   ├── Corrective_Actions/
│   └── Continual_Improvement/
├── 08_HR_Competence/
│   ├── Training_Records/
│   ├── Competence_Assessments/
│   └── Awareness_Materials/
└── 09_Audit_Evidence_Packages/
    ├── Stage1_Submission/
    ├── Stage2_Prepared/
    └── Surveillance_Archives/

Evidence Naming Convention

Use consistent naming:

[DocType]_[Subject]_[Version]_[Date].extension

Examples:

  • POL_Information_Security_v1.0_2025-01-15.pdf
  • PROC_Access_Control_v2.1_2024-12-01.pdf
  • RPT_Risk_Assessment_v1.0_2025-01-10.xlsx
  • MIN_Management_Review_2024-Q4_2024-12-15.pdf
  • LOG_Backup_Jan2025_2025-01-31.xlsx

For controlled documents (POL, PROC, RPT) the version is the approved revision and the date is the approval date. For records such as minutes and logs (MIN, LOG) the version slot holds the period the record covers and the date is when it was finalized. Use ISO 8601 dates (YYYY-MM-DD) so files sort chronologically.
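The naming convention above, as an added validator (example code written for this page, not part of the original template): it parses the [DocType]_[Subject]_[Version]_[Date].extension pattern, accepts a period (2024-Q4, Jan2025) in the version slot for records, rejects malformed or impossible dates, and flags documents more than a year old so stale evidence is caught before the auditor finds it. The allowed prefix set, the extension list, the 365-day threshold and the reference date are assumptions.

```python
"""Check evidence file names against
[DocType]_[Subject]_[Version]_[Date].extension.

Added example for this page, not the original template's code.
DOC_TYPES, ALLOWED_EXT, the 365-day staleness threshold and the
reference date in main are assumptions.
"""
import re
from datetime import date, timedelta

# Prefixes used in the page's examples plus a few assumed extras.
DOC_TYPES = {"POL", "PROC", "RPT", "MIN", "LOG", "PLAN", "REG", "SOA"}
ALLOWED_EXT = {"pdf", "xlsx", "docx", "csv", "png"}
STALE_AFTER = timedelta(days=365)  # assumed annual review cycle

# Version slot: approved revision (v1.0) or, for records, the period
# covered (2024-Q4, Jan2025). The subject may contain several words.
_NAME = re.compile(
    r"^(?P<type>[A-Z]{2,5})_"
    r"(?P<subject>[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*?)_"
    r"(?P<version>v\d+\.\d+|\d{4}-Q[1-4]|[A-Z][a-z]{2}\d{4})_"
    r"(?P<date>\d{4}-\d{2}-\d{2})"
    r"\.(?P<ext>[a-z0-9]+)$"
)


def check_name(name: str, today: date) -> dict:
    """Return {'name', 'ok', 'issues', 'fields'} for one file name."""
    result = {"name": name, "ok": False, "issues": [], "fields": {}}
    m = _NAME.match(name)
    if not m:
        result["issues"].append(
            "does not match [DocType]_[Subject]_[Version]_[Date].ext")
        return result
    f = m.groupdict()
    result["fields"] = f
    if f["type"] not in DOC_TYPES:
        result["issues"].append(f"unknown document type prefix {f['type']}")
    if f["ext"] not in ALLOWED_EXT:
        result["issues"].append(f"unexpected extension .{f['ext']}")
    try:
        d = date.fromisoformat(f["date"])  # rejects 2025-13-01 and similar
    except ValueError:
        result["issues"].append(f"invalid date {f['date']}")
        return result
    if d > today:
        result["issues"].append("date is in the future")
    elif today - d > STALE_AFTER:
        result["issues"].append(
            f"stale: {(today - d).days} days old, review overdue")
    result["ok"] = not result["issues"]
    return result


def check_names(names, today: date) -> list:
    """Check a batch; return only the entries that need attention."""
    return [r for r in (check_name(n, today) for n in names) if not r["ok"]]


if __name__ == "__main__":
    # Constructed sample: the page's examples plus deliberate violations.
    sample = [
        "POL_Information_Security_v1.0_2025-01-15.pdf",
        "MIN_Management_Review_2024-Q4_2024-12-15.pdf",
        "LOG_Backup_Jan2025_2025-01-31.xlsx",
        "Risk Assessment final.xlsx",               # no structure at all
        "POL_Acceptable_Use_v1.0_2023-11-30.pdf",   # older than a year
        "RPT_Scan_v1.0_2025-13-01.pdf",             # impossible month
    ]
    for r in check_names(sample, date(2025, 2, 1)):  # assumed audit date
        print(r["name"], "->", "; ".join(r["issues"]))
```

Run it over a directory listing of the evidence folders before the Stage 2 audit; the stale check is the one that tends to surface real findings, because a policy that has not been reviewed in over a year is a nonconformity against the review schedule, not just a naming problem.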

Evidence by ISO Clause

Clause 4: Context of the Organization

4.1 Understanding the Organization and its Context

What to Prepare:

  • Context analysis document
  • SWOT or PESTLE analysis
  • Business environment assessment
  • Technology landscape document

Evidence Package:

  • Document: "Context_Analysis_v1.0.pdf"
  • Shows: Internal issues, external issues, how they impact ISMS
  • Updated: At least annually
  • Format: Narrative document or structured analysis

Sample Evidence:

File: Context_Analysis_2025.pdf

Contains:

  • Internal factors (structure, culture, resources, systems)
  • External factors (legal, competitive, economic, technological)
  • How these influenced ISMS scope and design
  • Date prepared: January 2025
  • Prepared by: ISMS Team
  • Reviewed by: Management

4.2 Understanding Needs of Interested Parties

What to Prepare:

  • Interested parties register
  • Their requirements documented
  • How requirements are addressed

Evidence Package:

Interested Party | Requirements | How Addressed | Evidence
---------------- | ------------ | ------------- | --------
Customers | ISO 27001 certification | Implement ISMS | This certification
Employees | Secure work environment | Security policies, training | POL-001, Training records
Regulators | GDPR compliance | Data protection controls | A.8.11, A.8.10 implementation
Shareholders | Protect business value | Risk management | Risk assessment
Suppliers | Secure data exchange | Supplier agreements | NDA templates

4.3 ISMS Scope

What to Prepare:

  • ISMS scope document
  • Approval evidence
  • Consistency check with other documents

Evidence Package:

  • Document: "ISMS_Scope_v2.0.pdf"
  • Approved by: CEO (signature)
  • Date: 2025-01-05
  • Published: Company intranet
  • Cross-reference: Matches certificate application

Clause 5: Leadership

5.1 Leadership and Commitment

What to Prepare:

  • Management meeting minutes showing ISMS discussion
  • Budget approvals
  • Resource allocation decisions
  • Executive communications about security
  • Policy approvals

Evidence Package:

  1. Management_Meeting_Minutes_2024-11-15.pdf

    • Agenda item: ISMS implementation
    • Discussion of security risks
    • Budget approval: $200K for security program
    • Assignment of ISMS Manager role
  2. Email_CEO_ISMS_Announcement_2024-11-20.pdf

    • CEO email to all staff
    • Announces ISMS initiative
    • Commits to security culture
  3. Info_Sec_Policy_v1.0_Signed.pdf

    • Policy signed by CEO
    • Date: 2024-12-01

5.2 Policy

What to Prepare:

  • Information security policy
  • Approval evidence (signature)
  • Communication evidence
  • Publication evidence
  • Acknowledgment records

Evidence Package:

  1. Information_Security_Policy_v1.0.pdf (Signed by CEO)
  2. Policy_Communication_Email_2024-12-05.pdf
  3. Intranet_Screenshot_Policy_Published.png
  4. Policy_Acknowledgments.xlsx (All staff signatures)

5.3 Roles and Responsibilities

What to Prepare:

  • ISMS roles and responsibilities document
  • Organization chart showing ISMS roles
  • Job descriptions with security responsibilities
  • RACI matrix

Evidence Package:

  1. ISMS_Roles_Responsibilities_v1.0.pdf
  2. Organization_Chart_with_ISMS_Roles.pdf
  3. Job_Description_ISMS_Manager.pdf
  4. RACI_Matrix_ISMS_Processes.xlsx

Clause 6: Planning

6.1 Actions to Address Risks

6.1.2 Information Security Risk Assessment

What to Prepare:

  • Risk assessment methodology
  • Asset register
  • Risk register with all assessments
  • Risk criteria definitions
  • Assessment approvals

Evidence Package:

  1. Risk_Assessment_Methodology_v1.0.pdf

    • Defines how risks are assessed
    • Likelihood and impact scales
    • Risk acceptance criteria
  2. Asset_Register_2025-01.xlsx

    • All in-scope assets
    • Asset owners
    • CIA ratings
  3. Risk_Register_2025-01.xlsx

    • All identified risks
    • Likelihood and impact scores
    • Existing controls
    • Residual risk levels
    • Risk owners
    • Treatment decisions
  4. Risk_Assessment_Approval_2025-01-10.pdf

    • Signed by top management
    • Date of assessment
    • Approval of methodology and results

6.1.3 Information Security Risk Treatment

What to Prepare:

  • Risk treatment plan
  • Justifications for treatment decisions
  • Control implementation plans
  • Resource allocation
  • Residual risk acceptance

Evidence Package:

  1. Risk_Treatment_Plan_2025-01.pdf

    • For each risk: treatment option (treat/accept/transfer/avoid)
    • Controls to implement
    • Implementation timeline
    • Responsible parties
    • Budget
  2. Residual_Risk_Acceptance_2025-01.pdf

    • Signed acceptance of residual risks
    • By risk owners and management

6.1.3(d) Statement of Applicability

What to Prepare:

  • Complete SoA with all 93 controls
  • Justifications for inclusions and exclusions
  • Links to risks
  • Implementation status
  • Control owners

Evidence Package:

  1. Statement_of_Applicability_v3.0.xlsx

    • All Annex A controls listed
    • Applicable: Yes/No
    • Justification for each
    • Related risks
    • Implementation status
    • Evidence references
    • Control owners
  2. SoA_Approval_2025-01-12.pdf

    • Management approval
    • Date

6.2 Information Security Objectives

What to Prepare:

  • ISMS objectives document
  • Measurement criteria
  • Action plans
  • Progress tracking

Evidence Package:

  1. ISMS_Objectives_2025.pdf

    • 5 SMART objectives
    • Each with: what, resources, who, when, how evaluated
    • Aligned with policy
  2. KPI_Dashboard_Jan2025.xlsx

    • Current measurements
    • Progress vs targets
    • Trends

Clause 7: Support

7.2 Competence

What to Prepare:

  • Competence requirements for roles
  • Competence matrix
  • Training records
  • Qualifications/certifications
  • Competence assessments

Evidence Package:

  1. Competence_Requirements_Matrix.xlsx

    • Each role: required skills, knowledge, experience
  2. Training_Records_2024-2025.xlsx

    • All training completed
    • Dates, attendees, topics
  3. Certifications_ISMS_Team/

    • CISSP certificate - John Smith
    • CISM certificate - Jane Doe
    • ISO 27001 Lead Implementer - John Smith

7.3 Awareness

What to Prepare:

  • Awareness program description
  • Training materials
  • Completion records
  • Phishing simulation results
  • Communications

Evidence Package:

  1. Security_Awareness_Program_Plan.pdf
  2. Training_Completion_Report_2024.xlsx (95% completion)
  3. Phishing_Simulation_Results_Q4_2024.pdf
  4. Security_Newsletter_Archive/
  5. Intranet_Security_Tips_Screenshots/

7.4 Communication

What to Prepare:

  • Communication plan
  • Examples of communications
  • Evidence of key communications

Evidence Package:

  1. ISMS_Communication_Plan.pdf
  2. Examples:
    • Policy announcements
    • Security updates
    • Incident notifications
    • Training reminders
    • Management reports

7.5 Documented Information

What to Prepare:

  • Document control procedure
  • Document register
  • Version control evidence
  • Access control evidence
  • Approval evidence

Evidence Package:

  1. Document_Control_Procedure_v1.0.pdf
  2. Document_Register.xlsx (All controlled documents listed)
  3. Examples showing version control in practice
  4. SharePoint access controls screenshot

Evidence by Annex A Control

(Due to space, showing key examples - repeat the pattern for every control marked applicable in your SoA; excluded controls need only the justification recorded there)

A.5.1 Policies for Information Security

Evidence:

  • Information Security Policy (signed)
  • Topic-specific policies
  • Management approval records
  • Communication evidence
  • Acknowledgment records
  • Review schedule/records

Files:

  • Information_Security_Policy_v1.0_Signed.pdf
  • Access_Control_Policy_v1.0.pdf
  • Acceptable_Use_Policy_v1.0.pdf
  • Policy_Communication_Email.pdf
  • Policy_Acknowledgments.xlsx

A.5.15 Access Control

Evidence:

  • Access control policy
  • Access rights provisioning procedure
  • User access lists
  • Access request/approval records
  • Access review records

Files:

  • Access_Control_Policy_v1.0.pdf
  • Access_Provisioning_Procedure_v1.0.pdf
  • User_Access_List_Jan2025.xlsx
  • Access_Request_Tickets/ (sample 10)
  • Quarterly_Access_Review_2024-Q4.xlsx

A.5.17 Authentication Information

Evidence:

  • Password policy
  • Password configuration screenshots
  • MFA implementation evidence
  • MFA enrollment report
  • Privileged account management

Files:

  • Password_Policy_v1.0.pdf
  • AD_Password_Policy_Screenshot.png
  • MFA_Configuration_Okta.png
  • MFA_Enrollment_Report_Jan2025.xlsx (100% coverage)
  • Privileged_Account_List.xlsx

A.8.7 Protection Against Malware

Evidence:

  • Malware protection policy
  • Antivirus deployment evidence
  • Coverage report
  • Update status
  • Detection/response logs

Files:

  • Malware_Protection_Procedure_v1.0.pdf
  • Endpoint_Protection_Coverage_Jan2025.xlsx (100%)
  • AV_Update_Status_Report.pdf
  • Malware_Detections_Q4_2024.xlsx
  • Malware_Response_Tickets/ (samples)

A.8.8 Management of Technical Vulnerabilities

Evidence:

  • Vulnerability management procedure
  • Vulnerability scan reports
  • Patch management process
  • Patching compliance reports
  • Remediation tracking

Files:

  • Vulnerability_Management_Procedure_v1.0.pdf
  • Qualys_Scan_Report_Jan2025.pdf
  • Patch_Compliance_Report_Jan2025.xlsx
  • Critical_Vuln_Remediation_Tracker.xlsx
  • Patch_Management_Schedule.pdf

A.8.13 Information Backup

Evidence:

  • Backup policy/procedure
  • Backup schedule
  • Backup logs
  • Backup test records
  • Restoration tests

Files:

  • Backup_Procedure_v1.0.pdf
  • Backup_Schedule.xlsx
  • Backup_Logs_Jan2025/ (daily logs)
  • Backup_Test_Report_2024-12.pdf
  • Restoration_Test_2024-11-20.pdf (successful)

A.8.16 Monitoring Activities

Evidence:

  • Monitoring policy
  • SIEM implementation
  • Log collection evidence
  • Alert rules
  • Review logs

Files:

  • Logging_Monitoring_Procedure_v1.0.pdf
  • SIEM_Implementation_Doc.pdf
  • Log_Sources_Inventory.xlsx
  • SIEM_Alert_Rules_Export.pdf
  • Log_Review_Reports_Q4_2024/

Evidence Presentation Tips

During the Audit

1. Use Evidence Tracker

Create a real-time tracker during audit:

Time | Auditor Request | Evidence Provided | File Name | Status
---- | --------------- | ----------------- | --------- | ------
10:30 | MFA enrollment report | Shown on screen | MFA_Report_Jan2025.xlsx | Accepted
11:15 | Backup test results | Emailed PDF | Backup_Test_Dec2024.pdf | Accepted
14:00 | Change management samples | Showed 5 tickets | ServiceNow screenshots | Reviewing

2. Evidence Presentation Methods

Screen Sharing (Remote):

  • Have evidence open in tabs
  • Screen share specific window
  • Walk through the evidence
  • Allow auditor to read
  • Screenshot if requested

Physical Presentation (On-site):

  • Have laptop with evidence ready
  • Bring printouts of key evidence
  • Use second monitor for auditor
  • Have an encrypted USB with an evidence copy; the package contains access lists, privileged-account inventories and vulnerability scan results, so treat it as confidential and hand over only what the auditor actually asks for

Portal Upload:

  • Some CBs use evidence portals
  • Upload organized by control
  • Clear file naming
  • Index document

3. Handle Missing Evidence

If you don't have something:

Don't:

  • Panic
  • Make excuses
  • Create fake evidence
  • Lie about it

Do:

  • Acknowledge: "I don't have that specific evidence"
  • Explain: "Here's why..."
  • Offer alternative: "I can show you X instead"
  • Commit to provide: "I can get that by end of day"
  • Ask: "Would this alternative evidence suffice?"

After the Audit

Archive Everything:

  • Create audit archive folder
  • Copy all evidence shown
  • Include audit report
  • Include correspondence
  • Date and version clearly
  • Keep for at least the three-year certification cycle; surveillance and recertification auditors will ask what was shown last time
  • The archive is as sensitive as the evidence in it, so keep it under the same access controls as the live evidence folders
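The integrity check a practitioner would add to this archive step, and to the Reliable principle (authentic and unaltered) at the top of the page, as an added example that is not part of the original template: it cross-checks a slice of the master evidence index against the archive folder, writes a SHA-256 manifest of every indexed file, and re-verifies the manifest later so a file changed or removed after the audit is detected. The CSV column layout of the index, the folder paths and the placeholder file contents are constructed for the example.

```python
"""Cross-check the master evidence index against the archive and
build a SHA-256 manifest that can be re-verified at the next audit.

Added example for this page, not part of the original template.
The CSV column layout of the index and the folder paths are assumed;
the evidence files are constructed placeholders in a temp directory.
"""
import csv
import hashlib
import io
import json
import tempfile
from pathlib import Path

# Constructed slice of the master evidence index (assumed columns).
INDEX_CSV = """clause,requirement,location,file
4.3,ISMS scope,00_ISMS_Core/Scope,ISMS_Scope_v2.0.pdf
5.2,Information security policy,03_Policies_Procedures/Information_Security_Policy,POL_Information_Security_v1.0_2025-01-15.pdf
9.2,Internal audit,06_Performance_Evaluation/Internal_Audits,Internal_Audit_2024-12.pdf
"""


def sha256_file(path: Path) -> str:
    """Stream the file so large scan reports and logs never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_index(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def build_manifest(root: Path, index: list) -> dict:
    """Hash every indexed file; list index rows whose file is not there."""
    manifest = {"files": {}, "missing": []}
    for row in index:
        rel = f"{row['location']}/{row['file']}"
        path = root / rel
        if not path.is_file():
            manifest["missing"].append({"clause": row["clause"], "path": rel})
            continue
        manifest["files"][rel] = {
            "clause": row["clause"],
            "sha256": sha256_file(path),
            "bytes": path.stat().st_size,
        }
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the archive; report files that changed or disappeared."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, meta in manifest["files"].items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != meta["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> tuple:
    """Build a constructed archive, manifest it, tamper, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Two of the three indexed files exist; 9.2 is left missing on purpose.
        present = [
            "00_ISMS_Core/Scope/ISMS_Scope_v2.0.pdf",
            "03_Policies_Procedures/Information_Security_Policy/"
            "POL_Information_Security_v1.0_2025-01-15.pdf",
        ]
        for rel in present:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"placeholder evidence: " + rel.encode())
        manifest = build_manifest(root, load_index(INDEX_CSV))
        manifest_path = root / "MANIFEST.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))
        # Simulate someone editing the scope document after the audit.
        (root / present[0]).write_bytes(b"edited after the audit")
        report = verify_manifest(root, json.loads(manifest_path.read_text()))
        return manifest, report


if __name__ == "__main__":
    manifest, report = demo()
    print("missing from archive:", [m["path"] for m in manifest["missing"]])
    print("unchanged:", report["ok"])
    print("modified since manifest:", report["modified"])
```

Store MANIFEST.json (or at least its own SHA-256) somewhere the archive's editors cannot write, or sign it: a manifest that sits beside the files it describes only proves that nobody changed the files without also updating the manifest. The "missing" list from build_manifest is worth running before the audit as well, since an index row pointing at a file that is not where the index says it is costs time in front of the auditor.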

Next Lesson: Master auditor Q&A tactics to confidently answer challenging questions.
