Audit Evidence for ISO 27001 Annex A Compliance

Information security links of chain


What kinds of audit evidence will your Certification Body be seeking to confirm your compliance with the requirements of Annex A?

Using ISO 27001 controls outlined on Annex A alone to address security vulnerabilities is never enough!

What is ISO 27001 Annex A About?

Let’s begin with what ISO 27001 Annex A is about. The purpose of Annex A is to ensure that a comprehensive set of controls are in place to manage information security risks.

As the vulnerabilities and threats to information security vary from one organization to another, the vulnerabilities included in Annex A should be treated as a 'fallback' position. 

External auditors will not be satisfied with information security controls that address Annex A vulnerabilities alone.  Without additional vulnerabilities particular to your organization (and consideration having been taken of the several sectoral Codes of Practice that may apply, e.g. ISO 27018 regarding personally identifiable information), external auditors will likely believe that no real risk assessment was done.

This may give them the impression that you've gone through the motions of preparing information security management system documentation to give the appearance of meeting requirements.

In this circumstance, you've little chance of being recommended for Certification to ISO 27001.

Sample of Evidence to Prove ISO 27001 Annex A Compliance

The external auditors will look for a variety of evidence of effective implementation of controls and precautions related to applicable ISO 27001 Annex A vulnerabilities. They would also look for other vulnerabilities specific to, and identified by, the organization.

Examples of such evidence types include:


Gap Analysis Tool ISO 27001






This is the best quality of audit evidence. Verifying and recording in Audit Workbook that:

  • a locked door is locked,
  • people do sign confidentiality agreements,
  • the asset register exists and contains assets observed,
  • system settings are adequate, etc.).

Records of Performance

Evidence can be gathered from seeing the results of performance of a control.  Having sight of and recording in Audit Workbook:

  • printouts of access rights given to people signed by the correct authorizing official,
  • records of incident resolution,
  • processing authorities signed by the correct authorizing official,
  • minutes of management (or other) meetings.

Direct Testing

Evidence can be the result of direct testing (or re-performance) of controls by the auditor.  For example:

  • attempts to perform tasks said to be prohibited by the controls,
  • determination whether software to protect against malicious code is installed and up-to-date on machines,
  • access rights granted (with the permission of management/authorities).


You can implement and maintain your own ISMS (Information Security Management System)



This is arguably the most important form of evidence.  Many organizations operate on the basis that, if IT vulnerabilities are controlled, the organization is protected.  This is folly.  We're not talking cyber security.  It's more than that.  We're talking information security!

We know that all the technological precautions in the world are essentially useless unless the people involved fully play their part.  People are always the weakest link in the chain; just read about major information security breaches and you will see that time after time it is the failure of the people involved (actively or passively) that permitted the incident to occur. 

Interview type evidence can be gathered by:

  • interviewing staff at all levels and functions about applicable processes and controls
  • and then determining whether this is factually correct.
  • interviewing persons doing work under the organization’s control about applicable processes (especially outsourced processes) and controls
  • and then determining whether this is factually correct.
  • interviewing contractors and sub-contractors (both management and staff) about applicable processes and controls
  • And then determining whether this is factually correct.

How Annex A of ISO 27001 Affects Your Internal Audit Programme

Too often, Audit Programmes for organizations seeking certification to ISO 27001 ignore Annex A or schedule a cursory audit of the requirements here. 

Remember Annex A is not ‘Informative’; it is ‘Normative’, that is, a mandatory part of the Standard.

It is essential that a sufficient number of internal audits be planned to cover all applicable vulnerabilities (upward of a hundred are common), and evidence of the types given above be collected and documented.  Otherwise, you have little chance of a successful Certification Audit.  Good luck.

(From Annex D ISO 27006:2015)

Choose from five ISO 27001 Courses

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. He spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems

Subscribe to Email Updates


Recent Posts

Posts by Topic