When you’re working to achieve an information security standard like ISO 27001, SOC 2 or PCI DSS, you’re required to collect evidence. Evidence provides a record of your organisation's security efforts, validates compliance with regulations and standards, supports risk management, and facilitates communication, verification, and improvement.
Our customer success team has pulled together a list of examples of evidence you may need to record. However, it’s important to note that the below evidence suggestions may not all be applicable to your organisation or the standard you are obtaining.
Information security evidence examples
Access review
You must periodically evaluate and validate the access rights and permissions granted to users for all systems, applications, data, and resources. This is to ensure that users have the appropriate level of access based on their roles and responsibilities, and to mitigate the risk of unauthorised access that could lead to security breaches or data leaks.
Uptime report
A summary of the availability and reliability of a system, service, or application over a specific period of time. It should communicate the percentage of time that the system has been operational and accessible to users, as well as any instances of downtime or interruptions that occurred during that time frame.
Infosec industry newsletters
These could be newsletters sent from your infosec training provider or your own organisation’s internal newsletters. You should also encourage employees to sign up to relevant third-party industry newsletters.
Cloud monitoring reports
How does your organisation track and manage the performance, availability, and health of any services hosted in a cloud?
Business continuity/disaster recovery test
A controlled and planned activity conducted by your organisation to assess your readiness to handle and recover from various types of disruptions or disasters that could potentially impact your operations. The test should validate the effectiveness of your continuity and disaster recovery plans, as well as identify areas for improvement.
BYOD software version audit
Conduct regular audits of software versions on employee devices. This could involve checking specific applications or using tools to scan devices for software versions.
Database capacity planning/monitoring
How do you manage and maintain the performance, scalability, and efficiency of your database system? This should include assessing the current and future resource requirements of your database, ensuring that it has the necessary resources to handle its workload, and continuously monitoring its usage and performance so that decisions are informed by real data.
Data backup/recovery summary
Do you use a backup and recovery solution to protect your data stored in cloud-based applications and services? This will help your organisation safeguard critical information from accidental deletions, data corruption, cyberattacks, and other potential data loss events.
Cryptographic controls
Which encryption options does your organisation use to send e-mails securely, in line with policy?
Customer support metrics
A KPI report.
Vulnerability management
How does your organisation proactively locate and address security weaknesses that could be exploited by attackers to compromise the confidentiality, integrity, or availability of digital assets and systems?
Data subject access requests
Report for each data subject access request (DSAR) and overall DSAR log.
Joiner/Leaver requests and access requests
How are these raised, managed and approved in your organisation?
ISMS awareness
How do you ensure that your employees have a general understanding of your ISMS and certifications?
Infosec awareness/training
Do you have an annual infosec training plan, and have your employees completed their required training modules?
Reading completion
The relevant employees should have read and accepted the latest versions of all applicable policies and procedures, and should have easy access to them.
Information security objectives
You can either have a set for each standard that you are working towards, or a combined set.
Internal audit plan/schedule
Your internal audit plan for your certification lifecycle.
Endpoint management and security
How does your organisation periodically evaluate managed devices against the defined compliance policies? A regular compliance control test checks whether devices adhere to the required security settings and configurations.
Information security management - Forum
Forum meetings should be held at least quarterly. Meeting agendas, meeting minutes and any actions should be recorded in your ISMS.
Information security management - Top management review
Top management reviews should be held at least every six months. Meeting agendas, meeting minutes and any actions should be recorded in your ISMS.
Managed device wipes
Report to show managed device wipes.
Logging and monitoring
How does your organisation capture and analyse data related to various activities and events occurring within your system or application?
Logging could include: event recording, timestamps, severity levels, source identification and data capturing.
Monitoring could include: real-time observation, alerting, performance monitoring, anomaly detection, incident response, reporting and analysis.
Office emergency procedure and response plan
Predefined actions, protocols, and guidelines designed to ensure the safety of employees, visitors, and assets during various types of emergencies that might occur within an office or workplace environment.
Organisation chart
Your organisation chart defines roles and responsibilities and shows clear accountability and delegation of authority. It supports communication and collaboration, access control and segregation of duties, incident response, change management, policy enforcement, compliance and auditing, succession planning, and the management of third-party relationships.
Penetration testing
Identify vulnerabilities and weaknesses in your organisation's information systems, applications, networks, and infrastructure, then take proactive measures to strengthen your defences and protect sensitive data.
Infosec in project management
Information security must be considered in any project that involves the handling, sharing, or storage of sensitive information, or that requires the use of technology systems and networks that can be vulnerable to various security threats. Start each project with an infosec checklist to ensure any risks and mitigating actions are considered and planned.
Incident management
How are incidents logged and managed?
Major incident reviews
Actions from incidents and how they are managed.
Fire evacuation procedure
Predefined actions, protocols, and guidelines designed to ensure the safety of employees, visitors, and assets during a fire that might occur within an office or workplace environment.
Flood risk assessment
A flood risk assessment helps ensure the safety of employees, protect assets, and maintain business continuity.
Supplier agreements
Manage and mitigate cybersecurity risks associated with third-party vendors, suppliers, and partners. Incorporating supplier agreements into your ISMS helps ensure that the security of your organisation's information and data is maintained even when involving external parties.
Password protection settings
Configuration options that dictate how passwords are managed, enforced, and secured within a system, application, or digital environment to help prevent unauthorised access, data breaches, and unauthorised changes to sensitive information. Settings should ensure that passwords are strong, properly managed, and used in a secure manner.
Audit findings and remediation
By effectively remediating audit findings, your organisation strengthens its information security practices, enhances compliance, and contributes to a secure and resilient digital environment.
Supplier review
Suppliers have a significant impact on the security and integrity of your organisation's information and data. Integrating supplier reviews into your ISMS helps ensure that the security measures of external entities align with your organisation's information security requirements.
Third-party licenses
Third-party software licenses are legal agreements that outline the terms and conditions under which software or technology developed by a third-party vendor or provider can be used, distributed, and integrated into your own applications, products, or services. These licenses are essential for ensuring compliance with intellectual property rights, usage restrictions, and other legal obligations associated with using software components created by external parties.
Voice of the customer insight (QMS)
How do you gather and use valuable insights into customer preferences, expectations, satisfaction levels, and areas for improvement? VoC data helps organisations align their products, services, and processes with customer needs and preferences, ultimately leading to enhanced quality and customer satisfaction.
Final thought
There is a range of evidence that you may choose to include (or not include) on the basis of applicability to your organisation or standard. Whatever the case, ensuring you record the relevant evidence is crucial for successfully proving your organisation’s security stance when it comes to your external audit.