Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first
Back to Knowledge & Insights

Infosec evidence suggestions from Hicomply's digital ISMS experts

When you’re working to achieve an information security standard like ISO 27001, SOC 2 or PCI DSS, you’re required to collect evidence. Evidence provides a record of your organisation's security efforts, validates compliance with regulations and standards, supports risk management, and facilitates communication, verification, and improvement.

Our customer success team has pulled together a list of examples of evidence you may need to record. However, it’s important to note that the below evidence suggestions may not all be applicable to your organisation or the standard you are obtaining.

Information security evidence examples

Access review

You must periodically evaluate and validate the access rights and permissions granted to users for all systems, applications, data, and resources. This is to ensure that users have the appropriate level of access based on their roles and responsibilities, and to mitigate the risk of unauthorised access that could lead to security breaches or data leaks.

Uptime report

A summary of the availability and reliability of a system, service, or application over a specific period of time. It should communicate percentage of time that a system has been operational and accessible to users, as well as any instances of downtime or interruptions that occurred during that time frame.

Infosec industry newsletters

These could be newsletters sent from your infosec training provider or your own organisation’s internal newsletters. You should also encourage employees to sign up to relevant third party industry newsletters.

Cloud monitoring reports

How does your organisation track and manage the performance, availability, and health of any services hosted in a cloud?

Business continuity/disaster recovery test

A controlled and planned activity conducted by your organisation to assess your readiness to handle and recover from various types of disruptions or disasters that could potentially impact your operations. You should validate the effectiveness of your continuity and disaster recovery plans, as well as identifying areas for improvement.

BYOD software version audit

Conduct regular audits of software versions on employee devices. This could involve checking specific applications or using tools to scan devices for software versions.

Database capacity planning/monitoring

How do you manage and maintain the performance, scalability, and efficiency of your database system? Should include assessing the current and future resource requirements of your database, ensuring that it has the necessary resources to handle its workload, and continuously monitoring its usage and performance to make informed decisions.

Data backup/recovery summary

Do you use a backup and recovery solution to protect your data stored in cloud-based applications and services? This will help your organisation safeguard critical information from accidental deletions, data corruption, cyberattacks, and other potential data loss events.

Cryptographic controls

Which encryption options does your organisation use to send e-mails securely, in line with policy?

Customer support metrics

A KPI report.

Vulnerability management

How does your organisation proactively locate and address security weaknesses that could be exploited by attackers to compromise the confidentiality, integrity, or availability of digital assets and systems?

Data subject access requests

Report for each data subject access request (DSAR) and overall DSAR log.

Joiner/Leaver requests and access requests

How are these raised, managed and approved in your organisation?

ISMS awareness

How do you ensure that your employees have a general understanding of your ISMS and certifications?

Infosec awareness/training

Do you have an annual infosec training plan, and have your employees completed their required training modules?

Reading completion

The correct employees should have read, accepted and have easy access to the latest versions of all relevant policies and procedures.

Information security objectives

You can either have a set for each standard that you are working towards, or a combined set.

Internal audit plan/schedule

Your internal audit plan for your certification lifecycle.

Endpoint management and security

How does your organisation periodically evaluate managed devices against the defined compliance policies? A regular compliance control test checks whether devices adhere to the required security settings and configurations.

Information security management - Forum

Should be at least quarterly. Meeting agendas, meeting minutes and any actions should be recorded in your ISMS.

Information security management - Top management review

Should be six monthly. Meeting agendas, meeting minutes and any actions should be recorded in your ISMS.

Managed device wipes

Report to show managed device wipes.

Logging and monitoring

How does your organisation capture and analyse data related to various activities and events occurring within your system or application?

Logging could include: Event recording, timestamps, severity levels, source identification, data capturing

Monitoring could include: Real-time observation, alerting, performance monitoring, anomaly detection, incident response, reporting and analysis.

Office emergency procedure and response plan

Predefined actions, protocols, and guidelines designed to ensure the safety of employees, visitors, and assets during various types of emergencies that might occur within an office or workplace environment.

Organisation chart

Your organisation chart defines roles and responsibilities, shows clear accountability and delegation of authority, supports communication and collaboration, access control and segregation of duties, incident response, change management, policy enforcement, compliance and auditing, succession planning and third-party relationships.

Penetration testing

Identify vulnerabilities and weaknesses in your organisation's information systems, applications, networks, and infrastructure, then take proactive measures to strengthen your defences and protect sensitive data.

Infosec in project management

Information security must be considered in any projects that involve the handling, sharing, and storage of sensitive information, or require the use of technology systems and networks that can be vulnerable to various security threats. Start each project with an InfoSec checklist to ensure any risks and mitigating actions are considered and planned.

Incident management

How are incidents logged and managed?

Major incident reviews

Actions from incidents and how they are managed.

Fire evacuation procedure

Predefined actions, protocols, and guidelines designed to ensure the safety of employees, visitors, and assets during a fire that might occur within an office or workplace environment.

Flood risk assessment

To ensure the safety of employees, protect assets, and maintain business continuity.

Supplier agreements

Manage and mitigate cybersecurity risks associated with third-party vendors, suppliers, and partners. Incorporating supplier agreements into your ISMS helps ensure that the security of your organisation's information and data is maintained even when involving external parties.

Password protection settings

Configuration options that dictate how passwords are managed, enforced, and secured within a system, application, or digital environment to help prevent unauthorized access, data breaches, and unauthorised changes to sensitive information. Settings should ensure that passwords are strong, properly managed, and used in a secure manner.

Audit findings and remediation

By effectively remediating audit findings, your organisation strengthens their information security practices, enhances compliance, and contributes to a secure and resilient digital environment.

Supplier review

Suppliers have a significant impact on the security and integrity of your organisation's information and data. Integrating supplier reviews into your ISMS helps ensure that the security measures of external entities align with your organisation's information security requirements.

Third-party licenses

Third-party software licenses refer to legal agreements that outline the terms and conditions under which a software or technology developed by a third-party vendor or provider can be used, distributed, and integrated into your own applications, products, or services. These licenses are essential for ensuring compliance with intellectual property rights, usage restrictions, and other legal obligations associated with using software components created by external parties.

Voice of the customer insight (QMS)

How do you gather and use valuable insights into customer preferences, expectations, satisfaction levels, and areas for improvement? VoC data helps organisations align their products, services, and processes with customer needs and preferences, ultimately leading to enhanced quality and customer satisfaction.

Final thought

There is a range of evidence that you may choose to include (or not include) on the basis of applicability to your organisation or standard. Whatever the case, ensuring you record the relevant evidence is crucial for successfully proving your organisation’s security stance when it comes to your external audit.

More Insights

ISO27001
How to solve a problem like third-party vendors
ISO27001
Spread your ISMS audit over three years
ISO27001
Understanding e-commerce requirements for PCI DSS

Automate your evidence collection

Discover Hicomply: Compliance as you work