Ga naar inhoud

Evidence and documentation for ISO 27001

Practical guidance for ISO 27001: scope, risk, controls, and evidence that matches how your organisation really works. Use the takeaways and FAQ below as a checklist; then deep-link into your registers and change records.

Book an informal conversation

ISO Ready helps you align policy, risk, and evidence — without endless document churn.

Run the ISO 27001 readiness scan

Evidence and documentation under ISO 27001 are the observable trails showing your ISMS exists in operation — auditors follow policy to configuration, ticket, and log. Documentation is the means; evidence is what wins stage 2.

Mature teams build an evidence map: per risk and SoA control you know which example to show — access review export, change record, tabletop minutes — with dates and owners.

What does this mean?

ISO 27001 requires documented information where stated — scope, risk treatment, SoA, core policies — but auditors seek operational proof controls run. Evidence includes exports, tickets, minutes, SIEM queries if traceable and current.

Documentation translates decisions into workable rules; evidence shows execution last month or Monday. Retention and versioning matter — stale access review breaks credibility.

Evidence mapping links SoA rows to folders or tool locations. GRC platforms or structured drives both work with clear owners and cadence.

Internal audits practice evidence gathering — same discipline as external audit.

Who is this for?

Compliance coordinates; process owners supply samples; engineering provides deploy and change logs; HR provides onboarding/offboarding proof.

SMEs: hard evidence on top-20 controls beats document volume. Scale-ups automate via IAM and CI/CD exports for surveillance.

What steps or requirements apply?

Evidence index linked to SoA: control ID, evidence type, location, owner, refresh frequency. Start with identity, logging, change, backup, incidents.

Define minimum documentation set and calendar rhythm for reviews and tests. Dry-run audit: ten samples, measure time to complete.

Automate where possible — document exceptions with tickets.

Common mistakes

Folder dump without index. Evidence older than policy requires. Screenshots without date context.

Policy version A in ISMS, B on intranet. Planned measures documented but not completed. Offboarding proof missing.

Practical action plan

SoA + evidence template; owners; first collection round; internal sample. Link SoA and audit preparation.

Pack evidence by SoA cluster for audit week. Archive with audit reference after stage 2.

Relationship with ISO 27001, NIS2, GDPR or ISMS

Evidence supports ISMS and certification. NIS2 chain and incident proof overlaps logging and IR evidence.

GDPR DPIAs and processor agreements are privacy evidence in the same index. Costs fall when evidence is routine.

Backup restore test evidence: ticket, date, success/fail, remediation — annual test is Annex A expectation auditors sample.

Privileged access review evidence separate from general access — admins are higher risk sample.

Incident evidence: timeline, classification, lessons learned ticket — even minor incidents show process works.

Vendor SOC report review notes — you cannot just file PDF; show review date and exceptions tracked.

Document control procedure: how policies get version bumps and who approves — meta-evidence auditors request.

Secure deletion evidence where retention policy requires — proves lifecycle not just backup.

MFA enrollment report with date — percentage enrolled beats policy saying MFA required.

Vulnerability scan export with remediation tickets — close the loop on A.8.8.

Tabletop exercise attendance and after-action items — BC and IR evidence combined.

Evidence naming convention — auditors find samples faster; ISO-CONTROL-DATE format works.

Privileged access review evidence separate from general user reviews — admins sampled first in stage 2.

Document control meta-procedure: version, approver, distribution list — auditors request how policy v3.2 superseded v3.1.

Vulnerability management loop: scan export, triage ticket, remediation proof with date — closes A.8.8 sample in one chain.

Tabletop exercise minutes with named attendees and tracked after-actions — BC and IR evidence in a single artefact auditors recognise.

Naming convention for evidence files — ISO-CONTROL-YYYY-MM-DD — saves audit week search time and signals maturity to certification bodies.

Evidence index columns: control ID, evidence type, system source, owner, collection frequency, last collected date, storage path. Missing last-collected date is how access reviews expire silently until audit week.

Sampling strategy document explains how internal audit chooses risks — auditors compare your method to theirs. Random plus risk-based hybrid is defensible; purely ad-hoc selection is not.

Retention schedule ties log types to SoA controls and legal holds — GDPR erasure requests get an exception workflow documented with legal sign-off, not informal Slack approval.

Secure development evidence bundle: pull request template, security checklist completion, dependency scan result — one release sampled end-to-end convinces auditors faster than policy alone.

Evidence stored in one logical tree mirrored in SoA links — auditors refuse to search personal drives or orphaned SharePoint sites.

Watermark or footer on evidence exports with generation timestamp — proves freshness when auditor questions age of screenshot.

Define what evidence customers may receive versus internal-only — full internal audit reports are rarely appropriate; certificate plus summary usually suffices in due diligence.

Automate where possible: IAM access reports, dependency scans and CI/CD deployment logs beat manual screenshots that age within a week.

Evidence dry-run: ask a non-security colleague to find proof for five random SoA controls within 60 minutes — failure means fix the index before external audit.

Keep approval trails on policies: who approved which version, when, and what triggered review — version control without approval log is half evidence.

Align log retention with audit sample windows — if auditors look back six months but logs rotate at 90 days, you have a gap regardless of SIEM quality.

Structure evidence folders mirroring SoA chapters — auditors navigate faster than a flat SharePoint dump without index.

Internal audit reports are evidence of clause 9.2 — include scope, criteria, findings and follow-up status; external auditors review your internal audit quality.

Supplier review records: contract, tier, last assessment date and open actions — chain evidence is stage 2 favourite for SaaS vendors.

Backup restore test logs with date and owner — A.8.13 samples fail when policy exists but last successful restore is older than 12 months.

Change records as evidence: link deployment ID to SoA secure development control — auditors sample releases after incidents or pentest findings.

Incident tickets with timeline, classification and post-mortem link satisfy both clause 5.24 and evidence expectations — closed without lessons learned is weak.

Access review exports with approver name and timestamp beat policy statements alone — A.5.18 samples almost always ask for last quarter’s review file.

Tabletop exercise minutes with attendees, scenario and actions assigned — business continuity evidence without named owners is cosmetic.

Vendor SOC 2 reports indexed by subprocessors named in SoA — expiry dates flagged 90 days ahead.

Privileged access list snapshot dated within sample window — generic admin policy without export fails A.8.2 checks.

Encryption key management evidence: who can access KMS, rotation cadence, break-glass procedure — cloud teams often have policy but no export.

Offboarding checklist signed by manager and IT with deprovisioning ticket ID — HR-only offboarding without IAM ticket is a recurring major.

Vulnerability scan reports with remediation tickets for highs — scan PDF without ticket linkage looks like checkbox compliance.

Document retention schedule aligned to legal, contractual and audit needs — auditors ask how long records live and who approves destruction.

Central evidence index owner named in ISMS manual — auditors ask who maintains the map when the CISO is on holiday during stage 2.

Key takeaways

  • Link controls to risk treatment and your Statement of Applicability — avoid policy-only boxes.
  • Assign owners, review cadence, and measurable acceptance criteria for every material action.
  • Use sampling and KPIs to show controls work in operations — not only that they were planned.
  • Align incidents and vendor changes with privacy/legal where personal data or chain risk is involved.

Veelgestelde vragen

Where should I start this week?
Confirm scope and owners, capture current practice with light evidence, then schedule an internal audit sample on the highest-risk area.
How much documentation is enough?
Enough to demonstrate decisions, operation, and monitoring. Auditors look for consistency between records and reality.
Does this relate to NIS2?
Often, for governance, logging, incidents, and supply chain assurance — map overlaps to avoid duplicate registers.
How does ISO Ready help?
ISO Ready centralises actions, evidence, risks, and audit prep — use the on-page CTA with the correct campaign tag.

Check audit readiness

Keep evidence, actions and open items aligned for stage 1 and stage 2.

View audit readiness