What is audit evidence?
How do you prove controls work? proves your ISMS exists in operations, not only on paper. Auditors sample policy → operation → monitoring. Evidence includes versions, tickets, log extracts, approvals and minutes with decisions.
Control owner vs evidence owner
The control owner designs and maintains the measure; the evidence owner delivers proof on time. Without separation, security drowns in ad-hoc searches. ISO Ready links actions, uploads and deadlines to controls or risks.
Internal audit and CAPs
Internal audit is your dress rehearsal. Corrective action plans need root cause, owner, deadline and verification. Close major non-conformities before the external audit.
Common mistakes
Folder dumps without narrative; evidence older than policy; no link between risk and control; management review without decisions; evidence only in email.
Checklist
- Evidence map per control/risk
- Owners and review cadence
- Internal audit with sampling
- Track CAPs to verification
- Management review with decisions
Practical next step
For prove controls work, ISO Ready keeps actions, evidence, risks and vendors aligned toward audit or supervision. Run the readiness scan on iso-ready.nl.
No certification guarantee — you retain ownership of scope, risks and decisions.
More in this cluster
- Control Owner Vs Evidence Owner
- Audit Trail Iso
- Controleplan Iso 27001
- Iso 27001 Interne Audit
- Business Continuity Iso
- Iso 27701 Privacy Management