ISO 27001 Evidence Checklist: What Auditors Usually Ask For
A practical checklist of the evidence items ISO 27001 auditors most commonly request, mapped to Annex A controls. Use it to close gaps before your certification audit.
Preparing for an ISO 27001 certification audit is largely about evidence — demonstrating that controls are not just documented but operating in practice. Auditors don't just read your policies; they want to see logs, reports, records, and artefacts that prove your Information Security Management System (ISMS) is running day to day.
This checklist covers the evidence items that come up most often across stage 1 and stage 2 audits. It isn't exhaustive — every auditor is different — but it's a solid starting point for scoping your evidence collection programme.
1. ISMS scope and context (Clauses 4–6)
Auditors typically open by verifying the scope of your ISMS.
- ISMS scope statement — a written, version-controlled document defining the boundaries of the ISMS (which systems, teams, locations, and services are in scope).
- Interested parties register — a list of internal and external stakeholders, their requirements, and how those requirements were considered.
- Risk assessment methodology — your documented approach for identifying, analysing, and evaluating information security risks.
- Statement of Applicability (SoA) — all 93 Annex A controls of ISO/IEC 27001:2022 listed, each with an applicability decision, a justification (for inclusions as well as exclusions), and the implementation status of every included control.
- Risk treatment plan — the treatment option chosen for each risk, the control owner, planned mitigations and target dates, plus the risk owner's documented approval of the plan and acceptance of residual risks.
2. Leadership and policy evidence (Clause 5, plus management review in Clause 9.3)
- Information Security Policy — signed, dated, and communicated to all staff. Auditors often ask to see the distribution evidence (e.g. email records, intranet acknowledgement).
- Management review minutes — records of management reviews held at planned intervals (at least annually in practice), covering ISMS performance metrics, internal and external audit results, changes to risks and to the context of the organisation, and the decisions and actions taken.
- Security roles and responsibilities — org chart or RACI showing who owns information security, and documented appointment of the ISMS owner or CISO equivalent.
3. Human resources security (A.6)
- Onboarding and offboarding checklists — records of access provisioning and revocation tied to HR events.
- Security awareness training records — completion logs, dates, and training materials. Auditors often sample 5–10 individual employee records.
- Confidentiality agreement (NDA) register — signed NDAs for employees and relevant contractors.
4. Access control evidence (A.5.15–A.5.18, A.8.2, A.8.5)
Access control is usually the area with the most findings. Be ready with:
- User access reviews — documented periodic reviews (quarterly for privileged access and at least annually for everything else is a common pattern) showing who has access to what, who approved it, and that leavers' accounts and orphaned accounts were disabled or removed as a result.
- Privileged access logs — records of admin accounts, MFA enforcement, and any use of privileged access management (PAM) tools.
- Microsoft 365 Conditional Access policy exports — screenshots or API exports showing policies enforcing MFA, device compliance, and location restrictions. Check the exported state before you hand it over: a policy in report-only mode enforces nothing, so only policies with state "On" count as evidence of enforcement, and any excluded users or groups (break-glass accounts, service accounts) need a documented justification.
- Entra ID (Azure AD) sign-in logs — sample exports showing successful and failed logins, MFA challenges, and risky sign-in remediations.
- Password policy configuration — evidence of the length, complexity, and rotation settings configured in your identity provider, matched against your own authentication policy. Annex A.5.17 does not mandate periodic rotation; if you have followed current guidance (NIST SP 800-63B, Microsoft's own recommendations) and dropped forced rotation in favour of MFA and banned-password checks, document that rationale so the auditor can see it was a decision, not an oversight.
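As an added example, not code from this article or from Certvik, the Python script below turns three constructed Entra ID exports (sign-in log entries, the authentication-methods registration report, and a user export with sign-in activity plus an HR leavers list) into the figures an auditor samples against in this section and the kind of KPI section 9 asks for: sign-in outcomes and MFA challenges, risky sign-ins still open, MFA coverage with the admins who lack it, and enabled accounts the access review should have revoked. The record shapes follow Microsoft Graph field names (signIn, userRegistrationDetails, signInActivity), but every value is constructed; the example.com accounts, the review date and the 90-day staleness threshold are assumptions you should replace with your own.

```python
"""Access-control evidence summary for an ISO 27001 user access review.

Added example (not code from this article or from Certvik). The three record
sets below are CONSTRUCTED to mimic the field names of Microsoft Graph exports:
/auditLogs/signIns, /reports/authenticationMethods/userRegistrationDetails and
/users?$select=signInActivity. Swap them for the JSON you actually export.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample sign-in records (subset of the Graph signIn resource).
# errorCode 0 = success; 50126 = invalid username or password.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "riskState": "none"},
    {"userPrincipalName": "bob@example.com", "status": {"errorCode": 50126},
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "riskState": "none"},
    {"userPrincipalName": "carol@example.com", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "success", "riskState": "remediated"},
    {"userPrincipalName": "dave@example.com", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "riskState": "atRisk"},
]

# Constructed sample from the authentication-methods registration report.
REGISTRATIONS = [
    {"userPrincipalName": "alice@example.com", "isAdmin": True, "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.com", "isAdmin": False, "isMfaRegistered": True},
    {"userPrincipalName": "carol@example.com", "isAdmin": False, "isMfaRegistered": False},
    {"userPrincipalName": "dave@example.com", "isAdmin": True, "isMfaRegistered": False},
]

# Constructed sample user export with signInActivity, plus an HR leavers list.
ACCOUNTS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:12:00+00:00"}},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-01-03T09:00:00+00:00"}},
    {"userPrincipalName": "carol@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-18T17:45:00+00:00"}},
    {"userPrincipalName": "erin@example.com", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2023-11-30T10:00:00+00:00"}},
]
LEAVERS = {"carol@example.com"}  # constructed: HR recorded a leaving date, account still enabled


def sign_in_summary(sign_ins):
    """Counts an auditor can sample against: outcomes, MFA challenges, sign-ins
    no Conditional Access policy covered, and risky sign-ins split into
    remediated versus still open."""
    counts = Counter()
    for s in sign_ins:
        counts["total"] += 1
        counts["success" if s["status"]["errorCode"] == 0 else "failure"] += 1
        if s["authenticationRequirement"] == "multiFactorAuthentication":
            counts["mfa_required"] += 1
        if s["conditionalAccessStatus"] == "notApplied":
            counts["no_ca_policy_applied"] += 1
        if s["riskState"] in ("remediated", "confirmedSafe", "dismissed"):
            counts["risky_remediated"] += 1
        elif s["riskState"] in ("atRisk", "confirmedCompromised"):
            counts["risky_open"] += 1
    return dict(counts)


def mfa_coverage(registrations):
    """MFA coverage % across all users, plus admins with no MFA registered
    (the finding an auditor will write up first)."""
    if not registrations:
        return 0.0, []
    registered = sum(1 for r in registrations if r["isMfaRegistered"])
    pct = round(100.0 * registered / len(registrations), 1)
    admins_without_mfa = sorted(r["userPrincipalName"] for r in registrations
                                if r["isAdmin"] and not r["isMfaRegistered"])
    return pct, admins_without_mfa


def orphaned_accounts(accounts, leavers, as_of, stale_days=90):
    """Enabled accounts the access review should have revoked: owned by a
    leaver, or not signed in within stale_days. Disabled accounts pass."""
    findings = []
    for a in accounts:
        if not a["accountEnabled"]:
            continue
        reasons = []
        if a["userPrincipalName"] in leavers:
            reasons.append("leaver")
        last = a.get("signInActivity", {}).get("lastSignInDateTime")
        if last is None or (as_of - datetime.fromisoformat(last)).days > stale_days:
            reasons.append("stale")  # an account that never signed in is stale too
        if reasons:
            findings.append((a["userPrincipalName"], reasons))
    return findings


if __name__ == "__main__":
    review_date = datetime(2024, 5, 31, tzinfo=timezone.utc)  # assumed review date
    print(sign_in_summary(SIGN_INS))
    print(mfa_coverage(REGISTRATIONS))
    print(orphaned_accounts(ACCOUNTS, LEAVERS, review_date))
```

Run against real exports, the output of `orphaned_accounts` is the list you attach to the access review record together with the ticket that disabled each account; `mfa_coverage` gives you the percentage for the KPI and the admin names that need fixing before the audit, and `sign_in_summary` shows whether any interactive sign-ins are slipping past Conditional Access entirely, which is usually a policy scoping gap rather than a logging one.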
5. Asset and data management (A.5.9, A.5.12–A.5.13)
- Asset register — a list of information assets, classification level, owner, and location. For Microsoft 365 environments, this typically includes SharePoint sites, OneDrive, Exchange, and Teams.
- Data classification policy — documented rules for labelling data as Public, Internal, Confidential, or Restricted.
- Sensitivity label configuration — evidence that Microsoft Purview or equivalent labelling is deployed and in use.
6. Incident management (A.5.24–A.5.28)
- Incident log — a register of security events and incidents with dates, severity, impact, and resolution notes. Even if you had no reportable incidents in the audit period, you need evidence the process was active: events that were triaged and closed as non-incidents, phishing reports handled, or a tested playbook, not an empty register.
- Incident response procedure — the documented playbook for detecting, reporting, and responding to incidents.
- Post-incident review records — at least one documented post-incident review or lessons-learned exercise.
7. Supplier and third-party management (A.5.19–A.5.23)
- Supplier register — all suppliers with access to your systems or data, their risk classification, and review dates.
- Supplier contracts with security clauses — or a vendor security questionnaire programme with completed assessments.
- Annual supplier reviews — evidence that high-risk suppliers were reviewed in the audit period.
8. Business continuity and availability (A.5.29–A.5.30, A.8.13–A.8.14)
- Business continuity and disaster recovery plan (BCP/DRP) — documented and version-controlled.
- BCP test records — evidence that the plan was tested (tabletop exercise, failover test) within the audit period.
- Backup configuration and restore logs — confirmation that backups run on the defined schedule, are stored off-site or replicated to a separate fault domain, and that a restore has actually been exercised, with the date, scope, and outcome recorded. A job log reading "completed" proves the backup ran, not that the data can be recovered.
9. Internal audit and continual improvement (Clauses 9–10)
- Internal audit schedule and plan — showing the audit covered all relevant clauses and Annex A controls in scope.
- Internal audit report — with findings, nonconformities, and recommendations.
- Corrective action records — evidence that nonconformities from internal audits, management reviews, or previous external audits were tracked to closure.
- KPIs and metrics — performance data against the objectives set under Clause 6.2 showing the ISMS is monitored (e.g. MFA coverage %, overdue access reviews, open vulnerabilities past their remediation SLA), together with how each figure is measured and who reviews it.
How Certvik helps with evidence collection
Manually gathering this evidence from Microsoft 365 is time-consuming. Certvik connects to your Microsoft 365 tenant and automatically collects configuration evidence — MFA status across all users, Conditional Access policy exports, privileged account reports, device compliance summaries, and more — mapped to the relevant ISO 27001 controls.
Instead of exporting screenshots for every audit, you get a continuously updated evidence library that you can hand to your auditor on demand. The gap analysis view shows exactly which controls still need manual evidence so you know where to focus.
Start collecting evidence automatically
Certvik connects to your Microsoft 365 tenant and maps your configuration to ISO 27001 and SOC 2 controls — so you're always audit-ready, not scrambling before a deadline.