# ISO 27001 Annex A Evidence Pack

A working evidence pack for the **ISO/IEC 27001:2022 Annex A** controls. Lists every one of the 93 controls grouped into the four themes (Organisational, People, Physical, Technological), with the evidence an external auditor expects, the common gaps, and where VantagePoint material can accelerate each. MIT licensed. Authored by VantagePoint Networks.

**Audience:** Information Security Managers, Compliance Leads, IT Managers, Internal Auditors
**Use this when:** preparing for Stage 1 / Stage 2 certification, preparing for surveillance audit, running a gap analysis, or building an internal evidence library.

---

## 1. About the 2022 revision

ISO/IEC 27001:2022 reorganised Annex A into four themes containing **93 controls** (down from 114 in 2013). 11 controls are new: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering and 8.28 Secure coding; the remainder were carried over, merged or renamed. Certificates issued against the 2013 edition must transition by 31 October 2025.

This pack uses the 2022 control set.

## 2. Theme A.5 - Organisational controls (37)

| # | Control | Evidence to collect |
|---|---|---|
| 5.1 | Policies for information security | Approved policy document, communications log, attestation tracker |
| 5.2 | Information security roles and responsibilities | Role descriptions, RACI, org chart with security roles |
| 5.3 | Segregation of duties | SoD matrix per critical system; access review showing no SoD violations |
| 5.4 | Management responsibilities | Management review minutes, board reporting |
| 5.5 | Contact with authorities | Contact list (regulators, NCSC (formerly CERT-UK), NCA, ICO); evidence that the list is reviewed and the contacts tested at least annually |
| 5.6 | Contact with special interest groups | Memberships, attendance records |
| 5.7 | Threat intelligence (NEW) | TI provider contracts, ingestion evidence (e.g. into SIEM), action evidence |
| 5.8 | Information security in project management | Project security checklist, project gates evidence |
| 5.9 | Inventory of information and other assets | Asset register (devices, software, data), update cadence |
| 5.10 | Acceptable use of information and other associated assets | AUP, signed acknowledgements, joiner records |
| 5.11 | Return of assets | Leaver checklist, asset returns log |
| 5.12 | Classification of information | Classification scheme, labelling examples, policy |
| 5.13 | Labelling of information | Sample labelled documents, MIP / Purview rules |
| 5.14 | Information transfer | Transfer agreements, TLS evidence, secure file transfer logs |
| 5.15 | Access control | Access control policy, RBAC matrix, joiner/mover/leaver |
| 5.16 | Identity management | Entra ID / Okta config, identity lifecycle docs |
| 5.17 | Authentication information | Password policy, MFA enrolment report, secret-vault inventory |
| 5.18 | Access rights | Access review records, recertification evidence |
| 5.19 | Information security in supplier relationships | Supplier register, contract security clauses, tier-1 supplier review |
| 5.20 | Addressing information security within supplier agreements | Sample contract with security schedule |
| 5.21 | Managing information security in the ICT supply chain | SBOM where applicable, vendor patch policy review |
| 5.22 | Monitoring, review and change management of supplier services | Supplier review minutes (use `/supplier-review-meeting` skill) |
| 5.23 | Information security for use of cloud services (NEW) | Cloud usage policy, sanctioned cloud services list, DPA evidence |
| 5.24 | Information security incident management planning and preparation | Incident management policy, runbook (see `incident-response-runbook.md`) |
| 5.25 | Assessment and decision on information security events | Triage process, severity definitions |
| 5.26 | Response to information security incidents | Incident records, evidence of executed runbooks |
| 5.27 | Learning from information security incidents | Post-incident reviews (use `/post-mortem-facilitator` skill) |
| 5.28 | Collection of evidence | Chain-of-custody process, sample records |
| 5.29 | Information security during disruption | BCP / DR documents, BIA |
| 5.30 | ICT readiness for business continuity (NEW) | DR test records (use `/dr-test-planner` skill) |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Legal register, mapping per control |
| 5.32 | Intellectual property rights | IP policy, software licence audit, training records |
| 5.33 | Protection of records | Records retention schedule, evidence of immutability where required |
| 5.34 | Privacy and protection of PII | DPIA library, ROPA (record of processing activities) |
| 5.35 | Independent review of information security | External audit reports, internal audit schedule |
| 5.36 | Compliance with policies, rules and standards for information security | Compliance checks, exception register |
| 5.37 | Documented operating procedures | Runbook library (see `runbooks/` folder) |

## 3. Theme A.6 - People controls (8)

| # | Control | Evidence to collect |
|---|---|---|
| 6.1 | Screening | Background-check policy, sample evidence (with PII redacted) |
| 6.2 | Terms and conditions of employment | Employment contract security clauses |
| 6.3 | Information security awareness, education and training | Training programme, completion stats, refresher schedule |
| 6.4 | Disciplinary process | Documented process, integration with HR |
| 6.5 | Responsibilities after termination or change of employment | Leaver checklist showing access revocation evidence |
| 6.6 | Confidentiality or non-disclosure agreements | Signed NDAs (sample), staff and supplier coverage |
| 6.7 | Remote working | Remote working policy (use `/security-policy-drafter` skill) |
| 6.8 | Information security event reporting | Reporting channels, evidence of reports received and triaged |

## 4. Theme A.7 - Physical controls (14)

| # | Control | Evidence to collect |
|---|---|---|
| 7.1 | Physical security perimeters | Site survey, perimeter description, access points |
| 7.2 | Physical entry | Badge system records, visitor log |
| 7.3 | Securing offices, rooms and facilities | Server room access policy + log, lock review |
| 7.4 | Physical security monitoring (NEW) | CCTV coverage map, retention period, sample footage |
| 7.5 | Protecting against physical and environmental threats | Fire suppression, flood detection, BCP environmental controls |
| 7.6 | Working in secure areas | Clean-desk policy, secure area procedures |
| 7.7 | Clear desk and clear screen | Policy + spot-check evidence |
| 7.8 | Equipment siting and protection | Server / network room siting (UPS, cooling) |
| 7.9 | Security of assets off-premises | Off-site asset register, mobile asset policy |
| 7.10 | Storage media | Removable media policy, encryption requirements, media inventory |
| 7.11 | Supporting utilities | UPS test records, generator service records |
| 7.12 | Cabling security | Cable plan, segregation evidence (data vs power) |
| 7.13 | Equipment maintenance | Maintenance log, vendor SLAs |
| 7.14 | Secure disposal or re-use of equipment | Disposal records (certified destruction certificates), wipe logs |

## 5. Theme A.8 - Technological controls (34)

| # | Control | Evidence to collect |
|---|---|---|
| 8.1 | User end point devices | MDM compliance report, encryption + AV evidence |
| 8.2 | Privileged access rights | Admin account inventory, PIM activation logs, just-in-time evidence |
| 8.3 | Information access restriction | RBAC matrix, NTFS / share permissions snapshot |
| 8.4 | Access to source code | Repo permissions, review evidence |
| 8.5 | Secure authentication | MFA enforcement evidence, password policy |
| 8.6 | Capacity management | Capacity reports (use `/capacity-review` skill) |
| 8.7 | Protection against malware | EDR coverage, signature compliance, blocked-threat report |
| 8.8 | Management of technical vulnerabilities | Vulnerability scan output, patch SLA compliance |
| 8.9 | Configuration management (NEW) | Baseline configs (see `configs/` folder), drift detection |
| 8.10 | Information deletion (NEW) | Deletion procedures, evidence of execution |
| 8.11 | Data masking (NEW) | Masking rules in non-prod environments, sample evidence |
| 8.12 | Data leakage prevention (NEW) | DLP rules (Purview / equivalent), incident triage records |
| 8.13 | Information backup | Backup policy, test restore records |
| 8.14 | Redundancy of information processing facilities | HA architecture diagrams (see `diagrams/`), failover test records |
| 8.15 | Logging | Logging policy, central log destination, retention |
| 8.16 | Monitoring activities (NEW) | SIEM coverage, alert tuning evidence (see `sentinel-kql-detection-pack.md`) |
| 8.17 | Clock synchronisation | NTP policy + sample device check |
| 8.18 | Use of privileged utility programs | Privileged tool inventory, usage logging |
| 8.19 | Installation of software on operational systems | Software-install policy, allow-list evidence |
| 8.20 | Networks security | Network policies, NSG / firewall rules (see `configs/`) |
| 8.21 | Security of network services | Service-level evidence, monitoring |
| 8.22 | Segregation of networks | VLAN design (see `runbooks/` and `/vlan-designer` skill) |
| 8.23 | Web filtering (NEW) | Web filter policy, blocked-category evidence |
| 8.24 | Use of cryptography | Crypto policy, key inventory, KMS / HSM evidence |
| 8.25 | Secure development life cycle | SDL policy, gate evidence per release |
| 8.26 | Application security requirements | Threat models, security requirements per app |
| 8.27 | Secure system architecture and engineering principles | Architecture review records, ADRs |
| 8.28 | Secure coding (NEW) | Coding standards, SAST scan output, training records |
| 8.29 | Security testing in development and acceptance | Penetration test reports, DAST results |
| 8.30 | Outsourced development | Vendor security clauses, code review evidence |
| 8.31 | Separation of development, test and production environments | Environment topology, access boundaries |
| 8.32 | Change management | Change records (see `runbooks/change-management-runbook.md` and `/change-request-writer` skill) |
| 8.33 | Test information | Anonymised test data, masking evidence |
| 8.34 | Protection of information systems during audit testing | Read-only audit access, timing controls |

## 6. Statement of Applicability (SoA) starter

| Control | Applicability | Justification | Status | Evidence ref |
|---|---|---|---|---|
| 5.1 | Applicable | Mandatory ISMS policy baseline | Implemented | Policy v1.2, Approval 2026-01-10 |
| 5.7 | Applicable (NEW) | External threat exposure | Partial | TI feed live, action triggers in build |
| 5.23 | Applicable (NEW) | Cloud services in scope | Implemented | Cloud usage policy v1, sanctioned-services list |
| 5.30 | Applicable (NEW) | BCP / DR in scope | Implemented | DR test 2026-Q1 evidence |
| 7.4 | Applicable (NEW) | Server room on site | Implemented | CCTV map, 30-day retention |
| 8.12 | Applicable (NEW) | Data exfiltration risk | In progress | Purview DLP rule pack v1 in pilot |
| 8.16 | Applicable (NEW) | Undetected compromise risk | Implemented | Sentinel rule pack live |
| 8.23 | Applicable (NEW) | Web-borne malware risk | Implemented | DNS filter + Defender SmartScreen |
| 8.28 | Applicable (NEW) | In-house development in scope | Partial | SAST in CI, secure-coding training rolling out |

(Repeat for each of the 93 controls. Clause 6.1.3 d) requires the SoA to list every Annex A control, state whether it is included, give the justification for inclusion or exclusion, and record whether it is implemented; an exclusion with no justification is a routine Stage 1 finding. The SoA is the document the auditor reads first.)
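A completeness check for the SoA, added here as an example and not part of the VantagePoint pack. It assumes the SoA is exported as CSV with the columns `Control`, `Applicability`, `Status`, `Justification` and `EvidenceRef` (an assumption, not a format the page defines); the sample rows are constructed and deliberately contain a duplicate, an unjustified exclusion, an applicable control with no evidence and a control number that does not exist. The control numbering and the list of 11 new controls come from the tables above.

```python
"""Added example (not part of the VantagePoint pack): completeness check for
an SoA kept as CSV. Assumptions not in the original page: the CSV columns are
Control, Applicability, Status, Justification, EvidenceRef; the sample rows
below are constructed for this example."""
import csv
import io
from collections import Counter

# Annex A 2022 numbering: 37 + 8 + 14 + 34 = 93 controls.
THEME_SIZES = {"5": 37, "6": 8, "7": 14, "8": 34}
ALL_CONTROLS = [f"{t}.{i}" for t, n in THEME_SIZES.items() for i in range(1, n + 1)]

# The 11 controls introduced in the 2022 revision.
NEW_2022 = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10", "8.11",
            "8.12", "8.16", "8.23", "8.28"}

# Status vocabulary the pack uses; anything else is a data-quality finding.
OK_STATUS = {"Implemented", "Partial", "In progress", "Not started"}

# Constructed sample SoA: deliberately contains a duplicate row (5.1), an
# unjustified exclusion (7.4), an applicable control without evidence (8.12)
# and a control id that does not exist (8.35).
SAMPLE_SOA = """\
Control,Applicability,Status,Justification,EvidenceRef
5.1,Applicable,Implemented,Mandatory ISMS policy baseline,Policy v1.2
5.1,Applicable,Implemented,Mandatory ISMS policy baseline,Policy v1.2
5.7,Applicable (NEW),Partial,External threat exposure,TI feed live
5.23,Applicable (NEW),Implemented,Cloud services in scope,Cloud usage policy v1
7.4,Not applicable,Not applicable,,
8.4,Not applicable,Not applicable,No source code held in scope,
8.12,Applicable (NEW),In progress,Data exfiltration risk,
8.16,Applicable,Implemented,Undetected compromise risk,Sentinel rule pack live
8.35,Applicable,Implemented,Typo in control id,Policy v9
"""


def load_soa(text):
    """Parse SoA CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_applicable(row):
    """'Applicable' and 'Applicable (NEW)' count; 'Not applicable' does not."""
    return row["Applicability"].strip().lower().startswith("applicable")


def check_soa(rows):
    """Return findings keyed by problem class; each value is a list of control ids."""
    findings = {
        "unknown_control": [], "duplicate": [], "missing": [],
        "new_control_missing": [], "applicable_no_evidence": [],
        "excluded_no_justification": [], "bad_status": [],
    }
    seen = Counter(r["Control"].strip() for r in rows)
    for cid, n in seen.items():
        if cid not in ALL_CONTROLS:
            findings["unknown_control"].append(cid)
        elif n > 1:
            findings["duplicate"].append(cid)
    for cid in ALL_CONTROLS:            # every one of the 93 must appear
        if cid not in seen:
            findings["missing"].append(cid)
            if cid in NEW_2022:
                findings["new_control_missing"].append(cid)
    for r in rows:
        cid = r["Control"].strip()
        if cid not in ALL_CONTROLS:
            continue
        if is_applicable(r):
            if r["Status"].strip() not in OK_STATUS:
                findings["bad_status"].append(cid)
            if not r["EvidenceRef"].strip():
                findings["applicable_no_evidence"].append(cid)
        elif not r["Justification"].strip():   # clause 6.1.3 d) exclusions
            findings["excluded_no_justification"].append(cid)
    return findings


def readiness(rows):
    """Per theme: (applicable controls marked Implemented, applicable controls)."""
    out = {}
    for t in THEME_SIZES:
        applicable, implemented = set(), set()
        for r in rows:
            cid = r["Control"].strip()
            if cid not in ALL_CONTROLS or not cid.startswith(t + "."):
                continue
            if is_applicable(r):
                applicable.add(cid)
                if r["Status"].strip() == "Implemented":
                    implemented.add(cid)
        out[t] = (len(implemented), len(applicable))
    return out


if __name__ == "__main__":
    rows = load_soa(SAMPLE_SOA)
    for problem, ids in check_soa(rows).items():
        if ids:
            print(f"{problem:28s} {len(ids):3d}  {', '.join(ids[:8])}")
    for theme, (done, total) in readiness(rows).items():
        print(f"theme {theme}: {done}/{total} applicable controls implemented")
```

Run it against your real export before the Stage 1 dry run: `missing` and `new_control_missing` should both be empty, and every id in `excluded_no_justification` needs a sentence in the Justification column before the auditor sees the SoA.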

## 7. Audit preparation timeline (12 weeks pre-Stage-1)

| Week | Activity |
|---|---|
| -12 | SoA draft, gap analysis against 93 controls |
| -10 | Remediation plan owner per gap |
| -8 | Internal audit pass 1 (organisational + people themes) |
| -6 | Internal audit pass 2 (physical + technological themes) |
| -4 | Management review meeting + corrective actions |
| -2 | Final pre-audit dry run |
| -1 | Auditor pre-meet, scope confirmation |
| 0 | Stage 1 audit (documentation review) |
| +4 | Address Stage 1 findings |
| +6 | Stage 2 audit (implementation review, on-site) |
| +8 | Address Stage 2 findings (typically minor non-conformities) |
| +12 | Certification issued |

## 8. Most common audit findings (across UK / EU SMBs)

1. **Risk register hasn't been reviewed in 6+ months.** This is a clause 6.1.2 / 8.2 (risk assessment) requirement of the main standard rather than an Annex A control, but it drives the SoA, so the finding usually lands against the SoA and several 5.x controls.
2. **Asset inventory incomplete** — usually missing cloud SaaS apps, BYOD, dev environments. (5.9)
3. **Access reviews not happening at the documented cadence**. (5.18)
4. **Supplier reviews missing or rubber-stamped**. (5.22)
5. **Cryptographic key lifecycle not documented**. (8.24)
6. **DR test not happening** or test scope so narrow it doesn't prove RTO/RPO. (5.30)
7. **Threat intelligence consumed but not actioned** (5.7) — auditors specifically look for action evidence on this control in the 2022 revision.
8. **Logging without monitoring** — logs collected but no alert review evidence. (8.15 + 8.16)
9. **No defined posture for new control 8.12 (DLP)** — auditors expect a documented position even where it is "residual risk accepted"; the acceptance has to appear in the risk register and the SoA, not just be said in the meeting.
10. **Documented policies that staff have never seen** — attestation tracker missing. (5.1 + 6.3)
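Findings 1, 3, 4 and 6 above are all the same failure: recurring evidence that has gone stale against the cadence your own policy commits to. The script below, added here as an example rather than part of the pack, flags stale, nearly due and missing items in an evidence register before the auditor samples them. The cadences, the register entries and the `as_of` date are constructed for the example; replace the cadence table with the figures your policies actually state.

```python
"""Added example (not from the VantagePoint pack): flag stale or missing
recurring evidence before an auditor does. The cadences, the control-to-evidence
mapping and the register entries are constructed for this example; set the
cadences to whatever your own policies commit to."""
from datetime import date

# Maximum age (days) your documented cadence allows for each recurring item.
# Assumed values: the audit findings above name the controls, not the cadences.
CADENCE_DAYS = {
    "Clause 6.1.2/8.2": 180,  # risk assessment / risk register review
    "5.5": 365,               # authority contact list tested
    "5.18": 90,               # access recertification
    "5.22": 365,              # supplier review
    "5.30": 365,              # DR test
    "6.3": 365,               # awareness training refresher
    "8.8": 30,                # vulnerability scan
}

# Constructed evidence register: (control, description, date last performed).
# Several entries for one control are allowed; the latest one counts.
REGISTER = [
    ("5.18", "Q3 access recertification", "2025-07-02"),
    ("5.18", "Q4 access recertification", "2025-10-15"),
    ("5.22", "Tier-1 supplier review", "2025-03-10"),
    ("5.30", "DR failover test", "2025-01-20"),
    ("6.3", "Annual awareness training", "2025-11-03"),
    ("8.8", "External vulnerability scan", "2026-02-20"),
]


def _as_date(value):
    """Accept either a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def latest_by_control(register):
    """Most recent evidence date per control."""
    latest = {}
    for control, _desc, when in register:
        d = date.fromisoformat(when)
        if control not in latest or d > latest[control]:
            latest[control] = d
    return latest


def assess(register, cadences, as_of, warn_days=14):
    """Classify each control with a cadence as stale, due_soon, ok or missing.

    Returns a dict of lists; stale/due_soon/ok entries are
    (control, days_since, cadence), missing entries are bare control ids."""
    as_of = _as_date(as_of)
    latest = latest_by_control(register)
    result = {"stale": [], "due_soon": [], "ok": [], "missing": []}
    for control, cadence in cadences.items():
        if control not in latest:          # no evidence on record at all
            result["missing"].append(control)
            continue
        days = (as_of - latest[control]).days
        item = (control, days, cadence)
        if days > cadence:
            result["stale"].append(item)
        elif days > cadence - warn_days:   # inside the warning window
            result["due_soon"].append(item)
        else:
            result["ok"].append(item)
    return result


def days_since(register, control, as_of):
    """Age in days of the latest evidence for one control."""
    return (_as_date(as_of) - latest_by_control(register)[control]).days


if __name__ == "__main__":
    report = assess(REGISTER, CADENCE_DAYS, "2026-03-01")
    for control, days, cadence in report["stale"]:
        print(f"STALE    {control:18s} {days:4d} days old, cadence {cadence}")
    for control, days, cadence in report["due_soon"]:
        print(f"DUE SOON {control:18s} {days:4d} days old, cadence {cadence}")
    for control in report["missing"]:
        print(f"MISSING  {control:18s} no evidence on record")
```

Anything in `missing` is worse than anything in `stale`: a stale review shows the process exists and slipped, an empty record suggests the process was never run. Schedule the script with `as_of` set to the Stage 2 date so you see what will be out of cadence on the day the auditor arrives, not today.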

## 9. How VantagePoint material maps in

| Annex A area | Skill / template |
|---|---|
| Policies (5.1) | `/security-policy-drafter` |
| Asset register (5.9) | `network-inventory-tracker.csv` (extend) |
| Access review (5.18) | `/access-review` |
| Supplier review (5.22) | `/supplier-review-meeting` |
| Cloud (5.23) | `aws-landing-zone-reference.md`, `azure-landing-zone-reference.md` |
| Incident response (5.24-27) | `incident-response-runbook.md`, `/incident-responder`, `/post-mortem-facilitator` |
| DR (5.30) | `disaster-recovery-runbook.md`, `/dr-test-planner` |
| End-point (8.1) | Configuration baselines + `/config-auditor` |
| Vulnerability mgmt (8.8) | `network-security-audit-checklist.md` |
| Configuration mgmt (8.9) | `configs/` folder + `/config-auditor` |
| Logging / monitoring (8.15-16) | `sentinel-kql-detection-pack.md` |
| Network security (8.20-22) | `configs/`, `diagrams/`, `/vlan-designer` |
| Change mgmt (8.32) | `change-management-runbook.md`, `/change-request-writer`, `/cab-minute-taker` |

## 10. References

- ISO/IEC 27001:2022 — Information Security Management Systems
- ISO/IEC 27002:2022 — Information Security Controls (the implementation guidance)
- BSI website (UK certification body): https://www.bsigroup.com
- IASME (alternative UK CB): https://iasme.co.uk

---

**Authored by:** VantagePoint Networks (Hak, Senior Engineer & Author)
**Licence:** MIT — use, adapt for client engagements, certifications, internal evidence libraries.
