Audit evidence is documentation that demonstrates to an auditor that a control or process is implemented. Evidence can include documents, records, screenshots, configuration exports, or interview records (minutes of interviews with control owners).
ISO 27001 Clause 9.2 (Internal Audit) requires that audits are based on objective evidence. The quality of the evidence determines whether an auditor considers a control effectively implemented. Good audit evidence is dated, clearly attributable (who collected it, from which system), and reflects the actual state at the time of review rather than the intended one. Typical examples: an export of access rights from Active Directory, a timestamped screenshot of firewall rules, or the minutes of a management review. Collect evidence continuously rather than compiling it shortly before the audit, so that it shows the control operating over the whole audit period and not only a point-in-time snapshot prepared for the auditor.
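The three properties above (dated, attributable, bound to the actual state) can be enforced mechanically when evidence is collected by a scheduled job. The following is an added example, not code from the original page or from any product it mentions: it wraps a constructed sample Active Directory group-membership export in a manifest entry carrying a UTC timestamp, the collector identity, a SHA-256 of the content, and an HMAC over the entry so that later edits to either the content or the metadata are detectable. The control id, key and collector name are assumptions for the demo.

```python
"""Build a dated, attributable, tamper-evident audit evidence record.

Added example, not from the original page. The export below is constructed,
the control id (ISO 27001:2022 Annex A 5.18, Access rights) is an assumption
for the demo, and the key and collector identity are placeholders.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the shape an AD group-membership export might take.
SAMPLE_EXPORT = "\n".join([
    "Group,Member,SamAccountName",
    "Domain Admins,Alice Example,aexample",
    "Domain Admins,Break Glass,breakglass",
    "VPN Users,Bob Example,bexample",
]) + "\n"

# Hypothetical per-audit key used to MAC each manifest entry. Keep the real key
# outside the evidence store (e.g. a secrets manager) so that whoever can edit
# the evidence cannot also re-sign it.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(fields: dict) -> bytes:
    # Canonical JSON so the MAC is reproducible regardless of key order.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_evidence_record(content: str, *, control_id: str, source_system: str,
                          collected_by: str,
                          collected_at: Optional[datetime] = None) -> dict:
    """Return a manifest entry that is dated, attributable and bound to the content."""
    collected_at = collected_at or datetime.now(timezone.utc)
    if collected_at.tzinfo is None:
        # An undated or ambiguously dated export is weak evidence; refuse it.
        raise ValueError("collected_at must be timezone-aware (use UTC)")
    data = content.encode("utf-8")
    record = {
        "control_id": control_id,
        "source_system": source_system,
        "collected_by": collected_by,
        "collected_at": collected_at.isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size_bytes": len(data),
    }
    record["hmac_sha256"] = hmac.new(MANIFEST_KEY, _canonical(record),
                                     hashlib.sha256).hexdigest()
    return record


def verify_evidence_record(record: dict, content: str) -> bool:
    """True only if the metadata is unmodified and still matches the stored content."""
    claimed_mac = record.get("hmac_sha256")
    if not claimed_mac:
        return False
    fields = {k: v for k, v in record.items() if k != "hmac_sha256"}
    expected = hmac.new(MANIFEST_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(claimed_mac, expected):
        return False  # timestamp, collector or hash in the manifest was altered
    return hashlib.sha256(content.encode("utf-8")).hexdigest() == record["sha256"]


if __name__ == "__main__":
    rec = build_evidence_record(SAMPLE_EXPORT, control_id="A.5.18",
                                source_system="AD example.local",
                                collected_by="svc-evidence@example.local")
    print(json.dumps(rec, indent=2))
    print("intact:", verify_evidence_record(rec, SAMPLE_EXPORT))
    edited = SAMPLE_EXPORT.replace("bexample", "mallory")
    print("after edit:", verify_evidence_record(rec, edited))
```

Run from a scheduled job (daily or per change window) and append each record to a manifest; the auditor then gets a series of dated entries rather than a single export prepared the week before the audit, and can check any entry against the archived file.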