The three options that would not be valid audit trails are:
• Collect more evidence on how the organisation manages the Point of Contact (PoC) which monitors vulnerabilities. (Relevant to clause 8.1)
• Collect more evidence on whether terms and definitions are contained in the information security policy. (Relevant to control 5.32)
• Collect more evidence to determine if ISO 27035 (Information security incident management) is used as internal audit criteria. (Relevant to clause 8.13)
These options are not valid audit trails because they are not directly related to the information security incident management process, which is the focus of the audit. The audit trails should be relevant to the objectives, scope, and criteria of the audit, and should provide sufficient and reliable evidence to support the audit findings and conclusions [1].
Option E is not valid because the PoC is not a part of the information security incident management process, but rather a role that is responsible for reporting and escalating information security incidents to the appropriate authorities [2]. The audit trail should focus on how the PoC performs this function, not on how the organisation manages the PoC.
Option G is not valid because the terms and definitions are not a part of the information security incident management process, but rather a part of the information security policy, which is a high-level document that defines the organisation's information security objectives, principles, and responsibilities [3]. The audit trail should focus on how the information security policy is communicated, implemented, and reviewed, not on whether it contains terms and definitions.
Option H is not valid because ISO 27035 is not a part of the information security incident management process, but rather a guidance document that provides best practices for managing information security incidents [4]. The audit trail should focus on how the organisation follows the requirements of ISO/IEC 27001:2022 for information security incident management, not on whether it uses ISO 27035 as internal audit criteria.
The other options are valid audit trails because they are related to the information security incident management process, and they can provide useful evidence to evaluate the conformity and effectiveness of the process. For example:
• Option A is valid because it relates to control A.5.29, which requires the organisation to establish procedures to isolate and quarantine areas subject to information security incidents, in order to prevent further damage and preserve evidence [5]. The audit trail should collect evidence on how the organisation implements and tests these procedures, and how it ensures the continuity of information security during disruption.
• Option B is valid because it relates to control A.6.8, which requires the organisation to establish mechanisms for reporting information security events and weaknesses, and to ensure that they are communicated in a timely manner to the appropriate levels within the organisation [6]. The audit trail should collect evidence on how the organisation defines and uses these mechanisms, and how it monitors and reviews the reporting process.
• Option C is valid because it relates to clause 7.2, which requires the organisation to provide information security awareness, education, and training to all persons under its control, and to evaluate the effectiveness of these activities [7]. The audit trail should collect evidence on how the organisation identifies information security training needs, how it delivers and records the training, and how it measures the learning outcomes and feedback.
• Option D is valid because it relates to control A.5.27, which requires the organisation to learn from information security incidents and to implement corrective actions to prevent recurrence or reduce impact [8]. The audit trail should collect evidence on how the organisation analyses and documents the root causes and consequences of information security incidents, how it identifies and implements corrective actions, and how it verifies the effectiveness of these actions.
• Option F is valid because it relates to control A.5.30, which requires the organisation to establish and maintain a business continuity plan to ensure the availability of information and information processing facilities in the event of a severe information security incident [9]. The audit trail should collect evidence on how the organisation develops and updates the business continuity plan, how it tests and reviews the plan, and how it communicates and trains the relevant personnel on the plan.
References:
[1] ISO 19011:2018, 6.2
[2] ISO/IEC 27001:2022, A.6.8.1
[3] ISO/IEC 27001:2022, 5.2
[4] ISO/IEC 27035:2016, Introduction
[5] ISO/IEC 27001:2022, A.5.29
[6] ISO/IEC 27001:2022, A.6.8
[7] ISO/IEC 27001:2022, 7.2
[8] ISO/IEC 27001:2022, A.5.27
[9] ISO/IEC 27001:2022, A.5.30