ISO 27001:2022 — EVIDENCE MAP¶
OWNER: amber
UPDATED: 2026-03-24
SCOPE: master evidence matrix — every Annex A control mapped to evidence producer, format, schedule, and auditor
PURPOSE: amber uses this as the definitive checklist for internal audits and certification preparation
HOW_TO_USE_THIS_MAP¶
- For each control, identify the EVIDENCE_PRODUCER (the agent or system that generates the evidence)
- Verify evidence EXISTS in the specified FORMAT at the specified LOCATION
- Check evidence is CURRENT per the REVIEW_SCHEDULE
- Flag any GAPS for remediation before external audit
- Log findings in audit report per audit-procedures.md
RULE: evidence MUST be generated as a byproduct of normal operations — not created for audits
RULE: if evidence requires manual creation, flag for automation (compliance-automation.md)
A.5 — ORGANIZATIONAL CONTROLS — EVIDENCE¶
A.5.1 — Policies for information security¶
EVIDENCE_PRODUCER: julian
FORMAT: markdown documents in wiki
LOCATION: ge-ops/wiki/docs/ (various domain pages)
EVIDENCE_ITEMS:
- Information security policy (signed, dated)
- Topic-specific policies (access control, crypto, remote working, etc.)
- Policy review records (git history showing annual review)
- Policy communication records (agent boot injection logs)
REVIEW_SCHEDULE: annual policy review, quarterly check that all policies current
AUDITOR: amber
A.5.2 — Information security roles and responsibilities¶
EVIDENCE_PRODUCER: julian
FORMAT: JSON (registry), markdown (RACI)
LOCATION: ge-ops/master/AGENT-REGISTRY.json, wiki RACI matrix
EVIDENCE_ITEMS:
- AGENT-REGISTRY.json with role assignments
- RACI matrix for ISMS activities
- Job descriptions / agent profiles with security responsibilities
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.5.3 — Segregation of duties¶
EVIDENCE_PRODUCER: julian, faye
FORMAT: DAG configuration, pipeline definitions
LOCATION: config/dolly-routing.yaml, work package DAG definitions
EVIDENCE_ITEMS:
- Pipeline configuration showing separation (dev ≠ reviewer ≠ tester ≠ deployer)
- DAG enforcement logs showing swim-lane compliance
- Work package assignments showing no self-review
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.5.4 — Management responsibilities¶
EVIDENCE_PRODUCER: dirk-jan (human)
FORMAT: meeting minutes, policy sign-off
LOCATION: wiki management review records
EVIDENCE_ITEMS:
- Management review minutes showing security discussion
- Policy approval records
- Resource allocation decisions for security
REVIEW_SCHEDULE: quarterly (management review cycle)
AUDITOR: amber
A.5.5 — Contact with authorities¶
EVIDENCE_PRODUCER: julian
FORMAT: markdown register
LOCATION: wiki compliance domain
EVIDENCE_ITEMS:
- Authority contact register (AP, NCSC-NL, cert body)
- Contact procedures for breach notification
- Annual verification that contacts are current
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.5.6 — Contact with special interest groups¶
EVIDENCE_PRODUCER: julian
FORMAT: membership records, participation logs
LOCATION: wiki compliance domain
EVIDENCE_ITEMS:
- Membership records (ISACA, IAPP, CSA)
- Conference attendance / webinar participation
- Relevant information received and actioned
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.5.7 — Threat intelligence¶
EVIDENCE_PRODUCER: victoria
FORMAT: reports, advisory logs
LOCATION: wiki security domain, scan databases
EVIDENCE_ITEMS:
- Threat intelligence sources list (CVE feeds, vendor advisories)
- Advisory review log (date, advisory, assessment, action)
- Trivy DB update logs (showing current threat data)
- Threat landscape assessment (annual)
REVIEW_SCHEDULE: continuous (advisories), annual (landscape)
AUDITOR: amber
A.5.8 — Information security in project management¶
EVIDENCE_PRODUCER: faye, anna
FORMAT: work package specifications
LOCATION: PostgreSQL work_packages table, wiki
EVIDENCE_ITEMS:
- Work package templates showing security requirements section
- Completed work packages with security requirements filled
- Security review gate evidence (pre-deployment checks)
REVIEW_SCHEDULE: per project, quarterly sample review
AUDITOR: amber
A.5.9 — Inventory of information and other associated assets¶
EVIDENCE_PRODUCER: julian, arjan
FORMAT: JSON, YAML, markdown
LOCATION: AGENT-REGISTRY.json, k8s manifests, wiki
EVIDENCE_ITEMS:
- Information asset inventory (data types, classification, owner)
- Infrastructure asset inventory (k8s resources, network, storage)
- Software asset inventory (applications, libraries, versions)
- Asset ownership assignments
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.5.10 — Acceptable use¶
EVIDENCE_PRODUCER: julian
FORMAT: markdown policy
LOCATION: constitution.md, wiki
EVIDENCE_ITEMS:
- Acceptable use policy
- Constitution (agent behavioral rules)
- Capability restriction configurations
- Violation records (if any)
REVIEW_SCHEDULE: annual policy review
AUDITOR: amber
A.5.11 — Return of assets¶
EVIDENCE_PRODUCER: hilrieke
FORMAT: checklists, logs
LOCATION: wiki HR domain
EVIDENCE_ITEMS:
- Offboarding checklist template
- Completed offboarding records
- Credential revocation confirmations
- Agent decommissioning records
REVIEW_SCHEDULE: per event, annual procedure review
AUDITOR: amber
A.5.12 — Classification of information¶
EVIDENCE_PRODUCER: julian
FORMAT: classification scheme document, labeled assets
LOCATION: wiki compliance domain
EVIDENCE_ITEMS:
- Classification policy (PUBLIC/INTERNAL/CONFIDENTIAL/RESTRICTED)
- Classification implementation evidence (labeled data stores, headers)
- Handling procedures per classification level
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.5.13 — Labelling of information¶
EVIDENCE_PRODUCER: julian
FORMAT: labeling procedure, samples
LOCATION: wiki, codebase headers
EVIDENCE_ITEMS:
- Labeling procedure document
- Sample labeled assets (database columns, files, wiki pages)
- Labeling compliance check results
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.5.14 — Information transfer¶
EVIDENCE_PRODUCER: julian, stef
FORMAT: policy, TLS configuration
LOCATION: wiki, k8s manifests, network config
EVIDENCE_ITEMS:
- Information transfer policy
- TLS configuration evidence (certificate details, minimum version)
- Transfer agreement templates (for external parties)
- Encryption verification scan results
REVIEW_SCHEDULE: semi-annual
AUDITOR: amber
A.5.15 — Access control¶
EVIDENCE_PRODUCER: julian (policy), piotr (implementation)
FORMAT: policy document, RBAC configs
LOCATION: wiki, k8s RBAC manifests, Vault policies
EVIDENCE_ITEMS:
- Access control policy
- k8s RBAC role definitions
- Vault policy definitions
- Admin-ui access configuration (WebAuthn)
- Access request/approval records
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.5.16 — Identity management¶
EVIDENCE_PRODUCER: hugo
FORMAT: identity register, lifecycle records
LOCATION: AGENT-REGISTRY.json, k8s ServiceAccounts
EVIDENCE_ITEMS:
- Identity register (all human + agent identities)
- Identity lifecycle records (creation, modification, deactivation)
- Unique identifier verification (no shared accounts)
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.5.17 — Authentication information¶
EVIDENCE_PRODUCER: piotr
FORMAT: Vault audit logs, rotation logs
LOCATION: Vault, k8s secrets
EVIDENCE_ITEMS:
- Authentication policy (complexity, rotation, storage)
- Vault audit logs showing secret management
- Secret rotation records
- WebAuthn configuration evidence
- No default/shared credentials verification
REVIEW_SCHEDULE: monthly (rotation), quarterly (policy review)
AUDITOR: amber
A.5.18 — Access rights¶
EVIDENCE_PRODUCER: piotr (provisioning), amber (review)
FORMAT: access records, review reports
LOCATION: k8s RBAC, Vault, PostgreSQL roles
EVIDENCE_ITEMS:
- Access provisioning records (who got what, when, why)
- Quarterly access review reports
- Access modification/revocation records
- Orphaned access detection results
REVIEW_SCHEDULE: quarterly access review
AUDITOR: amber
A.5.19 — Supplier relationships¶
EVIDENCE_PRODUCER: julian
FORMAT: supplier register, assessment documents
LOCATION: wiki compliance domain
EVIDENCE_ITEMS:
- Supplier register (Anthropic, OpenAI, Google, Hetzner)
- Security assessment per supplier
- Contract security clauses
- DPA where applicable
- Incident notification procedures per supplier
REVIEW_SCHEDULE: annual per supplier
AUDITOR: amber
A.5.20 — Supplier agreements¶
EVIDENCE_PRODUCER: julian
FORMAT: signed agreements
LOCATION: secure document storage
EVIDENCE_ITEMS:
- Signed contracts with security clauses
- DPAs (Data Processing Agreements)
- SLAs with security provisions
- Right-to-audit clauses
REVIEW_SCHEDULE: annual review, on renewal
AUDITOR: amber
A.5.21 — ICT supply chain security¶
EVIDENCE_PRODUCER: alex/tjitte, victoria
FORMAT: SBOM, scan reports
LOCATION: CI/CD artifacts, scan results
EVIDENCE_ITEMS:
- SBOM (Software Bill of Materials) per release
- Dependency vulnerability scan results (trivy)
- Container image scan results
- Lock file integrity verification
- Open source license compliance report
REVIEW_SCHEDULE: per release (continuous), quarterly review
AUDITOR: amber
A.5.22 — Supplier monitoring¶
EVIDENCE_PRODUCER: julian
FORMAT: review logs, change assessments
LOCATION: wiki compliance domain
EVIDENCE_ITEMS:
- Supplier service monitoring log
- Change impact assessments (API changes, model updates)
- Status page monitoring evidence
- Annual supplier security review
REVIEW_SCHEDULE: continuous monitoring, annual formal review
AUDITOR: amber
A.5.23 — Cloud services security¶
EVIDENCE_PRODUCER: arjan, julian
FORMAT: cloud security policy, configuration evidence
LOCATION: wiki, k8s manifests
EVIDENCE_ITEMS:
- Cloud security policy
- Shared responsibility model documentation
- Pod Security Standards configuration
- Network policy manifests
- Cloud service inventory with security classification
REVIEW_SCHEDULE: semi-annual
AUDITOR: amber
A.5.24 — Incident management planning¶
EVIDENCE_PRODUCER: mira
FORMAT: incident response plan, playbooks
LOCATION: wiki incident-response domain
EVIDENCE_ITEMS:
- Incident response plan
- Incident classification criteria
- Escalation matrix
- Communication templates
- Tabletop exercise records
REVIEW_SCHEDULE: annual plan review, semi-annual exercise
AUDITOR: amber
SEE_ALSO: domains/incident-response/index.md
A.5.25 — Event assessment¶
EVIDENCE_PRODUCER: mira, victoria
FORMAT: classification procedures, triage logs
LOCATION: wiki, monitoring system
EVIDENCE_ITEMS:
- Event classification procedure
- Triage criteria documentation
- Sample triage records
REVIEW_SCHEDULE: annual procedure review
AUDITOR: amber
A.5.26 — Incident response¶
EVIDENCE_PRODUCER: mira
FORMAT: incident records, response logs
LOCATION: PostgreSQL incident table, wiki
EVIDENCE_ITEMS:
- Incident response records (chronological)
- Containment action logs
- Communication records (internal and external)
- Resolution confirmation
REVIEW_SCHEDULE: per incident, quarterly summary
AUDITOR: amber
A.5.27 — Learning from incidents¶
EVIDENCE_PRODUCER: mira, eltjo
FORMAT: post-incident reviews, wiki learnings
LOCATION: wiki, session_learnings table
EVIDENCE_ITEMS:
- Post-incident review reports
- Lessons learned documents
- Control improvements implemented post-incident
- Wiki updates from incident learnings
REVIEW_SCHEDULE: per incident
AUDITOR: amber
A.5.28 — Evidence collection¶
EVIDENCE_PRODUCER: mira, julian
FORMAT: evidence handling procedure
LOCATION: wiki
EVIDENCE_ITEMS:
- Evidence handling procedure
- Chain of custody documentation template
- Log preservation configuration
- Immutable logging evidence
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.5.29 — Security during disruption¶
EVIDENCE_PRODUCER: julian, otto
FORMAT: BCP with security provisions
LOCATION: wiki
EVIDENCE_ITEMS:
- Business continuity plan with security sections
- Recovery procedures including security validation steps
- Disruption scenario security assessment
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.5.30 — ICT readiness for business continuity¶
EVIDENCE_PRODUCER: otto, arjan
FORMAT: ICT continuity plan, test results
LOCATION: wiki, test records
EVIDENCE_ITEMS:
- ICT continuity plan (RTO, RPO per system)
- Backup schedule and verification
- Recovery test results (monthly restore test)
- k3s recovery procedure
REVIEW_SCHEDULE: monthly (backup tests), annual (plan review)
AUDITOR: amber
A.5.31 — Legal and regulatory requirements¶
EVIDENCE_PRODUCER: julian
FORMAT: regulatory register
LOCATION: wiki eu-regulation domain
EVIDENCE_ITEMS:
- Regulatory register (GDPR, AI Act, NIS2, CRA, etc.)
- Compliance status per requirement
- Legal counsel records for complex requirements
- Regulatory change monitoring evidence
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.5.32 — Intellectual property rights¶
EVIDENCE_PRODUCER: julian
FORMAT: IP policy, license inventory
LOCATION: wiki, CI/CD scan results
EVIDENCE_ITEMS:
- IP protection policy
- Open source license inventory
- License compliance scan results
- Client contract IP clauses
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.5.33 — Protection of records¶
EVIDENCE_PRODUCER: boris, julian
FORMAT: records policy, backup evidence
LOCATION: wiki, PostgreSQL, backup logs
EVIDENCE_ITEMS:
- Records management policy
- Retention schedule per record type
- Backup verification logs
- Access control on records
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.5.34 — Privacy and PII protection¶
EVIDENCE_PRODUCER: julian
FORMAT: privacy framework documents
LOCATION: wiki compliance and privacy domains
EVIDENCE_ITEMS:
- Privacy policy
- ROPA (Records of Processing Activities)
- DPIAs (Data Protection Impact Assessments)
- DPAs (Data Processing Agreements)
- Data subject rights procedure
- Breach notification procedure
REVIEW_SCHEDULE: annual, on new processing activity
AUDITOR: amber
SEE_ALSO: gdpr-implementation.md
A.5.35 — Independent review¶
EVIDENCE_PRODUCER: amber (internal), external auditor
FORMAT: audit reports
LOCATION: wiki, secure document storage
EVIDENCE_ITEMS:
- Internal audit programme (annual)
- Internal audit reports
- External audit reports (certification)
- Management review of audit results
REVIEW_SCHEDULE: per audit programme
AUDITOR: external auditor (for amber's own work)
A.5.36 — Compliance with policies¶
EVIDENCE_PRODUCER: amber
FORMAT: compliance review reports
LOCATION: wiki, audit records
EVIDENCE_ITEMS:
- Compliance review reports
- Automated compliance check results
- Constitution adherence monitoring data
- Non-compliance findings and corrective actions
REVIEW_SCHEDULE: quarterly
AUDITOR: amber (with independent review per A.5.35)
A.5.37 — Documented operating procedures¶
EVIDENCE_PRODUCER: all domain owners
FORMAT: markdown procedures in wiki
LOCATION: ge-ops/wiki/docs/
EVIDENCE_ITEMS:
- Procedure index (all documented procedures with owners and dates)
- Version history (git log)
- Procedure review records
- JIT injection logs (showing procedures delivered to agents)
REVIEW_SCHEDULE: annual per procedure
AUDITOR: amber
A.6 — PEOPLE CONTROLS — EVIDENCE¶
A.6.1 — Screening¶
EVIDENCE_PRODUCER: hilrieke
EVIDENCE_ITEMS: screening policy, background check records (humans), agent validation records
REVIEW_SCHEDULE: per hire, annual policy review
AUDITOR: amber
A.6.2 — Terms and conditions¶
EVIDENCE_PRODUCER: hilrieke
EVIDENCE_ITEMS: employment contract templates with security clauses, signed contracts, constitution binding records
REVIEW_SCHEDULE: per hire, annual template review
AUDITOR: amber
A.6.3 — Awareness and training¶
EVIDENCE_PRODUCER: julian (programme), hilrieke (delivery)
EVIDENCE_ITEMS: training programme document, training records, constitution injection logs, wiki access logs
REVIEW_SCHEDULE: annual programme review, quarterly completion check
AUDITOR: amber
A.6.4 — Disciplinary process¶
EVIDENCE_PRODUCER: hilrieke
EVIDENCE_ITEMS: disciplinary policy, violation records, corrective action records, agent suspension logs
REVIEW_SCHEDULE: annual policy review, per event
AUDITOR: amber
A.6.5 — Post-termination responsibilities¶
EVIDENCE_PRODUCER: hilrieke
EVIDENCE_ITEMS: post-termination clauses in contracts, NDA survival clauses, offboarding records
REVIEW_SCHEDULE: annual policy review
AUDITOR: amber
A.6.6 — Confidentiality agreements¶
EVIDENCE_PRODUCER: julian
EVIDENCE_ITEMS: NDA register, signed NDAs, annual NDA review records
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.6.7 — Remote working¶
EVIDENCE_PRODUCER: julian
EVIDENCE_ITEMS: remote working policy, security requirements checklist, VPN/SSH configuration
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.6.8 — Security event reporting¶
EVIDENCE_PRODUCER: mira
EVIDENCE_ITEMS: reporting procedure, reporting mechanism evidence, reported events log, response records
REVIEW_SCHEDULE: annual procedure review, continuous event monitoring
AUDITOR: amber
A.7 — PHYSICAL CONTROLS — EVIDENCE¶
NOTE: most physical controls are Hetzner's responsibility. Evidence = Hetzner certifications + GE remote working controls.
A.7.1-A.7.6 — Datacenter physical security¶
EVIDENCE_PRODUCER: arjan (Hetzner liaison)
EVIDENCE_ITEMS: Hetzner ISO 27001 certificate, Hetzner security documentation, SLA with physical security provisions
REVIEW_SCHEDULE: annual (Hetzner certificate renewal check)
AUDITOR: amber
A.7.7 — Clear desk and clear screen¶
EVIDENCE_PRODUCER: julian
EVIDENCE_ITEMS: policy document, awareness training including clear desk/screen
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.7.8-A.7.14 — Equipment and infrastructure¶
EVIDENCE_PRODUCER: arjan, gerco
EVIDENCE_ITEMS: Hetzner datacenter documentation, device encryption verification (humans), maintenance records, disposal procedures
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.8 — TECHNOLOGICAL CONTROLS — EVIDENCE¶
A.8.1 — User endpoint devices¶
EVIDENCE_PRODUCER: gerco
EVIDENCE_ITEMS: endpoint policy, device inventory, encryption verification, patch compliance report
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.2 — Privileged access rights¶
EVIDENCE_PRODUCER: piotr
EVIDENCE_ITEMS: privileged account inventory, RBAC configuration, Vault admin policy, access review records
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.3 — Information access restriction¶
EVIDENCE_PRODUCER: piotr
EVIDENCE_ITEMS: k8s RBAC manifests, network policies, database role configuration, Vault path policies
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.4 — Source code access¶
EVIDENCE_PRODUCER: marta
EVIDENCE_ITEMS: git access configuration, branch protection rules, PR requirement evidence, access audit log
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.5 — Secure authentication¶
EVIDENCE_PRODUCER: piotr, hugo
EVIDENCE_ITEMS: authentication configuration, WebAuthn setup evidence, MFA enforcement, token management procedure
REVIEW_SCHEDULE: semi-annual
AUDITOR: amber
A.8.6 — Capacity management¶
EVIDENCE_PRODUCER: nessa
EVIDENCE_ITEMS: resource limit configurations, HPA settings, capacity monitoring dashboards, capacity planning records
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.7 — Malware protection¶
EVIDENCE_PRODUCER: victoria
EVIDENCE_ITEMS: container image scan reports (trivy), minimal base image evidence, PSS configuration, runtime monitoring (Falco)
REVIEW_SCHEDULE: continuous (scans), quarterly (review)
AUDITOR: amber
A.8.8 — Technical vulnerability management¶
EVIDENCE_PRODUCER: victoria
EVIDENCE_ITEMS: vulnerability scan reports, CVE tracking register, patch records with SLA compliance, remediation evidence
REVIEW_SCHEDULE: weekly (scans), monthly (SLA report)
AUDITOR: amber
A.8.9 — Configuration management¶
EVIDENCE_PRODUCER: arjan, alex/tjitte
EVIDENCE_ITEMS: GitOps configuration (all config in git), kube-bench reports, configuration baseline, drift detection results
REVIEW_SCHEDULE: continuous (GitOps), quarterly (kube-bench)
AUDITOR: amber
A.8.10 — Information deletion¶
EVIDENCE_PRODUCER: boris
EVIDENCE_ITEMS: retention policy, automated deletion job configurations, deletion execution logs, verification records
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.11 — Data masking¶
EVIDENCE_PRODUCER: boris
EVIDENCE_ITEMS: masking policy, masking rules configuration, log samples showing masked PII, test data anonymization evidence
REVIEW_SCHEDULE: semi-annual
AUDITOR: amber
A.8.12 — Data leakage prevention¶
EVIDENCE_PRODUCER: victoria
EVIDENCE_ITEMS: DLP policy, secrets scanning configuration, egress policy, blocked leak attempt logs
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.13 — Information backup¶
EVIDENCE_PRODUCER: otto
EVIDENCE_ITEMS: backup policy, backup job execution logs, monthly restore test results, RTO/RPO verification
REVIEW_SCHEDULE: monthly (restore test), annual (policy)
AUDITOR: amber
A.8.14 — Redundancy¶
EVIDENCE_PRODUCER: arjan
EVIDENCE_ITEMS: architecture documentation, redundancy configuration, availability monitoring records, risk acceptance (single-node)
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.8.15 — Logging¶
EVIDENCE_PRODUCER: victoria, gerco
EVIDENCE_ITEMS: logging configuration, k8s audit policy, log retention verification, log access controls, sample log integrity checks
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.16 — Monitoring activities¶
EVIDENCE_PRODUCER: victoria, annegreet, ron, mira
EVIDENCE_ITEMS: monitoring configuration, Falco rules, alert rules, monitoring agent reports, anomaly detection results
REVIEW_SCHEDULE: continuous (monitoring), quarterly (configuration review)
AUDITOR: amber
A.8.17 — Clock synchronization¶
EVIDENCE_PRODUCER: gerco
EVIDENCE_ITEMS: NTP configuration, time sync verification across systems
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.8.18 — Privileged utility programs¶
EVIDENCE_PRODUCER: gerco
EVIDENCE_ITEMS: sudo configuration, k8s exec RBAC, utility usage logging
REVIEW_SCHEDULE: semi-annual
AUDITOR: amber
A.8.19 — Software installation¶
EVIDENCE_PRODUCER: arjan, gerco
EVIDENCE_ITEMS: immutable container image evidence, Dockerfile-only install policy, CI/CD pipeline logs, verification that kubectl cp is not used to install software
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.20 — Network security¶
EVIDENCE_PRODUCER: stef
EVIDENCE_ITEMS: network policy manifests, firewall rules, port scan results, TLS enforcement evidence
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.21 — Network service security¶
EVIDENCE_PRODUCER: stef, jette
EVIDENCE_ITEMS: TLS configuration, certificate inventory with expiry dates, service security assessments
REVIEW_SCHEDULE: monthly (certificate check), quarterly (service review)
AUDITOR: amber
A.8.22 — Network segregation¶
EVIDENCE_PRODUCER: stef
EVIDENCE_ITEMS: k8s namespace configuration, inter-namespace network policies, network architecture diagram
REVIEW_SCHEDULE: semi-annual
AUDITOR: amber
A.8.23 — Web filtering¶
EVIDENCE_PRODUCER: stef
EVIDENCE_ITEMS: egress network policies, allowed/blocked destination lists, agent outbound restriction configuration
REVIEW_SCHEDULE: quarterly
AUDITOR: amber
A.8.24 — Use of cryptography¶
EVIDENCE_PRODUCER: piotr, jette
EVIDENCE_ITEMS: crypto policy, TLS version/cipher configuration, key management procedure, certificate inventory, encryption-at-rest configuration
REVIEW_SCHEDULE: semi-annual
AUDITOR: amber
A.8.25 — Secure development lifecycle¶
EVIDENCE_PRODUCER: julian (policy), koen/eric (implementation)
EVIDENCE_ITEMS: secure SDLC policy (CODEBASE-STANDARDS.md), code review records, security test results, semgrep configuration
REVIEW_SCHEDULE: annual (policy), continuous (reviews/tests)
AUDITOR: amber
A.8.26 — Application security requirements¶
EVIDENCE_PRODUCER: anna
EVIDENCE_ITEMS: formal specifications with security requirements section, requirement traceability matrix
REVIEW_SCHEDULE: per work package
AUDITOR: amber
A.8.27 — Secure engineering principles¶
EVIDENCE_PRODUCER: julian
EVIDENCE_ITEMS: security architecture document, design principles (wiki), architecture review records
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.8.28 — Secure coding¶
EVIDENCE_PRODUCER: koen/eric
EVIDENCE_ITEMS: secure coding standard, semgrep rule set, code review checklists, review completion records
REVIEW_SCHEDULE: continuous (reviews), annual (standard update)
AUDITOR: amber
A.8.29 — Security testing¶
EVIDENCE_PRODUCER: ashley, marije/judith
EVIDENCE_ITEMS: security test plans, SAST results (semgrep), dependency scan results (trivy), adversarial test results, penetration test reports (pol)
REVIEW_SCHEDULE: per release (SAST/scanning), annual (penetration test)
AUDITOR: amber
A.8.30 — Outsourced development¶
EVIDENCE_PRODUCER: julian
EVIDENCE_ITEMS: LLM provider security assessments, API usage monitoring reports, output validation evidence
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.8.31 — Environment separation¶
EVIDENCE_PRODUCER: arjan, alex/tjitte
EVIDENCE_ITEMS: namespace configuration, environment-specific secret management, data separation verification, no-production-data-in-dev evidence
REVIEW_SCHEDULE: semi-annual
AUDITOR: amber
A.8.32 — Change management¶
EVIDENCE_PRODUCER: marta, leon
EVIDENCE_ITEMS: change management procedure, PR history, code review records, deployment logs, rollback records
REVIEW_SCHEDULE: continuous (per change), quarterly (process review)
AUDITOR: amber
A.8.33 — Test information¶
EVIDENCE_PRODUCER: marije/judith, antje
EVIDENCE_ITEMS: test data management procedure, generated test data evidence, anonymization records if production data used
REVIEW_SCHEDULE: annual
AUDITOR: amber
A.8.34 — Audit testing protection¶
EVIDENCE_PRODUCER: amber, julian
EVIDENCE_ITEMS: audit test plans, scope agreements, read-only access evidence, penetration test scoping documents
REVIEW_SCHEDULE: per audit
AUDITOR: external oversight
EVIDENCE_REVIEW_CALENDAR¶
MONTHLY¶
- Backup restore test results (A.8.13) — otto
- Certificate expiry check (A.8.21) — jette
- Secret rotation compliance (A.5.17) — piotr
- Vulnerability SLA compliance (A.8.8) — victoria
QUARTERLY¶
- Access review (A.5.18) — amber + piotr
- Asset inventory update (A.5.9) — julian + arjan
- Risk register update (clause 6.1) — julian
- Compliance review (A.5.36) — amber
- Network policy review (A.8.20) — stef
- Monitoring configuration review (A.8.16) — victoria
- Management review input preparation — julian
SEMI-ANNUAL¶
- Incident response exercise (A.5.24) — mira
- Cryptography review (A.8.24) — piotr + jette
- Environment separation verification (A.8.31) — arjan
- Supplier monitoring review (A.5.22) — julian
ANNUAL¶
- Full policy review cycle (A.5.1) — julian
- Threat landscape assessment (A.5.7) — victoria
- Training programme review (A.6.3) — julian
- Regulatory register update (A.5.31) — julian
- ICT continuity plan review (A.5.30) — otto
- Secure SDLC review (A.8.25) — julian
- Penetration test (A.8.29) — pol
- Full internal audit cycle (A.5.35) — amber
GAP_TRACKING_TEMPLATE¶
CONTROL: [A.x.x — control name]
STATUS: [compliant / partial / non-compliant / not-applicable]
GAP_DESCRIPTION: [what is missing]
RISK_LEVEL: [high / medium / low]
REMEDIATION_OWNER: [agent name]
REMEDIATION_DEADLINE: [date]
EVIDENCE_NEEDED: [what evidence will demonstrate compliance]
NOTES: [additional context]
RULE: all gaps tracked in remediation register
RULE: high-risk gaps escalated to management review
RULE: gap status updated at each internal audit
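The checks listed under HOW_TO_USE_THIS_MAP (evidence exists, is current per REVIEW_SCHEDULE, gaps flagged) and the GAP_TRACKING_TEMPLATE above, as an added Python example that is not part of this map or of any GE tooling: it parses records written in this map's KEY: value layout, compares each control's last evidence date against the strictest period named in its REVIEW_SCHEDULE, and emits gap records carrying the template's keys. The day thresholds per schedule keyword, the RISK_LEVEL heuristic, and the sample evidence dates are assumptions of the example.

```python
import re
from datetime import date, timedelta

# Max evidence age per REVIEW_SCHEDULE keyword (assumed day counts, not from the map).
SCHEDULE_MAX_AGE = {
    "weekly": timedelta(days=7), "continuous": timedelta(days=7),
    "monthly": timedelta(days=31), "quarterly": timedelta(days=92),
    "semi-annual": timedelta(days=183), "annual": timedelta(days=366),
}
# Matches 'A.5.17 — name¶' and ranges such as 'A.7.1-A.7.6 — name¶'.
CONTROL_HEADING = re.compile(r"^(A\.\d+\.\d+(?:-A\.\d+\.\d+)?)\s+—\s+(.+?)¶?$")
MAP_UPDATED = date(2026, 3, 24)  # the UPDATED date of this map, used as "today"


def parse_map(text: str) -> list:
    """Parse control headings plus the KEY: value and bullet lines beneath each one."""
    controls, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        heading = CONTROL_HEADING.match(line)
        if heading:
            current = {"id": heading.group(1), "name": heading.group(2), "attrs": {}, "items": []}
            controls.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("- "):
            current["items"].append(line[2:])  # bullet under EVIDENCE_ITEMS
        elif re.match(r"^[A-Z_]+:", line):
            key, _, value = line.partition(":")
            current["attrs"][key] = value.strip()
    return controls


def max_age(schedule: str):
    """Strictest fixed period named in a REVIEW_SCHEDULE; None if only event-driven."""
    found = [age for kw, age in SCHEDULE_MAX_AGE.items() if kw in schedule.lower()]
    return min(found) if found else None


def check_freshness(controls: list, last_evidence: dict, today: date) -> list:
    """Return gap records with GAP_TRACKING_TEMPLATE keys for missing or stale evidence."""
    gaps = []
    for c in controls:
        attrs, allowed = c["attrs"], max_age(c["attrs"].get("REVIEW_SCHEDULE", ""))
        seen = last_evidence.get(c["id"])
        if seen is None:
            status, risk = "non-compliant", "high"
            desc = "no evidence found at " + attrs.get("LOCATION", "[location not set]")
        elif allowed is not None and today - seen > allowed:
            status, risk = "partial", "medium"
            desc = f"evidence last updated {seen}, older than {allowed.days} days"
        else:
            continue  # evidence present and within its review period
        gaps.append({
            "CONTROL": f"{c['id']} — {c['name']}",
            "STATUS": status,
            "GAP_DESCRIPTION": desc,
            "RISK_LEVEL": risk,  # heuristic only; the template expects a human judgement
            "REMEDIATION_OWNER": attrs.get("EVIDENCE_PRODUCER", "[unassigned]"),
            "EVIDENCE_NEEDED": "; ".join(c["items"]) or attrs.get("EVIDENCE_ITEMS", ""),
        })
    return gaps


# Constructed sample: two records copied in the map's layout, and the
# last-modified dates an evidence collector might report (A.8.13 has none).
SAMPLE_MAP = """\
A.5.17 — Authentication information¶
EVIDENCE_PRODUCER: piotr
EVIDENCE_ITEMS:
- Secret rotation records
- WebAuthn configuration evidence
REVIEW_SCHEDULE: monthly (rotation), quarterly (policy review)
A.8.13 — Information backup¶
EVIDENCE_PRODUCER: otto
EVIDENCE_ITEMS: backup policy, backup job execution logs, monthly restore test results
REVIEW_SCHEDULE: monthly (restore test), annual (policy)
"""
SAMPLE_LAST_EVIDENCE = {"A.5.17": date(2026, 1, 10)}

if __name__ == "__main__":
    for gap in check_freshness(parse_map(SAMPLE_MAP), SAMPLE_LAST_EVIDENCE, MAP_UPDATED):
        print("\n".join(f"{k}: {v}" for k, v in gap.items()), end="\n\n")
```

Feeding it the whole map plus a dictionary of evidence dates from the LOCATION sources gives the gap list for the remediation register; event-driven schedules ("per incident", "per release") are skipped since they have no fixed period.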
SEE_ALSO: iso27001-overview.md, iso27001-annex-a.md, compliance-automation.md, audit-procedures.md