Kellwick
Evidence & Audit Prep

What ISO 27001 evidence actually means

Policies describe intent. Evidence proves operation. Auditors and enterprise buyers care about the second one. Here is what strong evidence looks like, control by control.

By Kellwick Team · June 17, 2026 · 3 min read

Ask a team preparing for ISO 27001 whether they have a control, and they will show you a policy. Ask an auditor to accept that policy as proof, and they will ask a different question: show me it happening.

That gap - between a documented intention and demonstrable operation - is where most audit findings live. Understanding what counts as evidence is the single highest-leverage thing a SaaS or fintech team can get right.

Evidence is a record that a control operated

A policy says what should happen. Evidence is the artifact proving it did happen, on a date, produced by a real process. The test an auditor applies is simple: can you show me, without preparing anything special, that this control operated during the period?

Good evidence is:

  • Dated. It happened at a specific time, ideally on a predictable cadence.
  • Attributable. A named owner produced or approved it.
  • Complete. It covers the period, not one convenient sample.
  • Consequential. Something actually resulted - access was removed, a risk was re-scored, a supplier was flagged.

A screenshot of a settings page is weak evidence. A quarterly access review that shows accounts examined, decisions made, and access actually revoked - with a record of who did it - is strong evidence.

What it looks like, control by control

  • Access reviews. Weak: "we review access quarterly" in a policy. Strong: a Q2 review export showing every privileged account, the reviewer's decision, and tickets for the three accounts that were removed.
  • Supplier risk. Weak: a vendor list. Strong: a dated assessment for each critical supplier, the risk rating assigned, and a record of what you did about the ones that scored poorly.
  • Incident management. Weak: an incident policy. Strong: real incident records with timeline, impact, root cause and corrective actions - including the small ones, not just the crisis.
  • Change / release governance. Weak: "changes are reviewed." Strong: a sample of releases showing approval, testing evidence and rollback consideration, traceable to your actual pipeline.
  • Management review. Weak: a calendar invite. Strong: minutes showing what management actually reviewed, what they decided, and who owns the follow-ups.
  • Internal audit. Weak: a one-page "no issues found." Strong: an independent audit with scope, sampling, findings and tracked corrective actions.
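The four properties of good evidence and the access-review row above can be checked mechanically, which is how a team turns "we review access quarterly" into a record that survives sampling. The following is an added example, not code from the article or from Kellwick: it takes a constructed Q2 review export and the constructed current list of privileged accounts (in practice, an export from your identity provider) and reports every row that fails to be dated, attributable, complete or consequential. Names, dates and the ticket format are illustrative assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): the review period, the
# privileged accounts as currently listed in the IdP at period end, and the
# review export. Account names and ticket IDs are invented.
PERIOD_START, PERIOD_END = date(2026, 4, 1), date(2026, 6, 30)

CURRENT_PRIVILEGED = {"alice", "carol", "dave", "erin", "svc-deploy"}

REVIEW_EXPORT = [
    # account,     reviewer,  decision, reviewed_on,  ticket
    ("alice",      "j.owner", "keep",   "2026-06-12", None),
    ("bob",        "j.owner", "remove", "2026-06-12", "OPS-412"),  # removed and actually gone
    ("carol",      "",        "keep",   "2026-06-12", None),       # nobody signed the decision
    ("dave",       "j.owner", "remove", "2026-06-12", None),       # decided, never actioned
    ("svc-deploy", "j.owner", "keep",   "2026-02-03", None),       # reviewed outside the period
    # erin has no row at all
]


def check_access_review(current_privileged, export, period_start, period_end):
    """Return a sorted list of (account, problem) findings.

    Each check corresponds to one evidence property:
      dated          - the review happened inside the period
      attributable   - a named reviewer recorded the decision
      consequential  - a 'remove' decision has a ticket and the account is gone
      complete       - every privileged account at period end has a row
    """
    findings = []
    reviewed = set()
    for account, reviewer, decision, reviewed_on, ticket in export:
        reviewed.add(account)
        when = date.fromisoformat(reviewed_on)
        if not (period_start <= when <= period_end):
            findings.append((account, "dated: review outside period"))
        if not reviewer:
            findings.append((account, "attributable: no reviewer recorded"))
        if decision == "remove":
            if ticket is None:
                findings.append((account, "consequential: removal has no ticket"))
            if account in current_privileged:
                findings.append((account, "consequential: removed on paper, still privileged"))
        elif decision != "keep":
            findings.append((account, f"unknown decision {decision!r}"))
    # Completeness is judged against the live account list, not the export itself:
    # an account that was never reviewed cannot appear in the export.
    for account in current_privileged - reviewed:
        findings.append((account, "complete: privileged account never reviewed"))
    return sorted(findings)


if __name__ == "__main__":
    for account, problem in check_access_review(
        CURRENT_PRIVILEGED, REVIEW_EXPORT, PERIOD_START, PERIOD_END
    ):
        print(f"{account:12} {problem}")
```

Running this against the sample data flags carol (no reviewer), dave (twice: no ticket, and still privileged after a remove decision), erin (never reviewed) and svc-deploy (reviewed before the period opened); alice and bob pass. The point is that the completeness check needs an input the review export cannot supply on its own, which is why strong evidence pairs the review record with a snapshot of what it was reviewing.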

Why enterprise buyers care too

Evidence is not only an audit concern. When an enterprise security team sends a questionnaire, they are asking for the same thing in a different format: prove your controls operate. "We have a policy" answers nothing. "Here is our access review cadence, our incident history and our supplier assessment process" moves the deal forward.

Weak evidence therefore shows up twice - as audit nonconformities and as stalled enterprise deals. Strong evidence pays off in both places.

How to build an evidence habit

  1. Assign an owner to every control. Evidence that is nobody's job does not get produced.
  2. Set a cadence and hold it. Quarterly means Q1, Q2, Q3, Q4 - with records for each.
  3. Make the output a record, not a vibe. Every recurring control should produce a dated artifact by default.
  4. Store it where it is findable. Evidence scattered across DMs and memories is, for audit purposes, evidence that does not exist.
  5. Sample yourself. Once a quarter, pick a control at random and try to produce the evidence cold. If you cannot, the auditor will not be able to either.

The bottom line

Certification does not test your library of policies. It tests whether your controls operate and whether you can prove it. Build the evidence habit early, and both your audit and your enterprise sales conversations get dramatically easier. Leave it to the last month, and no amount of documentation will paper over the gap.

Need a second pair of eyes before the auditor does?

A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.