How can an auditor verify conformity to control A.9.2.6 Removal or adjustment of access rights of ISO/IEC 27001 by using analytical evidence?

Analyzing the results of the access rights removal procedure on a sample of users upon the termination of their contracts provides direct and practical evidence of conformity to control A.9.2.6 within ISO/IEC 27001. This control focuses on ensuring that access rights are appropriately modified or revoked when an employee or contractor ceases to be associated with the organization, thus protecting sensitive information and systems from unauthorized access.

By selecting a sample of users who have had their access rights removed due to the termination of their contracts, the auditor can directly observe and evaluate whether the procedures established for removing access are being effectively executed. This approach allows for an assessment of the timeliness and completeness of access rights removal, which are critical factors in maintaining the security of information systems.

This method of verification ensures that the controls are not just theoretical or documented procedures but are actively implemented and functioning as intended in practical situations. It also highlights the auditor's ability to assess the operational effectiveness of controls in real-world scenarios, which is a fundamental aspect of the auditing process in the context of information security management.