What is essential for an auditor to collect to ensure the relevance of an audit procedure?

For an auditor, collecting evidence is essential to ensure the relevance of an audit procedure. Evidence serves as the foundation upon which the auditor evaluates the effectiveness of the management system being audited. In the context of ISO/IEC 27001, this could include documentation like logs, records, and other data that demonstrate how the information security management system (ISMS) is functioning and whether it complies with the established standards and policies.

The relevance of evidence lies in its ability to provide objective information that supports findings and conclusions drawn during the audit. Without adequate evidence, any conclusions made about the effectiveness of controls or the overall compliance of the ISMS would be subjective and potentially flawed. Therefore, gathering sufficient and appropriate evidence is a critical component of the audit process, enabling the auditor to assess not just compliance but also the actual performance of security controls against defined criteria.

Other elements such as reports, testimonials, and policies might provide context or supplementary insights, but they do not serve the core function of providing the objective proof required for a thorough audit. Hence, evidence is central to conducting an effective and relevant audit.
