I have asked for documentation to review if they have the correct label of confidential or restricted, the documentation sent did not have any labeling and I put an observation there, but the audited answered me this:
"Information requested for audit is defined as confidential by principles and definition. it can't be used to mark as evidence related to information classification and labeling. The correct evidence is if the auditor find evidence of restricted and confidential information is shared between the scope without correct labeling."
Is this correct? I took it as a non conformity because the record and reports did not have the apropriate labeling.