Answer: You can write one or more of the following types of evidence to support the decision that the audited area is compliant or not with the requirement covered by the question:
- Presence or absence of records, procedures, policies, or any other documentation defined by the ISMS;
- Auditor's observation of a compliant or non-compliant situation; or
- Declaration by a person with authority to do so (e.g., a manager or process owner).
For example, for the question "Is the risk treatment process documented, including the risk treatment options?", if the audited area is compliant, you should write in the evidence column the identification of the procedure used by the audited area.
2- Do you have a list on that evidence?
Answer: To answer this question, you must first understand that some questions are pretty straightforward, requiring only the existence of a specific document or record (like my previous example), but others require more analysis to ensure conformity. For example, simply having a documented scope cannot answer the question "Are the general ISMS objectives compatible with the strategic direction?". For verifying compliance you should understand the process that led to that scope and see how the strategic direction influenced its creation. In fact, most of an internal audit that adds value to the business is not about documentation, but about whether the processes and activities are capable of consistently meeting the requirements.
That said, for a list of documents and records, you can consult this article to see not only mandatory documents (that for sure you can relate to the questions on the checklist), but also the most commonly used documents for ISO 27001 implementation (that may or may not cover the questions on the checklist, depending upon the context of the organization and audited area):