"Records concerning services"
A practical evidence-pack guide for trust service providers applying ETSI EN 319 401 clause 7.10 and its supporting policy, risk, incident, continuity, and supplier controls.
Grounded in ETSI EN 319 401 V3.1.1 and linked public sources. Use it as implementation guidance, not for legal interpretation.
Use this page to decide what should be available for inspection by an assessor or customer, in a supervisory discussion, or in an internal audit when a trust service provider claims that its ETSI EN 319 401 records are complete, protected, retained, and usable as evidence.
Start with clause 7.10 because it requires the TSP to record and keep accessible relevant information concerning data issued and received by the TSP, including after the TSP has ceased activities, for legal evidence and service continuity purposes. That makes the evidence pack broader than a folder of audit logs: it needs to show what was issued or received, how operation records were protected, and how records remain available for the stated retention period.
Use the trust service practice statement, terms and conditions, information security policy, risk assessment, audit logs, incident records, backup tests, termination plan, legal-requirement evidence, and supplier register as the core index. Those artifacts are tied to separate EN 319 401 clauses, but together they explain whether the record set is complete, confidential, integrity-protected, and aligned with disclosed business practices.
Do not organize the pack only by department. Organize it around the control areas that prove the TSP can operate and preserve evidence: risk assessment, published practices, terms and conditions, security policy, personnel and trusted roles, asset inventory, access and configuration control, incident management, continuity, termination, compliance, and supply chain.
The pack should let a reviewer move from claim to proof without private context. For example, a claim that logs are reviewable should point to the logging control, a sample review record, the alerting or monitoring process, the person or trusted role responsible, and the retention rule that protects the log after the review.
The most sensitive part of the pack is usually the operational record set. EN 319 401 calls out confidentiality and integrity for current and archived service-operation records, complete and confidential archiving, availability of records for evidence of correct operation, and audit-log time synchronized with UTC at least once a day.
Treat logs as evidence, not background telemetry. The pack should show which logs exist, why they matter to the trust service, how they are reviewed, how alerts are escalated, how deletion is prevented during the required period, and how records can be retrieved without exposing sensitive material unnecessarily.
Use this checklist before giving the pack to an assessor, customer, supervisory contact, or independent review board. It focuses on traceability: every claim should have a clause, a record, a retention rule, an owner, and a way to verify that the evidence still represents the current trust service.
Do not claim that EN 319 401 itself defines the independent assessment method. The standard states general policy requirements for TSP operation and management; it points readers to ETSI EN 319 403-1 for requirements about conformity assessment bodies assessing TSPs.
Weak packs usually fail because they are polished but not traceable. A clean narrative is not enough if records cannot be tied to the trust service boundary, disclosed practices, retention commitments, incident procedures, continuity assumptions, or supplier obligations.
The safest approach is to remove broad claims that the available evidence cannot prove. Keep each claim narrow: what service it covers, what period it covers, which source requires or explains it, and which artifact shows the control actually operated.