- Primary ETSI standard for general policy requirements on TSP operation and management practices.
"General Policy Requirements"
A practical workflow for turning EN 319 401 requirements into an audit-ready evidence pack for trust service provider operations.
Use it to organize risk, policy, record, log, continuity, supplier, and legal-compliance evidence. It is implementation guidance that supports planning; validate it against jurisdiction-specific legal, contractual, and policy requirements before relying on it for implementation or a conformity certificate.
This page is for teams preparing evidence for ETSI EN 319 401 V3.1.1 (2024-06), the ETSI general policy requirements standard for trust service providers. It narrows the evidence pack to what the standard actually supports: risk assessment, policies and practices, terms and conditions, information security policy, TSP management and operation, collection of evidence, continuity, termination planning, compliance, and supply-chain controls.
EN 319 401 applies to trust service providers regardless of the specific trust service type and defines policy requirements for TSP operation and management practices. Start the pack by naming the trust service, the operating boundary, the relevant policies, the practice statement owner, and the evidence owner for each requirement area.
Do not treat the pack as a generic spreadsheet. The standard ties evidence to concrete TSP artifacts: a risk assessment, risk treatment decisions, security requirements, operational procedures, a trust service practice statement, terms and conditions, an information security policy, operational records, continuity planning, termination planning, and supplier controls.
The risk section is the first control anchor for the pack. EN 319 401 requires the TSP to carry out a risk assessment covering trust service risks, select treatment measures, document necessary security requirements and operational procedures in the information security policy and practice statement, review and revise the assessment, and have management approve the assessment and accept residual risk.
The policy section gives the evidence pack its document backbone. The TSP needs policies and practices appropriate for the trust services it provides, management approval, communication to relevant employees and external parties, a practice statement covering applicable trust service policy requirements, external-organization obligations, and a defined review process for maintaining the practice statement.
Clause 7.10 is the core evidence-pack clause. It requires the TSP to record and keep accessible all relevant information concerning data issued and received by the TSP for an appropriate period, including after TSP activities have ceased, for legal evidence and continuity of service.
The records pack should therefore prove both content and control. It should show which service records exist, how confidentiality and integrity are maintained for current and archived records, how records are completely and confidentially archived according to disclosed business practices, and how records can be made available when required as evidence of correct service operation in legal proceedings.
Use this operating workflow when assigning the pack. Each row should produce a named artifact that a reviewer can inspect without relying on memory or unsupported internal claims.
Step | Evidence area | Owner | Artifacts | Review question
--- | --- | --- | --- | ---
1 | Scope and policy intake | Practice statement owner | Trust service policy list, practice statement, external-organization obligations | Does the pack match the trust service and its declared policies?
2 | Risk and control baseline | Risk and security owners | Risk assessment, risk treatment record, information security policy, operating procedures | Are selected controls tied to approved risk treatment?
3 | Subscriber and relying-party disclosures | Legal/compliance owner | Terms and conditions, limitations, event-log retention statement, relying-party instructions | Are disclosed practices consistent with evidence retention and service operation?
4 | Operational records and logs | Operations/security owner | Service records inventory, archive controls, UTC synchronization evidence, significant event logs | Can the TSP show correct service operation and protect records during retention?
5 | Continuity, termination, and suppliers | Continuity and supplier owners | Continuity plan, backup test results, termination plan, supplier register, agreements and SLAs | Will evidence remain accessible after disaster, service cessation, or supplier change?
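One way to make the workflow rows and the clause 7.10 integrity requirement inspectable in practice, as an added example that is not part of the page or of any ETSI material: each artifact in the table is indexed with its owner and a SHA-256 digest, missing artifacts are reported as gaps so the related claim can be narrowed, and a later re-check shows whether archived records still match the index. The file names and the in-memory pack are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Mapping


@dataclass(frozen=True)
class Row:
    step: int
    area: str
    owner: str
    artifacts: tuple[str, ...]


# Constructed from the workflow table above; artifact file names are placeholders.
WORKFLOW = (
    Row(1, "Scope and policy intake", "Practice statement owner",
        ("policy_list.md", "practice_statement.md", "external_obligations.md")),
    Row(2, "Risk and control baseline", "Risk and security owners",
        ("risk_assessment.md", "risk_treatment.md", "infosec_policy.md", "procedures.md")),
    Row(3, "Subscriber and relying-party disclosures", "Legal/compliance owner",
        ("terms_and_conditions.md", "log_retention_statement.md", "relying_party_instructions.md")),
    Row(4, "Operational records and logs", "Operations/security owner",
        ("records_inventory.md", "archive_controls.md", "utc_sync_evidence.log", "event_log_export.json")),
    Row(5, "Continuity, termination, and suppliers", "Continuity and supplier owners",
        ("continuity_plan.md", "backup_test_results.md", "termination_plan.md", "supplier_register.csv")),
)


def load_pack(pack_dir: Path) -> dict[str, bytes]:
    """Read every regular file in an exported evidence-pack directory, keyed by file name."""
    return {p.name: p.read_bytes() for p in pack_dir.iterdir() if p.is_file()}


def build_index(pack: Mapping[str, bytes], rows=WORKFLOW) -> dict:
    """Index each present artifact with its step, owner and SHA-256 digest;
    artifacts that are missing from the pack are listed as gaps."""
    entries, gaps = [], []
    for row in rows:
        for name in row.artifacts:
            if name in pack:
                entries.append({"step": row.step, "owner": row.owner, "artifact": name,
                                "sha256": hashlib.sha256(pack[name]).hexdigest()})
            else:
                gaps.append({"step": row.step, "area": row.area, "artifact": name})
    return {"entries": entries, "gaps": gaps}


def verify_index(pack: Mapping[str, bytes], index: dict) -> list[str]:
    """Re-hash archived artifacts against the index and return the names that
    changed or disappeared, i.e. records whose integrity can no longer be shown."""
    return [e["artifact"] for e in index["entries"]
            if e["artifact"] not in pack
            or hashlib.sha256(pack[e["artifact"]]).hexdigest() != e["sha256"]]
```

Keep the index itself under the same archive controls as the records it covers; a digest list that can be rewritten alongside the records proves nothing.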
The pack should not stop at logs. EN 319 401 also requires evidence around continuity planning, backup resources, recovery testing, crisis management, termination, legal compliance, personal-data protection, and supply-chain controls.
This matters because records must stay useful when the service changes, a disaster occurs, the TSP ceases activities, or a supplier relationship affects TSP information. Treat these areas as evidence dependencies for clause 7.10 rather than as separate paperwork.
Most weak packs fail because they describe intent but cannot prove operation. EN 319 401 repeatedly expects documented, approved, maintained, reviewed, available, archived, tested, or recorded artifacts. If a claim cannot be tied to one of those artifacts, narrow it until the evidence is inspectable.
Avoid implying that a public guide, internal checklist, or exported folder is a conformity certificate. EN 319 401 provides the general policy requirements baseline; independent assessment context and assessor requirements are separate.