User
What type of evidence must an internal auditor collect?
Experta
An internal auditor must collect the following types of evidence (proof):
- Documents and records - e.g., reviewing policies, procedures, plans, logs, paper-based records, etc.
- Personal observations - e.g., observing activities or equipment to find out if they are performed or configured properly.
- Interviews with employees - e.g., talking to several people in the same process to find out if they are performing the process in exactly the same way.
This evidence must be collected for the following:
- For each of the clauses in the main part of ISO 27001 (clauses 4 to 10).
- For each control that is marked as applicable in the Statement of Applicability.
- For each requirement in the company's security policies and procedures.
Note: The same evidence will be collected by the certification auditor, so an internal audit is very good preparation for the certification audit.
Examples:
- ISO 27001 clause 5.2 requires the Information Security Policy to include the top management commitment to security - the internal auditor must read the document to see if this is included.
- The Backup Policy requires the backup to be performed every 6 hours - the internal auditor must ask a system administrator to show him the backup logs to determine the backup frequency.
- The Clear Desk and Clear Screen Policy requires the screens to be locked if users are not next to their computer - when walking through the offices, the internal auditor must observe if all unattended computers have their screens locked.
- Control 5.3 Segregation of duties is marked as applicable in the Statement of Applicability (SoA) - the internal auditor must interview a couple of employees involved in performing sensitive operations to determine if their duties are segregated according to the implementation method specified in the SoA.
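The backup example above (a Backup Policy requiring a backup every 6 hours, verified from the backup logs) is the one item in the answer that can be checked mechanically rather than by reading or observing. The script below is an added illustration of that check and is not part of the original answer or of any Advisera material: it parses a constructed backup log (the line format, job name and field names are assumptions), keeps only successful runs, and reports every gap between consecutive successful backups that exceeds the 6-hour policy interval plus a small scheduling tolerance. Failed runs are counted separately, because a job that ran but failed does not satisfy the policy and an auditor would want both numbers.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample backup log for illustration only; the format
# "<ISO timestamp> backup key=value ..." is an assumption, not a real tool's output.
SAMPLE_LOG = """\
2024-03-04T00:02:11Z backup job=fileserver status=SUCCESS size=12.4G
2024-03-04T06:01:47Z backup job=fileserver status=SUCCESS size=12.5G
2024-03-04T12:03:05Z backup job=fileserver status=FAILED error=disk_full
2024-03-04T18:02:30Z backup job=fileserver status=SUCCESS size=12.6G
2024-03-05T00:02:09Z backup job=fileserver status=SUCCESS size=12.6G
2024-03-05T14:10:44Z backup job=fileserver status=SUCCESS size=12.7G
"""

# Policy interval from the Backup Policy example; tolerance covers normal scheduler drift.
REQUIRED_INTERVAL = timedelta(hours=6)
TOLERANCE = timedelta(minutes=15)


def parse_log(text):
    """Return a time-sorted list of (timestamp, status) for every 'backup' line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "backup":
            continue  # ignore unrelated log lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        entries.append((ts, fields.get("status", "UNKNOWN")))
    return sorted(entries)


def find_gaps(entries, required=REQUIRED_INTERVAL, tolerance=TOLERANCE):
    """Return (previous, current, gap) for each pair of consecutive SUCCESSFUL
    backups whose spacing exceeds the policy interval plus tolerance.
    Failed runs are skipped on purpose: they do not count as a backup."""
    successes = [ts for ts, status in entries if status == "SUCCESS"]
    findings = []
    for prev, cur in zip(successes, successes[1:]):
        gap = cur - prev
        if gap > required + tolerance:
            findings.append((prev, cur, gap))
    return findings


def summarize(text):
    """Evidence summary an auditor can record: run counts and policy gaps."""
    entries = parse_log(text)
    gaps = find_gaps(entries)
    return {
        "runs": len(entries),
        "successful": sum(1 for _, s in entries if s == "SUCCESS"),
        "failed": sum(1 for _, s in entries if s == "FAILED"),
        "gaps_over_policy": len(gaps),
        "compliant": not gaps,
    }


if __name__ == "__main__":
    for prev, cur, gap in find_gaps(parse_log(SAMPLE_LOG)):
        print(f"GAP {gap} between {prev.isoformat()} and {cur.isoformat()}")
    print(summarize(SAMPLE_LOG))
```

On the constructed log this reports two gaps (the failed 12:03 run leaves a 12-hour hole, and the next day the 06:00 and 12:00 runs are simply missing), so the evidence would support a nonconformity against the 6-hour requirement rather than a pass.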