The inspection¶
Evidence and audit readiness.
You have assets, threats, zones, and controls mapped, and the defences have been tested. Now the question is: can you prove it? Auditing is not about theory; it is about evidence. Every control, every mitigation, every claimed security measure wants to be traceable and verifiable. Gaps in documentation are as fatal as gaps in configuration.
Evidence divides into two categories. Implementation evidence confirms controls are in place: logs are collected, configurations are documented, policies are approved, access rights are assigned. Effectiveness evidence confirms controls produce their intended effect under realistic conditions: a penetration test result showing that network segmentation held under a realistic attack path, an anomaly detection exercise confirming the signature fired against the expected technique, a tabletop result showing the incident response chain operated within acceptable time bounds.
An audit drawing only on implementation evidence documents that controls exist. Effectiveness evidence documents that they work; testing the defences is where it comes from.
Evidence types to check¶
Logs
System logs (controllers, SCADA, HMIs)
Network device logs (firewalls, switches, segmentation devices)
Security monitoring and SIEM alerts
Gap check: Missing logs, incomplete retention periods, or unassigned log owners are findings. Confirm logging covers all critical assets and events relevant to IEC 62443 requirements. ML-assisted anomaly detection in OT-capable SIEM deployments can surface deviations in controller behaviour or protocol patterns that volume-based manual review misses; where such tooling is in use, its configuration and alert handling form part of the evidence base.
Device configurations
Baseline settings, secure defaults, firmware versions
Change history and configuration snapshots
Gap check: Untracked or undocumented changes, missing version records, or unmanaged devices are immediate gaps.
Network diagrams and the zone model
Logical and physical topology, VLANs, zones, conduits, firewalls, and segmentation
Mapping of assets to zones
Gap check: Devices in the register not on diagrams, discrepancies between diagrams and deployed topology, or undocumented segmentation rules are findings.
Maintenance and lifecycle records
Updates, patches, preventative maintenance schedules
Decommissioning steps for retired assets
Gap check: Any lifecycle step not documented is a vulnerability. Confirm records exist for all controllers, sensors, and field devices.
Training and personnel documentation
Evidence of operator and engineer training, role awareness, incident response rehearsals
Gap check: Missing or outdated training records, unclear role responsibilities, or untested response procedures are findings. Attendance records are implementation evidence. Exercise performance records are effectiveness evidence: a drill where operators restored a system under time pressure, a tabletop that walked through the incident response procedure with current staffing, a scenario exercise where teams had to apply a procedure they had not recently practised.
Policy and procedure documentation
Asset management, change management, access control, network management, incident response
Gap check: Controls claimed in IEC 62443 mappings want supporting policies. Missing or inconsistent documentation is a finding.
Practical gap-spotting approach¶
Walk through each control and threat: is there documented evidence for it?
Ask: if an auditor asked for proof tomorrow, could you produce it immediately?
Cross-check assets, controls, logs and records, and diagrams against each other. Anything missing is a gap.
Verify ownership: each piece of evidence has a responsible party, or the ambiguity is itself a finding.
If a threat exists without documented mitigation, monitoring, or ownership, it is a gap worth closing before anyone audits the system.
Output¶
By the end of this stage, the organisation has an evidence package organised by zone and control, spanning both implementation and effectiveness evidence, with owners for every item and nothing that takes more than a day to produce on request. Keeping it that way is the business of keeping watch.
Related¶
Last updated: 4 July 2026