
Evidence & Audit: Reliability

This section describes the evidence requirements for all 10 WAF-REL controls, organized by evidence type. Evidence is required for internal audits, external certifications (ISO 27001, BSI C5) and regulatory reviews (GDPR).

Governance Evidence

Governance evidence includes policies, process documents and strategic decisions.

Control | Type | Description
WAF-REL-010 | Required | SLO document per workload: availability %, latency targets, error rate, measurement window; versioned.
WAF-REL-010 | Optional | SLA contract referencing the SLO definitions, with escalation and compensation clauses.
WAF-REL-060 | Required | Incident response plan with severity definitions, escalation paths and on-call structure.
WAF-REL-070 | Required | DR plan with RTO/RPO targets, test plan and date of last review.
WAF-REL-080 | Required | Dependency register with criticality, SLA and fallback behavior for every production dependency.
WAF-REL-090 | Required | Chaos engineering charter or policy with approval process and blast radius limits.
WAF-REL-100 | Required | Versioned reliability debt register with owner, severity and target date per entry.

IaC Evidence (Infrastructure-as-Code)

IaC evidence includes Terraform configurations and Kubernetes manifests.

Control | Type | Description
WAF-REL-020 | Required | Terraform or Kubernetes manifests with readinessProbe and livenessProbe configurations.
WAF-REL-020 | Required | Load balancer Terraform code (ALB, Azure LB, GCP LB) with an explicit health_check block.
WAF-REL-030 | Required | Terraform with Multi-AZ configuration for compute, databases and load balancers.
WAF-REL-040 | Required | Terraform with backup configuration: retention, PITR, cross-account storage.
WAF-REL-050 | Required | Terraform or service mesh configuration with timeout and circuit breaker settings.
WAF-REL-070 | Optional | Automation scripts or Terraform configurations for DR failover procedures.
WAF-REL-090 | Optional | AWS FIS experiment templates or Azure Chaos Studio workflow configurations.
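For WAF-REL-020 the manifests themselves are the evidence, but an auditor (internal or external) will also want a repeatable check that every workload container actually carries both probes. The script below is an added example written for this page; it is not part of WAF++ or of any Kubernetes tooling. It reads Kubernetes objects in JSON form (the shape produced by `kubectl get deployments,statefulsets,daemonsets,pods -A -o json`, which wraps the objects in a `kind: List`), walks the pod template of each workload and reports containers that lack a readinessProbe or livenessProbe. The additional warning for a liveness probe with no start-up grace period is a heuristic chosen for this example, and the embedded manifests are constructed sample data.

```python
"""Probe-coverage check over Kubernetes manifests (added example, WAF-REL-020 evidence)."""
import json

# Workload kinds whose pod template lives at spec.template.spec.
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def pod_spec(manifest):
    """Return the pod spec embedded in a Pod or workload manifest, or None for other kinds."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in WORKLOAD_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return None  # Service, ConfigMap, ... carry no containers


def probe_findings(manifest):
    """Return (workload, container, finding) tuples for every probe gap in one manifest."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    workload = f'{manifest.get("kind")}/{name}'
    findings = []
    for container in spec.get("containers", []):
        cname = container.get("name", "<unnamed>")
        readiness = container.get("readinessProbe")
        liveness = container.get("livenessProbe")
        startup = container.get("startupProbe")
        if readiness is None:
            findings.append((workload, cname, "missing readinessProbe"))
        if liveness is None:
            findings.append((workload, cname, "missing livenessProbe"))
        elif startup is None and liveness.get("initialDelaySeconds", 0) == 0:
            # Heuristic (assumption of this example): a liveness probe that starts
            # at t=0 with no startupProbe can restart-loop a slow-starting container.
            findings.append((workload, cname,
                             "livenessProbe has no initialDelaySeconds and no startupProbe"))
    return findings


def load_manifests(text):
    """Parse a JSON document that is either one object or a kind: List wrapper."""
    doc = json.loads(text)
    if doc.get("kind") == "List":
        return doc.get("items", [])
    return [doc]


def audit(text):
    """Aggregate probe findings over every manifest in the JSON document."""
    findings = []
    for manifest in load_manifests(text):
        findings.extend(probe_findings(manifest))
    return findings


# Constructed sample input: one compliant container, one sidecar without a
# liveness probe, a bare debug Pod, and a Service that must be ignored.
SAMPLE = {
    "kind": "List",
    "items": [
        {"apiVersion": "apps/v1", "kind": "Deployment",
         "metadata": {"name": "payments-api"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "api", "image": "payments-api:1.4.2",
              "readinessProbe": {"httpGet": {"path": "/readyz", "port": 8080},
                                 "periodSeconds": 5},
              "livenessProbe": {"httpGet": {"path": "/livez", "port": 8080},
                                "initialDelaySeconds": 15, "periodSeconds": 10}},
             {"name": "log-shipper", "image": "fluent-bit:2.2",
              "readinessProbe": {"httpGet": {"path": "/api/v1/health", "port": 2020}}},
         ]}}}},
        {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
         "spec": {"containers": [{"name": "shell", "image": "busybox:1.36"}]}},
        {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "payments-api"},
         "spec": {"ports": [{"port": 80}]}},
    ],
}

if __name__ == "__main__":
    for workload, container, finding in audit(json.dumps(SAMPLE)):
        print(f"{workload} container={container}: {finding}")
```

To run it against a live cluster, replace `SAMPLE` with the output of the `kubectl get ... -o json` command named above; an empty findings list is the pass condition, and the non-empty list is itself evidence of which workloads still need remediation.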

Process Evidence

Process evidence includes meeting minutes, test results and review documentation.

Control | Type | Description
WAF-REL-010 | Optional | Quarterly SLO review minutes with adjustments based on incident history.
WAF-REL-040 | Required | Quarterly backup restore test report with RTO achieved, data integrity result and signature.
WAF-REL-060 | Required | Post-incident review records for all SEV1/SEV2 incidents in the last 12 months.
WAF-REL-070 | Required | DR test reports from the last 12 months with actual RTO/RPO achieved and signature.
WAF-REL-080 | Optional | Quarterly dependency review minutes with signature.
WAF-REL-090 | Required | Quarterly chaos experiment reports with hypothesis, expected result, actual result and remediation.
WAF-REL-100 | Required | Quarterly review minutes with register inspection, closures and new entries.

Config Evidence

Config evidence includes monitoring dashboards, alert configurations and operational tools.

Control | Type | Description
WAF-REL-010 | Required | Monitoring dashboard with SLO compliance and error budget burn rate in real time.
WAF-REL-020 | Optional | Monitoring dashboard with health check pass/fail rate over time.
WAF-REL-030 | Optional | Monitoring dashboard with AZ distribution of all deployed instances.
WAF-REL-040 | Optional | Backup monitoring alerts with notification on job failure or aged backup.
WAF-REL-060 | Optional | On-call schedule in PagerDuty/OpsGenie with current rotation.
WAF-REL-070 | Optional | DR test calendar with scheduled exercises for the next 12 months.
WAF-REL-080 | Optional | Service mesh dependency graph with all inter-service connections.
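The WAF-REL-010 dashboard has to show two derived numbers, SLO compliance and error budget burn rate, and an auditor may ask how they are computed. The code below is an added example for this page, not WAF++ code and not tied to any monitoring product. It assumes a request-based availability SLO (errors over total requests), expresses the error budget as 1 minus the SLO target, and layers on the multi-window, multi-burn-rate alert policy from the Google SRE Workbook for a 30-day SLO window (a long window to detect the burn, a short window to confirm it is still ongoing). All request and error counts are constructed sample data; exact fractions are used so the thresholds compare without floating-point noise.

```python
"""Error budget, burn rate and multi-window burn-rate alerts (added example, WAF-REL-010)."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Window:
    """Request and error counts observed over one look-back window."""
    name: str
    requests: int
    errors: int


def error_budget(slo_target):
    """Fraction of requests allowed to fail: 1 - SLO (1/1000 for a 99.9 % target).

    Pass the target as a string or Fraction ("0.999") so the budget stays exact.
    """
    return 1 - Fraction(slo_target)


def error_ratio(window):
    """Observed failure ratio in the window; zero traffic counts as zero errors."""
    if window.requests == 0:
        return Fraction(0)
    return Fraction(window.errors, window.requests)


def burn_rate(window, slo_target):
    """Observed error ratio relative to the budget.

    1 means the budget is spent exactly at the end of the SLO window; 15 means
    it would be gone in 1/15 of the window.
    """
    return error_ratio(window) / error_budget(slo_target)


def remaining_error_budget(window, slo_target):
    """Errors still allowed in this window before the SLO is breached (negative = breached)."""
    return error_budget(slo_target) * window.requests - window.errors


# (long window, short window, burn-rate threshold, severity) for a 30-day SLO window,
# following the Google SRE Workbook pattern: 14.4x burns 2 % of the budget in 1 h,
# 6x burns 5 % in 6 h, 1x burns 10 % in 3 d.
BURN_RATE_POLICY = (
    ("1h", "5m", Fraction(144, 10), "page"),
    ("6h", "30m", Fraction(6), "page"),
    ("3d", "6h", Fraction(1), "ticket"),
)


def evaluate_alerts(windows, slo_target, policy=BURN_RATE_POLICY):
    """Return (severity, long window, burn rate) for each policy row whose long AND short
    window both exceed the threshold; the short window keeps the alert from staying
    active after the incident has ended."""
    fired = []
    for long_name, short_name, threshold, severity in policy:
        long_rate = burn_rate(windows[long_name], slo_target)
        short_rate = burn_rate(windows[short_name], slo_target)
        if long_rate >= threshold and short_rate >= threshold:
            fired.append((severity, long_name, float(long_rate)))
    return fired


SLO_TARGET = "0.999"  # 99.9 % availability over a 30-day window

# Constructed sample counts: a fresh incident visible in the 5m/1h windows, the
# 6h window elevated but the 30m window already recovering, and the long windows calm.
SAMPLE_WINDOWS = {w.name: w for w in (
    Window("5m", requests=8_000, errors=120),           # 1.5 %  -> burn rate 15
    Window("30m", requests=50_000, errors=250),         # 0.5 %  -> burn rate 5
    Window("1h", requests=100_000, errors=1_500),       # 1.5 %  -> burn rate 15
    Window("6h", requests=500_000, errors=3_500),       # 0.7 %  -> burn rate 7
    Window("3d", requests=20_000_000, errors=16_000),   # 0.08 % -> burn rate 0.8
    Window("30d", requests=100_000_000, errors=60_000), # 0.06 % -> 60 % of budget used
)}

if __name__ == "__main__":
    for w in SAMPLE_WINDOWS.values():
        print(f"{w.name:>3}: burn rate {float(burn_rate(w, SLO_TARGET)):.2f}, "
              f"remaining budget {remaining_error_budget(w, SLO_TARGET)} errors")
    print("alerts:", evaluate_alerts(SAMPLE_WINDOWS, SLO_TARGET))
```

With the sample counts only the 1h/5m rule fires: the 6h window is at 7x, but its 30m confirmation window has already dropped to 5x, so no second page is raised. The same functions, fed from the metrics backend instead of the constructed dictionary, produce the compliance and burn-rate panels the evidence table asks for.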

Evidence Mapping: ISO 27001 Annex A

ISO 27001 Control | WAF-REL Controls | Evidence Type
A.17.1 – Information Security Continuity | REL-010, REL-030, REL-070 | Governance, Process
A.17.2 – Redundancies | REL-030, REL-040 | IaC, Config
A.8.13 – Information Backup | REL-040 | IaC, Process
A.16.1 – Management of IS Incidents | REL-060 | Governance, Process
A.15.1 – IS in Supplier Relationships | REL-080 | Governance

Note on control numbering: A.17.1, A.17.2, A.16.1 and A.15.1 are ISO/IEC 27001:2013 Annex A identifiers, whereas A.8.13 (Information backup) is the ISO/IEC 27001:2022 identifier; in the 2013 edition the same control is A.12.3.1. Present the mapping to an auditor in one edition consistently, matching the edition the certification is issued against.

Minimum Requirements for Compliance Audits

For an ISO 27001 compliance audit (Annex A.17), the following minimum evidence is required:

  1. SLO documents for all critical systems (WAF-REL-010)

  2. Backup restore test report from the last 12 months (WAF-REL-040)

  3. DR plan with documented last test (WAF-REL-070)

  4. Incident Response Plan with severity definitions (WAF-REL-060)

  5. Post-incident reviews for all SEV1/SEV2 in the last 12 months (WAF-REL-060)

  6. Dependency register with criticality assessment (WAF-REL-080)