The auditor sits down and opens with: "Show me your change approval process." Then: "Show me incident response times for the last quarter." Then: "Show me who currently has admin access to production systems." If these questions send your team scrambling through email threads and spreadsheets, the audit is already going badly. GLPI can answer all of them -- if you know where to look and how to export the evidence.
What auditors actually ask for
ISO 27001
ISO 27001 audits focus on information security management. The evidence GLPI can provide:
- Access control records -- who has which GLPI profiles and permissions, with change history (Administration > Users, Administration > Profiles)
- Change management logs -- every ticket of type "Change" with its approval workflow, implementation notes, and post-implementation review
- Incident statistics -- mean time to resolve, incidents by category, recurring incidents, escalation rates
- Asset inventory -- complete list of IT assets with ownership, location, and status
NIS2
NIS2 emphasizes incident reporting timelines and supply chain security. From GLPI:
- Incident reporting timelines -- timestamps showing when an incident was detected, reported, and resolved. GLPI's ticket lifecycle captures all of these if your workflow includes status transitions for detection and reporting.
- Asset register with supplier information -- GLPI tracks manufacturer, vendor, and support contract details per asset
- Risk assessment documentation -- while GLPI isn't a risk management tool, tickets tagged with risk-related categories can serve as evidence of risk identification and treatment
How to export evidence from GLPI
Saved searches to CSV
Build a search query in GLPI (e.g., all change tickets from the last 12 months with their approval status), then export the results as CSV or PDF. Save the search for reuse -- next audit, run it again with updated date filters. This is the simplest method and covers most audit evidence needs.
Statistics module
GLPI's built-in Statistics module (Assistance > Statistics) generates reports on ticket resolution times, SLA compliance percentages, and ticket volumes by category. Export these directly. Auditors prefer charts with numbers, not raw data.
REST API for automated evidence collection
For recurring audits, automate evidence collection with GLPI's REST API. A script can pull ticket data, user permissions, and asset records on a schedule, format them into a standardized report, and store them in a shared drive. When the auditor arrives, the evidence package is already assembled.
Example API endpoints:
- /apirest.php/Ticket -- all tickets with filters for type, date, status
- /apirest.php/User -- user list with profile assignments
- /apirest.php/Computer -- asset inventory
- /apirest.php/Change -- change records with approval data
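A sketch of such a collection script, added here as an example (it is not code from the original article or from the GLPI project). It pages through each item type with the API's `range` parameter and writes a SHA-256 manifest so the evidence package can later be shown to be unaltered. The base URL, the tokens, and the function names are assumptions, and the API user is assumed to have a read-only profile.

```python
import hashlib
import json
import urllib.request
from datetime import datetime, timezone

PAGE = 50  # records per request; GLPI pages list results via the "range" parameter

def glpi_get(base, path, headers):
    """One GET against the GLPI REST API; returns (parsed JSON or None, headers)."""
    req = urllib.request.Request(f"{base}/apirest.php/{path}", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return (json.loads(raw) if raw else None), resp.headers

def collect(itemtype, get):
    """Fetch every record of one item type, following Content-Range (start-end/total)."""
    items, start = [], 0
    while True:
        body, hdrs = get(f"{itemtype}?range={start}-{start + PAGE - 1}")
        items.extend(body or [])
        total = int(hdrs.get("Content-Range", f"0-0/{len(items)}").split("/")[1])
        start += PAGE
        if not body or start >= total:
            return items

def package(itemtypes, get, now=None):
    """Build {filename: bytes} for each item type plus a MANIFEST.json of digests."""
    stamp = now or datetime.now(timezone.utc).isoformat()
    files = {f"{t}.json": json.dumps(collect(t, get), sort_keys=True, indent=1).encode()
             for t in itemtypes}
    manifest = {"collected_at": stamp,
                "sha256": {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}}
    files["MANIFEST.json"] = json.dumps(manifest, sort_keys=True, indent=1).encode()
    return files

def run(base, app_token, user_token, itemtypes=("Ticket", "User", "Computer", "Change")):
    """Open a session, collect the evidence set, and always close the session."""
    auth = {"App-Token": app_token, "Content-Type": "application/json"}
    session, _ = glpi_get(base, "initSession",
                          {**auth, "Authorization": f"user_token {user_token}"})
    hdrs = {**auth, "Session-Token": session["session_token"]}
    try:
        return package(itemtypes, lambda path: glpi_get(base, path, hdrs))
    finally:
        glpi_get(base, "killSession", hdrs)  # do not leave API sessions open
```

Call `run()` from a scheduled job and write the returned files to the shared drive; keep the tokens in a secrets store rather than in the script.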
Building an audit preparation checklist
Create a checklist specific to your audit framework and map each item to a GLPI data source:
- Access control evidence: saved search of users + profiles, exported monthly
- Change management evidence: saved search of change tickets with approval status
- Incident response evidence: statistics export of incident resolution times
- Asset management evidence: full asset export with ownership and lifecycle status
- SLA compliance evidence: SLA statistics report for the audit period
Run this checklist quarterly, not just before the audit. Quarterly exports catch data quality issues early -- if change tickets aren't getting approval signatures, you want to know now, not when the auditor points it out.
Having the data vs. presenting it
GLPI contains the raw data. But auditors don't want a 5,000-row CSV file. They want a summary with key metrics, a few supporting details, and the ability to drill down if something looks wrong. Export the data from GLPI, then format it: a one-page summary of key metrics up front, detailed tables as appendices, and clear labels explaining what each export contains and which control it supports. The five minutes spent on formatting can make the difference between a smooth audit and a week of follow-up questions.