Maybe you're certifying at a lower level. I had to prove pretty much everything.
We have a "wallet" function, in support of which there's a DB that stores encrypted credit card numbers (they're encrypted by the app, so the DB never sees the cleartext). Obviously this database is backed up periodically. The auditor forced me to restore one of those backups and show them the content of the restored table, in order to prove that the backup/restore operation didn't magically decrypt the data.
This is something that I would have been willing to sign any document to certify, without having actually run the experiment. But they wanted screenshots.
They also told us that all employees need to have obfuscated email addresses to protect against spear phishing. That's when the infosec team finally told them they were being ridiculous.
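The backup/restore check the auditor asked for, scripted rather than screenshotted. This is an added example and not the commenter's code; it assumes a SQLite wallet table, stands in for the app-layer cipher with an HMAC-derived keystream, and uses constructed test PANs.

```python
import hashlib, hmac, os, re, sqlite3

# Constructed demo values: the key and PANs are test data, not real card data.
DEMO_KEY = b"demo-key-not-for-production"
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

def app_encrypt(pan: str) -> bytes:
    """Stand-in for the app-layer cipher: per-row nonce, HMAC-derived keystream."""
    nonce = os.urandom(16)
    stream = hmac.new(DEMO_KEY, nonce, hashlib.sha256).digest()
    return nonce + bytes(b ^ k for b, k in zip(pan.encode(), stream))

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def exposed_pans(blob: bytes) -> list:
    """Card-length ASCII digit runs that pass Luhn, found in the raw stored bytes."""
    return [m.decode() for m in re.findall(rb"\d{13,19}", blob) if luhn_ok(m.decode())]

def build_wallet_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wallet (id INTEGER PRIMARY KEY, pan_enc BLOB NOT NULL)")
    db.executemany("INSERT INTO wallet (pan_enc) VALUES (?)",
                   [(app_encrypt(p),) for p in SAMPLE_PANS])
    db.commit()
    return db

def backup_and_restore(src: sqlite3.Connection) -> sqlite3.Connection:
    """Snapshot the live DB, then load that snapshot into a fresh connection."""
    snapshot = sqlite3.connect(":memory:")
    src.backup(snapshot)          # the "backup" step
    restored = sqlite3.connect(":memory:")
    snapshot.backup(restored)     # the "restore" step
    return restored

def audit_restore(src: sqlite3.Connection, restored: sqlite3.Connection) -> dict:
    """The evidence the auditor wanted: ciphertext unchanged, no cleartext PAN present."""
    before = [r[0] for r in src.execute("SELECT pan_enc FROM wallet ORDER BY id")]
    after = [r[0] for r in restored.execute("SELECT pan_enc FROM wallet ORDER BY id")]
    leaks = [p for blob in after for p in exposed_pans(blob)]
    return {"rows": len(after), "ciphertext_identical": before == after, "exposed_pans": leaks}
```

Pointing `exposed_pans` at a dump of the restored file (not just the table) also catches cleartext left in logs, temp files or unencrypted columns next to the ciphertext.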