UnixTime

Research Note

A.7.1 Audit Evidence Pack

The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.

On this page

What the auditor wants to verify

Audit objective

Verify that physical security perimeters are defined, used, risk-based, and effective for areas containing information and associated assets.

The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.

Evidence to request

Evidence Purpose
Physical security zone register Shows protected areas and zone purpose
Site/floor security diagram Shows perimeters and boundaries
Physical security risk assessment Shows control selection is risk-based
Perimeter inspection records Shows boundaries are checked
Access control records Shows entry to sensitive areas is controlled
Reception/security procedures Shows public-to-secure transition is managed
Emergency exit procedures Shows emergency routes are controlled without compromising safety
Shared building/landlord access records Shows shared-premises access risk is managed
Out-of-hours access records Shows after-hours access is controlled

Strong evidence

Strong evidence test

Strong evidence links zone, asset, risk, perimeter, control, owner, and review.

  • Zones are defined from information classification, assets, processes, and risk.
  • Perimeters are complete enough for their purpose.
  • Entry/exit routes are controlled for sensitive zones.
  • Shared-building access is risk-assessed.
  • Emergency and out-of-hours routes are considered.
  • Physical controls are reviewed after layout, tenancy, process, or asset changes.

Weak evidence

Weak evidence warning

Weak evidence usually documents the building but not how the perimeter protects information.

  • Floorplan without security zones.
  • No risk assessment for perimeter controls.
  • Fire doors propped open.
  • Shared landlord master key with no risk treatment.
  • Reception unattended with no compensating control.
  • Incomplete walls or ceilings.
  • No review after office changes.

Sample interview questions

  • What physical zones exist and what is each intended to protect?
  • Which areas contain confidential information or critical associated assets?
  • How are fire exits and emergency evacuations handled securely?
  • How is landlord or building-management access controlled?
  • What changes trigger a perimeter review?

Common nonconformities

  • Perimeters not defined.
  • No physical security risk assessment.
  • Sensitive zones not separated from general areas.
  • Shared-premises access not assessed.
  • Out-of-hours access unmanaged.
  • Emergency doors undermine the perimeter.
  • Perimeter not reviewed after change.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A7 1

Note Metadata

Aliases: A.7.1 Evidence

Source: 04 Audit Evidence Packs/A.7.1 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.