What the auditor wants to verify
Audit objective
Verify that physical security perimeters are defined, used, risk-based, and effective for areas containing information and associated assets.
The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.
Evidence to request
| Evidence | Purpose |
|---|---|
| Physical security zone register | Shows protected areas and zone purpose |
| Site/floor security diagram | Shows perimeters and boundaries |
| Physical security risk assessment | Shows control selection is risk-based |
| Perimeter inspection records | Shows boundaries are checked |
| Access control records | Shows entry to sensitive areas is controlled |
| Reception/security procedures | Shows public-to-secure transition is managed |
| Emergency exit procedures | Shows emergency routes are controlled without compromising safety |
| Shared building/landlord access records | Shows shared-premises access risk is managed |
| Out-of-hours access records | Shows after-hours access is controlled |
Strong evidence
Strong evidence test
Strong evidence links zone, asset, risk, perimeter, control, owner, and review.
- Zones are defined from information classification, assets, processes, and risk.
- Perimeters are complete enough for their purpose.
- Entry/exit routes are controlled for sensitive zones.
- Shared-building access is risk-assessed.
- Emergency and out-of-hours routes are considered.
- Physical controls are reviewed after layout, tenancy, process, or asset changes.
Weak evidence
Weak evidence warning
Weak evidence usually documents the building but not how the perimeter protects information.
- Floorplan without security zones.
- No risk assessment for perimeter controls.
- Fire doors propped open.
- Shared landlord master key with no risk treatment.
- Reception unattended with no compensating control.
- Incomplete walls or ceilings.
- No review after office changes.
Sample interview questions
- What physical zones exist and what is each intended to protect?
- Which areas contain confidential information or critical associated assets?
- How are fire exits and emergency evacuations handled securely?
- How is landlord or building-management access controlled?
- What changes trigger a perimeter review?
Common nonconformities
- Perimeters not defined.
- No physical security risk assessment.
- Sensitive zones not separated from general areas.
- Shared-premises access not assessed.
- Out-of-hours access unmanaged.
- Emergency doors undermine the perimeter.
- Perimeter not reviewed after change.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 1
Note Metadata
Aliases: A.7.1 Evidence
Source: 04 Audit Evidence Packs/A.7.1 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.1 - Physical Security Perimeters
- Audit Evidence MOC
- AQ-ISO27001-A.7.1 Physical Security Perimeters
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.1 Physical Security Perimeters
- A.7.1 Audit Checklist
- Physical Security Perimeter Review Checklist
- Physical Security Zone Register
- Audit Evidence Index