What the auditor wants to verify
Audit objective
Verify that information processing facilities are protected from failures in power, cooling, telecommunications, water, fire protection, emergency lighting, and other supporting utilities.
Evidence to request
| Evidence | Purpose |
|---|---|
| Supporting utility dependency register | Shows required utilities are identified |
| Utility inspection and test logs | Shows utilities are regularly tested |
| UPS/generator capacity records | Shows runtime and load capacity are verified |
| HVAC maintenance/alarm records | Shows cooling is maintained and monitored |
| Telecommunications redundancy records | Shows connectivity resilience is assessed |
| Emergency lighting test records | Shows power-failure safety support |
| Supplier/service agreements | Shows external provider responsibilities |
| BMS security review | Shows in-scope building systems are protected |
Strong evidence
Strong evidence test
Strong evidence proves utility dependencies are mapped to critical facilities and tested against documented availability requirements.
- Critical facilities have documented utility dependencies.
- UPS/generator tests include load, runtime, cooling, and maintenance evidence.
- Alarms detect utility failures and trigger response.
- Telecoms redundancy is implemented or risk-accepted.
- Utility service requirements align to BCP/ICT continuity.
- Building management systems in scope have security controls.
Weak evidence
Weak evidence warning
Weak evidence shows equipment exists but not that utility resilience will work during a real outage.
- UPS exists but no test records exist.
- Generator runtime is assumed.
- Cooling load is excluded.
- Utility alarms are not tested.
- BMS is unmanaged from an IT/security perspective.
- Continuity requirements do not define required operating period.
Sample interview questions
- Which utilities are essential for critical information processing facilities?
- How long must the facility operate during power loss?
- Does UPS/generator capacity include cooling and network equipment?
- How often are utilities tested?
- Who receives utility failure alarms?
- What redundant telecommunications links exist?
- How are building management systems patched, backed up, and monitored?
Common nonconformities
- Utility dependencies not documented.
- UPS/generator not tested under realistic load.
- Cooling not included in resilience calculations.
- Utility inspection records missing.
- Emergency lighting not tested.
- Redundant utility connections not considered for critical services.
- Building management systems in scope not protected as IT systems.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 11
Note Metadata
Aliases: A.7.11 Evidence
Source: 04 Audit Evidence Packs/A.7.11 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.11 - Supporting Utilities
- Audit Evidence MOC
- AQ-ISO27001-A.7.11 Supporting Utilities
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.11 Supporting Utilities
- A.7.11 Audit Checklist
- Building Management System Security Review
- Supporting Utility Dependency Register
- Supporting Utility Inspection and Test Log
- UPS and Generator Capacity Test Record
- Audit Evidence Index