UnixTime

Research Note

A.7.2 Audit Evidence Pack

The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.

On this page

What the auditor wants to verify

Audit objective

Verify that secure areas are protected by appropriate entry controls and access points.

The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.

Evidence to request

Evidence Purpose
Secure-area register Shows secure areas are defined
Physical access authorization records Shows access is approved
Physical access logs Shows entry is recorded where needed
Physical access review Shows access remains appropriate
Visitor logs Shows visitors are tracked
Badge/key/card procedures Shows entry mechanisms are controlled
Delivery/despatch logs Shows goods movement is controlled
Loading area procedures Shows delivery routes do not bypass security
Asset inventory update records Shows received/despatched assets are reflected in inventory

Strong evidence

Strong evidence test

Strong evidence shows authorization, identification, access logging, visitor control, delivery control, and review.

  • Secure areas are identified by risk assessment.
  • Entry controls match area sensitivity.
  • Staff and visitors are identifiable.
  • Visitors are registered, escorted, and restricted.
  • Access rights are reviewed and revoked when no longer needed.
  • Delivery/loading areas are separated from secure zones.
  • Delivery/despatch records and inventory updates are complete.

Weak evidence

Weak evidence warning

Weak evidence shows entry technology exists, not that entry is controlled.

  • Staff do not wear badges.
  • Visitors can move unescorted.
  • Access cards are not removed for leavers.
  • Shared keys or door codes are used without logs.
  • Loading bay gives access to secure areas.
  • Delivery records are incomplete.
  • Physical access is never reviewed.

Sample interview questions

  • Which secure areas require special entry control?
  • How are staff and visitor identities checked?
  • What happens if someone is not wearing a badge?
  • How are physical access rights reviewed?
  • How are deliveries inspected and recorded?
  • Can delivery staff reach internal secure areas?

Common nonconformities

  • No secure-area list.
  • Physical access rights not reviewed.
  • Visitor escort not enforced.
  • Unbadged persons not challenged.
  • Shared keys or PINs with no accountability.
  • Delivery/loading routes bypass secure areas.
  • Asset inventory not updated after goods movement.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A7 2

Note Metadata

Aliases: A.7.2 Evidence

Source: 04 Audit Evidence Packs/A.7.2 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.