What the auditor wants to verify
Audit objective
Verify that secure areas are protected by appropriate entry controls and access points.
The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.
Evidence to request
| Evidence | Purpose |
|---|---|
| Secure-area register | Shows secure areas are defined |
| Physical access authorization records | Shows access is approved |
| Physical access logs | Shows entry is recorded where needed |
| Physical access review | Shows access remains appropriate |
| Visitor logs | Shows visitors are tracked |
| Badge/key/card procedures | Shows entry mechanisms are controlled |
| Delivery/despatch logs | Shows goods movement is controlled |
| Loading area procedures | Shows delivery routes do not bypass security |
| Asset inventory update records | Shows received/despatched assets are reflected in inventory |
Strong evidence
Strong evidence test
Strong evidence shows authorization, identification, access logging, visitor control, delivery control, and review.
- Secure areas are identified by risk assessment.
- Entry controls match area sensitivity.
- Staff and visitors are identifiable.
- Visitors are registered, escorted, and restricted.
- Access rights are reviewed and revoked when no longer needed.
- Delivery/loading areas are separated from secure zones.
- Delivery/despatch records and inventory updates are complete.
Weak evidence
Weak evidence warning
Weak evidence shows entry technology exists, not that entry is controlled.
- Staff do not wear badges.
- Visitors can move unescorted.
- Access cards are not removed for leavers.
- Shared keys or door codes are used without logs.
- Loading bay gives access to secure areas.
- Delivery records are incomplete.
- Physical access is never reviewed.
Sample interview questions
- Which secure areas require special entry control?
- How are staff and visitor identities checked?
- What happens if someone is not wearing a badge?
- How are physical access rights reviewed?
- How are deliveries inspected and recorded?
- Can delivery staff reach internal secure areas?
Common nonconformities
- No secure-area list.
- Physical access rights not reviewed.
- Visitor escort not enforced.
- Unbadged persons not challenged.
- Shared keys or PINs with no accountability.
- Delivery/loading routes bypass secure areas.
- Asset inventory not updated after goods movement.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 2
Note Metadata
Aliases: A.7.2 Evidence
Source: 04 Audit Evidence Packs/A.7.2 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.2 - Physical Entry
- Audit Evidence MOC
- AQ-ISO27001-A.7.2 Physical Entry
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.2 Physical Entry
- A.7.2 Audit Checklist
- Delivery and Loading Area Security Checklist
- Physical Entry Access Review
- Secure Area Access Register
- Visitor Access Log
- Audit Evidence Index