What the auditor wants to verify
Audit objective
Verify that physical security for offices, rooms, and facilities is designed and implemented based on the information and assets inside.
Evidence to request
| Evidence | Purpose |
|---|---|
| Room/facility security assessment | Shows controls are selected based on area risk |
| Asset/classification mapping | Shows protection matches sensitivity and criticality |
| Secure room control list | Shows required controls are documented |
| Physical walkthrough evidence | Shows controls operate in practice |
| Signage and directory review | Shows target clues are controlled |
| Access restriction records | Shows sensitive rooms are restricted |
| Clear desk/clear screen checks | Shows information exposure is controlled |
| Review records | Shows controls are maintained after changes |
Strong evidence
Strong evidence test
Strong evidence ties room purpose, information/assets, risk, implemented controls, and review.
- Controls are based on value, liability, importance, and classification.
- Sensitive room purpose is not unnecessarily exposed.
- Internal directories and access clues are protected.
- Controls match the most sensitive or critical information in the area.
- Centralized repositories have stronger controls.
- Specialized controls are risk-assessed before use.
Weak evidence
Weak evidence warning
Weak evidence documents rooms but not whether the physical protection is appropriate.
- Server room or records room is clearly signposted.
- Phone lists or directories are visible to visitors.
- Door codes are written on notice boards.
- Room controls are not risk-based.
- High-value records sit in ordinary rooms without added controls.
- No review after layout or asset changes.
Sample interview questions
- Which rooms contain the most sensitive or critical information?
- How are room-level physical controls selected?
- How are internal directories and phone lists protected?
- Are sensitive rooms deliberately unsigned or neutrally labelled?
- What changes trigger a room security review?
Common nonconformities
- No room/facility security assessment.
- Controls not aligned to classification or asset criticality.
- Sensitive room purpose visible to unauthorized persons.
- Internal directories accessible outside the organization.
- Access codes exposed.
- Centralized repositories not protected as high-impact areas.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 3
Note Metadata
Aliases: A.7.3 Evidence
Source: 04 Audit Evidence Packs/A.7.3 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- Audit Evidence MOC
- AQ-ISO27001-A.7.3 Securing Offices, Rooms and Facilities
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.3 Securing Offices, Rooms and Facilities
- A.7.3 Audit Checklist
- Office Room and Facility Security Assessment
- Sensitive Room Signage and Directory Review
- Audit Evidence Index