UnixTime

Research Note

A.7.3 Audit Evidence Pack

- Controls are based on value, liability, importance, and classification. - Sensitive room purpose is not unnecessarily exposed. - Internal directories and access clues are prot...

On this page

What the auditor wants to verify

Audit objective

Verify that physical security for offices, rooms, and facilities is designed and implemented based on the information and assets inside.

Evidence to request

Evidence Purpose
Room/facility security assessment Shows controls are selected based on area risk
Asset/classification mapping Shows protection matches sensitivity and criticality
Secure room control list Shows required controls are documented
Physical walkthrough evidence Shows controls operate in practice
Signage and directory review Shows target clues are controlled
Access restriction records Shows sensitive rooms are restricted
Clear desk/clear screen checks Shows information exposure is controlled
Review records Shows controls are maintained after changes

Strong evidence

Strong evidence test

Strong evidence ties room purpose, information/assets, risk, implemented controls, and review.

  • Controls are based on value, liability, importance, and classification.
  • Sensitive room purpose is not unnecessarily exposed.
  • Internal directories and access clues are protected.
  • Controls match the most sensitive or critical information in the area.
  • Centralized repositories have stronger controls.
  • Specialized controls are risk-assessed before use.

Weak evidence

Weak evidence warning

Weak evidence documents rooms but not whether the physical protection is appropriate.

  • Server room or records room is clearly signposted.
  • Phone lists or directories are visible to visitors.
  • Door codes are written on notice boards.
  • Room controls are not risk-based.
  • High-value records sit in ordinary rooms without added controls.
  • No review after layout or asset changes.

Sample interview questions

  • Which rooms contain the most sensitive or critical information?
  • How are room-level physical controls selected?
  • How are internal directories and phone lists protected?
  • Are sensitive rooms deliberately unsigned or neutrally labelled?
  • What changes trigger a room security review?

Common nonconformities

  • No room/facility security assessment.
  • Controls not aligned to classification or asset criticality.
  • Sensitive room purpose visible to unauthorized persons.
  • Internal directories accessible outside the organization.
  • Access codes exposed.
  • Centralized repositories not protected as high-impact areas.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A7 3

Note Metadata

Aliases: A.7.3 Evidence

Source: 04 Audit Evidence Packs/A.7.3 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.