What the auditor wants to verify
Audit objective
Verify that premises are continuously monitored for unauthorized physical access and that alerts are tested, escalated, and handled.
Evidence to request
| Evidence | Purpose |
|---|---|
| Physical monitoring procedure | Shows monitoring process is documented |
| Monitoring scope/register | Shows what is monitored |
| Alarm response procedure | Shows response and escalation are defined |
| Monitoring service agreement | Shows external monitoring responsibilities |
| Alarm test records | Shows monitoring is tested |
| Alarm logs | Shows alerts and responses are recorded |
| False alarm register | Shows false positives are managed |
| Incident linkage records | Shows information security involvement where relevant |
| Interview evidence | Shows responders know what to do |
Strong evidence
Strong evidence test
Strong evidence proves monitoring scope, response, testing, escalation, false-alarm handling, and incident linkage.
- Monitoring scope is documented and risk-based.
- Alerts have owners, response times, and escalation paths.
- Monitoring tests are performed and recorded.
- Monitoring staff know how to respond and escalate.
- Information security is involved when information/assets may be affected.
- False alarms are tracked and reduced.
Weak evidence
Weak evidence warning
Weak evidence proves alarms exist but not that monitoring works.
- Alarm system exists but no response process.
- Monitoring service responsibilities are unclear.
- Tests are not performed.
- Staff do not know who to notify.
- Information security is excluded from physical breach response.
- False alarms are frequent and not analyzed.
Sample interview questions
- What areas are monitored and why?
- What happens when an alarm is triggered?
- How do you verify whether an alarm is false?
- When is information security notified?
- How often are alarms tested?
- How are repeated false alarms handled?
Common nonconformities
- Monitoring scope undocumented.
- No alarm response procedure.
- No test records.
- No escalation chain.
- False alarms not managed.
- Physical breach response not linked to incident management.
- Monitoring logs not reviewed or retained.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 4
Note Metadata
Aliases: A.7.4 Evidence
Source: 04 Audit Evidence Packs/A.7.4 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.4 - Physical Security Monitoring
- Audit Evidence MOC
- AQ-ISO27001-A.7.4 Physical Security Monitoring
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.4 Physical Security Monitoring
- A.7.4 Audit Checklist
- Physical Security Alarm Test Record
- Physical Security False Alarm Register
- Physical Security Monitoring Procedure
- Audit Evidence Index