UnixTime

Research Note

A.7.4 Audit Evidence Pack

- Monitoring scope is documented and risk-based. - Alerts have owners, response times, and escalation paths. - Monitoring tests are performed and recorded. - Monitoring staff kn...

On this page

What the auditor wants to verify

Audit objective

Verify that premises are continuously monitored for unauthorized physical access and that alerts are tested, escalated, and handled.

Evidence to request

Evidence Purpose
Physical monitoring procedure Shows monitoring process is documented
Monitoring scope/register Shows what is monitored
Alarm response procedure Shows response and escalation are defined
Monitoring service agreement Shows external monitoring responsibilities
Alarm test records Shows monitoring is tested
Alarm logs Shows alerts and responses are recorded
False alarm register Shows false positives are managed
Incident linkage records Shows information security involvement where relevant
Interview evidence Shows responders know what to do

Strong evidence

Strong evidence test

Strong evidence proves monitoring scope, response, testing, escalation, false-alarm handling, and incident linkage.

  • Monitoring scope is documented and risk-based.
  • Alerts have owners, response times, and escalation paths.
  • Monitoring tests are performed and recorded.
  • Monitoring staff know how to respond and escalate.
  • Information security is involved when information/assets may be affected.
  • False alarms are tracked and reduced.

Weak evidence

Weak evidence warning

Weak evidence proves alarms exist but not that monitoring works.

  • Alarm system exists but no response process.
  • Monitoring service responsibilities are unclear.
  • Tests are not performed.
  • Staff do not know who to notify.
  • Information security is excluded from physical breach response.
  • False alarms are frequent and not analyzed.

Sample interview questions

  • What areas are monitored and why?
  • What happens when an alarm is triggered?
  • How do you verify whether an alarm is false?
  • When is information security notified?
  • How often are alarms tested?
  • How are repeated false alarms handled?

Common nonconformities

  • Monitoring scope undocumented.
  • No alarm response procedure.
  • No test records.
  • No escalation chain.
  • False alarms not managed.
  • Physical breach response not linked to incident management.
  • Monitoring logs not reviewed or retained.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A7 4

Note Metadata

Aliases: A.7.4 Evidence

Source: 04 Audit Evidence Packs/A.7.4 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.