What the auditor wants to verify
Audit objective
Verify that physical and environmental threats have been identified, risk-assessed, protected against, and connected to continuity and response arrangements.
Evidence to request
| Evidence | Purpose |
|---|---|
| Physical/environmental threat assessment | Shows relevant hazards were identified |
| Site risk assessment | Shows location, building, and neighbor risks were considered |
| Specialist advice or inspection records | Shows competent input where needed |
| Fire/flood/environmental protection records | Shows protective controls are implemented |
| Maintenance and inspection records | Shows controls remain effective |
| BCP/ICT continuity linkage | Shows fallback and backups align to physical risk |
| Training records | Shows responsible staff know what to do |
| Walkthrough/housekeeping records | Shows practical weaknesses are inspected |
Strong evidence
Strong evidence test
Strong evidence links hazards to implemented controls, specialist advice, continuity assumptions, training, and inspection.
- Hazard assessment includes site, room, utility, and neighbor risks.
- Specialist advice exists for material hazards.
- Controls are implemented and maintained.
- Continuity arrangements account for physical site failure and secondary effects.
- Walkthrough records identify and correct degraded controls.
- Training records cover relevant response roles.
Weak evidence
Weak evidence warning
Weak evidence shows generic safety activity but not ISMS-relevant physical and environmental protection.
- Generic safety policy with no information asset linkage.
- Fire extinguishers exist but no hazard assessment exists.
- BCP ignores server room, utility, or cooling failure.
- No evidence of specialist advice for material hazards.
- Practical site weaknesses remain unresolved.
Sample interview questions
- What physical or environmental hazards are most relevant to this site?
- How were neighboring premises considered?
- What specialist advice was obtained?
- What happens if power fails and cooling is lost?
- How do physical threat controls link to business continuity?
- When were these controls last inspected?
Common nonconformities
- Hazard assessment missing or generic.
- Neighboring-site risks not considered.
- Controls not implemented as documented.
- Fire doors, extinguishers, or access routes blocked.
- Server rooms or records exposed to water, heat, or fire risk.
- Continuity plans do not match physical site risk.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 5
Note Metadata
Aliases: A.7.5 Evidence
Source: 04 Audit Evidence Packs/A.7.5 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- Audit Evidence MOC
- AQ-ISO27001-A.7.5 Protecting Against Physical and Environmental Threats
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.5 Protecting Against Physical and Environmental Threats
- A.7.5 Audit Checklist
- Environmental Protection Inspection Checklist
- Physical and Environmental Threat Assessment
- Audit Evidence Index