UnixTime

Research Note

A.7.5 Audit Evidence Pack

- Hazard assessment includes site, room, utility, and neighbor risks. - Specialist advice exists for material hazards. - Controls are implemented and maintained. - Continuity ar...

On this page

What the auditor wants to verify

Audit objective

Verify that physical and environmental threats have been identified, risk-assessed, protected against, and connected to continuity and response arrangements.

Evidence to request

Evidence Purpose
Physical/environmental threat assessment Shows relevant hazards were identified
Site risk assessment Shows location, building, and neighbor risks were considered
Specialist advice or inspection records Shows competent input where needed
Fire/flood/environmental protection records Shows protective controls are implemented
Maintenance and inspection records Shows controls remain effective
BCP/ICT continuity linkage Shows fallback and backups align to physical risk
Training records Shows responsible staff know what to do
Walkthrough/housekeeping records Shows practical weaknesses are inspected

Strong evidence

Strong evidence test

Strong evidence links hazards to implemented controls, specialist advice, continuity assumptions, training, and inspection.

  • Hazard assessment includes site, room, utility, and neighbor risks.
  • Specialist advice exists for material hazards.
  • Controls are implemented and maintained.
  • Continuity arrangements account for physical site failure and secondary effects.
  • Walkthrough records identify and correct degraded controls.
  • Training records cover relevant response roles.

Weak evidence

Weak evidence warning

Weak evidence shows generic safety activity but not ISMS-relevant physical and environmental protection.

  • Generic safety policy with no information asset linkage.
  • Fire extinguishers exist but no hazard assessment exists.
  • BCP ignores server room, utility, or cooling failure.
  • No evidence of specialist advice for material hazards.
  • Practical site weaknesses remain unresolved.

Sample interview questions

  • What physical or environmental hazards are most relevant to this site?
  • How were neighboring premises considered?
  • What specialist advice was obtained?
  • What happens if power fails and cooling is lost?
  • How do physical threat controls link to business continuity?
  • When were these controls last inspected?

Common nonconformities

  • Hazard assessment missing or generic.
  • Neighboring-site risks not considered.
  • Controls not implemented as documented.
  • Fire doors, extinguishers, or access routes blocked.
  • Server rooms or records exposed to water, heat, or fire risk.
  • Continuity plans do not match physical site risk.