What the auditor wants to verify
Audit objective
Verify that secure-area working rules are defined, risk-based, understood, and consistently applied to employees and third parties.
Evidence to request
| Evidence | Purpose |
|---|---|
| Secure-area working procedure | Shows rules are defined |
| Secure-area risk assessment | Shows control level matches sensitivity |
| Authorized personnel list | Shows who may work in the area |
| Visitor/contractor escort records | Shows third-party supervision |
| Device/media restriction records | Shows recording and removal risks are controlled |
| Work authorization records | Shows sensitive work is approved |
| Dual-control records | Shows high-risk actions are controlled |
| Interview evidence | Shows personnel understand the rules |
Strong evidence
Strong evidence test
Strong evidence proves secure working behavior, not only physical entry control.
- Secure-area work is identified and risk-assessed.
- Need-to-know, device, media, supervision, and dual-control rules are documented.
- Employees, contractors, and third parties follow the same rules.
- Exceptions are approved and time-bound.
- Interviews and observations match the procedure.
Weak evidence
Weak evidence warning
Weak evidence proves the room is restricted, but not that work inside the room is protected.
- Badge access exists but no secure working rules exist.
- Staff cannot explain restrictions.
- Contractors follow informal local practice.
- Phones/cameras are allowed by habit.
- No records exist for sensitive media or work authorization.
Sample interview questions
- What work is performed in this secure area?
- Who is allowed to know about or participate in the work?
- Can phones, cameras, or recording devices be brought inside?
- How is paper, media, or equipment moved in or out?
- When is supervision or dual control required?
- Do contractors follow the same rules?
Common nonconformities
- Secure working procedure missing.
- Need-to-know not defined or enforced.
- Device restrictions absent or ignored.
- Contractors and visitors not consistently supervised.
- Dual control not used where risk requires it.
- No records for exceptions or media movement.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 6
Note Metadata
Aliases: A.7.6 Evidence
Source: 04 Audit Evidence Packs/A.7.6 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.