UnixTime

Research Note

A.7.6 Audit Evidence Pack

- Secure-area work is identified and risk-assessed. - Need-to-know, device, media, supervision, and dual-control rules are documented. - Employees, contractors, and third partie...

On this page

What the auditor wants to verify

Audit objective

Verify that secure-area working rules are defined, risk-based, understood, and consistently applied to employees and third parties.

Evidence to request

Evidence Purpose
Secure-area working procedure Shows rules are defined
Secure-area risk assessment Shows control level matches sensitivity
Authorized personnel list Shows who may work in the area
Visitor/contractor escort records Shows third-party supervision
Device/media restriction records Shows recording and removal risks are controlled
Work authorization records Shows sensitive work is approved
Dual-control records Shows high-risk actions are controlled
Interview evidence Shows personnel understand the rules

Strong evidence

Strong evidence test

Strong evidence proves secure working behavior, not only physical entry control.

  • Secure-area work is identified and risk-assessed.
  • Need-to-know, device, media, supervision, and dual-control rules are documented.
  • Employees, contractors, and third parties follow the same rules.
  • Exceptions are approved and time-bound.
  • Interviews and observations match the procedure.

Weak evidence

Weak evidence warning

Weak evidence proves the room is restricted, but not that work inside the room is protected.

  • Badge access exists but no secure working rules exist.
  • Staff cannot explain restrictions.
  • Contractors follow informal local practice.
  • Phones/cameras are allowed by habit.
  • No records exist for sensitive media or work authorization.

Sample interview questions

  • What work is performed in this secure area?
  • Who is allowed to know about or participate in the work?
  • Can phones, cameras, or recording devices be brought inside?
  • How is paper, media, or equipment moved in or out?
  • When is supervision or dual control required?
  • Do contractors follow the same rules?

Common nonconformities

  • Secure working procedure missing.
  • Need-to-know not defined or enforced.
  • Device restrictions absent or ignored.
  • Contractors and visitors not consistently supervised.
  • Dual control not used where risk requires it.
  • No records for exceptions or media movement.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A7 6

Note Metadata

Aliases: A.7.6 Evidence

Source: 04 Audit Evidence Packs/A.7.6 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.