What the auditor wants to verify
Audit objective
Verify that equipment is securely sited, physically protected, protected from realistic hazards, and included in inventory, scope, and risk assessment.
Evidence to request
| Evidence | Purpose |
|---|---|
| Equipment inventory | Shows equipment is known, owned, and located |
| Equipment siting assessment | Shows location and exposure risks were assessed |
| Equipment protection inspection records | Shows protections are checked in practice |
| Network/communications room access records | Shows sensitive equipment access is controlled |
| Environmental monitoring/maintenance records | Shows heat, humidity, power, and other conditions are managed |
| Remote equipment register | Shows remote equipment is included in scope |
| Staff awareness/training records | Shows users know equipment protection rules |
| Housekeeping/eating/drinking rules | Shows accidental damage risks are controlled |
Strong evidence
Strong evidence test
Strong evidence connects equipment location, inventory, risk assessment, protection, and walkthrough observations.
- Equipment inventory includes location, owner, and protection requirement.
- Siting assessment covers physical, environmental, viewing, access, and interference risks.
- Network and communications equipment is locked or access-controlled.
- Remote equipment is inventoried and included in risk assessment.
- Walkthrough evidence confirms equipment is protected from obvious hazards.
- Staff rules are communicated and enforced.
Weak evidence
Weak evidence warning
Weak evidence proves equipment exists but not that it is securely located or protected.
- Inventory exists but does not show location or owner.
- Network cupboards are unlocked.
- Screens face public or visitor areas.
- Remote equipment is missing from scope.
- Environmental risks are assumed away.
- Staff keep drinks, food, clutter, or magnets near equipment.
Sample interview questions
- How do you decide where equipment is located?
- Who owns this equipment and where is it recorded?
- What environmental hazards could affect it?
- Who can access communications rooms, cupboards, or patch panels?
- How do you protect screens from unauthorized viewing?
- What remote equipment is in scope?
- What rules exist for eating, drinking, smoking, and housekeeping near equipment?
Common nonconformities
- Equipment location risks not assessed.
- Network equipment accessible to unauthorized people.
- Remote equipment not inventoried or risk-assessed.
- Screens visible from public or visitor areas.
- Equipment exposed to water, heat, dust, vibration, chemicals, or fire hazards.
- Staff awareness and housekeeping controls missing.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 8
Note Metadata
Aliases: A.7.8 Evidence
Source: 04 Audit Evidence Packs/A.7.8 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.8 - Equipment Siting and Protection
- Audit Evidence MOC
- AQ-ISO27001-A.7.8 Equipment Siting and Protection
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.8 Equipment Siting and Protection
- A.7.8 Audit Checklist
- Equipment Protection Inspection Checklist
- Equipment Siting and Protection Assessment
- Remote Equipment Register
- Audit Evidence Index