UnixTime

Research Note

A.7.8 Audit Evidence Pack

- Equipment inventory includes location, owner, and protection requirement. - Siting assessment covers physical, environmental, viewing, access, and interference risks. - Networ...

On this page

What the auditor wants to verify

Audit objective

Verify that equipment is securely sited, physically protected, protected from realistic hazards, and included in inventory, scope, and risk assessment.

Evidence to request

Evidence Purpose
Equipment inventory Shows equipment is known, owned, and located
Equipment siting assessment Shows location and exposure risks were assessed
Equipment protection inspection records Shows protections are checked in practice
Network/communications room access records Shows sensitive equipment access is controlled
Environmental monitoring/maintenance records Shows heat, humidity, power, and other conditions are managed
Remote equipment register Shows remote equipment is included in scope
Staff awareness/training records Shows users know equipment protection rules
Housekeeping/eating/drinking rules Shows accidental damage risks are controlled

Strong evidence

Strong evidence test

Strong evidence connects equipment location, inventory, risk assessment, protection, and walkthrough observations.

  • Equipment inventory includes location, owner, and protection requirement.
  • Siting assessment covers physical, environmental, viewing, access, and interference risks.
  • Network and communications equipment is locked or access-controlled.
  • Remote equipment is inventoried and included in risk assessment.
  • Walkthrough evidence confirms equipment is protected from obvious hazards.
  • Staff rules are communicated and enforced.

Weak evidence

Weak evidence warning

Weak evidence proves equipment exists but not that it is securely located or protected.

  • Inventory exists but does not show location or owner.
  • Network cupboards are unlocked.
  • Screens face public or visitor areas.
  • Remote equipment is missing from scope.
  • Environmental risks are assumed away.
  • Staff keep drinks, food, clutter, or magnets near equipment.

Sample interview questions

  • How do you decide where equipment is located?
  • Who owns this equipment and where is it recorded?
  • What environmental hazards could affect it?
  • Who can access communications rooms, cupboards, or patch panels?
  • How do you protect screens from unauthorized viewing?
  • What remote equipment is in scope?
  • What rules exist for eating, drinking, smoking, and housekeeping near equipment?

Common nonconformities

  • Equipment location risks not assessed.
  • Network equipment accessible to unauthorized people.
  • Remote equipment not inventoried or risk-assessed.
  • Screens visible from public or visitor areas.
  • Equipment exposed to water, heat, dust, vibration, chemicals, or fire hazards.
  • Staff awareness and housekeeping controls missing.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A7 8

Note Metadata

Aliases: A.7.8 Evidence

Source: 04 Audit Evidence Packs/A.7.8 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.