What the auditor wants to verify
Audit objective
Verify that networks and network devices are secured, managed, monitored, and controlled to protect information in systems and applications.
Evidence to request
| Evidence | Purpose |
|---|---|
| Network architecture and topology diagrams | Shows network scope, zones, and trust boundaries |
| Network security standard | Shows required controls and procedures |
| Firewall/router/switch configuration reviews | Shows configuration matches intended control |
| Network device access records | Shows administration is restricted and accountable |
| Network change records | Shows changes are authorized |
| Zoning or segmentation test evidence | Shows boundaries are enforced |
| Network monitoring and fault records | Shows problems and potential breaches are detected |
| Virtual/cloud network reviews | Shows non-physical networks are included |
Strong evidence
- Diagrams match actual network configuration.
- Sensitive traffic paths and public network exposure are identified.
- Network zones are enforced and tested.
- Network device administration is restricted, logged, and reviewed.
- Firewall and routing rules are justified and reviewed.
- Virtual/cloud networks, hypervisors, admin networks, backup links, and DR links are in scope.
- Monitoring records feed incident or corrective action where needed.
Weak evidence
- Diagrams are stale or incomplete.
- Flat network has no risk justification.
- Firewall rules are broad, old, or ownerless.
- Shared admin accounts exist on network devices.
- Virtual networks are excluded from review.
- Backup or administrative networks bypass normal zoning.
- Monitoring identifies faults but does not trigger security escalation.
Sample interview questions
- How are network zones defined and enforced?
- Which network paths carry sensitive traffic?
- Who can administer network devices?
- How are firewall and routing changes approved?
- How are virtual and cloud networks reviewed?
- What monitoring detects network faults or breaches?
- Which network paths could bypass the intended architecture?
Common nonconformities
- Network topology is not current.
- Zoning is not implemented or tested.
- Network devices are not securely configured.
- Administrative networks are unmanaged.
- Virtual/cloud networks are out of scope.
- Network changes lack approval.
- Security alerts from network monitoring are not escalated.
Related notes
- Audit
- Evidence
- A8 20
- Iso27001
Note Metadata
Aliases: A.8.20 Evidence
Source: 04 Audit Evidence Packs/A.8.20 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.20 - Networks Security
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.20 Networks Security
- A.8.20 Audit Checklist
- Network Device Configuration and Change Review
- Network Monitoring and Corrective Action Register
- Network Security Architecture and Zoning Standard
- Virtual Network and Hypervisor Security Review
- Audit Evidence Index