UnixTime

Research Note

A.8.20 Audit Evidence Pack

- Diagrams match actual network configuration. - Sensitive traffic paths and public network exposure are identified. - Network zones are enforced and tested. - Network device ad...

On this page

What the auditor wants to verify

Audit objective

Verify that networks and network devices are secured, managed, monitored, and controlled to protect information in systems and applications.

Evidence to request

Evidence Purpose
Network architecture and topology diagrams Shows network scope, zones, and trust boundaries
Network security standard Shows required controls and procedures
Firewall/router/switch configuration reviews Shows configuration matches intended control
Network device access records Shows administration is restricted and accountable
Network change records Shows changes are authorized
Zoning or segmentation test evidence Shows boundaries are enforced
Network monitoring and fault records Shows problems and potential breaches are detected
Virtual/cloud network reviews Shows non-physical networks are included

Strong evidence

  • Diagrams match actual network configuration.
  • Sensitive traffic paths and public network exposure are identified.
  • Network zones are enforced and tested.
  • Network device administration is restricted, logged, and reviewed.
  • Firewall and routing rules are justified and reviewed.
  • Virtual/cloud networks, hypervisors, admin networks, backup links, and DR links are in scope.
  • Monitoring records feed incident or corrective action where needed.

Weak evidence

  • Diagrams are stale or incomplete.
  • Flat network has no risk justification.
  • Firewall rules are broad, old, or ownerless.
  • Shared admin accounts exist on network devices.
  • Virtual networks are excluded from review.
  • Backup or administrative networks bypass normal zoning.
  • Monitoring identifies faults but does not trigger security escalation.

Sample interview questions

  • How are network zones defined and enforced?
  • Which network paths carry sensitive traffic?
  • Who can administer network devices?
  • How are firewall and routing changes approved?
  • How are virtual and cloud networks reviewed?
  • What monitoring detects network faults or breaches?
  • Which network paths could bypass the intended architecture?

Common nonconformities

  • Network topology is not current.
  • Zoning is not implemented or tested.
  • Network devices are not securely configured.
  • Administrative networks are unmanaged.
  • Virtual/cloud networks are out of scope.
  • Network changes lack approval.
  • Security alerts from network monitoring are not escalated.