UnixTime

Research Note

A.8.22 Audit Evidence Pack

- Zones are risk-based and documented. - Systems and services are assigned to zones. - Inter-zone rules are specific and reviewed. - Wireless and cloud networks are included. -...

On this page

What the auditor wants to verify

Audit objective

Verify that groups of services, users, and systems are segregated in networks according to security requirements.

Evidence to request

Evidence Purpose
Network zone model Shows intended segregation
Zone and connection matrix Shows allowed flows
Firewall/routing/security group rules Shows technical enforcement
Segmentation test records Shows boundaries work
Wireless risk assessment Shows wireless access is controlled
Change and exception records Shows modifications are approved

Strong evidence

  • Zones are risk-based and documented.
  • Systems and services are assigned to zones.
  • Inter-zone rules are specific and reviewed.
  • Wireless and cloud networks are included.
  • Segmentation tests validate allowed and blocked paths.
  • Exceptions are approved and time-bound where practical.

Weak evidence

  • Network is flat with no justification.
  • Zones exist only in diagrams.
  • Broad any-any rules exist between zones.
  • Guest wireless reaches internal systems.
  • Cloud networks are not reviewed.
  • Performance changes bypass segregation.

Sample interview questions

  • What network zones exist?
  • Which systems belong to each zone?
  • How is traffic between zones controlled?
  • How is wireless access to internal networks risk-assessed?
  • How are performance-driven exceptions approved?

Common nonconformities

  • Zones are not documented.
  • Inter-zone controls are too broad.
  • Wireless networks bypass controls.
  • Segmentation is not tested.
  • Cloud or virtual networks are excluded.
  • Audit
  • Evidence
  • A8 22
  • Iso27001

Note Metadata

Aliases: A.8.22 Evidence

Source: 04 Audit Evidence Packs/A.8.22 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.