What the auditor wants to verify
Audit objective
Verify that groups of services, users, and systems are segregated in networks according to security requirements.
Evidence to request
| Evidence | Purpose |
|---|---|
| Network zone model | Shows intended segregation |
| Zone and connection matrix | Shows allowed flows |
| Firewall/routing/security group rules | Shows technical enforcement |
| Segmentation test records | Shows boundaries work |
| Wireless risk assessment | Shows wireless access is controlled |
| Change and exception records | Shows modifications are approved |
Strong evidence
- Zones are risk-based and documented.
- Systems and services are assigned to zones.
- Inter-zone rules are specific and reviewed.
- Wireless and cloud networks are included.
- Segmentation tests validate allowed and blocked paths.
- Exceptions are approved and time-bound where practical.
Weak evidence
- Network is flat with no justification.
- Zones exist only in diagrams.
- Broad any-any rules exist between zones.
- Guest wireless reaches internal systems.
- Cloud networks are not reviewed.
- Performance changes bypass segregation.
Sample interview questions
- What network zones exist?
- Which systems belong to each zone?
- How is traffic between zones controlled?
- How is wireless access to internal networks risk-assessed?
- How are performance-driven exceptions approved?
Common nonconformities
- Zones are not documented.
- Inter-zone controls are too broad.
- Wireless networks bypass controls.
- Segmentation is not tested.
- Cloud or virtual networks are excluded.
Related notes
- Audit
- Evidence
- A8 22
- Iso27001
Note Metadata
Aliases: A.8.22 Evidence
Source: 04 Audit Evidence Packs/A.8.22 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.