UnixTime

Research Note

A.7 Physical Controls Audit Guide

1. Review zone registers, floor/security diagrams, and risk assessment. 2. Walk the physical site and test practical bypass paths. 3. Observe badge use, visitor handling, recept...

On this page

Auditor lens

Use this page when planning first-party audit tests for physical security controls.

Audit objectives

Control What to verify Evidence pack
A.7.1 Physical Security Perimeters Physical perimeters are defined, risk-based, complete enough for purpose, and reviewed A.7.1 Audit Evidence Pack
A.7.2 Physical Entry Entry controls restrict secure areas to authorized people and control visitors, deliveries, and access reviews A.7.2 Audit Evidence Pack
A.7.3 Securing Offices Rooms and Facilities Offices, rooms, and facilities have physical controls matching the information/assets inside A.7.3 Audit Evidence Pack
A.7.4 Physical Security Monitoring Premises are continuously monitored and alarms are tested, escalated, and linked to incident handling A.7.4 Audit Evidence Pack
A.7.5 Protecting Against Physical and Environmental Threats Physical/environmental hazards are identified, protected against, and aligned to continuity A.7.5 Audit Evidence Pack
A.7.6 Working in Secure Areas Secure-area working rules are defined and applied to sensitive work A.7.6 Audit Evidence Pack
A.7.7 Clear Desk and Clear Screen Clear desk/screen rules are defined, observed, technically supported, and enforced A.7.7 Audit Evidence Pack
A.7.8 Equipment Siting and Protection Equipment is securely located, protected from hazards/interference, and included in inventory and risk scope A.7.8 Audit Evidence Pack
A.7.9 Security of Assets Off-Premises Off-site assets are authorized, protected, tracked, periodically confirmed, returned, and risk-accepted where needed A.7.9 Audit Evidence Pack
A.7.10 Storage Media Storage media is controlled across acquisition, use, transport, storage, erasure, disposal, destruction, and damaged-media handling A.7.10 Audit Evidence Pack
A.7.11 Supporting Utilities Supporting utilities are identified, tested, maintained, monitored, and aligned to availability and continuity requirements A.7.11 Audit Evidence Pack
A.7.12 Cabling Security Power, data, and supporting service cables are protected from interception, interference, and damage A.7.12 Audit Evidence Pack
A.7.13 Equipment Maintenance Equipment maintenance is planned, recorded, performed by authorized personnel, and protects information during work A.7.13 Audit Evidence Pack
A.7.14 Secure Disposal or Re-Use of Equipment Equipment containing storage media is verified before reuse/disposal so sensitive data and licensed software are removed A.7.14 Audit Evidence Pack

Audit approach

  1. Review zone registers, floor/security diagrams, and risk assessment.
  2. Walk the physical site and test practical bypass paths.
  3. Observe badge use, visitor handling, reception, fire doors, and loading routes.
  4. Sample access logs, visitor records, and delivery/despatch records.
  5. Review room signage, directories, phone lists, and access-code exposure.
  6. Sample alarm tests, alarm logs, false alarms, and escalation records.
  7. Walk the site for fire, flood, environmental, neighbor, and housekeeping hazards.
  8. Observe secure-area work practices, device restrictions, supervision, and media movement.
  9. Check desks, screens, printers, fax machines, and unattended information.
  10. Inspect equipment siting, screen exposure, network cupboards, racks, environmental hazards, and remote-equipment records.
  11. Sample off-premises asset authorizations, registers, long-term attestations, return records, and BYOD controls.
  12. Sample storage media inventory, movement logs, transport records, destruction evidence, and damaged-media decisions.
  13. Review supporting utility dependency maps, UPS/generator tests, HVAC records, telecoms redundancy, utility alarms, emergency lighting, and BMS security.
  14. Walk cable routes, cabinets, patch panels, and external junction exposure.
  15. Sample equipment maintenance schedules, fault logs, maintainer access, and post-maintenance checks.
  16. Sample equipment disposal/reuse records, sanitization proof, hidden storage checks, and repair dispatch decisions.
  17. Compare physical access rights to current personnel and role need.
  18. Verify asset inventory updates after relevant deliveries/despatch.
  19. Raise findings where the physical control exists on paper but not in behavior.

Common audit challenges

Challenge Audit response
Facilities owns the process, not security Include facilities and reception/security in audit scope
Site diagram is treated as evidence Walk the site and inspect bypass routes
Badge process exists but is not followed Observe behavior and interview personnel
Loading bay is seen as logistics only Test it as a physical entry route into secure areas
Access logs exist but are not reviewed Check review frequency, findings, and removals
Room labels are treated as harmless Test whether signs/directories expose sensitive targets
Alarm system exists Test response, escalation, false alarm handling, and information security involvement
Environmental protection is treated as safety-only Link hazards to information assets, ICT continuity, and evidence
Secure area has a locked door Test working practices inside the area
Clear desk policy exists Inspect real desks, screens, printers, and enforcement records
Equipment inventory exists Check where equipment is sited, who can access it, and what can damage or expose it
Remote work is approved Check off-site asset custody, protection, return, and accepted risk
Media policy exists Test media movement, transport, disposal, and damaged-media records
UPS or generator exists Test runtime, load, cooling dependency, maintenance, alarms, and documented requirements
Cable diagram exists Walk routes and inspect labels, protection, segregation, and access to terminations
Maintenance vendor is trusted Check authorization, escorting, data protection, and tamper checks
Disposal certificate exists Confirm asset-level sanitization/destruction and hidden storage coverage
  • Iso27001
  • ISO27002
  • Auditor guide
  • Physical controls
  • Internal audit

Note Metadata

Aliases: A.7 Audit Guide

Source: 06 Auditor Guide/A.7 Physical Controls Audit Guide.md

Graph-sourced resources

Templates and evidence