Auditor lens
Use this page when planning first-party audit tests for physical security controls.
Audit objectives
| Control | What to verify | Evidence pack |
|---|---|---|
| A.7.1 Physical Security Perimeters | Physical perimeters are defined, risk-based, complete enough for purpose, and reviewed | A.7.1 Audit Evidence Pack |
| A.7.2 Physical Entry | Entry controls restrict secure areas to authorized people and control visitors, deliveries, and access reviews | A.7.2 Audit Evidence Pack |
| A.7.3 Securing Offices Rooms and Facilities | Offices, rooms, and facilities have physical controls matching the information/assets inside | A.7.3 Audit Evidence Pack |
| A.7.4 Physical Security Monitoring | Premises are continuously monitored and alarms are tested, escalated, and linked to incident handling | A.7.4 Audit Evidence Pack |
| A.7.5 Protecting Against Physical and Environmental Threats | Physical/environmental hazards are identified, protected against, and aligned to continuity | A.7.5 Audit Evidence Pack |
| A.7.6 Working in Secure Areas | Secure-area working rules are defined and applied to sensitive work | A.7.6 Audit Evidence Pack |
| A.7.7 Clear Desk and Clear Screen | Clear desk/screen rules are defined, observed, technically supported, and enforced | A.7.7 Audit Evidence Pack |
| A.7.8 Equipment Siting and Protection | Equipment is securely located, protected from hazards/interference, and included in inventory and risk scope | A.7.8 Audit Evidence Pack |
| A.7.9 Security of Assets Off-Premises | Off-site assets are authorized, protected, tracked, periodically confirmed, returned, and risk-accepted where needed | A.7.9 Audit Evidence Pack |
| A.7.10 Storage Media | Storage media is controlled across acquisition, use, transport, storage, erasure, disposal, destruction, and damaged-media handling | A.7.10 Audit Evidence Pack |
| A.7.11 Supporting Utilities | Supporting utilities are identified, tested, maintained, monitored, and aligned to availability and continuity requirements | A.7.11 Audit Evidence Pack |
| A.7.12 Cabling Security | Power, data, and supporting service cables are protected from interception, interference, and damage | A.7.12 Audit Evidence Pack |
| A.7.13 Equipment Maintenance | Equipment maintenance is planned, recorded, performed by authorized personnel, and protects information during work | A.7.13 Audit Evidence Pack |
| A.7.14 Secure Disposal or Re-Use of Equipment | Equipment containing storage media is verified before reuse/disposal so sensitive data and licensed software are removed | A.7.14 Audit Evidence Pack |
Audit approach
- Review zone registers, floor/security diagrams, and risk assessment.
- Walk the physical site and test practical bypass paths.
- Observe badge use, visitor handling, reception, fire doors, and loading routes.
- Sample access logs, visitor records, and delivery/despatch records.
- Review room signage, directories, phone lists, and access-code exposure.
- Sample alarm tests, alarm logs, false alarms, and escalation records.
- Walk the site for fire, flood, environmental, neighbor, and housekeeping hazards.
- Observe secure-area work practices, device restrictions, supervision, and media movement.
- Check desks, screens, printers, fax machines, and unattended information.
- Inspect equipment siting, screen exposure, network cupboards, racks, environmental hazards, and remote-equipment records.
- Sample off-premises asset authorizations, registers, long-term attestations, return records, and BYOD controls.
- Sample storage media inventory, movement logs, transport records, destruction evidence, and damaged-media decisions.
- Review supporting utility dependency maps, UPS/generator tests, HVAC records, telecoms redundancy, utility alarms, emergency lighting, and BMS security.
- Walk cable routes, cabinets, patch panels, and external junction exposure.
- Sample equipment maintenance schedules, fault logs, maintainer access, and post-maintenance checks.
- Sample equipment disposal/reuse records, sanitization proof, hidden storage checks, and repair dispatch decisions.
- Compare physical access rights to current personnel and role need.
- Verify asset inventory updates after relevant deliveries/despatch.
- Raise findings where the physical control exists on paper but not in behavior.
Common audit challenges
| Challenge | Audit response |
|---|---|
| Facilities owns the process, not security | Include facilities and reception/security in audit scope |
| Site diagram is treated as evidence | Walk the site and inspect bypass routes |
| Badge process exists but is not followed | Observe behavior and interview personnel |
| Loading bay is seen as logistics only | Test it as a physical entry route into secure areas |
| Access logs exist but are not reviewed | Check review frequency, findings, and removals |
| Room labels are treated as harmless | Test whether signs/directories expose sensitive targets |
| Alarm system exists | Test response, escalation, false alarm handling, and information security involvement |
| Environmental protection is treated as safety-only | Link hazards to information assets, ICT continuity, and evidence |
| Secure area has a locked door | Test working practices inside the area |
| Clear desk policy exists | Inspect real desks, screens, printers, and enforcement records |
| Equipment inventory exists | Check where equipment is sited, who can access it, and what can damage or expose it |
| Remote work is approved | Check off-site asset custody, protection, return, and accepted risk |
| Media policy exists | Test media movement, transport, disposal, and damaged-media records |
| UPS or generator exists | Test runtime, load, cooling dependency, maintenance, alarms, and documented requirements |
| Cable diagram exists | Walk routes and inspect labels, protection, segregation, and access to terminations |
| Maintenance vendor is trusted | Check authorization, escorting, data protection, and tamper checks |
| Disposal certificate exists | Confirm asset-level sanitization/destruction and hidden storage coverage |
Related templates
- A.7.1 Audit Checklist
- A.7.2 Audit Checklist
- A.7.3 Audit Checklist
- A.7.4 Audit Checklist
- A.7.5 Audit Checklist
- A.7.6 Audit Checklist
- A.7.7 Audit Checklist
- A.7.8 Audit Checklist
- A.7.9 Audit Checklist
- A.7.10 Audit Checklist
- A.7.11 Audit Checklist
- A.7.12 Audit Checklist
- A.7.13 Audit Checklist
- A.7.14 Audit Checklist
- Physical Security Zone Register
- Secure Area Access Register
- Visitor Access Log
- Delivery and Loading Area Security Checklist
- Physical Security Monitoring Procedure
- Physical and Environmental Threat Assessment
- Secure Area Working Procedure
- Clear Desk and Clear Screen Checklist
- Equipment Siting and Protection Assessment
- Off-Premises Asset Authorization Register
- Storage Media Handling Procedure
- Supporting Utility Dependency Register
- Cabling Route and Protection Register
- Equipment Maintenance Register
- Equipment Disposal and Reuse Register
- Iso27001
- ISO27002
- Auditor guide
- Physical controls
- Internal audit
Note Metadata
Aliases: A.7 Audit Guide
Source: 06 Auditor Guide/A.7 Physical Controls Audit Guide.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
- A.7.1 Audit Checklist
- A.7.1 Audit Evidence Pack
- A.7.2 Audit Checklist
- A.7.2 Audit Evidence Pack
- A.7.3 Audit Checklist
- A.7.3 Audit Evidence Pack
- A.7.4 Audit Checklist
- A.7.4 Audit Evidence Pack
- A.7.5 Audit Checklist
- A.7.5 Audit Evidence Pack
- A.7.6 Audit Checklist
- A.7.6 Audit Evidence Pack
- A.7.7 Audit Checklist
- A.7.7 Audit Evidence Pack
- A.7.8 Audit Checklist
- A.7.8 Audit Evidence Pack
- A.7.9 Audit Checklist
- A.7.9 Audit Evidence Pack
- A.7.10 Audit Checklist
- A.7.10 Audit Evidence Pack
- A.7.11 Audit Checklist
- A.7.11 Audit Evidence Pack
- A.7.12 Audit Checklist
- A.7.12 Audit Evidence Pack
- A.7.13 Audit Checklist
- A.7.13 Audit Evidence Pack
- A.7.14 Audit Checklist
- A.7.14 Audit Evidence Pack
Related Notes
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.13 - Equipment Maintenance
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7.1 Audit Evidence Pack
- A.7.10 Audit Evidence Pack
- A.7.11 Audit Evidence Pack
- A.7.12 Audit Evidence Pack
- A.7.13 Audit Evidence Pack
- A.7.14 Audit Evidence Pack
- A.7.2 Audit Evidence Pack
- A.7.3 Audit Evidence Pack
- A.7.4 Audit Evidence Pack
- A.7.5 Audit Evidence Pack
- A.7.6 Audit Evidence Pack
- A.7.7 Audit Evidence Pack
- A.7.8 Audit Evidence Pack
- A.7.9 Audit Evidence Pack
- AQ-ISO27001-A.7.1 Physical Security Perimeters
- AQ-ISO27001-A.7.10 Storage Media
- AQ-ISO27001-A.7.11 Supporting Utilities
- AQ-ISO27001-A.7.12 Cabling Security
- AQ-ISO27001-A.7.13 Equipment Maintenance
- AQ-ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment
- AQ-ISO27001-A.7.2 Physical Entry
- AQ-ISO27001-A.7.3 Securing Offices, Rooms and Facilities
- AQ-ISO27001-A.7.4 Physical Security Monitoring
- AQ-ISO27001-A.7.5 Protecting Against Physical and Environmental Threats
- AQ-ISO27001-A.7.6 Working in Secure Areas
- AQ-ISO27001-A.7.7 Clear Desk and Clear Screen
- AQ-ISO27001-A.7.8 Equipment Siting and Protection
- AQ-ISO27001-A.7.9 Security of Assets Off-Premises
- ISO 27001 Auditor Guide
- A.7.1 Audit Checklist
- A.7.10 Audit Checklist
- A.7.11 Audit Checklist
- A.7.12 Audit Checklist
- A.7.13 Audit Checklist
- A.7.14 Audit Checklist
- A.7.2 Audit Checklist
- A.7.3 Audit Checklist
- A.7.4 Audit Checklist
- A.7.5 Audit Checklist
- A.7.6 Audit Checklist
- A.7.7 Audit Checklist
- A.7.8 Audit Checklist
- A.7.9 Audit Checklist
- Cabling Route and Protection Register
- Clear Desk and Clear Screen Checklist
- Delivery and Loading Area Security Checklist
- Equipment Disposal and Reuse Register
- Equipment Maintenance Register
- Equipment Siting and Protection Assessment
- Off-Premises Asset Authorization Register
- Physical and Environmental Threat Assessment
- Physical Security Monitoring Procedure
- Physical Security Zone Register
- Secure Area Access Register
- Secure Area Working Procedure
- Storage Media Handling Procedure
- Supporting Utility Dependency Register
- Visitor Access Log
- Annex A Controls MOC
- Audit Evidence Index
- ISO 27001 Overview