← Blog

Una guida al safety walk around per la conformità IT

Pubblicato: 2026-05-10
safety walk around compliance audit nis2 dora risk management
Una guida al safety walk around per la conformità IT

The most common advice about a safety walk around is also the least useful for regulated IT. It treats the walk as a visual sweep. Check doors, note housekeeping, move on. That model works poorly in data centres, secure offices, and mixed cyber-physical environments where the actual question isn't whether someone noticed an issue. It's whether the organisation can prove that a control existed, operated as intended, and was assigned to the right owner.

In regulated environments, a safety walk around is closer to control verification in the physical world than to a traditional inspection. A server room door, visitor escort practice, cable routing decision, clean desk failure, or unsecured disposal bin can all create audit consequences when they break the link between policy, control, and evidence. If the walk doesn't produce structured records, it won't stand up well during review.

That's the shift that matters. The walk around itself is not the system. The system is the combination of scope, checklist design, evidence capture, ownership, and remediation tracking. Without that structure, teams collect observations. With it, they generate auditable proof.

Reimagining the Safety Walk Around for Regulated IT

The phrase safety walk around still brings to mind a factory floor, high-visibility clothing, and obvious physical hazards. That picture is incomplete for IT. In a regulated technology environment, the same discipline applies to places where physical conditions affect confidentiality, integrity, availability, and resilience.

The idea itself isn't new. The modern safety walk around traces back to the Management by Wandering Around approach popularised at Hewlett-Packard in the 1970s and later adapted by EHS teams for proactive hazard identification, as described in this overview of MBWA and safety walk origins. What has changed is the environment. A modern walk may include a colocation cage, a backup media store, a network cabinet in a shared office, or an engineering area where sensitive builds and devices are handled.

What the traditional model misses

Generic EHS advice usually assumes the walk is about spotting isolated defects. In regulated IT, that's only part of the job. The harder problem is establishing whether a physical observation maps cleanly to a control requirement and whether that mapping can be defended later.

Consider a few ordinary examples:

  • Physical access might look fine at a glance, but badge logs, escort practice, and exception handling may tell a different story.
  • Secure disposal may appear compliant because bins are present, yet labels, collection process, and chain of custody might be weak.
  • Resilience controls such as cooling pathways or cabinet organisation may create operational risk long before they become a visible incident.

Practical rule: If a walk around ends with a list of issues but no control references, no named owners, and no preserved evidence, it was useful operationally but weak from a compliance perspective.

The IT version is evidence-led

For CISOs and compliance leads, the purpose isn't to perform a ceremonial site visit. It's to verify that physical and cyber-physical controls are functioning in the same disciplined way as technical controls. That means the walk should test reality against policy, not just against appearance.

A good safety walk around in IT answers questions such as:

  • Which regulated services or assets are in scope.
  • Which controls are being checked on site.
  • What evidence is required to support each observation.
  • Who owns remediation if the observed state doesn't match the intended control state.

That changes the character of the activity. It stops being a casual inspection and becomes a repeatable method for generating trustworthy compliance evidence.

Scoping and Planning Your Walk Around Process

Most weak walk around programmes fail before anyone sets foot on site. The failure starts in planning. Teams schedule a recurring tour, invite whoever happens to be available, and use a broad checklist that mixes facilities, security, and operational concerns without a clear rationale. That produces activity, not assurance.

A defensible process starts with scope. In a regulated IT setting, the first question is not how often to walk. It's what service, asset group, or control boundary you're verifying.

Define the boundary before the route

A useful scope has both a physical and a logical side. The physical side may include a data centre hall, office floor, secure archive room, loading area, or network closet. The logical side ties those places to services, data classes, suppliers, and control objectives.

That means a walk around plan should identify:

  • In-scope locations tied to critical services or regulated processing.
  • Relevant control domains such as physical access, environmental resilience, media handling, visitor management, or secure disposal.
  • Dependencies including facilities teams, managed service providers, and building security.
  • Expected evidence outputs such as photographs, access records, observation notes, maintenance references, or exception approvals.

If teams skip this step, they often inspect areas that are convenient rather than important.

Choose frequency by change and risk

In manufacturing guidance, weekly walk arounds are often recommended for each manager. In regulated IT, that cadence isn't automatically right. The better approach is to set frequency using the rate of environmental change and the risk profile of the assets being assessed, as explained in this guidance on implementing risk-based safety walk schedules.

A static archive room and a busy colocation space don't need the same rhythm. A recently reconfigured office with new contractors, badge changes, and equipment moves usually deserves closer attention than a tightly controlled room with little operational change.

Frequency should be justified the same way any other control activity is justified. By risk, by change, and by the consequences of control failure.

Build ownership before execution

A walk around creates accountability pressure. That's why ownership has to be established in advance. If participants don't know whether they're observing, approving, escorting, validating, or remediating, findings will stall.

Here's a simple structure that works well.

Role Responsibility During Walk Post-Walk Responsibility
IT Operations Confirm asset context, system dependencies, and operational constraints Validate technical remediation feasibility and completion
Security Team Verify physical security controls and exception handling Record findings against control owners and track closure
Facilities Manager Explain building services, access arrangements, and maintenance status Coordinate physical repairs and contractor actions
Compliance or Risk Lead Ensure scope aligns with control obligations and evidence needs Review traceability, approvals, and audit readiness
Local Site Manager Provide site context and support staff coordination Confirm local actions are implemented and sustained

Plan the walk as a controlled activity

A short planning record is usually enough if it is specific. It should state the scope, date window, participants, route, control themes, expected outputs, and escalation path for urgent findings.

What doesn't work is relying on memory, email threads, or a generic recurring calendar invitation. Auditors rarely care that a walk happened. They care whether the organisation can show why it happened, what it covered, and how the resulting evidence fits the control model.

Developing Standardised and Dynamic Checklists

A checklist is often treated as an administrative detail. In practice, it defines the quality of the entire safety walk around. If the checklist is vague, static, or detached from the control library, the evidence will be vague too.

Paper lists with pass or fail boxes are still common because they're familiar. They're also hard to version, hard to review across sites, and poor at prompting the kind of evidence a regulated environment needs. A better checklist is version-controlled, tied to control IDs, and designed to collect proof rather than opinion.

Design prompts for evidence, not impressions

A weak item asks, “Is the server room secure?”

A stronger item asks for something observable and attributable. For example:

  • Verify server room access control. Capture an image showing the secured entry state. Confirm whether access records show any unexplained attempts requiring follow-up. Map the observation to the relevant physical access control.
  • Verify visitor handling at reception and restricted areas. Record whether the sign-in process, escort expectations, and badge visibility align with local policy.
  • Verify media disposal handling. Confirm that disposal containers are present, labelled, and placed in a controlled location. Note any unsecured material left outside the process.

That difference matters because it reduces interpretation drift. Two reviewers can disagree about whether a room “feels secure”. They're less likely to disagree about whether required evidence was captured.

Un diagramma che illustra l'evoluzione delle checklist di sicurezza con framework dinamici, controllo delle versioni e logica standardizzata.

Standardise structure but keep the checklist adaptive

A strong checklist has a fixed backbone and flexible branches. The backbone keeps data consistent across sites. The branches adapt to location type, asset sensitivity, and recent changes.

Useful fields include:

  • Control reference so the item maps directly to your policy and control set.
  • Evidence type required such as photo, note, document reference, or system record.
  • Observation context including location, asset, and operational condition.
  • Exception path for justified deviations with named approval.
  • Review version so teams can prove which checklist logic was used at the time.

For teams refining this approach, it can help to customize your security checklist against your own physical security model rather than starting from a blank page.

Build examples by environment

The checklist for a secure office shouldn't look like the checklist for a colocation room. Some examples make the distinction clearer.

Data centre and infrastructure spaces

In infrastructure-heavy areas, useful prompts usually focus on control condition and operational side effects.

  • Cabinet access. Confirm that cabinets intended to be locked are secured and that local exception practice is documented.
  • Cabling discipline. Note unmanaged temporary cabling, obstructed access routes, or ad hoc changes that bypass normal change control.
  • Environmental resilience. Observe whether airflow paths, sensor placement, and housekeeping support reliable operation.

Secure office and handling areas

In office environments, the checklist often shifts towards data handling and behavioural controls.

  • Clean desk and screen exposure. Record visible sensitive material in shared or accessible spaces.
  • Visitor control. Observe whether visitors are identifiable and appropriately accompanied in controlled areas.
  • Document disposal. Confirm that confidential waste handling matches policy in practice.

Teams that already run control assurance programmes should align checklist outputs with the same logic used for a test of controls process. That keeps physical verification from becoming a separate evidence silo.

A checklist should narrow judgement, not replace it. Good design tells the reviewer what kind of proof is needed and where that proof belongs.

Capturing and Securing Verifiable Evidence

Once the walk begins, the main discipline is no longer observation. It is evidence integrity. Many organisations lose credibility here by using personal phones, informal notes, or shared folders that mix drafts, final records, and unrelated material. That may be convenient, but it weakens chain of custody and makes later review unnecessarily difficult.

Una mano che tiene un tablet digitale che mostra uno schizzo dettagliato di una valvola di tubazione industriale.

A safety walk around should produce records that are attributable, timestamped, access-controlled, and retained within a governed system. The organisation needs to know who captured the evidence, when it was captured, what it relates to, and whether it has been modified.

Use the right observation mode

Effective walk arounds don't rely on one type of observation. They use a multi-format protocol that includes direct work observation of around 10 minutes, inquiry-based discussion with employees, or physical inspection, with the method chosen collaboratively with the personnel involved, as described in the Berkeley Lab safety walkaround checklist guidance.

In practice, each mode serves a different purpose:

  • Direct work observation helps verify whether stated procedures are followed under normal conditions.
  • Discussion-based inquiry helps test understanding, local workarounds, and exception handling.
  • Physical inspection confirms the condition and placement of controls, equipment, and surrounding conditions.

The mistake is treating all three as interchangeable. They aren't. If you need to verify visitor escort behaviour, a static photo of a reception desk won't tell you much. If you need to verify cabinet lock condition, an interview alone is weak.

Capture context with the evidence

An isolated image or note often has little value. Evidence becomes useful when it carries context. For each record, capture enough metadata to support later interpretation without requiring the original observer to explain it again.

That usually means recording:

  • Exact location within the site, not just the building name.
  • Control or checklist item reference associated with the observation.
  • Observer identity and, where relevant, the local contact present.
  • Short annotation stating what the evidence confirms or contradicts.
  • Related exception or ticket reference when the condition is already known.

Teams that struggle with this usually discover the problem during audits, when they have files but can't easily show why each one matters. A disciplined audit evidence process avoids that by storing evidence with the control context from the start.

Avoid weak storage practices

Personal devices and open shared drives create three recurring problems. First, they blur the line between official and unofficial records. Second, they make access control difficult. Third, they introduce uncertainty about version history and alteration.

What works better is simple and operationally realistic:

  • Use a dedicated capture workflow rather than ad hoc messaging apps.
  • Encrypt evidence in transit and at rest within the chosen platform.
  • Restrict access by role so observers, reviewers, and approvers see what they need and no more.
  • Preserve original records even when summaries or remediation notes are added later.

This short video gives a useful visual reference for the discipline involved in structured inspections and evidence capture.

Records captured during a walk around should behave like compliance evidence from the moment of creation, not become “official” only when someone uploads them later.

That principle matters because delayed upload and retrospective editing are exactly where ambiguity enters. If the walk is meant to verify control operation, the evidence trail has to be at least as disciplined as the control being checked.

Documenting Findings and Managing Remediation

A walk around only becomes governance when findings move into a managed remediation system. Without that step, the organisation has observations but not control over outcomes. In this context, many otherwise capable teams weaken their own position. They capture useful evidence, then store findings in meeting notes, spreadsheet tabs, or email chains that don't show ownership or closure.

Un'illustrazione a mano che mostra un mucchio disordinato di appunti che vengono trasferiti in una cartella organizzata con un segno di spunta.

A better model is closed-loop. Every finding should enter a record that links the original observation, the affected control, the accountable owner, the target action, and the verification of completion.

Prioritise by risk and compliance impact

Not every issue deserves the same urgency. For audit readiness, findings should first be evaluated by severity and frequency, and then any issue that breaches a regulation or industry standard should be given precedence, as noted in the earlier Berkeley Lab guidance.

That logic is practical because it separates inconvenience from material control weakness. A minor housekeeping issue may matter less than a physical access failure tied to a regulated environment, even if the latter looks less dramatic during the walk.

A simple prioritisation record should include:

  • Finding statement written in factual terms.
  • Affected control or policy reference.
  • Risk view based on severity and recurrence potential.
  • Compliance relevance where a standard or obligation is implicated.
  • Required action with owner and due date.
  • Closure evidence showing that the issue was resolved and rechecked.

The useful question isn't “How many issues did we find?” It's “Can we show how each material issue moved from observation to verified resolution?”

Write findings so they can survive scrutiny

The strongest findings are precise and neutral. They describe observed conditions, not assumptions about intent. They also distinguish between control failure, control absence, and control exception.

For example, “server room door observed unsecured during operational hours with no recorded approved exception” is stronger than “poor security practice in server room”. The first supports action. The second invites argument.

Teams that want more consistency in write-ups often benefit from broader habits that improve your technical documentation, especially around terminology, versioning, and review discipline.

Turn remediation into an auditable workflow

A finding should never disappear into an action register without control context. The remediation process needs to preserve lineage from the original walk around record to the final closure decision.

A workable flow usually looks like this:

  1. Register the finding against the relevant site, control, and observation date.
  2. Assign ownership to the team that can implement the fix, not just the team that discovered it.
  3. Set a due date and review path based on impact.
  4. Capture implementation evidence such as updated access settings, revised signage, contractor completion records, or repeat inspection evidence.
  5. Verify closure independently where the issue was material.

If your organisation already runs structured remediation, it helps to use the same discipline you would apply in a CAPA corrective action and preventive action process. That avoids a split between operational fixes and audit records.

Link findings back to ownership and controls

The final maturity step is traceability. A finding should not exist as a free-floating issue. It should connect back to the control library and to the ownership matrix created during planning. That shows who was responsible for the control, who accepted the remediation task, and who confirmed closure.

What doesn't work is assigning everything to “facilities” or “security” at a department level. Audits rarely accept broad labels as proof of accountability. Named ownership, recorded dates, and linked evidence make the difference between “we're addressing it” and “we addressed it”.

From Periodic Check to Continuous Verification

The value of a safety walk around becomes evident when it stops being treated as a calendar event. On its own, a periodic walk is only a snapshot. Integrated into governance, it becomes part of continuous verification.

That means the walk feeds a larger operating model. Scope comes from risk. Checklist logic comes from the control framework. Evidence is captured in a governed system. Findings move into remediation with owners and closure checks. Audits then become a review of how the system behaves, not a scramble to reconstruct what happened.

What mature teams do differently

Mature teams don't ask whether they completed the walk. They ask whether the walk improved confidence in control operation. That's a stricter standard.

In practice, that usually means they:

  • Treat physical verification as part of resilience, not as a side task owned only by facilities.
  • Align on-site observations with digital records so physical and technical control narratives don't diverge.
  • Use recurring outputs to refine control design, site procedures, and ownership assumptions.

There's a similar lesson in broader work on unified cyber security detection and response. Tooling can accelerate visibility, but it doesn't remove the need for disciplined workflows, clear ownership, and human review. The same is true here. Automation can support a safety walk around. It can't replace accountability.

A well-run walk around reduces audit friction as a side effect. Its primary purpose is to make the environment more observable, more governable, and easier to trust.

That's why this process matters. In regulated IT, compliance isn't paperwork attached to operations. It's the evidence that operations are designed, executed, and corrected with intent.

AuditReady helps regulated teams turn activities like safety walk arounds into structured, exportable evidence. If you need a way to link observations to controls, preserve encrypted records, assign ownership clearly, and produce audit-ready packs for frameworks such as DORA, NIS2, and GDPR, see AuditReady.