DC Tour & Audit Support
Service ownership
Owner: dc-operations (colo-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11
Auditor escorts, evidence packs, and BB ICT 4.0 §8 (Physical & Environmental) walk-throughs.
Why this is a first-class service
Audit is a real workload at every regulated FI in Bangladesh. The auditor needs more than "trust us, it's Tier-III":
- They need to walk the floor and see what they're attesting to
- They need point-in-time photos and logs they can take back as evidence
- They need to talk to operations staff about run-procedures
- They need to validate the isolation story for cages and dedicated infrastructure
Cloud Digit treats this as a service line, not an interruption. Trained host engineers walk the audit, with templated evidence packs ready to go.
What's included
| Component | What |
|---|---|
| Audit-prep call (1 h) | Scope, attendees, evidence-pack pre-shaping |
| On-site walk (½ – 1 day) | Escorted by DC engineering lead |
| Evidence pack | Tier-III attestation, ISO/SOC reports, CCTV-retention proof, access logs (redacted), commissioning docs |
| Q&A session | With Cloud Digit ops staff |
| Findings response (within 5 BWD post-audit) | Written response to any findings the auditor raises |
Frameworks supported
- BB ICT Security Guideline 4.0 — §8 (Physical & Environmental), §15 (Incident), §16 (BCP)
- ISO 27001:2022 — A.7 Physical, A.5 Organizational
- PCI DSS v4.0 — Requirement 9 (Physical access)
- SOC 2 Type II — Common Criteria 6 (Logical and Physical access)
- e-GP / Government procurement audits
Pricing
- Standard tier: included annually for Enterprise / Regulated FI accounts (1 audit/year, ½ day)
- Additional audits: per-engagement fee
- Custom evidence requests outside the standard pack: per-hour
See Pricing.
Operate this service
Scheduled facility tours and audit assistance for compliance reviews — your auditors visit, you bring evidence.
When this is needed
- ISO 27001 audit
- PCI-DSS Level 1 assessment
- BB ICT 4.0 inspection
- Customer due diligence (banking customer visiting their vendor's DC)
- Insurance assessment
IAM
| Role | Can do |
|---|---|
| dc-audit.viewer | View past tour records |
| dc-audit.requester | Schedule tours |
| dc-audit.admin | Approve high-sensitivity visits |
Tour types
| Type | Duration | Visitors max | Lead time |
|---|---|---|---|
| Standard tour | 2 h | 6 | 5 BWD |
| Compliance audit | 4-8 h | 4 (auditors) | 10 BWD |
| Customer DD visit | 2-3 h | 3 | 5 BWD |
| Insurance assessment | 4 h | 2 | 10 BWD |
Pre-tour requirements
- KYC for all visitors (passport, photo)
- NDA executed (mutual)
- Photography policy (no, by default; case-by-case approval)
- Tour route reviewed in advance
What's shown
Standard: customer cage/rack, DC entry, NOC overview, redundant systems demo.
Audit-grade: above + access logs, power redundancy paths, fire suppression, environmental monitoring, BMS console.
NOT shown: other customers' cages, security guard rotation details.
Evidence package
For audits, CD provides:
- Tier-III certification documents
- SOC 1 / SOC 2 / ISO 27001 reports
- Power and cooling design documents (NDA-required)
- Access log samples
- Recent maintenance history

```bash
cd colo dc-audit evidence-package --type pci-dss --output evidence.zip
```
Audit workflow
- Request — `cd colo dc-audit schedule --type pci-dss --date <ts> --visitors @auditors.csv`
- Pre-tour prep — CD verifies KYC, NDAs, tour plan
- Day-of — Reception → security check → tour with CD escort
- Evidence handover — CD provides documents on-site or to specified email
- Post-tour — Auditor questions handled via Customer Engineer
- Closeout report — CD documents tour outcome
Document delivery
For audit reports, delivery options:
- Secure portal download (default)
- Email (with encryption)
- Hand-delivered USB at the tour (for ultra-sensitive)
Documents are NDA-protected; treat with care.
Audit-specific evidence
Common asks:
| Standard | Evidence |
|---|---|
| ISO 27001 | Information security policy, access logs, incident records |
| PCI-DSS | Cardholder data environment isolation, key management |
| SOC 2 Type II | Operating effectiveness of controls over 6-12 months |
| BB ICT 4.0 | Bangladesh-specific compliance evidence |
CD pre-stages packages for each.
Customer visit logistics
Banking / regulated customers often have multiple auditor visits/year. Pre-arrange a standing tour authorization for known auditor firms — reduces per-visit paperwork.
Recording / photography
Default no. Exceptions:
- Compliance auditor needs evidentiary photo of specific cabinet
- Pre-approved, photos taken by CD security, watermarked, NDA-bound
Auditor refused entry
Day-of, an auditor can't get in:
- KYC documents not pre-submitted (last-minute fixes possible if KYC office staffed)
- Passport not matching submitted name
- Sanctions screening hit (rare; pre-screen via KYC submission)
CD security has final say; manager escalation possible.
Evidence package missing items
The auditor asked for something not in the standard package:
- File a supplementary request via Customer Engineer
- Some items have lead time (1-3 BWD)
- Some items are restricted (other customers' data, security operations specifics)
Tour disrupted by DC event
A real incident during the tour (rare but possible):
- Tour pauses; visitors moved to safe location
- May convert into a "see how we handle real incidents" learning moment
- Post-incident, CD provides written summary for the audit report
Auditor wants prohibited photos
Negotiation:
- Customer engineer mediates
- Often: CD takes the photo on auditor's behalf, hands over with NDA
- Sometimes: auditor accepts written description in lieu
Tour overran
8-h audit booked but auditor wants more:
- Available if DC capacity (next tour scheduled?)
- Bills as additional tour service
- Most audits fit the booked window with prep
Auditor disputes findings
CD provides evidence; auditor disputes interpretation:
- CD's compliance officer engages
- May involve documentation update
- Rare to require certification revisit
Documentation requested post-tour
Auditor follow-up emails:
- CE remains point of contact for 90 days post-tour
- Standard documents quick turnaround
- Custom asks may need 5+ BWD