Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?
Do you restrict physical access to information assets and functions by users and support personnel?
Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented?
Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?
Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, replication)?
Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment?
Can you provide evidence that policies, standards, and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas?
Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?
Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?