In examining physical security, the auditor should be concerned with where the system is physically located and which physical locations it can be accessed from.
For most systems, it is sensible to store the data server and Web server hardware in an air-conditioned room that has no windows and that is not easily accessed (preferably with access controlled by some kind of security card reader or keycode entry system). For more critical systems, it may also be important to vet the holders of such security cards or change the keycode used to enter the server room regularly.
Depending upon the level of security required, it may be necessary to check that security guards are employed to guard against intruders (and that theyand the company they work forare trustworthy and reliable and have been subjected to a police check).
For systems with high availability requirements and high levels of business criticality, it is crucial to ensure that the whole system is duplicated off site in case of disaster, so that the whole system can be switched to the other site in case of an unfortunate incident such as a fire, an earthquake (a much bigger worry for me when I worked in Wellington, New Zealand, than it is now I am in London!), a bomb, or even a plane crashing into the building (sad though it is that we do have to consider such eventualities).
It is important to ensure that this "failover site" is just as secure as the main site (not easy when such a site is managed by a third party that manages a great number of "failover sites" for a number of companies!). It is also important to check that this duplicate system really could cope in case of disaster. For example, a client of mine spent a lot of money duplicating his Web site, Web server software and hardware, and database server (using replication) at his failover site. However, the Web server at the failover site used the same Internet service provider as the main Web server. When one was not available due to a problem with his ISP, neither was the other!
Check that the whole architecture is duplicatedincluding the web server hardware and software, the database server software (and hardware, if separate from the Web server hardware), the data (via replication or managed backups and restores at regular intervals), the network, the routers, the hubs, any firewalls, and so on.