Physical Controls protect your organization’s tangible assets and environments from unauthorized access, damage, or interference. In ISO 27001 Annex A, the A.7 category spans 14 controls (A.7.1–A.7.14) that cover everything from secure office entry to equipment disposal. This post explains each control, offers practical implementation tips, and shows how to verify their effectiveness. For a high-level view of all Annex A domains, see our Annex A Controls Overview.
This domain ensures that physical environments and hardware are secured according to risk, preventing theft, vandalism, or environmental threats.
A.7.1 Secure Areas
A physically constrained space with enforced entry controls where critical systems and data are stored to prevent unauthorized access.
How to implement:
Define secure zones (e.g., server rooms) in facility plans.
Install access controls such as badge readers or coded locks.
Post signage and maintain visitor logs.
How to verify:
Inspect access control system logs for unauthorized entry attempts.
Physically audit barriers and locks for functionality.
Review visitor logbooks for completeness and accuracy.
A.7.2 Physical Entry Controls
Mechanisms and procedures that authenticate and authorize individuals before they enter restricted areas, ensuring only approved personnel gain access.
How to implement:
Deploy turnstiles, mantraps, or security personnel at building entrances.
Enforce ID checks and escort policies for visitors.
Integrate entry control with surveillance cameras.
How to verify:
Audit CCTV footage for policy compliance.
Test emergency exits for proper alarm triggers.
Confirm escort logs against visitor records.
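The log review steps for A.7.1 and A.7.2 (unauthorized entry attempts, visitor-log completeness, escort confirmation) can be automated against a badge-reader export. The following is an added example, not code from the original post; the CSV layouts, badge-id prefixes (EMP-/VIS-) and all events are constructed assumptions, since every access-control vendor exports its own columns.

```python
"""Audit constructed badge-reader events against a visitor log (added example).
Flags denied attempts, visitor badges used outside any signed-in window, and
visitor entries with no escort recorded.  All data is constructed sample data.
"""
from datetime import datetime

# Constructed badge-reader export: timestamp, badge id, door, result
BADGE_EVENTS = """\
2024-05-06T08:02:11,EMP-0142,server-room,GRANTED
2024-05-06T08:15:40,VIS-0007,server-room,GRANTED
2024-05-06T12:30:05,EMP-0999,server-room,DENIED
2024-05-06T17:45:22,VIS-0007,server-room,GRANTED
2024-05-06T18:10:00,VIS-0011,server-room,GRANTED
"""

# Constructed visitor log: badge, sign-in, sign-out, escort (empty = none)
VISITOR_LOG = """\
VIS-0007,2024-05-06T08:00:00,2024-05-06T12:00:00,EMP-0142
VIS-0011,2024-05-06T18:00:00,2024-05-06T19:00:00,
"""

def parse_events(text):
    for line in text.strip().splitlines():
        ts, badge, door, result = line.split(",")
        yield datetime.fromisoformat(ts), badge, door, result

def parse_visitors(text):
    """Map badge id -> list of (sign_in, sign_out, escort) windows."""
    log = {}
    for line in text.strip().splitlines():
        badge, sign_in, sign_out, escort = line.split(",")
        log.setdefault(badge, []).append(
            (datetime.fromisoformat(sign_in), datetime.fromisoformat(sign_out), escort))
    return log

def audit_access(events_text, visitors_text):
    """Return (timestamp, badge, finding) tuples in log order for review."""
    findings = []
    visitors = parse_visitors(visitors_text)
    for ts, badge, door, result in parse_events(events_text):
        if result != "GRANTED":
            findings.append((ts, badge, f"{result} at {door}"))
        elif badge.startswith("VIS-"):
            covering = [w for w in visitors.get(badge, []) if w[0] <= ts <= w[1]]
            if not covering:
                findings.append((ts, badge, f"visitor entry at {door} outside any signed-in window"))
            elif not covering[0][2]:
                findings.append((ts, badge, f"visitor entry at {door} with no escort logged"))
    return findings
```

On the constructed data this reports the denied attempt, a visitor badge reused after sign-out, and a visitor entry with no escort recorded, which are exactly the three discrepancies an auditor would raise.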
A.7.3 Securing Offices, Rooms, and Facilities
Controls safeguarding general workspaces by preventing casual or opportunistic access, theft, or inadvertent data exposure.
How to implement:
Use window locks, perimeter alarms, and motion sensors.
Implement clear-desk policies to reduce data exposure.
Control access to sensitive areas with keycards or codes.
How to verify:
Conduct regular walk-throughs to check alarm and lock status.
Review clearance sweep checklists for compliance.
A.7.4 Protecting Against External and Environmental Threats
Technical and structural measures that mitigate risks from hazards such as fire, flood, extreme temperatures, or seismic events.
How to implement:
Install fire suppression systems and environmental sensors (smoke, humidity).
Position critical equipment above flood levels and secure racks.
Perform risk assessments for environmental hazards.
How to verify:
Test fire alarms and suppression annually.
Check sensor calibration records.
Review incident records for environmental triggers.
A.7.5 Working in Secure Areas
Operational rules that govern maintenance and other tasks within secure zones, minimizing the risk of unauthorized actions or contamination.
How to implement:
Issue special access badges for technicians.
Log maintenance activities and restrict tools and equipment.
Require supervision or escorts for external personnel.
How to verify:
Audit maintenance logs for completeness.
Interview technicians about access procedures.
A.7.6 Delivery and Loading Areas
Defined points for receiving and dispatching goods with controls to verify and secure all items entering or leaving the premises.
How to implement:
Define separate loading docks for deliveries and shipments.
Screen all inbound and outbound items against manifests.
Secure delivery areas when not in use.
How to verify:
Review delivery logs and mismatch reports.
Inspect physical barriers and locking mechanisms.
A.7.7 Equipment Security
Physical safeguards to prevent unauthorized removal, tampering, or damage of hardware assets within or outside secure areas.
How to implement:
Use cable locks for desktops and laptops in open areas.
Anchor servers and networking equipment in racks.
Implement device inventory and tagging.
How to verify:
Conduct spot checks of asset tags and inventory lists.
Review theft or loss incident reports.
A.7.8 Disposal of Equipment
Secure data sanitization and destruction processes for hardware to eliminate residual information before disposal or reuse.
How to implement:
Wipe data using approved methods or destroy media physically.
Document disposal activities and certify destruction.
Use licensed disposal vendors that provide a documented chain of custody.
How to verify:
Inspect disposal certificates and chain-of-custody logs.
Audit sample devices to confirm data elimination.
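"Audit sample devices to confirm data elimination" can be made repeatable with a spot-check over the sanitized drive. The following is an added example, not code from the original post: it samples evenly spaced blocks of a device image, flags any block that is not entirely the expected fill byte, and checks sector 0 for a boot-sector signature. The block size, sample count, device path and the images are all constructed assumptions.

```python
"""Spot-check a drive image for residual data after sanitization (added example).
Reads evenly spaced sample blocks, flags any block that is not entirely the
expected fill byte, and checks sector 0 for a boot-sector signature that a
wiped drive should not carry.  Sampling can miss small residue: use it as a
spot check and a full read for certification.  Images below are constructed.
"""
import io
import os

BLOCK = 4096

def sample_offsets(size, samples, block=BLOCK):
    """Evenly spaced block offsets, always including the first and last block."""
    nblocks = max(1, size // block)
    idx = {0, nblocks - 1}
    idx |= {i * (nblocks - 1) // max(1, samples - 1) for i in range(samples)}
    return sorted(i * block for i in idx)

def verify_wipe(dev, samples=64, fill=0x00, block=BLOCK):
    """Return (clean, findings) for a seekable binary file object such as
    open("/dev/sdX", "rb") (placeholder path) or an image file."""
    dev.seek(0, os.SEEK_END)
    size = dev.tell()
    expected = bytes([fill]) * block
    findings = []
    for off in sample_offsets(size, samples, block):
        dev.seek(off)
        data = dev.read(block)
        if data != expected[:len(data)]:
            findings.append(f"residual data in block at offset {off:#x}")
    dev.seek(0)
    sector0 = dev.read(512)
    if len(sector0) == 512 and sector0[510:512] == b"\x55\xaa":
        findings.append("boot-sector signature 0x55AA still present in sector 0")
    return (not findings), findings

def blank_image(size=1 << 20):
    """Constructed: a correctly zero-filled 1 MiB image."""
    return io.BytesIO(bytes(size))

def leftover_image(size=1 << 20):
    """Constructed: a 'wiped' image that still has an MBR signature and a
    fragment of a customer export in its last block."""
    buf = bytearray(size)
    buf[510:512] = b"\x55\xaa"
    frag = b"CONFIDENTIAL customer export 1"
    buf[size - BLOCK + 100 : size - BLOCK + 100 + len(frag)] = frag
    return io.BytesIO(bytes(buf))
```

Record the findings list alongside the disposal certificate; an empty list on a full read (samples set to the block count) is the evidence the verification step asks for.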
A.7.9 Cabling Security
Measures to protect the physical network and power cables from interception, tampering, or accidental damage.
How to implement:
Route cables through secure conduits and locked trays.
Label cables and restrict access to wiring closets.
How to verify:
Visually inspect cable trays and closets.
Review maintenance records for cable work.
A.7.10 Equipment Maintenance
Structured maintenance processes that preserve device integrity and ensure security configurations remain intact after servicing.
How to implement:
Follow manufacturer guidelines for hardware upkeep.
Log all maintenance activities and verify post-maintenance security settings.
How to verify:
Check maintenance logs for date, scope, and personnel.
Test equipment configurations after service events.
A.7.11 Security of Equipment Off-Premises
Controls ensuring that devices used outside company locations maintain the same security posture as on-premises equipment.
How to implement:
Enforce encryption and remote wipe for mobile devices.
Require password protection and screen locks.
How to verify:
Audit mobile device management (MDM) reports for compliance.
Review incident logs for off-premises security events.
A.7.12 Secure Disposal of Media
Procedures for destroying non-digital media to prevent recovery of sensitive information.
How to implement:
Use cross-cut shredders or secure disposal services.
Maintain logs for destroyed media.
How to verify:
Inspect disposal logs and receipts.
Spot-check how shredded material is stored before collection.
A.7.13 Physical Protection Against Damage
Preventive measures to shield hardware from environmental damage like spills, pests, or structural failures.
How to implement:
Use protective covers and raised floors for critical equipment.
Schedule regular pest control and structural inspections.
How to verify:
Review maintenance and inspection records.
Confirm protective measures are in place.
A.7.14 Monitoring Physical Access
Surveillance systems and sensors that detect and record unauthorized or suspicious movements within protected areas.
How to implement:
Deploy CCTV, motion detectors, and alarm systems in sensitive areas.
Integrate logs with the security operations center (SOC) or the monitoring team.
How to verify:
Review footage for incidents and ensure retention policy compliance.
Audit alarm logs and response times.
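"Audit alarm logs and response times" is a pairing exercise: each alarm must be matched to its acknowledgement and the gap compared with the agreed target. The following is an added example, not code from the original post; the export format, the 10-minute target and every log line are constructed assumptions.

```python
"""Audit constructed alarm-system logs for acknowledgement times (added example).
Pairs each ALARM with the first later ACK for the same zone and reports alarms
acknowledged later than the agreed target or never acknowledged.  Constructed data.
"""
from datetime import datetime

# Constructed monitoring export: timestamp, event, zone, detail
ALARM_LOG = """\
2024-05-06T22:01:10,ALARM,loading-dock,door-forced
2024-05-06T22:03:30,ACK,loading-dock,guard-7
2024-05-06T23:14:02,ALARM,server-room,motion
2024-05-06T23:31:45,ACK,server-room,guard-7
2024-05-07T01:05:00,ALARM,wiring-closet-2,door-held
"""

def parse_log(text):
    for line in text.strip().splitlines():
        ts, event, zone, detail = line.split(",")
        yield datetime.fromisoformat(ts), event, zone, detail

def audit_alarms(text, target_minutes=10):
    """Return (response, findings). response maps (zone, alarm_iso) to seconds
    until acknowledgement, None if never acknowledged; findings lists alarms
    that breached target_minutes or were never acknowledged."""
    pending = {}   # zone -> datetime of the alarm still awaiting an ACK
    response = {}
    for ts, event, zone, _ in parse_log(text):
        if event == "ALARM":
            if zone in pending:  # a new alarm before the previous one was closed
                response[(zone, pending[zone].isoformat())] = None
            pending[zone] = ts
        elif event == "ACK" and zone in pending:
            alarm_ts = pending.pop(zone)
            response[(zone, alarm_ts.isoformat())] = (ts - alarm_ts).total_seconds()
    for zone, alarm_ts in pending.items():   # alarms still open at end of export
        response[(zone, alarm_ts.isoformat())] = None
    findings = []
    for (zone, alarm_iso), secs in sorted(response.items(), key=lambda kv: kv[0][1]):
        if secs is None:
            findings.append(f"{alarm_iso} {zone}: never acknowledged")
        elif secs > target_minutes * 60:
            findings.append(f"{alarm_iso} {zone}: acknowledged after {secs / 60:.1f} min")
    return response, findings
```

An alarm with no acknowledgement at all is the more serious finding than a slow one, so it is reported regardless of the target.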
Protecting the physical layer is non-negotiable. By implementing and verifying these 14 controls, you turn buildings, rooms, and devices into secure extensions of your information security program. Next up: dive into Technological Controls (A.8) for digital safeguards.