Physical Controls (A.7)

Physical security is the foundation of information security. No matter how strong your technical controls are, they're worthless if someone can walk in and steal your servers. Annex A.7 contains 14 controls for protecting physical assets and facilities.

Overview of Physical Controls

ISO 27001:2022 Annex A.7 covers:

A.7.1 Physical security perimeters
A.7.2 Physical entry
A.7.3 Securing offices, rooms and facilities
A.7.4 Physical security monitoring
A.7.5 Protecting against physical and environmental threats
A.7.6 Working in secure areas
A.7.7 Clear desk and clear screen
A.7.8 Equipment siting and protection
A.7.9 Security of assets off-premises
A.7.10 Storage media
A.7.11 Supporting utilities
A.7.12 Cabling security
A.7.13 Equipment maintenance
A.7.14 Secure disposal or re-use of equipment

These controls protect your physical infrastructure, equipment, and the information they contain.

A.7.1 - Physical Security Perimeters

Purpose: Prevent unauthorized physical access to information processing facilities.

Control Statement: "Security perimeters shall be defined and used to protect areas that contain information and other associated assets."

Security Perimeter Layers

Layer 1: Property Boundary

Fence or wall around property
Clear property boundaries
Controlled vehicle entry points
Lighting around perimeter
Security patrols (if needed)
CCTV coverage
"No Trespassing" signs

Layer 2: Building Exterior

Secure building entrances
Reinforced doors and frames
Secure windows (ground floor)
Emergency exits (alarmed)
Loading dock security
Roof access control
After-hours monitoring

Layer 3: Reception/Lobby

Staffed reception desk
Visitor management
Employee/visitor separation
Badge access to interior
Security awareness signage
Emergency procedures posted
CCTV coverage

Layer 4: General Office Areas

Badge access required
Restricted to employees and escorted visitors
Clean desk policy enforced
Clear screen policy
Locked when unoccupied
Asset inventory

Layer 5: Secure Zones

Server rooms and data centers
Network equipment rooms
Backup media storage
Sensitive document storage
Executive offices (if needed)
Enhanced access controls
Logging and monitoring
Environmental controls

Layer 6: Highly Secure Areas

Safe/vault for critical assets
Dual authentication required
Video surveillance
Intrusion detection
Limited authorized personnel
Visit logging
Escort required

Perimeter Security Features

Physical Barriers:

6-8 foot fence minimum
Anti-climb features
Gates with access control
Bollards at entry points
Reinforced doors
Security glass
Mantrap entries for high security

Detection Systems:

Perimeter intrusion detection
Door/window contacts
Motion sensors
Glass break detectors
Panic buttons
Duress codes

Monitoring:

CCTV cameras
Recording and retention (30-90 days)
Live monitoring (critical areas)
Remote monitoring
Integration with alarm system
Analytics (motion, loitering, etc.)

Access Control:

Card readers
Biometric readers (high security)
PIN pads
Guard posts
Visitor logs
Temporary badge issuance

A.7.2 - Physical Entry

Purpose: Control physical entry to secure areas.

Control Statement: "Secure areas shall be protected by appropriate entry controls and access points."

Entry Control Methods

1. Employee Access

Badge Access:

Photo ID badges
Unique to each person
Different access levels
No sharing of badges
Report lost badges immediately
Deactivated upon termination
Regular access reviews

Access Levels:

Level 1 - General Access
- Public areas
- General office spaces
- Conference rooms
- Break rooms

Level 2 - Restricted Access
- IT areas
- Finance department
- HR areas
- Executive wing

Level 3 - High Security
- Data center
- Server rooms
- Network closets
- Backup storage
- R&D labs

Level 4 - Critical
- Executive offices
- Safe/vault
- Security monitoring
- Special projects

Authentication Methods:

Badge (something you have)
PIN (something you know)
Biometric (something you are)
Multi-factor for sensitive areas

2. Visitor Access

Visitor Management Process:

1. Pre-registration (when possible)
   - Visitor name and company
   - Purpose of visit
   - Host employee
   - Expected date/time
   - Background check if needed

2. Check-In
   - Arrive at reception
   - Present ID
   - Sign visitor log
   - Receive visitor badge
   - Review security rules
   - Meet host

3. During Visit
   - Wear visible visitor badge
   - Escorted at all times
   - Restrict to approved areas
   - No photography without permission
   - No unattended time

4. Check-Out
   - Return to reception
   - Return visitor badge
   - Sign out
   - Exit facility
   - Host notified

Visitor Log Contents:

Visitor name
Company/affiliation
ID presented and number
Time in/out
Host name
Purpose of visit
Areas visited
Badge number issued

3. Contractor/Vendor Access

Short-term (< 1 week):

Treated as visitors
Escorted access
Daily sign-in/out
Temporary badge

Long-term (> 1 week):

Background check
Security training
Contractor badge (distinct color)
Unescorted access (limited areas)
Badge returned at end of contract

4. Delivery Personnel

Package Delivery:

Restricted to loading dock or reception
No interior access
Packages screened
Escort required if interior access needed

Service Providers:

Utilities, maintenance, etc.
Verify identity
Escort required
Work supervised
Badge issued and tracked

Entry Control Technologies

Card Readers:

Proximity cards (RFID)
Smart cards (contact or contactless)
Magnetic stripe (legacy, less secure)

Biometric Readers:

Fingerprint (most common)
Hand geometry
Facial recognition
Iris scan (high security)
Multi-factor recommended

Mantraps:

Two-door airlock
One door locks before other opens
Prevents tailgating
Weight sensors or people counting
Used for high-security areas

Turnstiles:

Physical barrier
One person at a time
Badge required for entry
Prevents tailgating
Can count occupancy

Security Guards:

Verify credentials
Check visitor logs
Monitor entry points
Respond to alarms
Patrol premises
Friendly but vigilant

A.7.3 - Securing Offices, Rooms and Facilities

Purpose: Design and apply physical security for offices, rooms and facilities.

Control Statement: "Physical security for offices, rooms and facilities shall be designed and implemented."

Office Security

General Offices:

Lockable doors
Limited access outside business hours
Valuable equipment secured
Confidential information not visible
Clean desk policy
Visitor access controlled
Windows secured (ground floor)

Private Offices:

Key or badge access
Lock when unoccupied
Confidential discussions
Secure document storage
Privacy glass/blinds
Phone conversations (be aware of volume)

Meeting Rooms:

Book through central system
Clear whiteboards after use
No confidential materials left behind
Video conference security
Lock if confidential meeting
Visitor escorted

Server Rooms/Data Centers:

Separate from general office areas
Reinforced walls (floor to ceiling)
Solid core doors
Heavy-duty locks
Badge + PIN or biometric access
Visit logging
CCTV monitoring
Environmental monitoring
Fire suppression
No windows (or secured)
Restricted to authorized personnel only
Escort required for non-IT staff

Network Equipment Rooms:

Locked at all times
Badge access
Access logging
No general storage
Cable access secured
Environmental monitoring
Equipment secured in racks

Backup Storage:

Fireproof safe or cabinet
Limited access (2-3 people)
Access logging
Climate controlled
Off-site backup at separate location
Encryption of backup media

Facility Security Design

Construction Considerations:

Walls from true floor to true ceiling
Solid core doors
Quality locks and frames
Secure HVAC ducts
Secure cable pathways
Fire-rated construction for critical areas
Flood protection

Location Considerations:

Avoid ground floor for sensitive areas
Not adjacent to public spaces
Away from hazards (chemical, flood risk)
Multiple exit routes
Power and cooling infrastructure
Secure loading dock access

A.7.4 - Physical Security Monitoring

Purpose: Monitor premises for unauthorized physical access attempts.

Control Statement: "Premises shall be continuously monitored for unauthorized physical access."

Monitoring Systems

Video Surveillance (CCTV):

Coverage:

All entry/exit points
Perimeter
Parking areas
Loading docks
Server rooms
Network closets
Reception areas
Elevator lobbies
Stairwells

Technical Requirements:

High-resolution cameras (1080p minimum)
Night vision/low-light capability
Weather-resistant (outdoor)
Tamper detection
Redundant recording
Network-based (IP cameras)
Encrypted transmission
Secure camera admin interface

Recording:

Continuous recording
30-90 day retention
Redundant storage
Backup of critical camera footage
Audit access to recordings
Comply with privacy laws
Posted notices (privacy)

Intrusion Detection:

Alarm System:

Door/window contacts
Motion detectors
Glass break sensors
Vibration sensors
Panic buttons
Duress codes (appear normal but alert)

Monitoring:

24/7 monitoring (critical facilities)
Monitored by security company
Redundant communication paths
Battery backup
Regular testing
Logs all events
Integrated with access control

Access Logging:

Log All Access:

Who accessed
What door/area
When (date/time)
Granted or denied
Tailgating attempts
Door held open too long
After-hours access
Failed access attempts

Review Logs:

Daily review of failed attempts
Weekly review of after-hours access
Monthly comprehensive review
Investigate anomalies
Retain logs 1+ year
Protect log integrity

Security Guards:

Duties:

Monitor security systems
Patrol premises
Verify identities
Manage visitors
Respond to alarms
Investigate incidents
Enforce security policies
Maintain visitor logs

Guard Posts:

Main entrance
After-hours reception
Security operations center
Critical facility monitoring

A.7.5 - Protecting Against Physical and Environmental Threats

Purpose: Protect against physical and environmental threats.

Control Statement: "Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented."

Natural Disaster Protection

Earthquakes:

Seismic bracing for racks
Secure equipment
Flexible connections
Structural assessment
Emergency procedures
Backup site in different seismic zone

Floods:

Avoid flood zones
Raise critical equipment
Flood barriers
Sump pumps
Water sensors
Drainage systems
Waterproof doors/seals

Fire:

Smoke detectors
Fire suppression (FM-200, Inergen, or water)
Fire extinguishers
Fire-rated walls and doors
Emergency power-off
Fireproof safes for media
Regular fire drills
Automatic alerts to fire department

Severe Weather:

Storm shutters
Reinforced roof
Backup power
Weather monitoring
Emergency procedures
Redundant facilities in different regions

Power Failure:

Uninterruptible Power Supply (UPS)
Emergency generators
Automatic transfer switch
Fuel supply for generators
Regular testing
Battery maintenance
Redundant power feeds

Environmental Controls

HVAC (Heating, Ventilation, Air Conditioning):

Maintain proper temperature (18-24°C / 64-75°F)
Humidity control (40-60%)
Positive air pressure
Air filtration
Redundant HVAC units
Temperature/humidity monitoring
Alerts for out-of-range conditions

Water Detection:

Water sensors under raised floors
Near HVAC units
Near plumbing
Automatic alerts
Automatic shutoff valves

Lightning Protection:

Lightning rods
Grounding system
Surge protection
Isolated ground for sensitive equipment

Electromagnetic Interference:

EMI shielding
Proper grounding
Separate power for sensitive equipment
Distance from EMI sources

Man-Made Threats

Theft:

Access control
CCTV
Security guards
Asset tagging
Inventory management
Secure storage

Vandalism:

Physical barriers
Surveillance
Lighting
Prompt repair of damage
Security culture

Sabotage:

Background checks
Access restrictions
Monitoring
Segregation of duties
Change control
Incident response

Terrorism:

Security assessment
Blast protection (if high risk)
Standoff distance
Vehicle barriers
Package screening
Coordination with law enforcement

A.7.6 - Working in Secure Areas

Purpose: Define procedures for working in secure areas.

Control Statement: "Security measures for working in secure areas shall be designed and implemented."

Secure Area Procedures

Access Requirements:

Authorization required
Escort if not authorized
Sign in/out
Badge visible
No unauthorized materials
No photography/recording
One person at a time (highly secure)

Work Rules:

No food or drink
No personal devices
No unnecessary items
Follow all procedures
Report any issues
Lock when leaving (even briefly)
Log all work performed

Entry/Exit Procedures:

Entry:
1. Request access or use badge
2. Log entry in register
3. State purpose of visit
4. Verify authorization
5. Complete required forms
6. Enter when granted

Exit:
7. Complete work
8. Clean up workspace
9. Remove all materials
10. Log exit
11. Ensure door locked
12. Return keys/access card (if temporary)

Visitor Access to Secure Areas:

Pre-approval required
Business need justified
NDA signed if needed
Escorted at all times
Limited to specific areas
No devices without approval
No photography
Briefed on security rules
Logged in detail

A.7.7 - Clear Desk and Clear Screen

Purpose: Reduce risk of unauthorized access and damage to information.

Control Statement: "A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted."

Clear Desk Policy

Requirements:

At End of Day:

All papers in locked drawer/cabinet
No confidential documents on desk
Remove sticky notes
Clear whiteboard if confidential
Lock filing cabinets
Log off computer
Lock office/workspace

When Away from Desk:

Lock computer screen
Secure visible documents
Flip over confidential papers
Don't leave sensitive items unattended
Lock drawer if leaving building

General Practices:

Minimize paper use
Shred when done with confidential documents
Don't print more than needed
Collect print jobs immediately
Don't leave documents in printer/copier
No sensitive documents in trash
Use secure shred bins

Exceptions:

Working on active document (but stay at desk)
Reference materials in use
Brief absence with document secured

Clear Screen Policy

Requirements:

Automatic Screen Lock:

After 5-10 minutes of inactivity
Password required to unlock
Can't be disabled by user
Same lock time company-wide (or by role)

Manual Lock:

Lock before leaving desk (Windows+L or Ctrl+Alt+Del)
Even for brief absences
Required policy
Include in training

Screen Privacy:

Privacy filters for confidential work
Position monitors away from windows/doors
Limit viewing angle
Be aware of who can see screen
In public areas, minimize confidential data display

Additional Measures:

Auto-save work frequently
Lock when answering door
Lock during meetings away from desk
Lock before going to printer/copier
Lock in common areas (cafeteria, etc.)

Implementation

Training:

Include in security awareness
Explain the why
Demonstrate screen lock
Share examples of breaches
Remind regularly

Enforcement:

Random security checks
Leave friendly reminder for violations
Track repeat offenders
Recognize good practices
Escalate persistent violations

Making It Easy:

Keyboard shortcuts (post reminder)
Convenient locked storage
Shred bins readily available
Secure print release
Good screen lock timeout balance

A.7.8 - Equipment Siting and Protection

Purpose: Properly site and protect equipment to reduce risks.

Control Statement: "Equipment shall be sited securely and protected."

Equipment Placement

Servers and Critical Systems:

In controlled access room
Not visible from outside
Away from water sources
Proper ventilation
Organized in racks
Cable management
Access from front (back to wall)
Seismically secured

Workstations:

Not facing windows (screen privacy)
Proper ergonomics
Cable secured (trip hazard)
Power protection
Lock capability
In secure area

Printers/Copiers:

In secure area for confidential printing
Secure print release for sensitive docs
Network isolation
Hard drive encryption
Regular clearing of memory

Network Equipment:

In locked closets/rooms
Temperature controlled
Proper power
Cable organization
Access logging
No public visibility

Equipment Protection

Physical Protection:

Locks (Kensington locks for laptops)
Secure mounts
Anti-theft devices
Asset tags (tracking and deterrent)
Inventory management
Rack locks
Equipment cages (for co-location)

Environmental Protection:

Temperature control
Humidity control
Dust control
Water protection
Power conditioning
Surge protection
UPS systems

Operational Protection:

Regular maintenance
Cleaning (dust removal)
Monitor performance
Log errors
Replace aging equipment
Update firmware

A.7.9 - Security of Assets Off-Premises

Purpose: Protect assets taken outside organizational premises.

Control Statement: "Assets off-premises shall be protected."

Off-Premises Asset Security

Laptops:

Full disk encryption (mandatory)
Strong password/biometric
Auto-lock screen
Physical cable lock when in public
Never leave in vehicle
Keep with you when traveling
Don't check as luggage
Use laptop bag (not obvious computer bag)

Mobile Devices:

PIN/password/biometric lock
Encryption enabled
Remote wipe capability
MDM/MAM enrollment
Keep secured
Don't leave unattended

Documents:

Minimize taking sensitive documents out
Secure in locked briefcase
Don't read in public
Shred when done
Track confidential documents
Return or destroy

Removable Media:

Encrypted
Minimize use
Track movement
Secure when not in use
Controlled distribution
Destruction when done

Work from Home:

Same security as office
Secure home office
Lock devices when away
Family members don't use work devices
Secure network (VPN)
No sensitive data on home printer

Traveling:

Use privacy screen
Don't work on sensitive matters in public
Beware of shoulder surfing
Secure hotel room safe
Hand-carry critical items
Use VPN for all connections
Avoid public WiFi or use VPN
Don't plug into unknown USB ports

Asset Tracking

Check-Out Process:

Record what was taken
Who took it
When
Expected return
Approval if needed
Sign acknowledgment
Understand responsibilities

Inventory:

Maintain asset register
Location tracking
Assign to responsible person
Regular inventory reconciliation
Investigate missing items

A.7.10 - Storage Media

Purpose: Manage storage media throughout its lifecycle.

Control Statement: "Storage media shall be managed throughout their lifecycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements."

Media Management

Types of Media:

Hard drives
SSDs
USB drives
Optical discs (CD/DVD/Blu-ray)
Backup tapes
SD cards
Mobile device storage
Paper documents

Handling by Classification:

Public:

Standard handling
Normal disposal

Internal:

Controlled distribution
Basic protection
Shred paper
Wipe electronic media

Confidential:

Encryption required
Approved storage only
Secure transmission
Secure shred/destroy
Track movement

Restricted:

Encryption mandatory
Highly restricted access
Approval for movement
Logged handling
Witnessed destruction

Media Lifecycle

1. Acquisition:

Procure from approved vendors
Verify against order
Inspect for tampering
Register in inventory
Prepare for use (format, encrypt)

2. Use:

Access controlled
Usage logged (for sensitive)
Maintain securely
Encrypt sensitive data
Scan for malware

3. Transportation:

Encrypted
Secure packaging
Tracked shipping
Authorized courier
Sign for receipt
Notify recipient

4. Disposal: See A.7.14 for detailed disposal procedures.

A.7.11 - Supporting Utilities

Purpose: Ensure proper installation, monitoring and protection of utilities.

Control Statement: "Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities."

Power Systems

Uninterruptible Power Supply (UPS):

Provide clean, continuous power
Bridge power outages
Runtime: 15-30 minutes typical
Sized for load
Regular testing
Battery maintenance/replacement
Monitoring and alerting

Emergency Generators:

Automatic start on power loss
Fuel for 24-72 hours
Regular testing (monthly)
Maintenance contract
Automatic transfer switch
Load testing annually

Power Distribution:

Redundant power feeds
Different circuits
Different transformers (if possible)
Different utility sources (if possible)
Surge protection
Power monitoring

Cooling Systems:

Redundant HVAC units
Different power sources
Emergency cooling
Temperature monitoring
Humidity monitoring
Automatic alerts

Telecommunications:

Redundant Internet connections
Different providers
Different paths
Automatic failover
Phone systems backup
Cellular backup

Water:

Reliable water supply
For cooling systems
For fire suppression
Water quality monitoring

A.7.12 - Cabling Security

Purpose: Protect cables carrying data or supporting information services.

Control Statement: "Cables carrying power, data or supporting information services shall be protected from interception, interference or damage."

Cable Protection

Data Cables:

Run in conduit or trunking
Above false ceiling or under raised floor
Avoid public areas
Separate from power cables
Label clearly
Protect connections
Lock network closets
Document cable runs

Power Cables:

Separate from data cables
Proper gauge and rating
Professional installation
Regular inspection
Protection from damage
Clearly marked

Physical Protection:

Armored cable (high security)
Locked conduit
Above ceiling (secure)
Underground (with warning tape)
Cable trays (secured)
Inaccessible to unauthorized persons

Logical Protection:

Encrypted transmission
Network segmentation
Monitor for taps
Detect unusual traffic
Authentication required

Labeling:

Both ends labeled
Indicate purpose
Classification level
Destination
Circuit number
Do not over-document (security risk)

A.7.13 - Equipment Maintenance

Purpose: Ensure continued availability and integrity through proper maintenance.

Control Statement: "Equipment shall be correctly maintained to ensure availability, integrity and confidentiality of information."

Maintenance Management

Scheduled Maintenance:

Regular maintenance schedule
Follow manufacturer recommendations
Document all maintenance
Minimize downtime
Test after maintenance
Maintain spares

Service Providers:

Qualified technicians
Authorized vendors
Escorted on-site
No unattended access
Review work performed
NDA if accessing data
Background checks (if accessing sensitive systems)

Maintenance Records:

Equipment maintained
Date and time
Type of maintenance
Technician name
Issues found
Work performed
Parts replaced
Next maintenance due

Security Considerations:

No unauthorized modifications
Firmware updates verified
Malware scans after maintenance
Verify functionality
Check for backdoors
Review logs
Change default passwords

A.7.14 - Secure Disposal or Re-use of Equipment

Purpose: Ensure information cannot be recovered from disposed or re-used equipment.

Control Statement: "Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use."

Disposal Methods

Hard Drives / SSDs:

For Re-use:

Multiple-pass overwrite (DoD 5220.22-M or better)
Verify all data unrecoverable
Test functionality
Remove old asset tags
Apply new inventory tag

For Disposal:

Degaussing (HDDs only, not SSDs)
Physical destruction:
- Shredding (most secure)
- Crushing
- Drilling (multiple holes)
- Disintegration
Certificate of destruction
Environmentally responsible disposal
Use certified vendor

Classification-Based Requirements:

Classification	Minimum Disposal Method
Public	Normal deletion
Internal	Single-pass overwrite or shred paper
Confidential	3-pass overwrite or physical destruction
Restricted	Physical destruction mandatory (shred, crush, incinerate)

Mobile Devices:

Factory reset
Remove SIM and SD cards
Verify data unrecoverable
Physical destruction (high classification)
Remove from MDM

Removable Media:

Overwrite or physical destruction
Break/shred optical media
Destroy USB drives
Degauss tapes
Shred paper documents

Equipment with Embedded Storage:

Printers (hard drives)
Copiers (hard drives)
Network equipment (configuration)
IoT devices (firmware)
Remove or destroy storage
Factory reset
Update firmware to clear settings

Disposal Process

1. Equipment end-of-life identified
2. Decommission from production
3. Remove from inventory
4. Classify data sensitivity
5. Select appropriate disposal method
6. Perform data destruction
7. Verify destruction
8. Document disposal
9. Certificate of destruction (if required)
10. Update inventory
11. Environmentally responsible disposal

Disposal Vendors

Vendor Selection:

Certified (NAID, R2, e-Stewards)
Insured
Certificate of destruction provided
Audit trail
Secure chain of custody
On-site or secure facility destruction
Environmentally compliant
References and reputation

Vendor Management:

Written agreement
Security requirements
Audit rights
Insurance requirements
Incident notification
Compliance reporting
Regular audits

Physical Security Implementation Checklist

Perimeter Security:

Security perimeters defined
Fencing/barriers in place
Entry points controlled
Perimeter lighting
Perimeter surveillance
Signage posted

Access Control:

Badge system implemented
Access levels defined
Entry logging enabled
Visitor management process
Contractor procedures
After-hours access controlled

Facility Security:

Offices secured
Server rooms locked and monitored
Network closets secured
Backup storage secured
Clean desk policy
Clear screen policy

Monitoring:

CCTV system installed
Recording and retention
Intrusion detection system
24/7 monitoring (if needed)
Access logs reviewed
Security guards (if needed)

Environmental:

Fire detection and suppression
HVAC systems redundant
Water detection
UPS systems installed
Generator installed and tested
Environmental monitoring

Asset Protection:

Equipment properly sited
Asset inventory maintained
Off-premises assets tracked
Cable security implemented
Maintenance procedures
Disposal procedures

Policies and Procedures:

Physical security policy
Visitor procedures
Working in secure areas procedure
Clear desk/screen policy
Asset disposal procedure
Maintenance procedures

Next Lesson: Technological Controls (A.8) - Explore the 34 technical controls covering endpoint security, network protection, access management, cryptography, secure development, and security monitoring.