A.7.1 through A.7.4 — Physical Perimeters, Entry and Securing Facilities

A.7.1 Physical Security Perimeters: Beyond the Garden Fence Mentality

Control A.7.1 demands that organizations define and use security perimeters to protect areas containing information and associated assets. In fifteen years of auditing, I've seen everything from impressive-looking mantrap entries that you can bypass through the ceiling tiles to glass-walled "secure" areas where anyone can see exactly what you're protecting.

The standard isn't asking you to build a fortress. It's asking you to think systematically about where your critical assets live and create meaningful, risk-appropriate boundaries around them. This starts with understanding that a perimeter isn't just walls—it's a complete security envelope that includes every possible entry point.

When I assess Control A.7.1, I look for organizations that have mapped their perimeters completely. This means documenting not just the obvious doors and windows, but the utility penetrations, shared walls with neighboring tenants, roof access points, HVAC systems, and raised floor access. I once found a data center where the "secure" perimeter extended to the drop ceiling but not the actual structural ceiling. The utility corridor above was accessible from an adjacent tenant space—a motivated attacker could have bypassed six-figure access controls with a stepladder.

Risk-Based Perimeter Design

The implementation guidance within ISO/IEC 27002:2022 emphasizes that perimeter strength should align with the information security requirements of the assets within. This connects directly to your Clause 6.1.2 risk assessment—you can't design appropriate perimeters without understanding what you're protecting and the threats you face.

I recommend establishing clear perimeter classifications:

  • Public areas: Reception, meeting rooms—basic boundary definition, focus on controlling access deeper into the facility
  • Controlled areas: General office space—standard construction, basic access control
  • Restricted areas: IT operations, records storage—enhanced barriers, monitored entry points
  • High-security areas: Data centers, server rooms—maximum protection with continuous monitoring per Control A.7.4

Your physical security policy should document this classification scheme and the rationale behind protection levels. When auditors ask why different areas have different controls, you need a documented, risk-based answer.

A.7.2 Physical Entry Controls: Where Technology Meets Human Nature

Control A.7.2 requires secure areas to be protected by appropriate entry controls to ensure only authorized personnel can access them. The word "appropriate" carries significant weight here—and I've seen creative interpretations that would make security professionals weep.

Entry controls aren't just about the technology. Card readers, biometric systems, and electronic locks are meaningless if the processes around them fail. The most common failures I observe:

  • Tailgating being culturally acceptable ("holding doors is polite!")
  • Access cards shared between employees or left unattended
  • Visitor badges that work indefinitely
  • Access control systems disconnected from HR termination processes
  • Lost or stolen cards not promptly reported or revoked

The technology rarely fails—the human processes do.

Visitor Management That Actually Works

Proper visitor management exemplifies Control A.7.2 implementation. I've seen penetration testers walk into organizations unchallenged by claiming to be "here for a meeting" or "the copier repair technician." Effective visitor controls require:

  • Pre-registration requirements for expected visitors
  • Identity verification against government-issued ID
  • Escort requirements for sensitive areas
  • Time-limited access badges that automatically expire
  • Clear procedures for unexpected visitors
  • Badge return and access revocation upon departure

Auditor's tip: I always test visitor procedures during my facility walkthrough. If I can access restricted areas as a "visitor," your controls aren't working regardless of what your documentation says.
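Two of the process failures above, terminated employees who keep an active badge and visitor badges that never expire, can be checked mechanically instead of by paging through the access control console. The script below is an added example written for this article, not code from any PACS vendor or from ISO/IEC 27002. It reconciles a constructed badge export against a constructed HR roster; the CSV column names (employee_id, holder_type, valid_until and so on) are assumptions about the export format and will differ for a real system.

```python
"""Reconcile a physical access control system (PACS) badge export against the
HR roster. Added example for this article, not vendor code; the CSV layouts
below are assumptions, so adapt the column names to your own exports."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: a small HR roster and a PACS badge export.
HR_ROSTER = """\
employee_id,name,status,termination_date
E100,Alice Ng,active,
E101,Bob Roy,terminated,2024-01-15
E102,Cara Lim,active,
"""

PACS_BADGES = """\
badge_id,holder_id,holder_type,badge_status,valid_until,areas
B1,E100,employee,active,,office;itops
B2,E101,employee,active,,office;datacenter
B3,E102,employee,active,,office
B4,V900,visitor,active,2024-02-01T17:00:00Z,office
B5,V901,visitor,active,2024-03-10T17:00:00Z,office
B6,E103,employee,active,,office
"""


@dataclass(frozen=True)
class Finding:
    badge_id: str
    holder_id: str
    reason: str   # machine-readable code for ticketing or SIEM
    detail: str   # human-readable explanation for the audit evidence


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" that many exports emit for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(hr_csv: str, pacs_csv: str, now: datetime,
              max_visitor_days: int = 1) -> list[Finding]:
    """Return every active badge that should not be active."""
    hr = {r["employee_id"]: r for r in _rows(hr_csv)}
    findings: list[Finding] = []
    for b in _rows(pacs_csv):
        if b["badge_status"].lower() != "active":
            continue  # already disabled; nothing to do
        bid, hid = b["badge_id"], b["holder_id"]
        if b["holder_type"] == "employee":
            rec = hr.get(hid)
            if rec is None:
                # Badge issued to an identity HR has never heard of.
                findings.append(Finding(bid, hid, "NO_HR_RECORD",
                                        "active badge with no matching HR record"))
            elif rec["status"].lower() != "active":
                term = rec["termination_date"]
                age = (now.date() - datetime.fromisoformat(term).date()).days if term else None
                findings.append(Finding(bid, hid, "TERMINATED_HOLDER",
                                        f"holder terminated {term or '(date unknown)'}, "
                                        f"badge still active after {age} days"))
        elif b["holder_type"] == "visitor":
            if not b["valid_until"]:
                findings.append(Finding(bid, hid, "VISITOR_NO_EXPIRY",
                                        "visitor badge has no expiry"))
            else:
                expires = _parse_ts(b["valid_until"])
                if expires < now:
                    findings.append(Finding(bid, hid, "VISITOR_EXPIRED",
                                            f"expired {expires.isoformat()} but still active"))
                elif expires - now > timedelta(days=max_visitor_days):
                    findings.append(Finding(bid, hid, "VISITOR_TOO_LONG",
                                            f"valid for {(expires - now).days} more days; "
                                            f"limit is {max_visitor_days}"))
    return sorted(findings, key=lambda f: f.badge_id)


def audit_sample() -> list[Finding]:
    """Run the reconciliation on the constructed data as of 2024-03-01 12:00 UTC."""
    return reconcile(HR_ROSTER, PACS_BADGES, datetime(2024, 3, 1, 12, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.badge_id} ({f.holder_id}): {f.reason}: {f.detail}")
```

On the constructed data this flags four badges: one belonging to someone HR terminated 46 days earlier, one with no HR record at all, one visitor badge that expired a month ago, and one visitor badge issued for more than a day. Run this daily against the real exports and keep the output; it is exactly the "evidence of regular access review and termination processes" an auditor asks for.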

A.7.3 Securing Offices, Rooms and Facilities: The Devil in the Details

Control A.7.3 addresses security for offices, rooms, and facilities, extending beyond perimeter controls to the specific spaces where work happens. This control often gets overlooked because it seems obvious, but implementation requires attention to details that many organizations miss.

The control covers both the physical hardening of a space and the operational habits inside it. The ISO/IEC 27002:2022 guidance is concrete on several points: site key facilities away from public access, keep buildings and rooms unobtrusive with no signage that advertises what is inside, arrange rooms so that confidential information and activities are neither visible nor audible from outside, and keep directories, internal phone books and floor plans that identify sensitive processing locations away from unauthorized persons. Alongside these, the core requirements remain secure storage of sensitive information, protection of processing equipment, and matching the measures to the sensitivity of what is done in each space.

During audits, I examine how organizations classify and protect different work areas. A customer service area handling personal information needs different protections than a general meeting room. The same applies to executive offices where sensitive business decisions occur versus open-plan workspace areas.

Common Implementation Gaps

Organizations frequently struggle with consistent application of Control A.7.3. I regularly find:

  • Inconsistent locking mechanisms across similar-risk areas
  • Sensitive documents left unsecured in low-security spaces
  • IT equipment in general areas without appropriate protection
  • Meeting rooms with sensitive discussions lacking sound privacy
  • Storage areas with mixed security classifications

The solution requires mapping your information flows to physical spaces and applying consistent protection measures. If sensitive HR discussions happen in a particular meeting room, that room needs acoustic privacy and access controls appropriate for the information discussed there.

A.7.4 Physical Security Monitoring: Your Security Perimeter's Early Warning System

Control A.7.4 is new in the 2022 version of ISO/IEC 27002, requiring premises to be continuously monitored for unauthorized physical access. This control acknowledges that even the best perimeters and entry controls can be bypassed—you need detection capabilities to identify when that happens.

Physical monitoring serves dual purposes: detection and deterrence. Visible monitoring systems often prevent unauthorized access attempts, while detection capabilities ensure you know when breaches occur. The control specifically mentions closed-circuit television (CCTV), intruder alarms, and physical security information management software.

Monitoring System Design Considerations

Effective monitoring under Control A.7.4 requires strategic placement and integration with your incident response procedures. The standard emphasizes that monitoring system designs should remain confidential—publishing camera locations or detection patterns helps potential attackers avoid them.

Key implementation elements include:

  • Coverage of all external doors and accessible windows
  • Motion detection in unoccupied areas during off-hours
  • Video recording with appropriate retention periods
  • Integration with alarm systems and incident response
  • Protection of monitoring equipment from tampering
  • Regular testing to ensure continued effectiveness
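The detection half of A.7.4 only works if someone turns the door controllers' event stream into alerts that reach the incident process. As an added example for this article (not from the standard or from any product), the Python below applies four rules to a constructed access-control event log: a door forced or held open, badged entry to a restricted area outside business hours, repeated denials on one door by one badge, and motion in an area with no badged entry or other explained activity in the preceding window. The log line format, area names, business hours and thresholds are assumptions chosen for the example.

```python
"""Turn a physical access control event stream into alerts. Added example for
this article, not from ISO/IEC 27002 or any PACS product; the log format, area
names and thresholds are assumptions chosen to illustrate the rules."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample event log. Assumed line format:
#   <ISO-8601 ts> <door> <area> <EVENT> <badge=ID | ->
SAMPLE_LOG = """\
2024-03-01T09:02:11Z lobby-door office ACCESS_GRANTED badge=B1
2024-03-01T09:05:40Z dc-door-1 datacenter ACCESS_GRANTED badge=B3
2024-03-01T09:06:02Z dc-door-1 datacenter MOTION -
2024-03-01T12:30:00Z dc-door-1 datacenter ACCESS_DENIED badge=B7
2024-03-01T12:30:09Z dc-door-1 datacenter ACCESS_DENIED badge=B7
2024-03-01T12:30:15Z dc-door-1 datacenter ACCESS_DENIED badge=B7
2024-03-01T22:14:05Z dc-door-1 datacenter ACCESS_GRANTED badge=B2
2024-03-01T23:41:30Z records-room records DOOR_FORCED -
2024-03-02T02:10:00Z dc-door-1 datacenter MOTION -
"""

RESTRICTED_AREAS = {"datacenter", "records", "itops"}  # assumed classification

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<door>\S+) (?P<area>\S+) (?P<event>[A-Z_]+) (?P<badge>\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    door: str
    area: str
    kind: str
    badge: Optional[str]


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    door: str
    detail: str


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    badge = m["badge"][len("badge="):] if m["badge"].startswith("badge=") else None
    return Event(ts, m["door"], m["area"], m["event"], badge)


def detect(log: str, restricted=RESTRICTED_AREAS, hours=(7, 19), tz=timezone.utc,
           denied_threshold=3, denied_window=timedelta(seconds=120),
           presence_window=timedelta(minutes=10)) -> list[Alert]:
    """Evaluate the rules over the log; `tz` is the site's local zone for the
    business-hours check (UTC here only because the sample data is UTC)."""
    events = sorted((parse_line(l) for l in log.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    alerts: list[Alert] = []
    last_activity: dict[str, datetime] = {}   # area -> last explained presence
    denied = defaultdict(deque)               # (door, badge) -> recent denials
    for ev in events:
        if ev.kind in ("DOOR_FORCED", "DOOR_HELD_OPEN"):
            alerts.append(Alert(ev.ts, "door_tamper", ev.door, ev.kind))
        elif ev.kind == "ACCESS_GRANTED":
            last_activity[ev.area] = ev.ts
            local_hour = ev.ts.astimezone(tz).hour
            if ev.area in restricted and not (hours[0] <= local_hour < hours[1]):
                alerts.append(Alert(ev.ts, "after_hours_entry", ev.door,
                                    f"badge {ev.badge} entered {ev.area} at {local_hour:02d}h local"))
        elif ev.kind == "ACCESS_DENIED":
            q = denied[(ev.door, ev.badge)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > denied_window:
                q.popleft()                   # drop denials outside the window
            if len(q) >= denied_threshold:
                alerts.append(Alert(ev.ts, "repeated_denied", ev.door,
                                    f"badge {ev.badge} denied {len(q)} times in "
                                    f"{int(denied_window.total_seconds())}s"))
                q.clear()                     # one burst yields one alert
        elif ev.kind == "MOTION":
            last = last_activity.get(ev.area)
            if last is None or ev.ts - last > presence_window:
                # Unexplained motion does not refresh the timer, so an intruder's
                # continued movement keeps alerting.
                alerts.append(Alert(ev.ts, "motion_without_entry", ev.door,
                                    f"motion in {ev.area}; last explained activity "
                                    f"{last.isoformat() if last else 'never'}"))
            else:
                last_activity[ev.area] = ev.ts  # occupant still present
    return alerts


def sample_alerts() -> list[Alert]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.ts.isoformat()} {a.rule:<22} {a.door:<13} {a.detail}")
```

On the sample log the 09:06 motion is explained by the badge entry seconds earlier and stays quiet, while the three denials, the 22:14 data-center entry, the forced records-room door and the 02:10 motion each produce one alert. Each alert carries the door and the badge so the response step in your incident procedure can pull the matching CCTV clip and the cardholder's record without a second lookup. Tune the presence window to how long people actually stay in the area, and run the business-hours check in the site's local time zone, not the controller's.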

Remember that monitoring under Control A.7.4 must comply with local data protection law. CCTV footage and access logs almost always contain personal data, so where legislation such as the GDPR applies you need a documented purpose, signage, a defined retention period, access limited to people who need the footage, and a recorded basis for any sharing with third parties. ISO/IEC 27701 provides privacy information management guidance that fits here; ISO/IEC 27018 is narrower, covering PII processors operating public clouds, and is relevant mainly when a cloud provider hosts your footage or logs.

Integration Across Physical Security Controls

These four controls work together to create layered physical security. Control A.7.1 establishes your security boundaries, A.7.2 controls who can cross those boundaries, A.7.3 protects specific work areas, and A.7.4 monitors for unauthorized access attempts.

The integration extends beyond Annex A. Your physical security program must align with:

  • Control A.5.15 (Access Control) and A.5.18 (Access Rights) for logical access integration and for joiner, mover and leaver provisioning and revocation
  • Control A.8.9 (Configuration Management) for security system management
  • Control A.6.8 (Information Security Event Reporting) together with A.5.24 through A.5.26 (incident management planning, assessment and response) for physical security breaches

Organizations using cloud services should also reference ISO/IEC 27017 for cloud-specific physical security considerations when evaluating service providers.

What Auditors Look For

During physical security audits, I examine both documentation and actual implementation. Key evidence expectations include:

  • Complete perimeter mapping with risk-based protection rationale
  • Access control procedures with visitor management protocols
  • Evidence of regular access review and termination processes
  • Monitoring system documentation including coverage maps and retention policies
  • Integration between physical and logical access controls
  • Incident logs showing detection and response to physical security events

I always conduct a physical walkthrough, testing visitor procedures and observing actual security practices. Documentation means nothing if your staff routinely prop open fire doors or share access cards.

Common audit finding: Organizations that implement sophisticated access control technology but fail to maintain it properly. I regularly find access control databases containing terminated employees who retain facility access months after departure.

Physical security isn't glamorous, but it's fundamental. You can have the most sophisticated cybersecurity controls in the world, but if someone can walk into your server room unchallenged, you've built a digital fortress with unlocked doors. Controls A.7.1 through A.7.4 ensure your information assets have the physical protection they deserve.

For organizations implementing these controls, remember that effective physical security requires ongoing attention. Regular audits, employee training, and continuous monitoring ensure your physical barriers remain effective against evolving threats.

Need help implementing physical security controls or preparing for your ISO 27001 audit? Connect with experienced practitioners and get practical implementation guidance at the IX ISO 27001 Info Hub or schedule a consultation to discuss your specific physical security challenges.

Need personalized guidance? Reach our team at ix@isegrim-x.com.

