A.7.5 through A.7.8 — Environmental Threats, Secure Areas and Clean Desks

A.7.5 — Protecting Against Physical and Environmental Threats

Environmental threats don't care about your NIST framework implementation or how sophisticated your SIEM deployment is. During one particularly memorable audit, I watched a CTO explain their million-dollar cybersecurity investment while standing ankle-deep in water from a burst pipe that had destroyed their primary data center. Control 7.5 requires organizations to design and apply protection against physical and environmental threats—and this control separates security professionals who understand holistic risk from those who live exclusively in the digital realm.

The control encompasses the full spectrum of environmental hazards: fire, flood, earthquake, explosion, civil unrest, electromagnetic interference, and what ISO/IEC 27002:2022 calls "other forms of natural disaster or disaster caused by human beings." The guidance specifically mentions conducting risk assessments that consider local topography, urban threats, and appropriate elevation relative to bodies of water and tectonic fault lines. This isn't theoretical—it's grounded in the reality that your information assets exist in physical space subject to physical laws.

What the Auditor Looks For

When I assess Control 7.5 implementation, I'm examining several critical elements:

  • Comprehensive risk assessment documentation that identifies location-specific environmental threats based on geographic, geological, and urban factors
  • Evidence of specialist consultation—the standard explicitly recommends obtaining specialist advice for managing environmental risks
  • Proportionate protective measures implemented based on assessed risks, not generic best practices
  • Regular testing and maintenance of protective systems with documented results
  • Integration with business continuity planning under Clause 8.1 to ensure environmental incidents trigger appropriate response procedures

I also cross-reference environmental protection with Control 7.11 (Supporting utilities) and related cloud security considerations under ISO/IEC 27017 when organizations depend on third-party infrastructure they don't directly control.

Implementation Reality

The most sophisticated implementation I've audited was at a pharmaceutical manufacturer in a seismically active, flood-prone region. Their environmental risk assessment identified multiple credible threats, leading to seismic bracing for all equipment racks, elevation of critical systems above the 100-year flood level, and water detection sensors with escalating alert chains. They'd consulted structural engineers, flood management specialists, and even urban planning experts to understand potential civil unrest patterns near their facility.

Contrast this with the common failure pattern: organizations that assume building management handles environmental protection. During one audit, I discovered that a company's "fire suppression system" was actually a building-wide sprinkler system that would destroy their equipment faster than any fire. They'd never verified that their server room modifications were covered by building protections, never tested alert systems, and had no procedures for environmental emergencies.

Practical tip: Don't just read your lease agreement—walk your space with qualified specialists and document gaps between building-provided protection and your actual needs. The standard's emphasis on specialist advice isn't bureaucracy; it's recognition that environmental protection requires expertise most security professionals don't possess.

A.7.6 — Working in Secure Areas

Control 7.6 addresses the human element within physically secured spaces. This control recognizes that access control systems solve only half the security equation—you also need to govern behavior once someone legitimately enters a restricted area. The control requires implementing security measures for working in secure areas, including supervision requirements, recording device restrictions, and procedures for entering and leaving such spaces.

The practical challenge is that most organizations approach this control with a compliance mindset rather than a security mindset. They focus on creating policies that sound impressive to auditors rather than implementing measures that actually protect information assets within secure areas.

What the Auditor Looks For

During secure area assessments, I examine:

  • Clear definition of secure areas with documented justification for designation
  • Specific behavioral requirements for different types of secure areas and different categories of personnel
  • Supervision protocols that are actually implemented, not just documented
  • Recording device policies with enforcement mechanisms and exception handling
  • Evidence that personnel understand and follow procedures through observation and interviews

I also verify integration with Control 7.1 (Physical security perimeters) and Control 7.2 (Physical entry controls) to ensure coherent layered protection.

Common Implementation Failures

The most frequent deficiency is treating "secure areas" as a binary concept. Organizations designate entire floors as "secure" but implement no differentiated controls within those areas. I've audited companies where janitorial staff had unrestricted access to server rooms because they'd passed the same background check as IT administrators. The cleaning crew wasn't supervised, had no training on information security requirements, and freely brought personal devices into areas containing sensitive equipment.

Another persistent issue is the failure to address the mobile device reality. Policies prohibit "recording devices" but nobody defines what this means in an era of ubiquitous smartphones with high-resolution cameras. During one audit, I discovered that an organization's data center contained whiteboards covered with network diagrams, password fragments, and IP address ranges—all photographable by anyone with legitimate access.

Effective implementation requires thinking through actual use cases. One financial services firm I audited had implemented a clever tiered approach: their primary server room required supervised access for all non-technical personnel, but their secondary equipment areas allowed unsupervised access for pre-approved maintenance personnel with specific training on information security requirements within those spaces.

A.7.7 — Clear Desk and Clear Screen

Control 7.7 requires implementing a clear desk policy for papers and removable storage media, and a clear screen policy for information processing facilities. This control protects against unauthorized access to information through casual observation—what we call "visual hacking" or "shoulder surfing." The control also addresses the broader information security challenge of unattended workstations and improperly secured physical information.

What makes this control challenging for many organizations is that effective implementation requires changing entrenched cultural habits. People resist policies that feel like micromanagement or that conflict with their preferred working styles.

What the Auditor Looks For

During clear desk assessments, I evaluate:

  • Physical workspace observations during unannounced walks through work areas
  • Automatic screen locking configuration and consistent implementation across all workstations
  • Physical document handling procedures with secure storage solutions readily available
  • Removable media management including USB drives, external hard drives, and backup tapes
  • Evidence of regular reinforcement through management communication and training updates

I also examine integration with Control 8.10 (Information deletion) and related data classification requirements to ensure clear desk policies align with information sensitivity levels.

Implementation Success Factors

The most successful clear desk implementations I've audited focus on making compliance easy rather than punitive. One technology company provided locking drawer units for every employee, installed privacy screens on monitors in open work areas, and configured all workstations to lock after two minutes of inactivity. They also designated specific areas for confidential discussions and document review, complete with visual barriers and enhanced security measures.

The key insight from this implementation was that they addressed the legitimate business need to work with sensitive information while providing practical tools to do so securely. Contrast this with organizations that simply announce a clear desk policy without providing secure storage solutions or addressing the reality of modern flexible work arrangements.

Practical tip: Your clear desk policy effectiveness correlates directly with how easy you make compliance. If secure storage is inconvenient or screen privacy is uncomfortable, people will find workarounds that undermine your information security objectives.

A.7.8 — Equipment Siting and Protection

Control 7.8 requires that equipment be sited securely and protected from both environmental and human threats. This control bridges physical protection with operational security by addressing where and how you position information processing equipment. The control specifically mentions minimizing unnecessary access, reducing visual compromise risks, protecting against theft and tampering, and maintaining appropriate environmental conditions.

ISO/IEC 27002:2022 provides detailed guidance including temperature and humidity monitoring, lightning protection, electromagnetic emanation shielding, and separation of organizational equipment from third-party managed facilities. For organizations using cloud services, this control intersects with ISO/IEC 27017 requirements for understanding and validating provider physical security measures.

What the Auditor Looks For

When assessing equipment siting and protection, I examine:

  • Strategic positioning decisions that minimize both access requirements and visual compromise
  • Environmental monitoring systems with appropriate thresholds and alert mechanisms
  • Protection against electromagnetic emanation for equipment processing confidential information
  • Physical separation between organizational and third-party equipment
  • Lightning and surge protection appropriate to the geographic location and building characteristics
  • Maintenance access procedures that balance operational needs with security requirements

I also verify integration with supplier relationship management under Control 5.19 and ISO/IEC 27036 when equipment protection depends on third-party services or shared facilities.
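The "escalating alert chains" behind the water detection sensors in A.7.5 and the "appropriate thresholds and alert mechanisms" auditors look for under A.7.8 can be made concrete in code. The block below is an added illustration, not code from the article or from any organization it describes: it evaluates constructed sensor readings against warning/critical thresholds and escalates a sustained critical condition through successive contacts, clearing the incident once the reading returns to normal. All thresholds, contact names and readings are assumptions for the example.

```python
"""Escalating environmental alert chain evaluated over constructed sensor readings."""

# Warning/critical thresholds per sensor. Constructed values, not from ISO/IEC 27002.
THRESHOLDS = {
    "temperature_c": (27.0, 32.0),
    "humidity_pct": (60.0, 75.0),
    "water_detected": (1, 1),   # any water detection is immediately critical
}
# Escalation chain: (consecutive critical readings required, contact to notify).
ESCALATION = [(1, "on-call facilities"), (3, "security operations"), (6, "site management")]


def severity(sensor, value):
    warn, crit = THRESHOLDS[sensor]
    return "critical" if value >= crit else "warning" if value >= warn else "ok"


def process(readings):
    """Return alerts as (timestamp, sensor, event, contact) tuples."""
    streak, last, alerts = {}, {}, []
    for ts, sensor, value in readings:
        sev = severity(sensor, value)
        if sev == "critical":
            streak[sensor] = streak.get(sensor, 0) + 1
            # Each contact is notified exactly once per incident, when its streak threshold is hit.
            for needed, contact in ESCALATION:
                if streak[sensor] == needed:
                    alerts.append((ts, sensor, "critical", contact))
        else:
            if streak.get(sensor, 0):
                alerts.append((ts, sensor, "cleared", None))   # incident over, chain resets
            streak[sensor] = 0
            if sev == "warning" and last.get(sensor) != "warning":
                alerts.append((ts, sensor, "warning", ESCALATION[0][1]))
        last[sensor] = sev
    return alerts


READINGS = [  # (minutes since start, sensor, value); constructed sample data
    (0, "temperature_c", 24.0),
    (5, "temperature_c", 28.5),    # warning
    (10, "temperature_c", 33.0),   # critical #1 -> on-call facilities
    (15, "temperature_c", 33.5),   # critical #2
    (20, "temperature_c", 34.0),   # critical #3 -> security operations
    (25, "water_detected", 1),     # water: critical at once -> on-call facilities
    (30, "temperature_c", 25.0),   # cooled down: incident cleared
]

if __name__ == "__main__":
    for alert in process(READINGS):
        print(alert)
```

Feeding the recorded output of a real test (a deliberately triggered sensor) through logic like this is the kind of documented test result the auditor asks for under A.7.5.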

Advanced Implementation Considerations

One manufacturing company I audited had implemented sophisticated equipment protection that went well beyond basic environmental controls. Their server room used positive air pressure systems to prevent dust infiltration, had redundant cooling with automatic failover, and implemented electromagnetic shielding that exceeded TEMPEST requirements for their most sensitive processing equipment. They'd also positioned information displays to prevent visual access from public areas while maintaining necessary visibility for operations personnel.

The lesson from advanced implementations is that equipment protection requires thinking holistically about threats. Physical theft is obvious, but what about electromagnetic eavesdropping? Environmental damage is clear, but what about electromagnetic interference from nearby industrial equipment? The most effective organizations conduct thorough threat modeling that considers their specific operating environment and information sensitivity levels.

Integration with Broader ISMS Requirements

These physical security controls don't operate in isolation. They integrate with risk assessment procedures under Clause 6.1, incident management under Control 5.24, and business continuity planning under Control 5.29. Organizations implementing ISO/IEC 27001 must ensure these controls align with their overall risk appetite and complement technical security measures.

For organizations in highly regulated industries, these controls often intersect with sector-specific requirements. Financial services organizations must consider regulatory expectations for physical security, while healthcare organizations must address HIPAA physical safeguard requirements. The key is ensuring your ISMS treats physical security as an integral component of information protection, not an afterthought managed by facilities teams.

Final insight: Physical security controls are force multipliers for your entire information security program. No amount of technical sophistication can compensate for fundamental physical vulnerabilities, but well-implemented physical controls provide a foundation that enhances every other aspect of your security posture.

Want to dive deeper into physical security implementation strategies or discuss how these controls integrate with your specific industry requirements? Connect with the IX ISO 27001 Info Hub for practical guidance from practitioners who've implemented these controls across diverse organizational contexts.

Need personalized guidance? Reach our team at ix@isegrim-x.com.
