ISO 27001 Annex A 7.1 Physical Security Perimeters

ISO 27001 Annex A 7.1 is a control about physical security. It asks you to set up a security perimeter to protect your offices and work areas. This control helps you stop unwanted people from getting inside your buildings.

What is ISO 27001 Annex A 7.1?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Physical Security Perimeters”.

What is the ISO 27001 Annex A 7.1 control objective?

The formal definition and control objective in the standard is: “To prevent unauthorised physical access, damage and interference to the organisation’s information and other associated assets.”

What is the purpose of ISO 27001 Annex A 7.1?

The purpose of ISO 27001 Annex A 7.1 is “To ensure physical security is in place to stop people you don’t want to allow from gaining physical access to property and assets.”

Is ISO 27001 Annex A 7.1 Mandatory?

ISO 27001 Annex A control 7.1 (Physical Security Perimeters in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.1 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Why is ISO 27001 Annex A 7.1 Important?

  1. Protect Your Main Assets: You must use perimeters to guard your most important assets, such as servers and data storage devices. This stops people from simply walking in to steal equipment or tampering with network parts like routers or switches.
  2. Create Clear Trust Zones: You need to set up defined areas of trust inside your buildings. These zones range from public spaces (like a lobby) to highly restricted zones (like a server room) that demand extra security measures. The ISO standard requires you to define and record how these areas are separated.
  3. Manage Who Comes and Goes: You must put processes in place to control who enters your restricted areas and what they carry. This includes checking visitors, verifying deliveries, and preventing anyone from taking out sensitive assets, such as hard drives or key documents, without permission.
  4. Ensure Business Stays Running: By securing your physical locations, you protect systems from both theft and environmental harm, like fire or flood. This directly helps keep your essential IT systems reliable and supports your overall business continuity.

In short, physical security perimeters make sure your digital security measures aren’t bypassed by a lack of basic building security.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. This rule is mainly about having a clear process for:

  1. Defining your physical security needs based on your business risks.
  2. Writing a specific Physical and Environmental Security Policy.
  3. Securing any physical place where you process information.

Building Construction and Security

Think about the floor, walls, ceiling, and roof of your building; they should be strongly built. All outside doors must have locks. You should have alarms and monitoring systems. You must have a plan for how to respond to intruders. Always follow all laws and rules, especially those for fire, health, and safety.

Health and Safety

Your most important duty is to follow all laws. You should speak to a lawyer to fully understand your legal duties. The most crucial laws are those for health and safety, as protecting people is always the first goal. Common safety items include fire alarms, fire suppression systems, fire doors, and doors that open when power fails. While protecting data and buildings is vital, protecting people is your absolute top concern.

Defining Physical Security Needs

The standard mentions facilities where information is processed, which includes offices and data centres. Auditors will also check your home working setup for this rule. To start, you must clearly state your own security needs. Your choices should be based on business needs and the risks you face. Start with simple controls like door locks. Then, you can decide if you need stronger locks, biometric scanners, or security gates. Do what makes sense for you. Look at the area around your location and the potential dangers, and be sensible about addressing them.

Physical and Environmental Security Policy

To tell people what you do and what you expect, you must write, approve, use, and share your detailed Physical and Environmental Security Policy.

Alarms and Monitors

Alarms and monitors are controls that alert you when something bad happens. Getting alarms installed is always a good idea. You should create a clear response plan and make sure the contact list of who gets notified is current. Who will get the call at 2 a.m. and what are they expected to do?

CCTV

You may consider using CCTV cameras, but know that this brings extra duties regarding data protection laws like GDPR. You must seek legal advice before installing CCTV to make sure you do it legally. You must decide things like how, how long, where, and in what format you save the recordings. Then, you must decide who can see them and how they will be destroyed. It is more complicated than just setting up a simple home camera.

Secure Areas

The standard says a secure area can be a locked office or an inside area with a special internal barrier. This means your physical spaces can be divided inside based on what needs to be protected. This is often done for rooms where you keep paper files, old records, or old IT equipment. Data centres on your property also count, but most people now use cloud services.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will check:

1. You have a physical security boundary.

This is one of the easiest checks for the auditor. It is often the first thing they see when they visit your physical office. They will visit and check all physical locations that are part of your scope.

2. Your physical security boundary is strong.

Auditors have done this job for a long time and know what to look for. They will test your security controls and see what happens: they may try to open doors, open locked storage areas, or enter places they should not be able to reach.

3. Your documentation is ready.

They will look at your audit trails and all your written papers. They will check your access review forms. They will review logs, reports, and incidents. They will check how you managed any problems.