ISO 27001 Annex A 7.3 Securing Offices, Rooms and Facilities

ISO 27001 Annex A 7.3 is about how you protect your offices, rooms, and facilities using physical security. This control focuses on physical access: letting the right people enter so they can do their work easily, while keeping out anyone you do not want to access these areas.

What is ISO 27001 Annex A 7.3?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Securing Offices, Rooms and Facilities”.

What is the ISO 27001 Annex A 7.3 control objective?

The formal definition and control objective in the standard is: “Physical security for offices, rooms and facilities should be designed and implemented.”

What is the purpose of ISO 27001 Annex A 7.3?

The purpose of ISO 27001 Annex A 7.3 is “to ensure you prevent unauthorised physical access, damage and interference to the organisation’s information and other associated assets in offices, rooms and facilities.”

Is ISO 27001 Annex A 7.3 Mandatory?

ISO 27001 Annex A control 7.3 (Securing Offices, Rooms and Facilities in the 2022 standard) is not automatically mandatory in the way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.3 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this control, you should have clear plans and policies. The important steps are:

Requirements

You will need to talk to a legal expert to make sure you follow all applicable laws and regulations. You must only let authorised people enter your buildings and sites. You must also put in place physical security measures based on your risks and business needs.

Things to Think About

Some other things you might want to consider are:

  • Think about placing secret or sensitive information where the public cannot get to it.
  • Check your outside signs so they do not show where you process information.
  • Prevent people outside your physical area from seeing or hearing inside.
  • If you are a government agency, you may need electromagnetic shielding.
  • Only give internal contact lists and maps to staff who absolutely need them.

The steps for securing your offices and rooms relate to the physical security perimeter. You can find help for this in the Ultimate guide to ISO 27001 Annex A 7.1 Physical Security Perimeter.

Health and Safety

Your most important duty is to meet all legal and regulatory requirements. Speak with a legal expert to learn what you can and cannot do and to check that you are not breaking any laws. The most critical laws are those about health and safety, as protecting people’s lives is always the main goal. A common safety point to consider is making sure doors at entry points fail open, so people can leave the building if the access control system loses power or fails. While you want to protect buildings and information, your absolute main goal is to protect people.

Define Your Access Control Needs

Start by identifying your risks and doing a risk assessment. For help on how to do this, read The Complete Guide to ISO 27001 Risk Assessment. Your final controls will depend on what the business needs and the risks you must handle. Basic steps include putting locks on doors, but you should also check the strength of those locks and decide whether you need further controls, such as biometric scanners or gates. Do what is right for your needs: look at the area around your location and any threats it may pose, and respond to them proportionately.

Physical and Environmental Security Policy

You will need to write, approve, put into practice, and share your own Physical and Environmental Security Policy. This document tells people what you do and what you expect from them.

Secure Areas

The standard says a secure area can be a locked office or any internal space that has its own security barrier. This means your physical locations may be divided into smaller areas based on the protection each requires. You usually do this when you have a file room, an archive, or a room for old IT devices. On-site data centres also fall into this group, although fewer organisations run them today, as most now use cloud services.

What an Auditor Will Check

An auditor will want to see evidence that you are following these rules. They will check:

  • Your physical entry controls. This is one of the easiest things for an auditor to check, and it is often the first thing they see when they arrive at your location for the audit. They will visit and check every physical location that is in scope for the audit.
  • The strength of your physical access security. Auditors have much experience and know what to look for. They will test your security controls and see what happens: they will try to open doors, open storage areas, and gain access to places you do not allow.
  • Your written documentation. You must have audit trails and good documentation. They will check that your access reviews have been carried out correctly, and they will look at logs, reports, security incidents, and how you managed them.