ISO 27001 Annex A 7.5 requires you to protect your business from physical and environmental threats, both natural and human-caused. It is one of the controls that limits harm by reducing the damage from events you cannot plan for or control.
What is ISO 27001 Annex A 7.5?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Protecting Against Physical and Environmental Threats”.
What is the ISO 27001 Annex A 7.5 control objective?
The formal definition and control objective in the standard is: “Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented.”
What is the purpose of ISO 27001 Annex A 7.5?
The purpose of ISO 27001 Annex A 7.5 is “to ensure you prevent or reduce the consequences of events originating from physical and environmental threats.”
Is ISO 27001 Annex A 7.5 Mandatory?
ISO 27001 Annex A control 7.5 (Protecting Against Physical and Environmental Threats in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.5 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. You will need to do several things:
- Carry out a risk assessment.
- Seek expert advice where needed, for example on risks such as fire, flood, theft, civil unrest, earthquakes, or explosions.
- Install and configure systems that detect fire, flood, electrical surges, explosives, and weapons.
- Use physical security measures based on the level of risk and what your business requires.
You can find help for securing your offices, rooms, and facilities by reading our Guide to ISO 27001 Annex A 7.1 Physical Security Perimeter.
Health and Safety
Your first obligation is to comply with all applicable laws and regulations. Consult a legal expert to establish what you can and cannot do and to confirm that you are compliant. The most important of these are health and safety laws, because protecting people always takes priority. Consider common issues such as entry doors that must open in the event of a failure. Protecting buildings and data matters, but protecting people is always your main concern.
Defining What You Need to Protect
Begin by understanding your risks and performing a risk assessment. For advice on how to do this, read The Complete Guide to ISO 27001 Risk Assessment. Your plan will depend on your business needs and the threats you are managing. You should always cover basic risks such as fire and flood. Your location may introduce further threats, such as electrical surges, local unrest, explosives, or tectonic faults. Choose the approach that fits your location: consider the area around your building and the threats you actually face, and take sensible action to address them.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
- That you have considered physical and environmental threats. The auditor will look around the site, identify any obvious physical or natural threats, and check that you have addressed them. If you are in a flood zone, you must show what you have done to mitigate flooding. If your area has civil unrest, your security must address it. Basics such as fire safety must be in order; a common check is that fire extinguishers are compliant, have been serviced, and that you hold records to prove it.
- That you have implemented security controls. Auditors have performed many such checks and know what to look for. They will test your controls to see how they behave, ask for evidence that the controls have been reviewed, and confirm that they work as you intended.
- Documentation. They will review your audit trails and all your documents, including maintenance records, monitoring logs and reports, and records of every incident and how you handled it.