When most people think of ISO 27001, they immediately think of digital threats, hackers, firewalls, and encryption. But a significant portion of the standard has always been dedicated to the “real world.” In the transition from the 2013 version to the 2022 update, the rules for protecting your physical space were given a modern makeover. If you are updating your compliance roadmap, Annex A 7.1: Physical Security Perimeters is your starting point for securing the bricks and mortar of your organization.
The Structural Shift: From 11.1.1 to 7.1
In the older ISO 27001:2013 standard, physical security was tucked away in Domain 11 (Physical and environmental security). Specifically, the requirement for perimeters was Control 11.1.1. It was often viewed through a traditional "facility management" lens: put up a fence, lock the front door, and you're mostly there.
The 2022 update simplifies the entire structure of the standard. It has moved from 14 domains into just four "themes": Organizational, People, Physical, and Technological. Control 11.1.1 has been renumbered as Annex A 7.1 and placed in the Physical Controls theme. While the core objective remains the same, the change in naming and placement is part of a broader effort to make the standard leaner and easier to navigate. According to experts at Hightable.io, the 2022 version aims for a more "risk-driven" approach rather than a prescriptive list of hardware requirements.
Defining the “Perimeter” in 2022
The 2013 version was quite specific about traditional barriers like walls, card-controlled entry gates, or manned reception desks. While those are still vital, the 2022 version of Annex A 7.1 is designed to be more flexible. It acknowledges that a “perimeter” isn’t always a fence around a building. In today’s landscape, a perimeter could be:
- The external walls of a shared office floor.
- A secure server room within a larger facility.
- A designated high-security zone inside a manufacturing plant.
The goal is to prevent unauthorized physical access to, and damage to or interference with, the organization's information and other associated assets. The 2022 update encourages you to define your perimeters based on the criticality of the information inside them. If you are storing highly sensitive physical records or local servers, the perimeter around them needs to be significantly stronger than the one protecting your breakroom.
What is New in the Implementation Guidance?
The 2022 version provides refined guidance on how these perimeters should be built and maintained. Key areas of focus that have evolved since 2013 include:
- Solid Construction: The standard is now more explicit about the “fabric” of the building. This includes checking that roofs, ceilings, and floors are sturdy enough to prevent entry.
- Unoccupied Areas: There is a stronger emphasis on keeping unoccupied areas locked and alarmed at all times, not just after business hours.
- Separation of Facilities: The 2022 version reinforces the need to physically separate your organization’s information processing facilities from those managed by third parties (like shared data centers) to prevent cross-contamination of security risks.

The Introduction of Control Attributes
One of the most helpful additions in the 2022 standard is the “Attribute” system. Every control, including Annex A 7.1, now has metadata tags that help you filter and manage your security efforts.
For 7.1, the control type attribute is Preventive; like every 2022 control, it also carries tags for information security properties (confidentiality, integrity, availability), cybersecurity concept, operational capability, and security domain. As noted by Hightable.io, these attributes allow you to map your physical controls directly to your digital ones. When you report to the board, you can now show that your physical perimeter is just as much a "Preventive" measure as your firewall, providing a unified view of your security posture that was harder to achieve in the 2013 version.
Practical Transition: What Auditors Scrutinize
If you are moving from the 2013 version, an auditor will expect to see that your Physical and Environmental Security Policy has been updated to reflect the 2022 language. They will likely start their assessment the moment they step onto your site. Common audit checks for Annex A 7.1 include:
- Zoning Evidence: Do you have a map or register that defines exactly where your security perimeters start and end?
- Visible Deterrents: Are there clear signs, cameras, or barriers that make it obvious that access is restricted?
- Maintenance Logs: Can you prove that your physical barriers (like electronic locks or alarms) are tested and maintained regularly?
Why This Change Matters
The transition to Annex A 7.1 reflects a move toward "integrated security." In 2013, physical security was often an afterthought for IT teams. In 2026, we recognise that a breach of the physical perimeter, like a stolen laptop or an unauthorised person in a server room, can be just as devastating as a remote hack.
As suggested by Hightable.io, the best way to tackle this transition is to conduct a "physical gap analysis." Don't assume your old locks are enough. Walk your perimeter and look for everyday weaknesses, such as propped-open fire doors, unlocked ground-floor windows, or unattended areas that are not locked. By aligning your physical space with the 2022 standard, you aren't just passing an audit; you are building a resilient foundation that protects your people, your hardware, and your data.
