When an organisation shifts from ISO 27001:2013 to the 2022 update, the physical security of its premises often gets a second look. While we spend a lot of time worrying about hackers in digital spaces, the “front door” remains a primary risk vector. In the 2022 revision, the requirements for managing who walks into your building have been refined under Annex A 7.2: Physical Entry.
The Structural Evolution: From 11.1.2 to 7.2
In the older ISO 27001:2013 standard, physical entry was governed by Control 11.1.2. It sat within the “Physical and Environmental Security” domain. The focus was relatively simple: secure areas should be protected by appropriate entry controls so that only authorised personnel are allowed access.
Under the 2022 update, this control has been rebranded as Annex A 7.2 and moved into the Physical Controls theme. While the change might seem like a simple renumbering, the new framework is designed to be much more integrated. According to experts at Hightable.io, the 2022 standard moves away from a “checklist” approach and toward a “risk-adaptive” model. This means your entry controls shouldn’t just exist; they should be specifically tailored to the level of risk within the area they protect.
What is New in Annex A 7.2?
The core objective hasn’t changed (you still need to keep unauthorised people out), but the 2022 version is much more descriptive about how you manage and monitor that access. Key refinements include:
- Accountable Ownership: The new guidance places a stronger emphasis on naming individuals who are responsible for specific entry points. You can no longer just say “reception handles it.” You need an audit trail showing who authorised an individual’s access.
- Visitor Management Lifecycle: The 2022 version is more explicit about the full visitor lifecycle. This includes not just the sign-in book, but ensuring visitors are escorted, that their access is limited to a specific time/zone, and that their credentials are recovered immediately upon exit.
- Continuous Monitoring: As noted by Hightable.io, there is an increased expectation for proactive monitoring. It isn’t enough to have a log; you must demonstrate that logs are reviewed and that “tailgating” (someone following an authorised person through a door) is actively discouraged through training and physical barriers.
The Role of Control Attributes
A major feature of the ISO 27001:2022 update is the introduction of “Attributes.” For Annex A 7.2, the control is now officially tagged as a Preventive control. This metadata helps security managers align their physical security directly with their broader cybersecurity concept of “Protect.”
By using these attributes, you can clearly show an auditor that your badge system and visitor logs are not just administrative hurdles; they are active security measures designed to prevent physical breaches that could lead to data loss or equipment tampering.
Practical Implementation: Modern Expectations
In the 2013 era, a paper guestbook at the front desk was often considered “best practice.” In 2026, the 2022 standard pushes for more robust, digital, and auditable solutions. To satisfy an auditor under Annex A 7.2, you should focus on:
- Granular Access Logs: Moving away from generic keys toward digital fobs or biometrics that record exactly who entered a room and when.
- Review of Access Rights: Periodically checking who has a “master key” or high-level access. As Hightable.io suggests, access drift is a common audit failure; ensuring that people who have moved roles or left the company lose their physical access immediately is critical.
- Secure Loading Areas: The 2022 update reinforces the need to manage delivery and loading areas so that external personnel cannot gain access to secure internal zones.
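As an added example (not from this article or from Hightable.io), the following Python script performs the kind of periodic access-rights review the list above calls for: a constructed badge-system export is reconciled against a constructed HR roster to flag leavers who still hold badges, holders whose current role no longer justifies a zone, and visitor badges that were never recovered after their validity ended. The data, the zone-to-role mapping, the field names and the review date are all assumptions made for this example.

```python
from datetime import date

# Constructed sample data for this example only (not a real badge system or HR export).
BADGE_EXPORT = [  # what the physical access control system reports
    {"badge": "B-1001", "holder": "a.lee",   "level": "master",   "zones": {"lobby", "server-room"}},
    {"badge": "B-1002", "holder": "j.park",  "level": "standard", "zones": {"lobby", "office-2f", "server-room"}},
    {"badge": "B-1003", "holder": "m.rossi", "level": "standard", "zones": {"lobby", "server-room"}},
    {"badge": "V-0420", "holder": "visitor-42", "level": "visitor", "zones": {"lobby"},
     "valid_to": date(2026, 1, 9)},
]
# What HR reports (the authoritative source for who still works here and in what role):
HR_ROSTER = {
    "a.lee":   {"status": "active", "role": "infrastructure"},
    "j.park":  {"status": "active", "role": "finance"},        # moved from infrastructure to finance
    "m.rossi": {"status": "left",   "role": "infrastructure"}, # left the company, badge never revoked
}
# Assumed policy: which roles justify entry to each restricted zone. Unlisted zones are unrestricted.
ZONE_ROLES = {"server-room": {"infrastructure"}}
REVIEW_DATE = date(2026, 1, 15)  # constructed date of this periodic review


def review_access(badges, roster, zone_roles, today):
    """Return (badge, finding) pairs in export order: the items a 7.2 access review must act on."""
    findings = []
    for b in badges:
        if b["level"] == "visitor":
            # Visitor lifecycle: a temporary badge must be recovered/disabled when its window ends.
            if b.get("valid_to") and b["valid_to"] < today:
                findings.append((b["badge"], "visitor badge still active after its validity ended"))
            continue
        holder = roster.get(b["holder"])
        if holder is None or holder["status"] != "active":
            # Access drift: the badge belongs to someone HR no longer lists as an active employee.
            findings.append((b["badge"], "holder is not an active employee; revoke badge"))
            continue
        for zone in sorted(b["zones"]):
            allowed = zone_roles.get(zone)
            if allowed and holder["role"] not in allowed:
                # Role drift: still employed, but the new role does not justify this zone.
                findings.append((b["badge"], f"role '{holder['role']}' not entitled to zone '{zone}'"))
    return findings


def master_holders(badges):
    """List who holds 'master'-level access: the short list an auditor will ask you to justify."""
    return [b["holder"] for b in badges if b["level"] == "master"]


if __name__ == "__main__":
    print("master-level holders:", master_holders(BADGE_EXPORT))
    for badge, finding in review_access(BADGE_EXPORT, HR_ROSTER, ZONE_ROLES, REVIEW_DATE):
        print(f"{badge}: {finding}")
```

Each finding maps to an action (revoke, re-scope or recover a badge) and the list itself is the dated evidence that the review took place.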

What Will an Auditor Look For?
When you transition to the 2022 version, the auditor’s walkthrough will likely be more detailed. They won’t just look at the door; they will look at the process. Expect them to ask:
- “Show me the log for this specific server room for the last 30 days.”
- “Who is the assigned ‘Owner’ of this entry point?”
- “What is your process for a visitor who loses their temporary badge?”
- “How do you ensure that delivery drivers are kept away from sensitive information processing facilities?”
Why the Transition to 7.2 Matters
The update to Annex A 7.2 reflects a world where physical and digital security are two sides of the same coin. A stolen laptop from an office is just as much a data breach as a remote hack. By treating physical entry as a strategic organisational control, ISO 27001:2022 ensures that your “first line of defence” is as strong as your firewall.
As suggested by Hightable.io, the best way to move forward is to conduct a “walk-through audit” of your own. Look for propped-open doors, unescorted contractors, or generic “reception” logins. By tightening these physical controls, you aren’t just meeting the new 2022 standard; you are building a culture of vigilance that protects your most valuable assets from the outside in.
