What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 7.6

ISO 27001 Annex A 7.6 - what changed in the 2022 update

When you are upgrading your Information Security Management System (ISMS) from the 2013 version to the 2022 update, you will notice that the “Physical” theme has been streamlined to reflect modern working environments. One of the most critical controls for any organization handling sensitive hardware or physical records is the management of secure areas. In the 2022 revision, this is addressed under Annex A 7.6: Working in Secure Areas.

The Structural Evolution: From 11.1.5 to 7.6

In the ISO 27001:2013 version, the rules for how people should behave and work inside sensitive zones were found under Control 11.1.5. It was part of the “Physical and Environmental Security” domain. The focus was primarily on ensuring that “security measures for working in secure areas” were designed and applied.

With the arrival of ISO 27001:2022, this requirement has been rebranded as Annex A 7.6 and moved into the Physical Controls theme. While the change might look like a simple renumbering on the surface, the new framework is designed to be more comprehensive. According to experts at Hightable.io, the 2022 update places a much stronger emphasis on the “human factor” and the specific protocols that prevent accidental or intentional data leakage within these high-risk zones.

What is New in Annex A 7.6?

The core objective of Annex A 7.6 remains the same: to protect information processing facilities and sensitive data from unauthorised access or damage. However, the 2022 version provides much more detailed guidance on the “dos and don’ts” of working in these areas. Key refinements include:

  • Visibility and Awareness: There is a more explicit requirement that staff working in these areas should only know what is necessary for their role. The standard also suggests that work in secure areas should be visible to others where possible to deter unauthorised activities.
  • Recording Equipment Restrictions: The 2013 version touched on this, but the 2022 version is more aligned with modern technology. It highlights the need to control or prohibit the use of cameras, mobile phones, and other recording devices in areas where sensitive information is processed or stored.
  • Unoccupied Areas: The new guidance is clearer about the “last man out” rule. Secure areas must be checked and locked whenever they are left unoccupied, ensuring that a room is never left vulnerable even for a short duration.

The Role of Control Attributes

A major innovation of the ISO 27001:2022 update is the introduction of “Attributes.” For Annex A 7.6, the control is now officially tagged as a Preventive control. This metadata helps security managers align their physical workspace rules directly with their broader cybersecurity strategy.

As noted by Hightable.io, these attributes allow you to map your physical controls to modern frameworks. By tagging 7.6 as a Preventive measure, you can clearly demonstrate to an auditor how your internal workspace protocols, such as “no-phone zones” or “clean desk” policies within server rooms, actively stop security incidents before they happen.

Practical Implementation: Modern Expectations

In the 2013 era, many organisations relied on a simple sign on the door. In 2026, the 2022 standard expects a more robust and auditable approach. To satisfy the requirements of Annex A 7.6, you should consider the following practical steps:

  • Defining Secure Areas: Clearly mark (internally) which rooms are “secure areas” and ensure the rules for each area are documented and displayed at the point of entry.
  • Supervision Protocols: For third-party contractors or visitors, the 2022 guidance strongly recommends continuous supervision while they are inside a secure area.
  • Health and Safety Alignment: The update acknowledges that security shouldn’t compromise safety. Your secure area protocols must align with fire safety and emergency exit requirements.

What Will an Auditor Look For?

When you transition to the 2022 standard, an auditor’s walkthrough will be focused on behavioural compliance. They won’t just check if the door has a lock; they will look for evidence that the rules are being followed. Expect them to check for:

  • Are staff using mobile phones in areas where they are prohibited?
  • Is there a log or “sign-in” process for high-security zones like server rooms?
  • Are sensitive documents or screens left visible to people who don’t have a “need to know”?
  • Do staff understand the specific emergency procedures for that secure area?

Why the Transition to 7.6 Matters

The update to Annex A 7.6 reflects a world where every employee carries a high-definition camera and a data storage device in their pocket. In 2013, the risk of someone taking a photo of a server rack or a sensitive document was lower. Today, it is a primary threat. By treating the management of secure areas as a strategic Physical Control, ISO 27001:2022 ensures that your most sensitive physical zones are protected by modern, enforceable protocols.

As suggested by Hightable.io, the best way to move forward is to conduct a fresh risk assessment of your existing secure areas. Don’t assume your 2013-era rules are still sufficient. Look for modern gaps like the use of smartwatches or unauthorised personal devices and update your “Secure Area Policy” to reflect these realities. This doesn’t just help you pass your audit; it creates a significantly more resilient physical security posture.

Final Thoughts

Transitioning to Annex A 7.6 is about moving from “locked doors” to “disciplined environments.” By focusing on the specific ways people interact with sensitive spaces, you can significantly reduce the risk of accidental exposure or intentional theft. In the era of ISO 27001:2022, how you work inside a room is just as important as how you get through the door.