How to Implement ISO 27001 Annex A 7.2 Physical Entry
Welcome to this guide on implementing Annex A 7.2. At ISO27001.com, we often see organisations struggle with physical security because they focus too much on digital threats. However, physical entry is just as vital. If someone can walk into your server room, your firewalls do not matter. This control is about ensuring only authorised people can enter your secure areas.
Understanding Annex A 7.2
The official title of this control is Physical Entry. In the ISO 27001:2022 standard, it falls under the Physical controls category. The goal is simple. You must protect your secure areas with appropriate entry controls. This ensures only authorised personnel, visitors, or suppliers are allowed access.
You might think this only applies to large offices with turnstiles. That is not true. Even if you work in a small shared office, you must control who enters your specific space. You need to prove that you know exactly who is in your building at any time.
Identify Your Access Points
You should start by walking around your premises. Look for every door, window, and gate that allows entry. You need to list these access points; together they define your physical perimeter. Once you know where people can enter, you must decide how to secure each point.
You do not need expensive biometrics for every door. A solid lock and a key management process are often enough for low-risk areas. However, for sensitive zones like server rooms or archive storage, you should use stronger controls. This might include access cards or PIN codes.
Implement Entry Controls
You must select controls that match your risk level. If you have a high volume of staff, swipe cards are efficient. They also create a digital log of who entered and when. We love to see digital logs during an audit. They are easy to search and verify.
If you rely on physical keys, you must have a logbook. You need to record who holds which key. If a staff member leaves, you must get the key back. If you cannot get it back, you might need to change the locks. This is why electronic access is often cheaper in the long run.
Manage Visitors and Suppliers
Your reception area is your first line of defence. You must have a process for handling visitors. When a visitor arrives, they should sign in. You should record their name, the time, and who they are visiting. You must also issue them a badge. This badge should look different from staff badges.
You should verify the identity of external support staff or suppliers. Do not just let someone in because they are wearing a high-visibility vest. Check their ID card. You should also ensure visitors are escorted in secure areas. Do not let them wander alone.
What We Look For as Auditors
When we visit you for an audit, we will test your controls. We might try to open doors that should be locked. We will look for doors that are propped open with fire extinguishers. This is a common failure. It renders your expensive access control system useless.
We will ask to see your access logs. We expect you to review these logs regularly. We want to see evidence that you check for unusual activity. For example, why did someone enter the office at 3 AM on a Sunday? If you have a valid reason, that is fine. If you do not know, that is a non-conformity.
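The log review described above can be automated rather than done by eye. The script below is an added example written for this guide; it is not code from ISO27001.com or from any access control product. It parses a constructed badge-reader log (the timestamps, card IDs and door names are made up), flags entries granted outside normal working hours or at weekends (the "3 AM on a Sunday" case), and flags repeated denials on one door from one card, which is worth a question even when nobody got in. The working-hours window and the denial threshold are assumptions you would set for your own site.

```python
from datetime import datetime, time

# Constructed sample badge-reader log (not from the original page).
# Fields: ISO timestamp, card id, door, result
SAMPLE_LOG = """\
2024-03-04T08:55:12 C1042 main-entrance GRANTED
2024-03-04T09:02:41 C2007 server-room GRANTED
2024-03-04T18:31:05 C1042 main-entrance GRANTED
2024-03-10T03:07:44 C3310 server-room GRANTED
2024-03-10T03:09:01 C3310 server-room DENIED
2024-03-11T22:15:30 C2007 archive DENIED
2024-03-11T22:15:35 C2007 archive DENIED
2024-03-11T22:15:40 C2007 archive DENIED
"""

# Assumed site policy: entries are expected Monday to Friday, 07:00 to 20:00.
WORK_START = time(7, 0)
WORK_END = time(20, 0)
WEEKEND = {5, 6}  # datetime.weekday(): 5 = Saturday, 6 = Sunday


def parse_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, door, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "card": card,
            "door": door,
            "result": result,
        })
    return events


def is_off_hours(ts):
    """True if the timestamp falls at a weekend or outside the working window."""
    return ts.weekday() in WEEKEND or not (WORK_START <= ts.time() < WORK_END)


def find_off_hours_entries(events):
    """Successful entries outside working hours: each needs a documented reason."""
    return [e for e in events if e["result"] == "GRANTED" and is_off_hours(e["ts"])]


def find_repeated_denials(events, threshold=3):
    """Cards denied at the same door `threshold` or more times (assumed threshold)."""
    counts = {}
    for e in events:
        if e["result"] == "DENIED":
            key = (e["card"], e["door"])
            counts[key] = counts.get(key, 0) + 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in find_off_hours_entries(evts):
        print(f"OFF-HOURS ENTRY  {e['ts']}  card={e['card']}  door={e['door']}")
    for (card, door), n in find_repeated_denials(evts).items():
        print(f"REPEATED DENIAL  card={card}  door={door}  count={n}")
```

Running it lists the Sunday 03:07 server-room entry by card C3310 and the three denials of card C2007 at the archive door; each flagged line is a question for the card holder, and the answer (or the lack of one) is the evidence an auditor expects to see.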

Reviewing Access Rights
You must regularly check who has access to your building. People leave jobs or change roles. Their access rights should change too. We expect you to carry out a review at least once a year. You should look at the list of active access cards and remove anyone who no longer works there.
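The annual review of access rights is easiest to evidence when it is a reconciliation between two lists: the active cards in the access control system and the current staff roster from HR. The example below was added for this guide and is not code from ISO27001.com or from any product. All data in it is constructed: the card records, the staff roster, the mapping of job roles to permitted zones, the review date and the 90-day dormancy threshold are assumptions. It produces one finding per problem, with a recommended action: revoke a card whose holder has left or is unknown, reduce a card that opens zones beyond the holder's role, or confirm a card that has not been used for a long time.

```python
from datetime import date

# Constructed export from the access control system (not from the page).
ACTIVE_CARDS = [
    {"card": "C1042", "holder": "a.smith", "zones": ["main-entrance", "archive"],
     "last_used": date(2023, 11, 1)},
    {"card": "C2007", "holder": "b.jones", "zones": ["main-entrance", "server-room"],
     "last_used": date(2024, 3, 11)},
    {"card": "C3310", "holder": "c.lee", "zones": ["main-entrance", "server-room", "archive"],
     "last_used": date(2023, 9, 1)},
    {"card": "C4001", "holder": "visitor-temp-7", "zones": ["main-entrance"],
     "last_used": date(2024, 1, 15)},
]

# Constructed HR roster: who currently works here and in what role.
CURRENT_STAFF = {
    "a.smith": {"role": "finance", "status": "active"},
    "b.jones": {"role": "sysadmin", "status": "active"},
    "c.lee": {"role": "sysadmin", "status": "left"},
}

# Assumed policy: which zones each role is entitled to enter.
ROLE_ZONES = {
    "finance": {"main-entrance"},
    "sysadmin": {"main-entrance", "server-room"},
}

REVIEW_DATE = date(2024, 3, 15)  # assumed date of this year's review


def review_access(active_cards, staff, role_zones, today, dormant_days=90):
    """Reconcile active cards against the roster; return (card, action, reason) tuples."""
    findings = []
    for c in active_cards:
        person = staff.get(c["holder"])
        # Leavers and unknown holders (for example an old temporary visitor card)
        # should not hold an active card at all.
        if person is None or person["status"] != "active":
            findings.append((c["card"], "revoke", "holder is not an active member of staff"))
            continue
        # Entitlement beyond the holder's current role: reduce, do not revoke.
        allowed = role_zones.get(person["role"], set())
        extra = sorted(set(c["zones"]) - allowed)
        if extra:
            findings.append((c["card"], "reduce", "zones beyond role: " + ", ".join(extra)))
        # A card nobody uses is a card nobody will miss if it is lost.
        idle = (today - c["last_used"]).days
        if idle > dormant_days:
            findings.append((c["card"], "confirm", f"not used for {idle} days"))
    return findings


if __name__ == "__main__":
    for card, action, reason in review_access(ACTIVE_CARDS, CURRENT_STAFF, ROLE_ZONES, REVIEW_DATE):
        print(f"{card}  {action:8}  {reason}")
```

The printed list, with a note of what was done about each line and who signed it off, is the record of the review. Running it on the sample data revokes C3310 (holder has left) and C4001 (holder unknown), reduces C1042 (a finance card that also opens the archive) and asks for confirmation that C1042 is still needed, since it has not been used since November.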
Summary of Key Actions
- Define your physical perimeter and list all entry points.
- Install locks, card readers, or keypads based on risk.
- Create a strict visitor sign-in process.
- Issue visitor badges that are easy to spot.
- Keep logs of all entries and review them for strange activity.
- Audit your active access cards regularly to remove old staff.
Physical entry controls are the foundation of your security. If you get this right, you build a strong culture of security from the front door inwards.
