ISO 27001 Annex A 7.2 Physical Entry

What is ISO 27001 Annex A 7.2 Physical Entry?

ISO 27001 Annex A 7.2 Physical Entry controls access to secure areas. It requires documented procedures within standard office tools. Organisations must record every entry and exit. Management must review these logs regularly. This process ensures only authorised personnel enter sensitive locations to protect physical information assets.

Auditor’s Eye: The Shortcut Trap

Many firms rely on automated SaaS visitor management platforms. These “Black Box” systems often decouple security from daily business operations. Auditors frequently find that staff ignore these platforms. We prefer seeing entry approvals in your Jira workflows. We want to see your visitor logs in SharePoint. This shows that your team actually owns the security process. Surface-level compliance in a separate tool often hides a lack of real management oversight.

  • ISO 27001:2013 reference: Annex A 11.1.2
  • ISO 27001:2022 reference: Annex A 7.2
  • Primary focus: The 2022 update clarifies logging and monitoring requirements. It integrates more closely with general site security management.

How to Implement ISO 27001 Annex A 7.2 (Step-by-Step)

Physical entry implementation must focus on cultural change. Use your existing SharePoint and Jira environments. This approach makes security part of the daily routine. Avoid installing new software that staff will likely bypass.

  • Define secure areas on site plans stored in SharePoint.
  • Create a Jira workflow for all physical access requests.
  • Ensure the site manager approves every request within the ticket.
  • Maintain a digital visitor log in Confluence.
  • Audit entry logs monthly and record results in meeting minutes.

ISO 27001 Annex A 7.2 Physical Entry Audit Evidence Checklist

Focus on manual records and internal document versions. These prove human oversight and operational intent. Auditors look for evidence that your team actively manages the process.

  • Site access policy stored in a version-controlled SharePoint folder.
  • Completed Jira tickets for employee and contractor site access.
  • Minutes from management meetings showing log review activities.
  • Digital visitor records with timestamps and host signatures.
  • Photographic evidence of physical signs and entry restrictions.

Relational Mapping

Annex A 7.2 does not work in isolation. It links to several core clauses:

  • Clause 5.3: Roles and responsibilities for site security.
  • Clause 9.1: Monitoring and measurement of entry point effectiveness.
  • Annex A 7.1: The physical perimeters that these entries protect.

Auditor Interview: Direct Process Verification

Auditor: How do you approve access for a new contractor?

Manager: We raise a Jira ticket for the request. The department head must comment with an approval.

Auditor: How do you verify who entered the server room last month?

Manager: We export the log to our SharePoint audit folder. I review it and sign the file electronically.

Common Non-Conformities

  • Automated Complacency. Observed issue: a SaaS tool shows “Active” but logs have no management review. Required fix: move logs to SharePoint and record formal reviews.
  • Process Bypass. Observed issue: staff use side doors to avoid the logging system. Required fix: improve physical barriers and conduct staff training.
  • Static Access Lists. Observed issue: former employees still have active entry cards. Required fix: integrate HR exit checklists with Jira access tickets.
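The monthly log audit and the “Static Access Lists” non-conformity above both come down to one reconciliation: compare the badge system's active card list and entry export against the HR leaver list. The script below is an added example, not part of the original page or any vendor tool; the card ids, user names, dates and log rows are constructed sample data.

```python
from datetime import date

# Constructed sample data: active card holders as exported from the badge
# system, HR leavers with their last working day, and a month of door entries.
ACTIVE_CARDS = {"C101": "a.ng", "C102": "b.osei", "C103": "c.ruiz"}
HR_LEAVERS = {"b.osei": date(2024, 3, 15)}  # user -> last working day
ENTRY_LOG = [
    # (entry date, card id, door)
    (date(2024, 3, 4), "C101", "server-room"),
    (date(2024, 3, 20), "C102", "server-room"),  # after the holder left
    (date(2024, 3, 22), "C999", "server-room"),  # card not on the active list
    (date(2024, 3, 28), "C103", "server-room"),
]


def stale_cards(active, leavers, as_of):
    """Cards still active for people whose last working day is before as_of.

    Each one is a 'Static Access Lists' finding that the HR exit checklist
    should have closed via an access-revocation ticket."""
    return sorted(
        card for card, user in active.items()
        if user in leavers and leavers[user] < as_of
    )


def review_entries(log, active, leavers):
    """Flag entries that a maintained access list should have made impossible.

    Returns (date, card, door, reason) tuples for the reviewer to record in
    the signed monthly review."""
    findings = []
    for day, card, door in log:
        user = active.get(card)
        if user is None:
            findings.append((day, card, door, "card not on active list"))
        elif user in leavers and day > leavers[user]:
            findings.append((day, card, door, f"entry after {user} left"))
    return findings


if __name__ == "__main__":
    for card in stale_cards(ACTIVE_CARDS, HR_LEAVERS, date(2024, 3, 31)):
        print(f"REVOKE {card}: holder has left")
    for day, card, door, reason in review_entries(ENTRY_LOG, ACTIVE_CARDS, HR_LEAVERS):
        print(f"{day} {door} {card}: {reason}")
```

Run it against the real exports each month and file the output alongside the signed review; an empty result is itself evidence that the reconciliation was performed.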

Frequently Asked Questions

What is ISO 27001 Annex A 7.2 Physical Entry?

The Bottom Line: It is the requirement to secure and log access to protected areas. You must document who enters and exits your secure sites. Using internal tools like SharePoint ensures these records remain part of your management system. This control protects physical hardware and paper records from unauthorised access.

How does an auditor verify physical entry controls?

The Bottom Line: Auditors check for a clear audit trail of authorisation and logging. They look at your internal Jira tickets and SharePoint logs. They will also physically test entry points. They want to see that your staff follow the documented procedures every day.

Can I use a paper logbook for Annex A 7.2?

The Bottom Line: Yes, but digital logs in internal systems are better. A digital log in Confluence or SharePoint allows for easier searching and review. It also prevents the loss of physical pages. Ensure all entries are legible and include the date, time, and purpose of visit.

LA CASA DE CERTIFICACIÓN