ISO 27001 Annex A 7.2 Physical Entry

ISO 27001 Annex A 7.2, titled Physical Entry, is a control that requires you to protect your secure areas. You must define clear access points and put entry controls on them. The aim is to keep people who are not authorised out of the secure parts of your buildings and sites.

What is ISO 27001 Annex A 7.2?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Physical Entry”.

What is the ISO 27001 Annex A 7.2 control objective?

The formal definition and control objective in the standard is: “Secure areas should be protected by appropriate entry controls and access points.”

What is the purpose of ISO 27001 Annex A 7.2?

The purpose of ISO 27001 Annex A 7.2 is “To ensure only authorised physical access to the organisation’s information and other associated assets occurs.”

Is ISO 27001 Annex A 7.2 Mandatory?

ISO 27001 Annex A control 7.2 (Physical Entry in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.2 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context. Any exclusion must be recorded and justified in your Statement of Applicability, and an auditor will expect a reason that holds up (for example, no premises in scope at all), not simply a gap.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are the key things you will need to do:

  • Only allow authorised people into buildings, sites, and physical locations.
  • Create a process to manage this access (granting, changing and revoking it).
  • Check access rights on a regular basis.
  • Keep a record (log) of who accesses these areas.
  • Consult a legal professional to ensure your entry controls and logging are within the law (health and safety, data protection).

ISO 27001 Physical Entry Checklist

Consider these points where appropriate for your situation:

  • Reception Area: Think about having a monitored reception area.
  • Searching: Consider searching people if it is truly needed.
  • Shared Spaces: Remember to account for shared access points with other groups.
  • Identification: Give identification badges to your staff and visitors.
  • Secure Entries: Secure entry points, such as emergency exits, in a way that is both legal and safe.
  • Technology: Look into different technologies, like biometrics.
  • Keys: Have a clear system for managing physical keys.

The rules for physical entry should be consistent with the physical boundaries you set for your site. You can find more advice in guides about physical security perimeters.

Health and Safety

Your top priority must be following all health and safety laws. Be sure to engage a legal professional to fully understand what you can and cannot do. Laws regarding health and safety are critical because protecting human life is always the most important goal. Think about common safety practices, such as making sure exit doors open during a power failure: an electronically locked door can be configured to “fail safe” (it unlocks when power is lost, so people can get out) or “fail secure” (it stays locked), and a door on an escape route must fail safe even though that weakens it as a security control. While protecting buildings is important, protecting people is your first concern.

Defining Access Control Needs

You should start by assessing your risks. This is the basis for your access control needs. At a minimum, you must have locks on doors. You then assess if you need stronger locks or extra controls like biometrics or gates. Only implement what is right for you. Think about the area around your building and any threats it may pose, and respond with common sense.

Implementing the Access Process

You will write, sign, and begin using an official access process based on your risks and needs. The process must explain how you:

  • Grant access to people.
  • Change existing access rights.
  • Take away (revoke) access rights.
  • Review who has access.

You will decide what “regularly” means for reviewing access. A common suggestion is monthly, but this timing depends on several factors:

  • How often staff changes.
  • How sensitive the site is.
  • The risk level to your business.
  • Your business needs.
  • Any past security events.

Your process will also require you to keep a secure log of visitors and, where you have electronic door controls, to keep the door-controller logs. You may use a log book or digital records. Be sure to follow data protection laws regarding what information you keep and for how long, and make sure the log itself is protected: a visitor book left open on the reception desk leaks every previous visitor’s name to the next one.
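The review step above is where most physical-access failures show up: leavers who still hold a badge, badges nobody recognises, doors that open for people who are not entitled to them, and rights that are never used. The script below is an added example, not part of the original article or any product; it reconciles a badge entitlement list against an HR status feed and a door-controller log export. All badge IDs, names, areas and log lines are constructed for the example, and the log format (timestamp, area, badge, result) is an assumption; real controllers export their own formats.

```python
"""Periodic physical access review (added example): reconcile badge entitlements
with HR leaver status and door-controller logs, and flag what the review should act on.
All names, badge IDs, areas and log lines below are constructed for the example."""
from datetime import datetime, timedelta

# Constructed access list: (badge_id, holder, area the badge is entitled to open).
ENTITLEMENTS = [
    ("B001", "alice", "server-room"),
    ("B002", "bob",   "server-room"),
    ("B003", "carol", "archive"),
    ("B004", "dave",  "server-room"),
]

# Constructed HR feed: who is still employed. Bob has left but still holds B002.
HR_STATUS = {"alice": "active", "bob": "left", "carol": "active", "dave": "active"}

# Constructed door-controller export (assumed format): timestamp, door/area, badge, result.
DOOR_LOG = """\
2024-05-01T08:02:11 server-room B001 granted
2024-05-01T08:05:40 server-room B002 granted
2024-05-02T22:14:03 archive     B004 denied
2024-05-03T09:10:00 archive     B003 granted
2024-05-03T09:11:12 server-room B999 granted
2024-05-03T10:00:00 archive     B001 granted
"""


def parse_log(text):
    """Parse whitespace-separated door events into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, area, badge, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "area": area,
                       "badge": badge, "result": result})
    return events


def review_access(entitlements, hr_status, log_text, as_of, dormant_days=90):
    """Return the findings an access review should act on.

    leavers_with_access : badges whose holder is no longer active (revoke)
    leaver_badge_used   : a leaver's badge actually opened a door (incident)
    unknown_badges      : badges in the log with no entitlement record (investigate)
    outside_entitlement : a known badge opened an area it is not entitled to (door config drift)
    dormant             : active holders who have not used their badge within dormant_days
    denied_attempts     : refused entries, to review for probing or mis-issued rights
    """
    events = parse_log(log_text)
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=dormant_days)
    holder = {badge: who for badge, who, _area in entitlements}
    allowed = {(badge, area) for badge, _who, area in entitlements}
    findings = {k: [] for k in ("leavers_with_access", "leaver_badge_used",
                                "unknown_badges", "outside_entitlement",
                                "dormant", "denied_attempts")}

    # Entitlement vs HR: anyone not active should have been revoked already.
    for badge, who in holder.items():
        if hr_status.get(who) != "active":
            findings["leavers_with_access"].append(badge)

    # Log vs entitlement: what the doors actually did.
    last_used = {}
    for e in events:
        stamp = e["ts"].isoformat()
        if e["result"] != "granted":
            findings["denied_attempts"].append((stamp, e["area"], e["badge"]))
            continue
        if e["badge"] not in holder:
            findings["unknown_badges"].append(e["badge"])
            continue
        if hr_status.get(holder[e["badge"]]) != "active":
            findings["leaver_badge_used"].append((stamp, e["area"], e["badge"]))
        if (e["badge"], e["area"]) not in allowed:
            findings["outside_entitlement"].append((stamp, e["area"], e["badge"]))
        last_used[e["badge"]] = max(last_used.get(e["badge"], e["ts"]), e["ts"])

    # Rights that are never exercised are candidates for removal (least privilege).
    for badge, who in holder.items():
        if hr_status.get(who) == "active" and last_used.get(badge, cutoff) <= cutoff:
            findings["dormant"].append(badge)

    findings["unknown_badges"] = sorted(set(findings["unknown_badges"]))
    return findings


if __name__ == "__main__":
    for category, items in review_access(ENTITLEMENTS, HR_STATUS, DOOR_LOG, "2024-05-04").items():
        print(f"{category}: {items}")
```

Run as a monthly (or whatever cadence you chose) job, the output is the evidence the auditor asks for under “reviewed access correctly”: keep the findings alongside the ticket that revoked B002 and the investigation of badge B999. The “outside entitlement” finding is the one people forget; it catches doors that were reprogrammed or badges that were cloned onto a wider access group, which no HR feed will ever tell you about.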

Security Policy

You will write, sign, use, and share a special Physical and Environmental Security Policy. This document tells everyone what you do and what you expect from them.

Reception Areas

The standard does not demand a reception area, but suggests you consider one. Be sensible when you decide if one is right for your location. If you have a reception, it makes sense to have it monitored by staff. This monitoring could be done remotely, meaning someone does not have to be sitting there all day.

Visitors

Here are key things you should check and think about for visitors:

  • How to confirm a visitor’s identity.
  • Recording when people enter and leave.
  • Watching over (supervising) visitors or clearly allowing them to walk alone.

Visitor Badges

Using identification for staff and visitors is a very good control. A visitor badge helps you quickly spot if someone is in an area they should not be. Do what is sensible for your organisation’s size and risk.

Alarms and Monitors

Alarms and monitors are controls used to alert you when something wrong has happened. Getting alarms fitted is a smart idea. You must define a clear response plan and make sure that the contact list of who to call is always current. Who gets the 2 a.m. phone call, and what must they do when they get it?

Physical Keys

If you use physical keys, you need a system to manage them. Ensure keys are issued only to the right people and that you have a plan for what happens if a person is absent or leaves the company. This process also applies to other secrets and tokens that open doors, such as combination-lock codes and access fobs; a shared door code in particular should be changed when anyone who knows it leaves. You should keep a key log book and perform at least an annual check that every issued key is accounted for.

CCTV

You can think about using CCTV, but know that it creates extra work related to data protection laws, like GDPR. You should get legal advice before installing cameras to ensure you do it correctly. You must decide how, for how long, where, and in what way you store the recordings. Then, you need a plan for who can look at the footage and how you destroy it later. It is much more complex than just installing a simple home camera.

Secure Areas

The standard says a secure area can be a locked office or any internal area that has an extra security barrier. This considers that your site may have different areas that need different levels of protection. These are often rooms where you keep important files, archives, or old IT equipment. Data centres and server rooms on your site also fall into this group. If you use cloud hosting instead, the physical entry controls for that equipment are the provider’s, and you cover them through supplier assurance (for example, the provider’s own certification and audit reports) rather than through your own entry controls.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will check:

1. You have a physical entry control

This is often the first thing the auditor will check if your company has a physical office. For every location that is part of the audit scope, the auditor will visit and check your physical entry controls.

2. The strength of your physical security access

The auditors have done many of these checks and know what they need to see. They will test your controls to see how they work in practice. They may try to open doors, open cabinets, or walk into areas where you should not allow access, and they will notice whether anyone challenges them.

3. Your documentation

The auditor will look at your audit trails and all your records. They will check monitoring logs, alarm reports, visitor logs and key registers. They will look at how you handled any physical security incidents and whether you reviewed access rights at the interval your process defines.