What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 7.3

ISO 27001 Annex A 7.3 - what changed in the 2022 update

When you are navigating the transition from ISO 27001:2013 to the 2022 update, it is easy to get caught up in the digital jargon of cloud security and threat intelligence. However, the physical environment remains a critical pillar of any robust Information Security Management System (ISMS). One of the most important shifts in the physical domain occurs in Annex A 7.3: Securing offices, rooms and facilities. While the core mission of keeping your workspaces safe remains, the way the standard expects you to do it has become much more integrated and risk-aware.

The Evolution from 11.1.3 to 7.3

In the older ISO 27001:2013 version, the requirement for securing physical workspaces was known as Control 11.1.3. It sat within the “Physical and Environmental Security” domain. At that time, many organisations treated it as a straightforward facilities task: lock the doors and maybe keep a filing cabinet for sensitive papers.

In the 2022 update, this has been reclassified as Annex A 7.3 and moved into the Physical Controls theme. This transition is about more than just a new number. According to insights from Hightable.io, the 2022 version shifts the focus from purely “technical” security measures to a more holistic “organizational” approach. It isn’t just about having a lock; it’s about the design and implementation of security in the very layout of your office.

What is New in Annex A 7.3?

The 2022 version is designed to be more intuitive and less prescriptive, allowing businesses to apply controls based on their specific environment. Here are the key refinements:

  • Strategic Location: The new guidance places a heavier emphasis on where you put your most sensitive activities. For instance, a server room or an HR archive should not be easily accessible from a public lobby or a shared loading bay.
  • Visual Deterrence: There is a renewed focus on making secure areas “discreet.” The 2022 standard suggests that you should avoid putting up obvious signs that shout “Confidential Server Room Here” if it could attract unwanted attention.
  • Integrated Surveillance: While the 2013 version touched on monitoring, the 2022 version (when read alongside the brand-new Control 7.4) expects your secure offices and facilities to be part of a proactive, continuous monitoring strategy rather than just having a passive alarm.

A Risk-Based Design Approach

One of the standout features of the 2022 update is the expectation of security by design. Hightable.io highlights that for Annex A 7.3, you should be able to demonstrate that your office layout was planned with security in mind. This might involve:

  • Using internal walls and partitions to create “sub-zones” within an office floor.
  • Ensuring that passers-by cannot see sensitive data through ground-floor windows (using blinds or privacy film).
  • Managing environmental risks like fire or flood specifically for areas housing critical hardware.

The Role of Control Attributes

Like all controls in the 2022 version, Annex A 7.3 now includes Attributes. These are metadata tags that help you sort and filter your controls. For 7.3, the primary attribute is Preventive.

By using these attributes, you can clearly communicate to auditors how your physical workspace design prevents unauthorized access, damage, or interference. It bridges the gap between the “physical” world and your “information security” strategy, providing a unified view of risk that was missing in the 2013 version.

Practical Transition: What Auditors Scrutinize

When you transition to the 2022 standard, an auditor’s visit will likely involve a more thorough “site tour.” They won’t just check for locks; they will look for vulnerabilities in the workflow. Expect them to check for things like:

  • Are sensitive documents left on printers in common areas?
  • Are “unoccupied” rooms left open and unmonitored?
  • Can an unauthorized person “tailgate” into a secure zone?
  • Is there evidence that staff actually understand their role in maintaining office security?

Why the Transition to 7.3 Matters

The move to Annex A 7.3 reflects the modern reality of the workplace. In 2013, we were worried about desktop PCs. In 2026, we are worried about portable devices, open-plan office risks, and the security of shared co-working spaces. By treating the securing of facilities as a primary Physical Control, ISO 27001:2022 ensures that your physical environment is as resilient as your digital infrastructure.

As suggested by Hightable.io, the best way to move forward is to conduct a “physical security walk-through.” Don’t just rely on your old policy; look at your office with fresh eyes. Identify where your most valuable data “lives” and ensure those areas are protected by layers of security that are appropriate for the modern threat landscape.