What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 7.5

ISO 27001 Annex A 7.5 - what changed in the 2022 update

When transitioning from the 2013 version of ISO 27001 to the 2022 update, many organisations focus heavily on the new digital controls. However, the physical environment remains a massive risk factor. In the 2022 version, the protection against external and environmental threats has been refined and moved to Annex A 7.5: Protecting against physical and environmental threats. This control is your primary defence against everything from floods and fires to civil unrest.

The Structural Shift: From 11.1.4 to 7.5

In the ISO 27001:2013 version, this requirement was found under Control 11.1.4 (Protecting against external and environmental threats). It lived in the “Physical and Environmental Security” domain. While the core intent hasn’t changed, the 2022 update has rebranded it as Annex A 7.5 and placed it within the Physical Controls theme.

By moving to Theme 7, the standard simplifies how we categorise physical risks. According to insights from Hightable.io, the 2022 version encourages a more “risk-driven” approach. It isn’t just a list of things to buy; it’s a requirement to look at your specific location and the unique threats it faces, whether that’s a nearby river prone to flooding or a region susceptible to electrical surges.

What Exactly is New in Annex A 7.5?

The 2022 version provides much more prescriptive guidance on how to manage these threats than the 2013 version did. The new standard emphasises a proactive, three-step strategy: complete a risk assessment, establish controls, and then monitor them. Key refinements include:

  • Specialist Advice: The 2022 update is more explicit about consulting experts. For complex risks like fire suppression in server rooms or seismic bracing in earthquake zones, the standard expects you to seek professional guidance rather than guessing.
  • Environmental Design: There is a new mention of “Crime Prevention Through Environmental Design” (CPTED). This involves using the physical environment, like landscaping or lighting, to naturally discourage threats.
  • Layered Protection: Hightable.io notes that the 2022 guidance suggests an “extra layer” of measures, such as using fire-rated safes for critical physical backups or installing water detection ropes under raised floors.

The Role of Control Attributes

A major addition to the ISO 27001:2022 standard is the “Attribute” system. For Annex A 7.5, the control is now officially tagged as a Preventive control. This helps security managers explain the “why” to auditors: we aren’t just reacting to a fire; we are implementing measures to prevent the fire from damaging our information assets in the first place.

These attributes also link the control to Availability. If a flood takes out your server room, your data is no longer available. By tagging 7.5 this way, the standard makes it easier to map your physical security directly to your Business Continuity and Disaster Recovery (BCDR) plans.

Practical Implementation: Modern Expectations

In the 2013 era, many businesses treated this as a generic facilities task. In 2026, the 2022 standard expects a more granular approach. To meet the requirements of Annex A 7.5, you should consider:

  • Natural Hazards: Assessing the topography of your site. Are you on a flood plain? Are you near high-risk neighbours like a chemical plant?
  • Man-made Threats: Addressing risks like civil unrest or vandalism, especially if your office is in a high-traffic urban area.
  • Utility Protection: Ensuring that power supplies are protected from surges and that backup power (like UPS or generators) is sized correctly for a graceful shutdown.

What Will an Auditor Look For?

Transitioning to the 2022 standard means an auditor will be looking for a clear evidence trail of risk assessment. They won’t just look at your fire extinguishers; they will check whether those extinguishers are the right type for the equipment they are near. Common checkpoints include:

  • The Risk Register: Does it specifically list environmental threats relevant to your location?
  • Maintenance Records: Can you prove that your smoke detectors, water pumps, and surge protectors have been tested recently?
  • Policy Documentation: Is your “Physical Security Policy” updated to include the specific requirements of the 2022 version?

Why the Transition to 7.5 Matters

The update to Annex A 7.5 reflects a world where “environmental” events are becoming more frequent and severe. By treating these threats as a primary Physical Control, ISO 27001:2022 ensures that your hardware and physical media are protected by the same level of rigour as your digital data.

As suggested by Hightable.io, the best way to handle this transition is to start with a site-specific risk assessment. Don’t use a generic template; look at your building, its surroundings, and its history. By identifying these “unforeseen” risks now, you aren’t just ticking a box for an auditor; you are ensuring your organisation can stay on its feet when the unexpected happens.