ISO 27001 Annex A 7.6 is the control that covers working in secure areas. It requires you to set rules for how people behave while they are inside these designated areas. The point of the control is to stop the people who legitimately work there from damaging information or associated assets, or from making unauthorised changes to them.
What is ISO 27001 Annex A 7.6?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Working In Secure Areas”.
What is the ISO 27001 Annex A 7.6 control objective?
The formal definition and control objective in the standard is: “Security measures for working in secure areas should be designed and implemented.“
What is the purpose of ISO 27001 Annex A 7.6?
The purpose of ISO 27001 Annex A 7.6 is “to protect information and other associated assets in secure areas from damage and unauthorised interference by personnel working in these areas.”
Is ISO 27001 Annex A 7.6 Mandatory?
ISO 27001 Annex A control 7.6 (Working In Secure Areas in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard (clause 6.1.3) requires you to compare your chosen controls against Annex A, so you must consider ISO 27001 Annex A 7.6 along with every other Annex A control. You can exclude it if it is not applicable to your organisation’s specific risks and context, but the exclusion, and the justification for it, must be recorded in your Statement of Applicability.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. The guidance in the standard points to the following measures:
1. Tell people that a secure area exists only when they need to know, and allow access only when it is necessary for their work.
2. Avoid unsupervised work in secure areas where possible. This is both a safety measure and a way of reducing the opportunity for malicious activity.
3. Physically lock vacant secure areas and inspect them periodically.
4. Do not allow cameras, phones, or other photographic, video, audio or recording equipment inside unless you have specifically approved it.
5. Control how user endpoint devices (laptops, phones, removable media) are carried into and handled within the area.
6. Publish your emergency procedures, share them widely, and train the staff who work in these areas on them.
7. Always follow health and safety laws and any other relevant laws and regulations.
For more help on working in secure areas, look at the guidance in Annex A 7.1, which covers the physical security perimeter.
Health and Safety
Your main goal must be to meet all legal and regulatory requirements. Speak with a legal expert; they can help you understand what you can and cannot do and make sure you are not breaking any laws. Health and safety laws take precedence because protecting people is always the top goal. A common example is what an entry door does when power fails: a fail-safe lock unlocks on loss of power so people can always get out, while a fail-secure lock stays locked. Fire and building regulations normally require doors on an escape route to fail safe, so you should expect that a power cut can open a secure area and compensate with other measures, such as alarms, CCTV, or a manned response, rather than by locking people in. While protecting buildings and data is important, your first priority is always to protect people.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
1. Defining Secure Work Areas
You may not need secure areas in your business. If you do, the auditor will check that you have defined these areas, that your risk assessment covers them, and that you have proper security rules and procedures in place for working inside them.
2. Showing Implemented Controls
Auditors know what to look for and will test whether your rules work in practice, not just on paper. Expect them to walk through the secure areas and check, for example, that a vacant area is actually locked, that visitors are supervised, and that someone carrying a phone or camera is challenged. They will also want proof that you have reviewed and tested these controls yourself and that they work exactly as you planned.
3. Reviewing Documentation
Your auditor will review your audit trails and supporting documents. This includes access and inspection records for the secure areas, maintenance records and logs, monitoring reports and system monitors, and your records of security events, along with evidence of how you investigated and fixed them.