A.7.3 / PE-2 / PE-3 ISO/IEC 27001:2022 Annex A ISO 27001

A.7.3 — Are sensitive offices/rooms (server rooms, finance, HR) secured separately from general office space?

Description

What this control does

This control requires physical separation and independent access restrictions for areas containing sensitive information or critical systems—such as server rooms, data centers, HR offices, and finance departments—from general office areas accessible to all employees. Implementation typically involves dedicated locked doors with separate access control systems (card readers, biometric scanners, or keypads), controlled entry/exit logging, and restricted key/credential distribution. The separation prevents unauthorized internal personnel from gaining casual or opportunistic access to high-value assets, sensitive data, or systems that could be exploited or compromised. This layered physical security approach complements logical access controls and reduces the attack surface by limiting physical proximity to critical resources.

Control objective

What auditing this proves

Demonstrate that sensitive offices and rooms containing critical systems or confidential information are physically segregated from general office space with independent access control mechanisms and documented authorization processes.

Associated risks

Risks this control addresses

  • Unauthorized employees gaining physical access to servers or networking equipment to install malicious hardware, exfiltrate data via direct system access, or disrupt services
  • Insider threats exploiting unrestricted physical access to HR files containing personally identifiable information (PII), salary data, or disciplinary records for identity theft or blackmail
  • Opportunistic theft or tampering of financial records, payment processing terminals, or accounting systems by personnel without legitimate business need
  • Visitors, contractors, or cleaning staff inadvertently or intentionally accessing server rooms to steal equipment, copy data from unsecured terminals, or cause physical damage
  • Social engineering attacks where attackers tailgate authorized personnel into sensitive areas lacking visible separation or independent entry controls
  • Accidental or deliberate disruption of environmental controls (HVAC, fire suppression) in server rooms by unauthorized personnel unfamiliar with critical infrastructure safeguards
  • Failure to detect or audit physical access events in sensitive areas, allowing undetected breaches or insufficient forensic evidence during security incidents

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's facility layout diagrams and identify all areas designated as sensitive (server rooms, data centers, HR offices, finance departments, executive suites, records storage).
  2. Review the physical access control policy and procedures to verify documented requirements for separate access authorization, credential issuance, and entry restrictions for each sensitive area.
  3. Conduct a physical walkthrough of general office space and each identified sensitive area to observe physical barriers (walls, locked doors, security doors), access control devices (card readers, biometric scanners, cipher locks), and signage restricting entry.
  4. Select a sample of 5-10 employees with varying roles and obtain their access control lists from the physical access control system to verify that general employees lack credentials for sensitive areas.
  5. Review access logs for each sensitive area covering the past 90 days and identify at least 10 entry events to confirm only authorized personnel successfully accessed the space.
  6. Attempt to physically approach sensitive area entry points to verify that general office circulation paths do not provide direct line-of-sight or casual access without encountering access controls.
  7. Interview facilities management and at least two department managers (HR, IT, Finance) to confirm processes for requesting, approving, issuing, and revoking access credentials to their respective sensitive areas.
  8. Verify that visitor and contractor escort policies explicitly require continuous accompaniment in sensitive areas and review visitor logs to confirm compliance with escort requirements.
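The cross-checks in steps 4 and 5 (credentials held without documented approval, and successful entries by badges the ACL does not authorize) can be scripted against the PACS exports listed under evidence. This is an added example, not code from the page or from any PACS vendor; the CSV column names (badge_id, area, result, approved_by) and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not from any real PACS): the ACL saying which badge
# may open which sensitive area, the approved access-request tickets, and a slice
# of the entry log with timestamps, badge IDs and the door controller's decision.
ACL_CSV = """badge_id,area
B100,server_room
B101,server_room
B102,hr_office
B103,finance
"""
TICKETS_CSV = """badge_id,area,approved_by
B100,server_room,it-manager
B102,hr_office,hr-manager
B103,finance,finance-manager
"""
LOG_CSV = """timestamp,badge_id,area,result
2024-03-01T08:02:11,B100,server_room,granted
2024-03-01T09:15:40,B199,server_room,granted
2024-03-02T17:44:03,B104,hr_office,denied
2024-03-03T12:30:27,B102,hr_office,granted
"""

def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def acl_without_ticket(acl, tickets):
    """Step 4: ACL grants for a sensitive area that have no approved request behind them."""
    approved = {(t["badge_id"], t["area"]) for t in tickets}
    return sorted((a["badge_id"], a["area"]) for a in acl
                  if (a["badge_id"], a["area"]) not in approved)

def grants_not_on_acl(log, acl):
    """Step 5: successful entries by a badge the ACL does not authorize for that area.
    Denied attempts are not findings here; they show the control working."""
    allowed = {(a["badge_id"], a["area"]) for a in acl}
    return [(e["timestamp"], e["badge_id"], e["area"]) for e in log
            if e["result"] == "granted" and (e["badge_id"], e["area"]) not in allowed]

def reconcile(acl_csv=ACL_CSV, tickets_csv=TICKETS_CSV, log_csv=LOG_CSV):
    """Run both checks and return the findings the auditor would raise."""
    acl, tickets, log = load(acl_csv), load(tickets_csv), load(log_csv)
    return {"acl_without_ticket": acl_without_ticket(acl, tickets),
            "grants_not_on_acl": grants_not_on_acl(log, acl)}

if __name__ == "__main__":
    for finding, rows in reconcile().items():
        print(finding, rows)
```

A real review would also filter the log to the 90-day window and join badge IDs back to HR records to confirm the holder still has a business need.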
Evidence required

Collect facility floor plans with sensitive areas marked and photographs showing physical barriers and access control devices at entry points. Obtain exports from the physical access control system (PACS) including the access control list (ACL) for each sensitive area, sampled access logs with timestamps and badge IDs, and credential issuance records. Gather policy documents defining sensitive area classifications, access authorization workflows, and visitor escort procedures, along with completed access request forms or tickets demonstrating approval workflows.

Pass criteria

All sensitive offices and rooms identified by the organization are physically separated from general office space with independent access control systems, access logs demonstrate only authorized personnel entered during the review period, and documentation confirms formal authorization processes govern credential issuance and revocation.