A.7.1 — Are physical security perimeters defined and used to protect areas containing information and information processing facilities?
Description
What this control does
This control requires organizations to establish and maintain clearly defined physical security perimeters—such as walls, card-controlled entry gates, reception desks, and manned barriers—around areas where sensitive information and information processing facilities are located. These perimeters create defensive layers that prevent unauthorized physical access to data centers, server rooms, communication equipment rooms, and other critical facilities. Effective implementation includes documented perimeter definitions, visible boundaries, and controlled entry/exit points that are actively monitored and enforced.
Control objective
What auditing this proves
Demonstrate that physical security perimeters are formally defined, documented, and actively used to restrict unauthorized physical access to areas containing information assets and processing infrastructure.
Associated risks
Risks this control addresses
- Unauthorized individuals gain physical access to server rooms or data centers, enabling theft of hardware containing sensitive data
- Malicious actors physically tamper with or install malicious devices on network equipment, servers, or telecommunications infrastructure
- Theft or destruction of backup media, portable storage devices, or paper records containing confidential information
- Uncontrolled visitor or contractor access results in social engineering attacks, reconnaissance, or opportunistic data exposure
- Physical access by terminated employees or unauthorized third parties leads to sabotage of critical systems or infrastructure
- Environmental hazards or security incidents in adjacent unsecured areas propagate into sensitive zones due to lack of physical separation
- Covert installation of surveillance equipment, keyloggers, or rogue wireless access points within trusted physical boundaries
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's physical security policy and site security documentation identifying all defined physical security perimeters.
- Request facility maps, floor plans, or diagrams showing the locations and boundaries of each physical security perimeter protecting information processing facilities.
- Conduct physical site inspections of a representative sample of secured areas, verifying the presence and integrity of perimeter controls (walls, doors, locks, gates, barriers).
- Observe and document access control mechanisms at perimeter entry points, including badge readers, biometric systems, mantraps, or manned reception desks.
- Select a sample of access log entries and verify that only authorized personnel entered secured perimeters, cross-referencing against access authorization records.
- Interview facility security personnel and site managers to confirm operational procedures for perimeter monitoring, visitor escort, and breach response.
- Review surveillance camera coverage and alarm system configurations to confirm they monitor all perimeter entry/exit points and critical boundaries.
- Test perimeter effectiveness by attempting to identify gaps, such as unsecured doors, unmonitored loading docks, or shared walls with unrestricted adjacent spaces.
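One way to carry out the access-log cross-check described in the testing step above (an added example, not part of the original control text): the badge log, the authorization register, the zone names and the badge IDs are all constructed, and the CSV export layout is an assumption about the access-control system.

```python
"""Reconcile a sample of perimeter badge-access log entries against access
authorization records (A.7.1 test step: only authorized personnel entered).
Added example; log format, zones, badge IDs and holders are constructed."""
import csv
from datetime import datetime
from io import StringIO

# Constructed authorization register: badge -> holder, authorized zones,
# and the date the authorization ended (None while still active).
AUTHORIZATIONS = {
    "B1001": {"holder": "A. Okafor", "zones": {"DC-1", "COMMS-ROOM"}, "revoked": None},
    "B1002": {"holder": "J. Lind", "zones": {"COMMS-ROOM"}, "revoked": None},
    "B1003": {"holder": "M. Reyes", "zones": {"DC-1"}, "revoked": "2024-03-15"},
}

# Constructed badge-reader log sample (assumed CSV export of the access system).
ACCESS_LOG = """timestamp,badge_id,zone,result
2024-03-18T08:02:11,B1001,DC-1,GRANTED
2024-03-18T08:10:45,B1002,DC-1,GRANTED
2024-03-18T09:30:02,B1003,DC-1,GRANTED
2024-03-18T10:15:27,B2099,COMMS-ROOM,GRANTED
2024-03-18T11:00:00,B1002,DC-1,DENIED
"""

def reconcile(log_text, authorizations):
    """Return one (badge, zone, reason) finding per GRANTED entry that the
    authorization records do not support. Denied attempts are not exceptions
    for this test step, so they are skipped."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["result"] != "GRANTED":
            continue
        badge, zone = row["badge_id"], row["zone"]
        entered = datetime.fromisoformat(row["timestamp"])
        auth = authorizations.get(badge)
        if auth is None:
            findings.append((badge, zone, "badge not in authorization records"))
            continue
        revoked = auth["revoked"] and datetime.fromisoformat(auth["revoked"])
        if revoked and entered >= revoked:
            # Leaver or revoked badge still opening a perimeter door
            findings.append((badge, zone, f"access revoked {auth['revoked']} (leaver)"))
        elif zone not in auth["zones"]:
            findings.append((badge, zone, f"zone not authorized for {auth['holder']}"))
    return findings

if __name__ == "__main__":
    for badge, zone, reason in reconcile(ACCESS_LOG, AUTHORIZATIONS):
        print(f"EXCEPTION {badge} -> {zone}: {reason}")
```

Each finding is an audit exception to raise with the site manager; a clean run over the sample is the evidence that the log supports the control.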