
Pro audit program · v1.0.0

ISO 27001 A.7 — Physical Controls

Perimeter, entry, monitoring, equipment, disposal — the physical side of ISO 27001 in 3 minutes.

  • ISO 27001 A.7 — Physical Controls target area
  • ISO 27001 framework
  • 10 controls in this program
  • Author: Cyentrix (Trusted Author)

About this program

Annex A.7 has 14 physical security controls covering perimeters, entry, monitoring (NEW in 2022), equipment, off-premises assets, media handling and disposal. After each answer, expand the “Auditor’s view” for testing, evidence and the ideal response.

Controls (10)

  1. A.7.1 — Are physical security perimeters defined and used to protect areas containing information and information processing facilities?

    Medium


    How to test + evidence

    Risk: Multi-layer (reception → office → secure area) gives defence in depth. A single perimeter is one tail-gate away from the server room.

    Testing procedure: Walk the perimeter. Identify reception, badge-controlled doors, secure-area boundaries (server room, data centre, finance), and any tail-gating risk. Compare against the documented site security plan.

    Evidence to collect:
      • Site security plan / floor plan with perimeters marked
      • Photos / video walkthrough showing physical layers
      • Access control system zone configuration

  2. A.7.2 — Are entry controls (badges, escorts, visitor logs) in place for secure areas?

    Medium


    How to test + evidence

    Risk: Defence in depth (multiple controls, all logged) makes social-engineering tail-gating harder and produces an evidence trail when something goes wrong.

    Testing procedure: Test the visitor process: arrive unannounced. Inspect the visitor log for the audit period — sample 25 entries and verify each has signed in, was escorted, and signed out. Compare badge access logs to schedules.

    Evidence to collect:
      • Visitor log sample (25 entries)
      • Badge access log for sensitive areas
      • CCTV footage retention configuration
      • Reception SOP document
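Both halves of this procedure (checking that each sampled visitor entry has a sign-in, an escort and a sign-out, and comparing badge swipes against holders' schedules) can be scripted over exported logs. The Python below is an added example, not part of this audit program or Cyentrix's tooling; the CSV column names, badge numbers, zone name and schedule windows are constructed assumptions.

```python
import csv
import io
from datetime import datetime

TS = "%Y-%m-%d %H:%M"

# Constructed sample visitor log for the audit period (not a real site's data).
# Column names are an assumption; map your reception log's headers onto them.
VISITOR_LOG = """visitor,host,escort,time_in,time_out
A. Example,J. Host,J. Host,2024-03-04 09:02,2024-03-04 11:30
B. Example,K. Host,,2024-03-04 10:15,2024-03-04 10:45
C. Example,J. Host,J. Host,2024-03-04 13:00,
D. Example,L. Host,L. Host,2024-03-04 15:20,2024-03-04 15:05
"""

# Constructed badge events for one sensitive zone, and each holder's scheduled hours.
BADGE_EVENTS = [
    ("0417", "server-room", "2024-03-04 08:55"),
    ("0417", "server-room", "2024-03-04 23:40"),
    ("0922", "server-room", "2024-03-05 10:10"),
]
SCHEDULES = {"0417": (8, 18), "0922": (9, 17)}  # badge -> (start hour, end hour)


def audit_visitor_log(log_text):
    """One (row, finding) per problem: missing escort, missing sign-out,
    or a sign-out timestamp earlier than the sign-in. Empty list = clean sample."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=1):
        t_in, t_out = row["time_in"].strip(), row["time_out"].strip()
        if not t_in:
            findings.append((n, "no sign-in time"))
            continue
        if not row["escort"].strip():
            findings.append((n, "no escort recorded"))
        if not t_out:
            findings.append((n, "no sign-out"))
        elif datetime.strptime(t_out, TS) < datetime.strptime(t_in, TS):
            findings.append((n, "sign-out earlier than sign-in"))
    return findings


def out_of_schedule_events(events, schedules):
    """Swipes into the zone outside the holder's scheduled window, or by a
    badge with no schedule at all (which should not hold zone access)."""
    flagged = []
    for badge, zone, when in events:
        hour = datetime.strptime(when, TS).hour
        window = schedules.get(badge)
        if window is None or not (window[0] <= hour < window[1]):
            flagged.append((badge, zone, when))
    return flagged
```

Run it over the real exports for the sampled 25 entries; every returned tuple is a candidate finding to raise with reception or the badge administrator.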

  3. A.7.3 — Are sensitive offices/rooms (server rooms, finance, HR) secured separately from general office space?

    Medium


    How to test + evidence

    Risk: Auditors specifically test that "everyone with a building badge can't walk into the server room" — co-located badge zones are a common finding.

    Testing procedure: Walk the office and identify sensitive rooms. For each, verify a separate badge zone or key control with a documented holder list. Sample badge access logs to confirm only authorised people enter.

    Evidence to collect:
      • List of sensitive rooms + badge zones
      • Authorised holder list per zone
      • Sample of badge access logs
      • Key register if physical keys are used

  4. A.7.4 — Is physical security monitored continuously (cameras, intrusion detection, alarms)? (NEW in 2022)

    Medium


    How to test + evidence

    Risk: A.7.4 is new in 2022 — auditors specifically test that monitoring is active, not just installed. Cameras with no review are common findings.

    Testing procedure: Inspect the camera system, intrusion detection, and any alarm response. Verify retention period for footage (typically 30+ days) and that alerts route to a monitored 24/7 location.

    Evidence to collect:
      • CCTV camera coverage map
      • Footage retention policy + actual retention
      • Intrusion detection alarm history
      • Response SLA + tested response

  5. A.7.5 / A.7.11 — Are environmental threats (fire, water, power loss) and supporting utilities protected?

    Medium


    How to test + evidence

    Risk: Environmental controls only matter if they're tested. A UPS that has never been load-tested is the one that fails when the lights go out.

    Testing procedure: Walk the server room / data centre. Inspect UPS test logs, fire suppression service records, water sensor placement, and dual power feeds where applicable.

    Evidence to collect:
      • UPS service + test reports
      • Fire suppression certification (recent)
      • Water leak sensor locations + alerts
      • Power redundancy diagram

  6. A.7.7 — Is a clear-desk and clear-screen policy in place and enforced?

    Medium


    How to test + evidence

    Risk: Auto-lock alone is necessary but not sufficient — auditors look for active enforcement (walkthroughs, follow-ups) because most data leaks at the desk are paper-based.

    Testing procedure: Inspect the clear-desk policy. Walk the office at lunch / end of day. Note unattended sensitive paper, unlocked screens, sticky notes with passwords. Compare against periodic walkthrough records.

    Evidence to collect:
      • Clear-desk + clear-screen policy
      • MDM/GPO showing screen auto-lock at 5 minutes
      • Walkthrough records / spot-check log
      • Disciplinary record if violations found

  7. A.7.8 / A.7.13 — Are equipment siting, protection and maintenance schedules documented and applied?

    Medium


    How to test + evidence

    Risk: Equipment that fails because of skipped maintenance is a security event when it carries sensitive data. The register + schedule is the auditor's starting point.

    Testing procedure: Inspect the equipment register. Sample 10 critical equipment items (servers, network kit, printers handling sensitive data) and verify siting is appropriate and maintenance is current.

    Evidence to collect:
      • Equipment register with location + owner
      • Maintenance schedule + completed work orders
      • Vendor maintenance contracts where applicable
      • Photos showing protected siting (no public access, etc.)

  8. A.7.9 — Are off-site assets (laptops, mobile devices) protected with documented controls?

    Medium


    How to test + evidence

    Risk: Stolen laptops are the most common physical security incident. MDM + encryption + wipe is the standard expectation; any gap is a finding.

    Testing procedure: Sample 10 employee laptops. Verify each is enrolled in MDM, has full-disk encryption enabled, and has remote-wipe capability. Inspect lost/stolen device records for the period and confirm wipe occurred.

    Evidence to collect:
      • MDM enrolment report
      • Encryption coverage report (BitLocker / FileVault)
      • Lost device register + remote-wipe logs
      • Off-site asset issue procedure

  9. A.7.10 — Is removable media (USB, portable drives) controlled, encrypted and tracked?

    Medium


    How to test + evidence

    Risk: Block by default + exception list is the only practical control. "Don't copy data to USBs" as a policy with no enforcement is consistently violated.

    Testing procedure: Inspect endpoint policy. Test by inserting an unapproved USB on a sample device — confirm it is blocked. For approved devices, verify encryption is enforced.

    Evidence to collect:
      • Endpoint policy showing USB block by default
      • Approved encrypted device list + register
      • Test result showing unapproved USB blocked
      • DLP rules covering removable media

  10. A.7.14 — Is equipment securely disposed of or re-used (data wiped, certificates of destruction)?

    Medium


    How to test + evidence

    Risk: Disposal is a recurring audit finding: equipment leaves the building with data still on it. Certified destruction with serial-matching is the only defensible position.

    Testing procedure: Sample 10 disposed devices from the asset register. For each, request the certificate of destruction or wipe log + serial number match. Auditors specifically look for unmatched serial numbers.

    Evidence to collect:
      • Disposal procedure + standard (NIST SP 800-88 r1 or equivalent)
      • Certificates of destruction with serial numbers
      • Asset register marking disposed items + date
      • Vendor contract for certified destruction
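The serial-number match in this procedure is a reconciliation in both directions: a disposed asset with no certificate is the classic finding, and a certified serial that is not in the register means a device left without ever being recorded. The Python below is an added example, not the audit program's own tooling; the CSV columns, asset ids, serials and certificate ids are constructed assumptions.

```python
import csv
import io

# Constructed asset register extract: items marked disposed, with the disposal date.
ASSET_REGISTER = """asset_id,serial,disposed_on
LAP-001,SN-AAA111,2024-02-10
LAP-002,SN-BBB222,2024-02-10
SRV-007,SN-CCC333,2024-02-28
NAS-003,SN-DDD444,2024-03-01
"""

# Constructed certificates of destruction from the disposal vendor, one serial per line.
# The last line deliberately has odd case and a trailing space, as vendor paperwork often does.
CERTIFICATES = """cert_id,serial,method,date
COD-9001,SN-AAA111,shred,2024-02-12
COD-9001,SN-BBB222,shred,2024-02-12
COD-9002,SN-ZZZ999,shred,2024-02-12
COD-9003,sn-ccc333 ,wipe,2024-03-02
"""


def normalise(serial):
    """Compare serials on a canonical form so case and whitespace differences
    between the register and the vendor's paperwork do not create false gaps."""
    return serial.strip().upper()


def reconcile_disposals(register_text, certs_text):
    """Return (asset ids disposed without a certificate,
               serials certified but absent from the register)."""
    disposed = {normalise(r["serial"]): r["asset_id"]
                for r in csv.DictReader(io.StringIO(register_text))}
    certified = {normalise(r["serial"]): r["cert_id"]
                 for r in csv.DictReader(io.StringIO(certs_text))}
    missing_cert = sorted(disposed[s] for s in disposed.keys() - certified.keys())
    unknown_serial = sorted(certified.keys() - disposed.keys())
    return missing_cert, unknown_serial


if __name__ == "__main__":
    no_cert, not_registered = reconcile_disposals(ASSET_REGISTER, CERTIFICATES)
    print("Disposed without certificate:", no_cert)
    print("Certified but not in register:", not_registered)
```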