ISO 27001 Information Security - Annex A 7 Physical Controls

Physical controls
Annex A 7 Physical controls

26th April 2023 - ISO 27001 Information Security in plain English - Post #20 in the series.

ISO 27001 - Annex A 7 Physical Controls

Something that sets ISO 27001 apart from all the other ISO management system standards is its Annex A. This is a table of controls that are derived from the detailed guidelines published in ISO 27002 (which provides a reference and guidance on information security).

What is a control? A control is defined by ISO as a measure that modifies or maintains risk. Those measures might include policies, processes, practices, devices or other conditions or actions.

There are 93 controls specified in Annex A, and they are spread over 4 categories - each of which deals with a different facet of information security. Annex A is actually longer than the regular clauses.

In previous articles in this series, we have looked at the first category in Annex A 5 Organizational controls and the second category Annex A 6 People controls. In case you are wondering why that first category was numbered as 5, it's to maintain numbering compatibility with ISO 27002.  That is a very handy reference standard for determining and implementing risk treatment controls in an ISMS.

This article is about Annex A 7 Physical controls. The objective of this category is to prevent unauthorised physical access to information held by the organization and to avoid damage, theft or compromise of the assets and processing facilities. For the convenience of those looking to update their ISMS from the previous version of ISO 27001, we have included the relevant control numbers from that standard in brackets. Here goes...

Find out about Qudos 3 IMS software

This article on Annex A 7 Physical Controls is based on an extract from the Guide Book in the Qudos ISO 27001 InfoSec Toolkit - exclusively available as an integrated component of Qudos 3 software.

7.1 Physical security perimeters (11.1.1)

The purpose of this control is to prevent unauthorised access, damage or tampering with assets. To that end, Security perimeters must be defined and protected for areas that contain information assets.

7.2 Physical entry (11.1.2 / 11.1.6)

The intent here is to ensure that there is only authorized access to areas containing information.

7.3 Securing offices, rooms and facilities (11.1.3)

This control requires the design an implementation of physical security for those areas.

7.4 Physical security monitoring

This is a new control in ISO 27001:2022.

The requirement here is for continuous monitoring to be implemented to detect and deter intruders.

7.5 Protecting against external and environmental threats (11.1.4)

Protection needs to be implemented against both forces of nature and man-made threats (whether they be intentional or otherwise). Some of the typical examples to consider may include: Fire, Flood, Storm, and Power surges. Depending on the nature of your business and geography, this may include terrorist threats or more general criminal activity.

7.6 Working in secure areas (11.1.5)

Rules for working in secure areas need to be established. What is a secure area? Well, it's not clearly defined in the Terms and Definitions section of ISO 27001, or the Vocabulary and Overview standard, ISO 27000.
Where an organization has an on-premise server room, that is normally considered to be a secure area.

7.7 Clear desk and clear screen (11.2.9)

As the title suggests, the objective is prevent unauthorised access to information by maintaining a clear desk and a clear screen. There are some very simple steps that can be taken here. However, there can be some costs incurred in facilitating the implementation of the policy.

The standard requires that rules are defined, and these are typically expressed in a 'Clear desk and clear screen policy'.

7.8 Equipment siting and protection (11.2.1)

The objective here is to prevent loss, damage, theft or compromise of assets and interruption to operations. Such provisions may include:

Equipment (such as computers, printers, or photocopiers) that may display sensitive information should be located so as to avoid that
information being viewed by an unauthorised person.

7.9 Security of assets off-premises (11.2.6)

This control requires the protection of any information devices that used off-premise. That includes corporate-owned devices and those belonging to workers but used for business purposes. That last category is often referred to as BYOD of Bring-Your-Own-Device. Some organizations choose to have a BYOD policy or include it in their User Endpoint Device or Mobile Device policy.

7.10 Storage media (8.3.1 to 8.3.3 / 11.2.5)

Unauthorized disclosure, modification, removal or destruction of information stored on media should be prevented. This means that procedures should be developed to manage any removable media including control of its transportation and disposal.

Removable media (such as external hard drives, DVDs etc.) should be managed in accordance with the information classification scheme developed for Annex A control 5.12.

Media shall be disposed of securely when no longer required. That applies to removable media such as that as described above, but also to another very common type of media...paper!

7.11 Supporting utilities (11.2.2)

These may include power, telecoms, air conditioning etc. They need to have adequate capacity and redundancy as appropriate, be regularly checked, properly maintained, and monitored as applicable. It may be necessary for them to have error detection with appropriate alarm indications.

7.12 Cabling security (11.2.3)

Power and data cables should be protected against interception, interference, or damage. The routing of network cabling through insecure areas should be avoided. Access to wiring cabinets etc. should be suitably protected and restricted to authorised personnel.

7.13 Equipment maintenance (11.2.4)

All equipment should be maintained in accordance with the relevant manufacturer's instructions in order to ensure continued functionality and
maintain warranty.

7.14 Secure disposal or reuse of equipment (11.2.7)

A known area of information security failure can occur when equipment containing sensitive information is carelessly disposed of or re-purposed.
Appropriate controls should be implemented to ensure that disposal or reuse of equipment does not lead to a security breach.

This article on Annex A 7 Physical Controls is based on an extract from the Guide Book in the Qudos ISO 27001 InfoSec Toolkit - exclusively available as an integrated component of Qudos 3 software.

That concludes our brief introduction to ISO 27001 Annex A 7 Physical Controls. The next article in this series will look at Annex A 8 Technological Controls.

Click the LinkedIn Follow button below to receive notification of its release.


See previous articles on ISO 27001 Annex A controls:

Annex A 5 Organizational controls and

Annex A 6 People controls.

There's nothing like word of mouth to share creative content. So, if you found this blog informative, please share it with a colleague or business associate.

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Now updated for the latest version of the standard - ISO 27001:2022.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!

Contact us