ISO 27001 Annex A 7.1 is a foundational security control: it requires physically defined barriers and access-controlled zones to protect sensitive information assets. Implemented properly, it gives you layered (defence-in-depth) perimeters, and the business benefit is straightforward: unauthorised physical entry and opportunistic theft are prevented before they reach the data.
ISO 27001 Annex A Physical Security Perimeters Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.1. This control requires the establishment of physically defined barriers and perimeters to protect areas that contain sensitive information and information processing facilities, ensuring that security starts at the boundary and not just at the server rack.
1. Define and Map Physical Security Zones
Control Requirement: Security perimeters must be defined to protect sensitive areas. Required Implementation Step: Open your building floor plans and explicitly colour-code your security zones (e.g., Public, Controlled, Restricted, and Secure). Define the exact physical boundaries—walls, doors, or windows—that separate these zones, ensuring that high-sensitivity areas like server rooms or data archives are nested within multiple perimeters.
Minimum Requirement: A dated site map showing clearly defined physical boundaries for different security tiers.
2. Inspect External Boundary Structural Integrity
Control Requirement: Perimeters must be physically sound and capable of resisting unauthorised entry. Required Implementation Step: Walk the external perimeter and inspect the physical shell. Verify that all external walls are of solid construction, windows at ground level are fitted with security film or internal bars, and that there are no gaps in the ceiling voids or raised floors that bypass the perimeter.
Minimum Requirement: A structural survey report or maintenance log confirming the physical ‘hardness’ of the perimeter.
3. Implement Access-Controlled Entry Points
Control Requirement: Access to perimeters must be restricted to authorised personnel only. Required Implementation Step: Install electromagnetic locks or heavy-duty strikes on all perimeter doors. Configure your Access Control System (ACS) so that entry requires a unique identifier (RFID fob, biometric, or PIN) and ensure that the controller is located on the secure side of the door to prevent tampering.
Minimum Requirement: A functioning ACS that logs ‘Who, When, and Where’ for every entry attempt.
4. Enforce Tailgating and Piggybacking Defences
Control Requirement: Prevent multiple persons entering on a single authorisation. Required Implementation Step: For high-security zones, install physical barriers such as full-height turnstiles or ‘mantraps’ (interlocking doors). In standard office perimeters, deploy overhead ‘people counting’ sensors that trigger an alarm if two individuals pass through a door during a single valid badge swipe.
Minimum Requirement: Documented ‘Anti-Tailgating’ policy reinforced by physical barriers or sensor-driven alerting.
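As an added example (not part of the original checklist), the following script shows how the ‘Who, When, and Where’ ACS log from step 3 and the people-counter sensor from step 4 can be correlated to raise the alerts this step calls for. The log format, door id `SR-1` and badge numbers are constructed for illustration, not taken from any real ACS product.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample feed, not output from any real ACS: badge swipes and
# overhead people-counter readings for server-room door SR-1 (hypothetical id).
ACS_LOG = """\
2024-05-01T08:01:10 SWIPE door=SR-1 badge=1042 result=GRANTED
2024-05-01T08:01:12 COUNT door=SR-1 persons=1
2024-05-01T08:03:40 SWIPE door=SR-1 badge=2210 result=GRANTED
2024-05-01T08:03:43 COUNT door=SR-1 persons=2
2024-05-01T08:05:00 SWIPE door=SR-1 badge=9999 result=DENIED
2024-05-01T08:05:02 COUNT door=SR-1 persons=1
2024-05-01T08:09:00 COUNT door=SR-1 persons=1
"""

@dataclass
class Event:
    ts: datetime
    kind: str            # SWIPE (who/when/where) or COUNT (people-counter)
    door: str
    fields: dict = field(default_factory=dict)

def parse_log(text):
    """Parse 'timestamp KIND key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split()
        kv = dict(item.split("=", 1) for item in rest)
        events.append(Event(datetime.fromisoformat(ts), kind, kv.pop("door"), kv))
    return events

def find_alerts(events, window=timedelta(seconds=10)):
    """Match each COUNT reading to the most recent unused GRANTED swipe on the
    same door within `window`. Two or more persons on one grant is tailgating;
    a passage with no matching grant is an entry without valid authorisation."""
    alerts = []
    open_grant = {}   # door -> (timestamp, badge) of a grant not yet consumed
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "SWIPE" and ev.fields.get("result") == "GRANTED":
            open_grant[ev.door] = (ev.ts, ev.fields["badge"])
        elif ev.kind == "COUNT":
            persons = int(ev.fields["persons"])
            grant = open_grant.pop(ev.door, None)
            if grant is None or ev.ts - grant[0] > window:
                alerts.append((ev.ts, ev.door, "NO_VALID_SWIPE", persons))
            elif persons > 1:
                alerts.append((ev.ts, ev.door, "TAILGATING", grant[1]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(ACS_LOG)):
        print(*alert)
```

On the sample feed this flags the two-person passage on badge 2210 as tailgating and the two passages with no valid swipe (one after a denied badge) as unauthorised entries.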
5. Shield Delivery and Loading Areas
Control Requirement: Delivery areas must be isolated to prevent unauthorised access to the internal perimeter. Required Implementation Step: Designate a specific ‘Loading Zone’ that is physically separated from the main office or server room. Ensure that delivery personnel are held in this isolated area and that internal doors remain locked while external loading bay doors are open, creating a buffer zone.
Minimum Requirement: A physical ‘Air Lock’ or buffer zone for all incoming goods and external couriers.
6. Install Perimeter Surveillance Coverage
Control Requirement: Monitor boundaries to detect and record unauthorised access. Required Implementation Step: Mount CCTV cameras at all entry and exit points, including emergency exits. Ensure the recording server (NVR) is secured in a locked rack and that footage is retained for a minimum of 30 days and ideally up to 90; verify that camera angles cover the ‘blind spots’ often used by intruders to tamper with locks.
Minimum Requirement: A CCTV coverage map and verified logs of 31+ days of video retention.
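As an added example (not part of the original checklist), this script produces the ‘verified logs of 31+ days of video retention’ evidence from an NVR file listing, and also catches the case the table below warns about: a camera that is mounted but not actually recording. The listing, camera names and dates are constructed; a real NVR would need its own export or filesystem walk in place of `constructed_listing()`.

```python
from collections import defaultdict
from datetime import date, timedelta

MIN_RETENTION_DAYS = 31   # the checklist's '31+ days' minimum

def constructed_listing():
    """Build a constructed NVR file listing (not from a real recorder):
    'cam-lobby' holds 40 days of daily files but stopped recording for three
    days in April; 'cam-loading-bay' (hypothetical names) holds only 20 days."""
    today = date(2024, 5, 10)
    outage = {date(2024, 4, 20), date(2024, 4, 21), date(2024, 4, 22)}
    files = []
    for d in range(1, 41):
        day = today - timedelta(days=d)
        if day not in outage:
            files.append(f"cam-lobby/{day.isoformat()}.mkv")
    for d in range(1, 21):
        files.append(f"cam-loading-bay/{(today - timedelta(days=d)).isoformat()}.mkv")
    return today, files

def retention_report(files, today, min_days=MIN_RETENTION_DAYS):
    """Per camera: how many days back the oldest file reaches, which days in
    that span have no file at all (a camera that is mounted but not recording),
    and whether the retention minimum is met with continuous coverage."""
    recorded = defaultdict(set)
    for path in files:
        cam, name = path.split("/", 1)
        recorded[cam].add(date.fromisoformat(name.rsplit(".", 1)[0]))
    report = {}
    for cam, days in recorded.items():
        span = (today - min(days)).days
        expected = {today - timedelta(days=d) for d in range(1, span + 1)}
        gaps = sorted(expected - days)
        report[cam] = {
            "days_retained": span,
            "gaps": [g.isoformat() for g in gaps],
            "compliant": span >= min_days and not gaps,
        }
    return report

if __name__ == "__main__":
    today, files = constructed_listing()
    for cam, row in retention_report(files, today).items():
        print(cam, row)
```

Both constructed cameras fail: the lobby camera has enough history but a three-day hole, and the loading-bay camera has continuous footage but only 20 days of it.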
7. Secure Unmanned Exit Points
Control Requirement: Emergency exits and unmanned doors must be secured against external entry. Required Implementation Step: Fit emergency exits with ‘Alarmed Panic Bars’ that trigger a loud local siren and a notification to the security team when opened. Ensure these doors have no external hardware (handles or cylinders) that could be picked or forced from the outside.
Minimum Requirement: Monthly testing logs of door contact sensors on all unmanned exits.
8. Harden Reception and Public Areas
Control Requirement: Publicly accessible areas must not provide a path to the internal perimeter. Required Implementation Step: Physically bolt down furniture in reception to prevent its use as a ladder. Ensure the reception desk acts as a physical barrier and that no network ports or sensitive documents are accessible to visitors waiting in the lobby.
Minimum Requirement: Verification that guest Wi-Fi is physically and logically air-gapped from the internal perimeter.
9. Audit Perimeter Alarms and Sensors
Control Requirement: Detect physical intrusions via automated alerting. Required Implementation Step: Install Passive Infrared (PIR) motion sensors and glass-break detectors on the internal side of the perimeter. Connect these to a Grade 3 Intruder Alarm System that is monitored 24/7 by an Alarm Receiving Centre (ARC) with a defined police or security guard response.
Minimum Requirement: A valid maintenance certificate from an accredited alarm installer (e.g., NSI or SSAIB).
10. Conduct Quarterly ‘Red Team’ Physical Tests
Control Requirement: Periodically review the effectiveness of the physical perimeter. Required Implementation Step: Task a staff member unknown to the reception team to attempt ‘Social Engineering’ their way past the perimeter (e.g., carrying a large box or faking a maintenance call). Document the failure points—such as doors left propped open or staff holding doors for strangers—and remediate with physical hardware changes.
Minimum Requirement: A quarterly physical penetration test report with documented remediation actions.
ISO 27001 Annex A 7.1 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Boundary Definition | Uploading a PDF of the ‘Physical Security Policy’. | A policy doesn’t stop an intruder. You need a site map that identifies exactly which walls are rated for security. |
| Access Control | Ticking a box that says ‘We use keycards’. | Do the badge readers use the Wiegand protocol? If so, they are trivial to hack with a £15 device. GRC tools miss technical vulnerabilities. |
| Intrusion Detection | Recording the name of the alarm company. | When was the last time the sensors were tested? GRC tools don’t track the physical battery health or sensor sensitivity. |
| Tailgating | Assigning a ‘Security Awareness’ video to staff. | Training is ignored in the ‘real world’. Only physical barriers (turnstiles) or active sensor alerts stop tailgating. |
| Structural Integrity | Assuming the landlord is responsible for security. | Landlords care about fire safety, not ISO 27001. You must verify if the ‘security’ walls go all the way to the true ceiling. |
| Surveillance | Taking a photo of a CCTV camera as evidence. | Is the camera actually recording? Is the timestamp correct? GRC tools don’t verify NVR uptime or footage clarity. |
| Emergency Exits | Stating that all exits are ‘Monitored’. | Staff often prop fire exits open for smoking or deliveries. Without physical ‘Door-Ajar’ alarms, your perimeter is non-existent. |