How to Implement ISO 27001 Annex A 7.2

Implementing ISO 27001 Annex A 7.2 Physical Entry Controls is a mandatory security measure: every entry point into a secure zone must be authenticated and logged so that breaches are prevented. The business benefit is twofold: unauthorised access is mitigated, and a verifiable audit trail exists for regulatory compliance.

ISO 27001 Annex A Physical Entry Controls Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.2. This control demands that all entry points into secure areas are protected by physical barriers and authentication mechanisms that ensure only authorised personnel gain access, verified by real-world physical audits rather than digital dashboard promises.

1. Conduct a Physical Entry Point Audit

Control Requirement: Secure areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.

Required Implementation Step: Walk every square inch of your perimeter and internal secure zones. Map every door, window, delivery hatch, and service duct; assign a unique ID to each and document the current locking mechanism (e.g., Euro-cylinder, Mag-lock, or Solenoid) to identify vulnerabilities.

Minimum Requirement: A comprehensive asset register of all physical entry points with their associated hardware types.

2. Deploy Multi-Factor Authentication for Secure Zones

Control Requirement: Access to sensitive areas should be restricted based on business requirements.

Required Implementation Step: Install card readers and PIN pads on all “Restricted” and “Secure” zone doors. For high-sensitivity areas like the primary server room, implement dual-authentication (e.g., HID iClass badge plus a biometric scan or unique PIN) to prevent unauthorised entry via stolen or cloned fobs.

Minimum Requirement: Verified two-factor physical authentication active on at least one internal high-security perimeter.

3. Implement a Managed Visitor Log

Control Requirement: All visitors should be recorded and supervised while in secure areas.

Required Implementation Step: Maintain a physical or digital logbook at the primary entry point that captures Name, Organisation, Purpose, Time-In, Time-Out, and the Internal Host. Issue distinct “Visitor” lanyards that must be worn at all times, and ensure the host takes physical responsibility for the visitor’s movements.

Minimum Requirement: A continuous, tamper-evident record of all external visitors spanning the previous 12 months.

4. Establish a Key and Fob Management Register

Control Requirement: Access rights to secure areas should be reviewed and updated regularly.

Required Implementation Step: Create a master database of every physical key and digital fob in circulation. Perform a monthly reconciliation: if a key cannot be physically produced by the owner, or a fob has not been used in 30 days, revoke the access rights and, if necessary, re-key the physical lock.

Minimum Requirement: An up-to-date register showing exactly who holds access to which specific entry points.

5. Install Tamper-Evident CCTV at Entry Points

Control Requirement: Entry points should be monitored to detect and record unauthorised access.

Required Implementation Step: Mount high-resolution cameras at eye-level at every entry point to capture clear facial imagery. Ensure the Network Video Recorder (NVR) is secured in a locked rack and that footage is cryptographically signed or stored on WORM (Write Once Read Many) media so that recordings cannot be tampered with before forensic review.

Minimum Requirement: Footage retention of at least 31 days with verified “dark-spot” coverage analysis.

6. Enforce Tailgating and Anti-Passback Logic

Control Requirement: Entry controls should prevent unauthorised access through ‘tailgating’.

Required Implementation Step: Configure your Access Control System (ACS) with “Anti-Passback” rules (preventing a badge from being used twice to enter without an intervening exit). Physically install floor-to-ceiling turnstiles or “Mantraps” in high-risk zones where the risk of an unauthorised person following an authorised person is critical.

Minimum Requirement: Documented evidence of anti-passback configuration or physical barrier enforcement.

7. Secure Unmanned and Emergency Exits

Control Requirement: Unmanned entry points and emergency exits must be secured.

Required Implementation Step: Fit all fire exits and service doors with local alarms and magnetic reed switches. These must trigger a loud local siren and a high-priority alert in the security office if the door is opened or propped ajar for more than 30 seconds.

Minimum Requirement: Monthly test logs of emergency exit sensors and associated alarm triggers.
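As an added illustration of the detection logic behind items 6 and 7 (example code, not from the article or its author), the following Python runs anti-passback and door-held-open checks over a constructed ACS event stream; the event names, door IDs and badge IDs are assumptions.

```python
from datetime import datetime, timedelta

# Constructed ACS event stream (illustrative, not from the article):
# (ISO timestamp, door id, badge id or None, event). ENTRY_IN/ENTRY_OUT are
# reader events; DOOR_OPEN/DOOR_CLOSE come from the door's reed switch.
EVENTS = [
    ("2024-03-01T08:00:00", "D-101", "B-0042", "ENTRY_IN"),
    ("2024-03-01T08:00:03", "D-101", None, "DOOR_OPEN"),
    ("2024-03-01T08:00:09", "D-101", None, "DOOR_CLOSE"),   # 6 s open: normal
    ("2024-03-01T08:05:00", "D-101", "B-0042", "ENTRY_IN"),  # re-entry with no exit
    ("2024-03-01T09:00:00", "D-101", "B-0042", "ENTRY_OUT"),
    ("2024-03-01T12:00:00", "FE-3", None, "DOOR_OPEN"),
    ("2024-03-01T12:00:45", "FE-3", None, "DOOR_CLOSE"),    # fire exit held 45 s
    ("2024-03-01T12:30:00", "SD-7", None, "DOOR_OPEN"),      # service door never closed
]

def anti_passback_violations(events):
    """(timestamp, door, badge) for each ENTRY_IN by a badge already inside."""
    inside = set()
    violations = []
    for ts, door, badge, ev in events:
        if ev == "ENTRY_IN":
            if badge in inside:          # no intervening ENTRY_OUT: passback
                violations.append((ts, door, badge))
            inside.add(badge)
        elif ev == "ENTRY_OUT":
            inside.discard(badge)
    return violations

def held_open_alarms(events, now_iso, max_open_seconds=30):
    """(door, seconds open) for every door open longer than the threshold."""
    limit = timedelta(seconds=max_open_seconds)
    opened = {}
    alarms = []
    for ts, door, _badge, ev in events:
        t = datetime.fromisoformat(ts)
        if ev == "DOOR_OPEN":
            opened[door] = t
        elif ev == "DOOR_CLOSE" and door in opened:
            held = t - opened.pop(door)
            if held > limit:
                alarms.append((door, int(held.total_seconds())))
    # A propped door never sends DOOR_CLOSE, so alarm on its running open time too.
    now = datetime.fromisoformat(now_iso)
    for door, t_open in opened.items():
        if now - t_open > limit:
            alarms.append((door, int((now - t_open).total_seconds())))
    return alarms
```

The second pass over doors still open is what makes item 7's "propped ajar" case observable: an alarm that only fires on the close event would never see a door that stays wedged open.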

8. Hard-Wire the Door Hardware

Control Requirement: Entry control mechanisms must be robust and protected from tampering.

Required Implementation Step: Ensure all door strikes and magnetic locks are installed on the secure side of the door. Use armoured cable loops for door-mounted hardware and ensure that the “Request to Exit” (REX) sensors cannot be tripped from the outside using canned air or a wire under the door.

Minimum Requirement: Physical inspection report confirming “Secure Side” installation of all locking hardware.

9. Implement Post-Termination Revocation Procedures

Control Requirement: Access rights must be removed upon termination of employment.

Required Implementation Step: Integrate your HR “Leaver” workflow directly with the physical ACS. The moment an employee is terminated, the fob must be disabled in the system before the exit interview. If physical master keys were held, the locks in their specific zone must be changed immediately.

Minimum Requirement: Audit logs showing fob deactivation occurring within 1 hour of the termination timestamp.

10. Conduct Quarterly ‘Red Team’ Door Tests

Control Requirement: Entry controls should be reviewed for effectiveness.

Required Implementation Step: Hire an external specialist or use an internal “Red Team” to attempt physical entry. They should try propping doors, “shimming” latches, and social engineering their way past reception. Document the failures and physically upgrade the hardware or revise the procedures based on the results.

Minimum Requirement: A quarterly physical penetration test report with documented remediation steps.

ISO 27001 Annex A 7.2 SaaS / GRC Platform Implementation Failure Checklist

Why GRC Dashboards and “Tick-Box” SaaS Tools Fail at Physical Entry Control
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
| --- | --- | --- |
| Entry Point Security | Uploading a photo of a locked door to a dashboard. | A photo doesn’t show if the hinges are on the outside or if the latch can be bypassed with a credit card. |
| Visitor Logs | Using a SaaS visitor app with no physical enforcement. | Visitors can easily “skip” the app or enter via a propped side door. Compliance requires physical barriers. |
| Access Revocation | Marking a user as “Deactivated” in a GRC portal. | Unless that portal is hard-synced to the local door controller, the former employee’s fob still works. |
| Hardware Integrity | Assuming “Industrial Grade” locks are secure. | Most “Smart” locks are vulnerable to simple magnet attacks or RF replay. GRC tools never check the hardware firmware. |
| Anti-Tailgating | Assigning an “Awareness Video” to staff. | Videos don’t stop a determined intruder. Only Mantraps, turnstiles, or active guards provide a “Pass” on this control. |
| Emergency Exits | Relying on a “Fire Safety Certificate”. | Fire certificates check if you can get out. Annex A 7.2 checks if an intruder can get in via that same door. |
| Monitoring | Checking a box that says “CCTV Active”. | GRC tools don’t alert you when the NVR hard drive fails or when a camera is covered by a sticker. |

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
