In this ultimate how-to implementation guide to ISO 27001 Annex A 7.2 Physical Entry Controls, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Annex A Physical Entry Controls Implementation Checklist
- 1. Conduct a Physical Entry Point Audit
- 2. Deploy Multi-Factor Authentication for Secure Zones
- 3. Implement a Managed Visitor Log
- 4. Establish a Key and Fob Management Register
- 5. Install Tamper-Evident CCTV at Entry Points
- 6. Enforce Tailgating and Anti-Passback Logic
- 7. Secure Unmanned and Emergency Exits
- 8. Hard-Wire the Door Hardware
- 9. Implement Post-Termination Revocation Procedures
- 10. Conduct Quarterly ‘Red Team’ Door Tests
- ISO 27001 Annex A 7.2 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 7.2 Physical Entry Controls is a mandatory security measure: it requires authenticated, logged entry points for every secure zone so that physical breaches are prevented rather than discovered after the fact. The business benefit is twofold: unauthorised access is mitigated, and a verifiable audit trail exists for regulatory compliance.
ISO 27001 Annex A Physical Entry Controls Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.2. This control demands that all entry points into secure areas are protected by physical barriers and authentication mechanisms that ensure only authorised personnel gain access, verified by real-world physical audits rather than digital dashboard promises.
1. Conduct a Physical Entry Point Audit
Control Requirement: Secure areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
Required Implementation Step: Walk every square inch of your perimeter and internal secure zones. Map every door, window, delivery hatch, and service duct; assign a unique ID to each and document the current locking mechanism (e.g., Euro-cylinder, Mag-lock, or Solenoid) to identify vulnerabilities.
Minimum Requirement: A comprehensive asset register of all physical entry points with their associated hardware types.
2. Deploy Multi-Factor Authentication for Secure Zones
Control Requirement: Access to sensitive areas should be restricted based on business requirements.
Required Implementation Step: Install card readers and PIN pads on all “Restricted” and “Secure” zone doors. For high-sensitivity areas like the primary server room, implement dual-authentication (e.g., HID iClass badge plus a biometric scan or unique PIN) to prevent unauthorised entry via stolen or cloned fobs.
Minimum Requirement: Verified two-factor physical authentication active on at least one internal high-security perimeter.
3. Implement a Managed Visitor Log
Control Requirement: All visitors should be recorded and supervised while in secure areas.
Required Implementation Step: Maintain a physical or digital logbook at the primary entry point that captures Name, Organisation, Purpose, Time-In, Time-Out, and the Internal Host. Issue distinct “Visitor” lanyards that must be worn at all times, and ensure the host takes physical responsibility for the visitor’s movements.
Minimum Requirement: A continuous, tamper-evident record of all external visitors spanning the previous 12 months.
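The minimum requirement above asks for a record that is both continuous and tamper-evident. For a digital logbook, the usual way to meet that is an append-only log in which every event commits to the hash of the event before it, so that editing or deleting any past sign-in or sign-out breaks the chain from that point onward. The following is an added example written for this guide; it is not code from the original article or from the author's toolkit. It assumes SHA-256 hash chaining over canonical JSON, identifies each visitor by the lanyard number issued at the desk, and uses constructed sample visitors and timestamps.

```python
import hashlib
import json

# Anchor for the first entry: a fixed all-zero digest (constructed constant)
GENESIS_HASH = "0" * 64


def _hash_entry(prev_hash: str, event: dict) -> str:
    """Digest of (previous hash || canonical JSON of the event).

    sort_keys and compact separators make the encoding canonical, so the
    digest cannot change just because a dict was serialised in another order.
    """
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class VisitorLog:
    """Append-only visitor logbook: sign-in and sign-out are separate events."""

    def __init__(self):
        self.entries = []  # each: {"seq", "event", "prev_hash", "hash"}

    def _append(self, event: dict) -> int:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "event": event,
            "prev_hash": prev_hash,
            "hash": _hash_entry(prev_hash, event),
        }
        self.entries.append(entry)
        return entry["seq"]

    def sign_in(self, lanyard, name, organisation, purpose, host, time_in) -> int:
        # Captures the fields the control asks for: Name, Organisation,
        # Purpose, Time-In and the Internal Host responsible for the visitor.
        return self._append({
            "type": "in", "lanyard": lanyard, "name": name,
            "organisation": organisation, "purpose": purpose,
            "host": host, "time": time_in,
        })

    def sign_out(self, lanyard, time_out) -> int:
        # Time-Out is its own event; the sign-in record is never edited.
        return self._append({"type": "out", "lanyard": lanyard, "time": time_out})

    def on_site(self) -> dict:
        """Replay the chain to list lanyards signed in but not yet signed out."""
        present = {}
        for entry in self.entries:
            ev = entry["event"]
            if ev["type"] == "in":
                present[ev["lanyard"]] = {"name": ev["name"], "host": ev["host"]}
            else:
                present.pop(ev["lanyard"], None)
        return present

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of first bad entry).

        A modified event fails its own hash check; a re-hashed event makes the
        next entry's prev_hash mismatch, so the edit still surfaces.
        """
        prev_hash = GENESIS_HASH
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash:
                return False, entry["seq"]
            if entry["hash"] != _hash_entry(prev_hash, entry["event"]):
                return False, entry["seq"]
            prev_hash = entry["hash"]
        return True, None


def build_sample_log() -> VisitorLog:
    """Constructed sample day at the front desk (fictional visitors and times)."""
    log = VisitorLog()
    log.sign_in("V-001", "A. Example", "Example HVAC Ltd", "Chiller maintenance",
                "J. Host", "2024-05-01T09:02Z")
    log.sign_in("V-002", "B. Example", "Example Audit LLP", "Internal audit",
                "K. Host", "2024-05-01T09:30Z")
    log.sign_out("V-001", "2024-05-01T11:45Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(), "on site:", log.on_site())
    log.entries[0]["event"]["host"] = "someone else"  # simulate an after-the-fact edit
    print("after edit:", log.verify())
```

The chain proves that nothing inside the file was altered, but not that the whole file was replaced with a shorter, internally consistent one. To close that gap, record the hash of the latest entry somewhere the desk cannot change (a daily e-mail to the security manager, a printed end-of-day slip, or a copy on a separate system) and compare against it when the twelve-month record is reviewed.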