Implementing ISO 27001 Annex A 7.3 Securing Offices, Rooms and Facilities is a critical physical security strategy that hardens internal workspaces against unauthorised access. The business benefit of this control is that it safeguards sensitive assets and meets rigorous compliance standards through layered physical protections.
ISO 27001 Annex A Securing Offices, Rooms and Facilities Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.3. This control mandates the physical protection of internal work areas and facilities to prevent unauthorised access, damage, and interference, moving beyond the perimeter to secure the specific rooms where data is processed.
1. Conduct a Physical Entry Point Audit
Control Requirement: Physical security for offices, rooms, and facilities must be designed and applied. Required Implementation Step: Categorise every room in your facility based on the sensitivity of the data handled within. Identify “Secure Areas” such as server rooms, comms closets, post rooms, and executive boardrooms. Physically mark these boundaries on a floor plan and ensure they are walled from floor-to-slab (not just to the suspended ceiling).
Minimum Requirement: A classified floor plan identifying all “Secure Areas” and their specific physical requirements.
2. Implement ‘Need-to-Access’ Internal Permissions
Control Requirement: Access to secure areas must be restricted to authorised personnel. Required Implementation Step: Configure your physical access control system (PACS) to deny general staff access to “Secure Areas” by default. Use a Role-Based Access Control (RBAC) model where only IT personnel can enter comms rooms and only HR can enter the file archive. Audit the user list in the door controller software monthly.
Minimum Requirement: A physical access matrix reconciled against current HR/IT department lists.
3. Harden Infrastructure Comms Rooms
Control Requirement: Information processing facilities managed by the organisation must be physically protected. Required Implementation Step: Ensure comms rooms have no windows and are fitted with solid-core doors and Grade 3 security locks. Install “Ajar” sensors that trigger an immediate alert to the IT team if the door is held open for more than 20 seconds, preventing accidental or intentional bypassing of the lock.
Minimum Requirement: Physical verification that all comms room doors are solid-core and equipped with functional door-open alarms.
4. Manage Key and Badge Inventory
Control Requirement: Physical access keys and badges must be controlled. Required Implementation Step: Establish a master log of every physical key and RFID badge in circulation. Perform a “Flash Audit” quarterly where a sample of staff must physically produce their assigned keys/badges. Revoke any “ghost” badges that have not been used to enter the facility for more than 30 days.
Minimum Requirement: A central key/badge register with evidence of quarterly reconciliation audits.
5. Shield External-Facing Windows
Control Requirement: Protection against unauthorised viewing or overhearing. Required Implementation Step: Apply frosted or mirrored privacy film to all windows of ground-floor offices and secure rooms to prevent “shoulder surfing” from the street. In boardrooms where sensitive data is discussed, install acoustic damping or heavy curtains to prevent laser-microphone eavesdropping or visual capture of screens through windows.
Minimum Requirement: Privacy film or blinds installed and functional on all ground-floor secure facility windows.
6. Secure Shared Multi-Tenancy Spaces
Control Requirement: Protection of facilities in shared environments. Required Implementation Step: If you operate in a managed office, verify the landlord’s physical controls. Ensure your specific server racks are in a locked cage and that your internal office doors are on a separate, privately managed access control system that the building’s general cleaning staff cannot bypass without an escort.
Minimum Requirement: Documented agreement or configuration showing independent lock control for multi-tenanted spaces.
7. Enforce Supervised Entry for Visitors
Control Requirement: Unauthorised personnel must be prevented from entering secure areas unsupervised. Required Implementation Step: Establish a policy where external contractors (cleaners, HVAC engineers) must be escorted at all times within secure rooms. Use a physical “Visitor Badge” system that requires the visitor to be “badged in” by their internal host, ensuring the PACS log shows exactly who was responsible for the guest.
Minimum Requirement: A visitor logbook or PACS report showing visitor/host pairing for every “Secure Area” entry.
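Steps 2, 4 and 7 all come down to the same reconciliation: comparing what the PACS actually recorded against the HR roster, the badge register and the RBAC matrix. As an added example (not from this page, and not any vendor's door-controller export format), the script below runs that reconciliation over a constructed badge register, HR roster and door-event log, flagging RBAC violations, badges still used or held by leavers, badges unused for more than 30 days, and visitor entries with no host badge. The field layout, area names and the "V" prefix for visitor badges are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumptions, not taken from any real PACS export).
HR_ACTIVE = {"E100": "IT", "E101": "HR", "E102": "Finance"}                # employee -> department
BADGE_REGISTER = {"B1": "E100", "B2": "E101", "B3": "E103", "B4": "E102"}  # badge -> holder
AREA_RBAC = {"COMMS-ROOM": {"IT"}, "FILE-ARCHIVE": {"HR"}}                 # secure area -> allowed depts
# Door events: (timestamp, badge, area, result, host badge for visitors or None).
# Visitor badges are assumed to carry a "V" prefix.
PACS_EVENTS = [
    ("2024-05-01T08:02:00", "B1", "COMMS-ROOM", "GRANTED", None),
    ("2024-05-20T09:15:00", "B4", "COMMS-ROOM", "GRANTED", None),    # Finance badge in comms room
    ("2024-05-21T10:00:00", "V9", "COMMS-ROOM", "GRANTED", None),    # visitor badged in with no host
    ("2024-05-21T10:05:00", "V8", "FILE-ARCHIVE", "GRANTED", "B2"),  # visitor correctly paired
    ("2024-05-22T12:00:00", "B4", "FILE-ARCHIVE", "DENIED", None),   # denied: no finding, still "seen"
    ("2024-05-25T18:30:00", "B3", "FILE-ARCHIVE", "GRANTED", None),  # holder has left the company
    ("2024-03-01T07:00:00", "B2", "FILE-ARCHIVE", "GRANTED", None),  # last use three months ago
]

GHOST_DAYS = 30  # revoke badges not used to enter the facility for more than 30 days

def reconcile(as_of, events=PACS_EVENTS, register=BADGE_REGISTER,
              hr=HR_ACTIVE, rbac=AREA_RBAC):
    """Return a list of (finding, badge, detail) tuples for the auditor."""
    as_of = datetime.fromisoformat(as_of)
    findings, last_seen = [], {}
    for ts, badge, area, result, host in events:
        t = datetime.fromisoformat(ts)
        last_seen[badge] = max(last_seen.get(badge, t), t)
        if result != "GRANTED":
            continue
        if badge.startswith("V"):             # visitor: must be badged in by an internal host
            if host is None:
                findings.append(("UNESCORTED_VISITOR", badge, area))
            continue
        dept = hr.get(register.get(badge))
        if dept is None:                      # badge maps to nobody on the active HR roster
            findings.append(("LEAVER_BADGE_USED", badge, area))
        elif dept not in rbac.get(area, set()):
            findings.append(("RBAC_VIOLATION", badge, area))
    for badge, holder in register.items():    # the "ghost badge" sweep from step 4
        if holder not in hr:
            findings.append(("GHOST_LEAVER", badge, "revoke"))
        elif badge not in last_seen or as_of - last_seen[badge] > timedelta(days=GHOST_DAYS):
            findings.append(("GHOST_INACTIVE", badge, "revoke"))
    return findings

if __name__ == "__main__":
    for finding in reconcile("2024-05-31T00:00:00"):
        print(*finding)
```

Run against a real export, the same logic turns a monthly "are logs reviewed?" checkbox into a concrete revocation and escalation list.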
8. Monitor Secure Rooms with Surveillance
Control Requirement: Secure areas should be monitored to detect unauthorised access. Required Implementation Step: Install high-resolution CCTV cameras inside and outside every secure room entry point. Ensure the Network Video Recorder (NVR) is secured in a separate locked room or rack, and that footage is retained for at least 90 days to allow for forensic investigation of historical breaches.
Minimum Requirement: Functioning CCTV coverage for all comms rooms with verified 90-day retention logs.
9. Lock Down Unattended Workstations
Control Requirement: Protect facilities when rooms are left unoccupied. Required Implementation Step: Configure a Group Policy Object (GPO) or MDM profile to force screen locks after 5 minutes of inactivity. For offices left unoccupied at night, mandate that “Clear Desk” procedures are followed, with all laptops secured in docking stations or locked drawers, and office doors physically locked by the last person leaving.
Minimum Requirement: Technical verification of GPO screen-lock settings and a “last person out” checklist.
10. Conduct Annual Physical Penetration Tests
Control Requirement: Regularly review the effectiveness of facility security. Required Implementation Step: Perform a “Red Team” walk-through. Attempt to tailgate into the comms room, check for propped-open fire exits, and look for “keys under mats” or passwords on sticky notes. Document every failure and physically remediate the hardware (e.g., adding self-closing hinges) rather than just updating a policy.
Minimum Requirement: An internal report detailing the results of an unannounced physical security sweep.
ISO 27001 Annex A 7.3 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Physical Perimeter | Uploading a photo of the front door. | A photo doesn’t show if the door is actually locked or if the hinges can be unscrewed from the outside. |
| Access Logs | Ticking “Yes” to “Are logs reviewed?”. | Unless you are actively comparing door logs to HR leaver lists, the logs are just noise. GRC tools don’t audit the accuracy of the logs. |
| Comms Room Security | Marking “Secure” because the room has a lock. | Does the wall go all the way up to the concrete slab? If it’s just a stud wall to the drop ceiling, an intruder can climb over the top. |
| Surveillance | Recording the name of the CCTV vendor. | If the NVR hard drive failed three weeks ago, your “compliance” is a fantasy. GRC platforms don’t monitor camera uptime. |
| Visitor Management | Using a SaaS app for visitor sign-ins. | Digital logs are useless if the visitor isn’t physically escorted. A dashboard cannot watch a guest in the server room. |
| Key Management | A spreadsheet list of who has keys. | Spreadsheets don’t account for lost keys. Only a physical “Show me the key” audit provides real assurance. |
| Environmental Protection | Checking a box for “Fire Suppression”. | Is the gas cylinder full? Has the sensor been tested this year? GRC tools don’t smell smoke or check pressure gauges. |