Implementing ISO 27001 Annex A 7.6 Working in Secure Areas is a behavioural security control: it requires disciplined operational procedures to be enforced within sensitive zones so that information leakage is minimised. The business benefit is that restricted environments are protected against insider threats through continuous oversight and technical restrictions.
ISO 27001 Annex A 7.6 Working in Secure Areas Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.6. This control focuses on the behavioural and procedural rules required for personnel operating within sensitive zones, ensuring that physical barriers are supported by disciplined human activity to prevent data leakage or unauthorised interference.
1. Formally Designate Secure Area Boundaries
Control Requirement: Working in secure areas must be designed and applied to protect information.
Required Implementation Step: Physically mark the entry and exit points of sensitive zones (e.g. server rooms, HR archives, executive suites) with signage that states the specific security tier. Ensure these areas are physically separated from general office space by floor-to-ceiling partitions so that they cannot be entered over the top of the wall (overhead entry).
Minimum Requirement: A site map and physical signage identifying specific zones as “Secure Areas” with restricted access.
2. Prohibit Unsupervised External Contractors
Control Requirement: External support personnel must be supervised while in secure areas.
Required Implementation Step: Implement a mandatory “Chaperone Policy” for all third-party engineers, cleaners, or maintenance staff. Assign a specific internal staff member to remain physically present with the contractor at all times; do not simply “badge them in” and leave them to work in the comms room alone.
Minimum Requirement: A visitor log showing the entry/exit times and the name of the internal escort for every contractor visit.
3. Enforce Personal Device Bans in High-Security Zones
Control Requirement: Unauthorised photographic, video, or audio recording equipment must be controlled.
Required Implementation Step: Install signal-blocking lockers outside the entrance of the primary server room or data centre. Mandate that all staff leave personal mobile phones, smartwatches, and cameras in these lockers before entering; use physical searches or “no-phone” signage to reinforce compliance.
Minimum Requirement: A physical storage solution outside secure zones and a policy explicitly banning personal recording devices.
4. Establish ‘Two-Person Integrity’ for Critical Tasks
Control Requirement: Work in secure areas should be carried out by at least two people to mitigate insider threats.
Required Implementation Step: For high-risk operations (e.g. hardware decommissioning, master key rotations), require a minimum of two authorised employees to be present. This “four-eyes” principle ensures that no single individual has the opportunity to tamper with equipment or exfiltrate physical media unobserved.
Minimum Requirement: An operational log for the server room showing dual-sign-in for high-risk maintenance windows.
5. Implement Mandatory Clear Desk and Screen Protocols
Control Requirement: Information in secure areas must be protected from unauthorised viewing.
Required Implementation Step: Enforce a strict “Clear Desk” policy specifically for secure zones, where no sensitive documents or storage media may be left unattended. Use a Group Policy Object (GPO) to force screen locks after 60 seconds of inactivity on workstations located within these areas.
Minimum Requirement: Active GPO settings for short-duration screen timeouts and evidence of “end-of-day” desk inspections.
6. Restrict Visual Access to Sensitive Monitors
Control Requirement: Screens and displays must be shielded from unauthorised viewing from outside the secure area.
Required Implementation Step: Physically position monitors so they do not face windows or glass partitions. Apply privacy filters to all screens within the secure area and install frosted window film or heavy blinds on any glass surfaces that would allow a person in a lower-security zone to “shoulder surf” sensitive operations.
Minimum Requirement: Physical verification of monitor orientation and the presence of privacy film on all interior glass.
7. Control the Introduction of External Media
Control Requirement: The use of unauthorised removable media in secure areas must be prohibited.
Required Implementation Step: Physically disable or block USB ports on all hardware located in secure areas, using endpoint protection or EDR software and/or physical port locks. If data transfer is required, use a dedicated “sheep dip” terminal to scan media before it enters the secure environment.
Minimum Requirement: Technical logs showing blocked USB mounting attempts on servers and workstations in secure zones.
8. Schedule Periodic ‘Hidden Device’ Sweeps
Control Requirement: Secure areas must be monitored to detect unauthorised devices.
Required Implementation Step: Conduct quarterly manual inspections of server racks and under-floor voids to search for “rogue” devices such as unauthorised Wi-Fi hotspots, keyloggers, or hidden cameras. Use a handheld RF detector to identify unexpected wireless transmissions within the secure perimeter.
Minimum Requirement: A signed log of quarterly physical security sweeps with no unauthorised devices found.
9. Define Restricted Working Hours
Control Requirement: Access to and work within secure areas should be limited to authorised times.
Required Implementation Step: Set “hard” access schedules in your physical access control system (PACS) that disable staff badges outside of core business hours. Any out-of-hours work must require an approved Change Request and a temporary override from the Security Manager.
Minimum Requirement: PACS configuration reports showing badge deactivation between 19:00 and 07:00 for non-essential staff.
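Items 4 and 9 above both produce evidence from the same source: the badge log of the secure room. The following is an added example (not part of the original checklist) that audits a constructed PACS export for the two findings an auditor would look for: non-essential badge use between 19:00 and 07:00 with no approved Change Request, and high-risk maintenance windows where fewer than two distinct people badged in. Field names, roles and the `CR-` reference format are assumptions.

```python
from datetime import datetime, time

# Constructed PACS badge events: (timestamp, badge holder, role, approved change request or None)
EVENTS = [
    ("2024-03-04 08:15", "alice", "essential", None),
    ("2024-03-04 21:40", "bob", "non-essential", None),        # out of hours, no approval
    ("2024-03-04 22:05", "carol", "non-essential", "CR-1042"), # out of hours, approved override
    ("2024-03-05 10:00", "dave", "non-essential", None),       # in hours
]

# Constructed high-risk maintenance windows: (start, end, task); item 4 requires two people present
WINDOWS = [
    ("2024-03-04 21:30", "2024-03-04 23:00", "hardware decommissioning"),
    ("2024-03-05 09:30", "2024-03-05 11:00", "master key rotation"),
]

OUT_OF_HOURS_START = time(19, 0)  # badges deactivated from 19:00 ...
OUT_OF_HOURS_END = time(7, 0)     # ... until 07:00 (item 9 minimum requirement)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def is_out_of_hours(dt):
    # The window wraps midnight, so it is "after start OR before end", not "between".
    t = dt.time()
    return t >= OUT_OF_HOURS_START or t < OUT_OF_HOURS_END


def out_of_hours_violations(events):
    """Item 9: non-essential staff badged in out of hours with no approved Change Request."""
    return [who for ts, who, role, cr in events
            if role != "essential" and is_out_of_hours(parse(ts)) and cr is None]


def single_person_windows(events, windows):
    """Item 4: high-risk windows in which fewer than two distinct badge holders were present."""
    findings = []
    for start, end, task in windows:
        s, e = parse(start), parse(end)
        present = {who for ts, who, _, _ in events if s <= parse(ts) <= e}
        if len(present) < 2:
            findings.append((task, sorted(present)))
    return findings


if __name__ == "__main__":
    print("Out-of-hours violations:", out_of_hours_violations(EVENTS))
    print("Windows lacking two-person integrity:", single_person_windows(EVENTS, WINDOWS))
```

On the constructed data, bob is flagged for the unapproved 21:40 entry while carol's CR-1042 override passes, and the key rotation window is flagged because only dave was present.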
10. Conduct Unannounced Behavioural Audits
Control Requirement: Compliance with secure area rules must be regularly verified.
Required Implementation Step: Perform unannounced “walk-throughs” to catch staff leaving doors propped open, sharing badges, or bringing personal phones into restricted zones. Treat every violation as a security incident and trigger the formal disciplinary process to maintain a culture of high discipline.
Minimum Requirement: Internal audit notes documenting at least two unannounced spot-checks per year.
ISO 27001 Annex A 7.6 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Supervision | A digital “Contractor Policy” stored in a dashboard. | A PDF doesn’t watch a contractor. If nobody is physically standing in the server room with them, the policy is moot. |
| Recording Devices | Ticking “Yes” to having a phone ban. | Without physical lockers and signage, staff will bring phones in. GRC tools don’t check pockets. |
| Visual Privacy | Uploading a photo of a privacy screen. | A photo doesn’t show if the screen is actually used or if the monitor was moved yesterday to face the window. |
| Two-Person Integrity | Assigning a “Task” to two people in a GRC tool. | The tool records completion, not presence. Real security requires a physical log signed by both parties at the rack. |
| Clear Desk | Accepting a “Self-Attestation” from employees. | Employees lie to avoid friction. Only unannounced physical sweeps by a Security Officer provide a true pass. |
| Physical Sweeps | Marking a recurring task as “Done” every quarter. | GRC tools don’t find hidden keyloggers. Only an engineer with an RF detector and a torch can do this work. |
| Door Security | Logging that the door has an “Electronic Lock”. | The software says it’s locked, but is it propped open with a fire extinguisher? A dashboard will never show you the door wedge. |