In this ultimate implementation guide to ISO 27001 Annex A 7.6 Working in Secure Areas, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Annex A Working in Secure Areas Implementation Checklist
- 1. Formally Designate Secure Area Boundaries
- 2. Prohibit Unsupervised External Contractors
- 3. Enforce Personal Device Bans in High-Security Zones
- 4. Establish ‘Two-Person Integrity’ for Critical Tasks
- 5. Implement Mandatory Clear Desk and Screen Protocols
- 6. Restrict Visual Access to Sensitive Monitors
- 7. Control the Introduction of External Media
- 8. Schedule Periodic ‘Hidden Device’ Sweeps
- 9. Define Restricted Working Hours
- 10. Conduct Unannounced Behavioural Audits
- ISO 27001 Annex A 7.6 SaaS / GRC Platform Implementation Failure Checklist
ISO 27001 Annex A 7.6 Working in Secure Areas is a behavioural security control: it requires disciplined operational procedures to be enforced within sensitive zones so that information is not leaked or tampered with. The Business Benefit of this control is that restricted environments are protected against insider threats through continuous oversight and technical restrictions on what may be brought in and done there.
ISO 27001 Annex A Working in Secure Areas Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.6. This control focuses on the behavioural and procedural rules required for personnel operating within sensitive zones, ensuring that physical barriers are supported by disciplined human activity to prevent data leakage or unauthorised interference.
1. Formally Designate Secure Area Boundaries
Control Requirement: Working in secure areas must be designed and applied to protect information.
Required Implementation Step: Physically mark the entry and exit points of sensitive zones (e.g. server rooms, HR archives, executive suites) with signage that states the specific security tier. Ensure these areas are physically separated from general office space by floor-to-ceiling partitions, so that nobody can enter over the top of a partition through the ceiling void.
Minimum Requirement: A site map and physical signage identifying specific zones as “Secure Areas” with restricted access.
2. Prohibit Unsupervised External Contractors
Control Requirement: External support personnel must be supervised while in secure areas.
Required Implementation Step: Implement a mandatory “Chaperone Policy” for all third-party engineers, cleaners, and maintenance staff. Assign a specific internal staff member to remain physically present with the contractor at all times; do not simply “badge them in” and leave them to work in the comms room alone.
Minimum Requirement: A visitor log showing the entry/exit times and the name of the internal escort for every contractor visit.
3. Enforce Personal Device Bans in High-Security Zones
Control Requirement: Unauthorised photographic, video, or audio recording equipment must be controlled.
Required Implementation Step: Install signal-blocking lockers outside the entrance of the primary server room or data centre. Mandate that all staff leave personal mobile phones, smartwatches, and cameras in these lockers before entering; use physical searches or “no-phone” signage to reinforce compliance.
Minimum Requirement: A physical storage solution outside secure zones and a policy explicitly banning personal recording devices.