ISO 27001:2022 Annex A 7.3 Securing offices, rooms and facilities

In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.3 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.3 Securing Offices, Rooms, and Facilities

ISO 27001 Annex A 7.3 requires organizations to design and implement physical security for offices, rooms, and facilities. While general building access is covered in other controls, this control focuses on the internal security architecture, ensuring that sensitive areas (like server rooms or HR archives) are partitioned and protected from unauthorised access, damage, or interference. The goal is to apply a “Defence in Depth” strategy to physical spaces.

Core requirements for compliance include:

  • Zoning Strategy: You must divide your physical premises into security zones based on the sensitivity of the data or equipment within them. Access should become more restrictive as you move from public zones to sensitive zones.
  • Access Points: All entry and exit points to restricted areas must be controlled (e.g., via badge readers, keypads, or biometric scanners) and logged for audit purposes.
  • Environmental Protection: Facilities must be protected against physical threats like fire, flood, and electrical surges. This includes maintaining fire suppression systems and water leak detection in critical areas.
  • Confidentiality Measures: Sensitive activities should be sited where they cannot be overlooked or overheard by the public. This may include using privacy film on windows or acoustic padding in meeting rooms.
  • Safety & Law: Physical security must always comply with local health and safety laws. For example, fire exit doors must “fail open” to allow escape, regardless of the security level.

Audit Focus: Auditors will look for “The Sub-Zone Proof”:

  1. Walkthrough Inspection: They will walk through your facility. If a server room door is propped open with a fire extinguisher, it’s an automatic non-conformity.
  2. Access Logs: “Show me the log of everyone who entered the server room or evidence locker in the last 30 days.”
  3. Signage & Camouflage: They will check if external signage unnecessarily advertises the location of high-value assets, which could attract unwanted attention.

Zone Definition Matrix (Audit Prep):

| Security Zone | Access Level | Example Area | Standard Control Measure | ISO 27001:2022 Control |
|---|---|---|---|---|
| Zone 1: Public | Open / Monitored | Reception / Lobby | CCTV + Guest Sign-in Book | 7.2 (Physical Entry) |
| Zone 2: Private | Staff Only | Open Plan Office | Keycard (Badge) Access | 7.3 (Securing Offices) |
| Zone 3: Restricted | Authorised Only | Server Room / HR | Biometrics or PIN + Access Log | 7.3 (Securing Offices) |
| Zone 4: Sensitive | High-Security | Safe / Vault | Steel Door + Two-Person Rule | 7.3 (Securing Offices) |

What is ISO 27001 Annex A 7.3?

The focus for this ISO 27001 control is your physical security for offices, rooms and facilities. As one of the ISO 27001 controls, this is about giving the right people the right level of physical access so they can go about their business, whilst keeping out the people you don’t want to have access.

ISO 27001 Annex A 7.3 Securing Offices, Rooms and Facilities is an ISO 27001 control that requires an organisation to protect offices, rooms and facilities with physical security.

ISO 27001 Annex A 7.3 Purpose

ISO 27001 Annex A 7.3 is a preventive control that ensures you prevent unauthorised physical access, damage and interference to the organisation’s information and other associated assets in offices, rooms and facilities.

ISO 27001 Annex A 7.3 Definition

ISO 27001 defines Securing Offices, Rooms and Facilities as:

Physical security for offices, rooms and facilities should be designed and implemented.

ISO27001:2022 Annex A 7.3 Securing Offices, Rooms and Facilities

ISO 27001 Annex A 7.3 Free Training Video

In the video ISO 27001 Securing Offices, Rooms and Facilities Explained – ISO27001:2022 Annex A 7.3 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.3 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.3 Securing Offices, Rooms And Facilities, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.3 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.3 Securing Offices, Rooms And Facilities. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 7.3 Implementation Guide

General Guidance

You are going to have to

  • consult a legal professional to ensure you operate within the law and regulation
  • only allow people you authorise into buildings, sites and physical locations
  • implement physical security controls based on risk and business need

Considerations

The following considerations may be appropriate:

  • siting confidential and sensitive information processing where it cannot be accessed by the public
  • being aware of external building signage so as not to highlight information processing
  • stopping people outside the physical boundary from seeing in or listening in
  • electromagnetic shielding if you are NASA
  • restricting access to internal contact directories and maps to those that need to know

The implementation of securing offices, rooms and facilities is in the context of the physical security perimeter where you can find guidance in the Ultimate guide to ISO 27001 Annex A 7.1 Physical Security Perimeter.

Health and Safety

Your number one priority is to meet the requirements of law and regulation. Be sure to engage with a legal professional to understand what you can and cannot do and to check that you are not breaking any laws. The most significant laws are those around health and safety, as the protection of human life and wellbeing is always our number one priority. There are common things that should be considered, such as entry point doors that fail open. Whilst we want to protect buildings and information, our absolute priority is to protect people.

Define your access control requirements

Start by understanding your risk and doing a risk assessment. For guidance on how, read The Complete Guide to ISO 27001 Risk Assessment. This is going to be based on the needs of the business and the risks that you are managing. As a starting point there are basics such as having locks on doors, but you can assess the strength of those locks and whether additional controls such as biometrics or gates are required. Do what is right for you. Consider the environment around the location and the threats that may be posed, and be sensible in addressing them.

Topic specific physical and environmental security policy

To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.

Secure Areas

The standard gives the guidance that a secure area can be an office that is locked or some internal area that has an internal security barrier. It takes into account that your physical locations may be internally subdivided based on protection requirements. Usually this is implemented when you have a file room, an archive room, or a room where you store old IT equipment. On-premises data centres and data rooms fall into this category as well, but in this day and age they are few and far between, with most people adopting a cloud-based strategy.

How to implement ISO 27001 Annex A 7.3

Implementing ISO 27001 Annex A 7.3 requires a tiered approach to internal physical security, ensuring that sensitive offices and rooms are protected by perimeters that are proportionate to the risks identified. This technical guide outlines the action-result workflow for hardening internal facilities and managing access to critical information processing areas.

1. Categorise and Map Internal Secure Areas

Conduct a physical site survey to identify and classify rooms based on the sensitivity of the data or hardware they contain.

  • Identify high-value areas such as server rooms, communications cupboards, and executive offices.
  • Define the required security perimeter for each zone based on a formal Risk Assessment.
  • Document the boundaries of these “Secure Areas” within the Physical Security Policy.
  • Ensure that internal walls extend from floor to ceiling (slab-to-slab) to prevent unauthorised overhead access.

2. Provision Multi-Layered Access Controls

Deploy physical and electronic barriers to ensure that only authorised personnel with a verified business need can enter restricted zones.

  • Install electronic Physical Access Control Systems (PACS) using encrypted fobs or biometric scanners.
  • Provision Multi-Factor Authentication (MFA) for entry into high-criticality areas like the primary data centre.
  • Assign access rights based on specific IAM roles, ensuring the principle of least privilege is applied to the physical site.
  • Configure automated alerts for “door held open” or “forced entry” events.

3. Implement Environmental and Hazard Protection

Integrate protective measures to shield internal facilities from accidental or natural environmental threats that could compromise equipment availability.

  • Install automatic fire detection and gas-based suppression systems in server rooms to mitigate thermal risks without water damage.
  • Deploy water leak detection sensors beneath raised floors or near AC units.
  • Utilise fire-rated doors and partitions for all rooms designated as secure zones.
  • Maintain a maintenance log for all environmental sensors to serve as audit evidence.

4. Formalise Visitor Management and Supervision Protocols

Establish strict rules for the movement of unvetted individuals within internal facilities to prevent opportunistic data theft or tampering.

  • Maintain a formal Register of Entrants (ROE) for all visitors, contractors, and third-party maintenance staff.
  • Mandate constant supervision (escorting) for any visitor entering a secure room.
  • Issue visually distinct temporary ID badges that must be displayed at all times.
  • Record the purpose of the visit and the identity of the internal host for every entry event.

5. Revoke Access and Audit Physical Logs

Perform regular reviews of physical access rights and logs to ensure the continued integrity of secure offices and facilities.

  • Revoke physical badge access immediately upon staff termination or role change.
  • Audit PACS logs monthly to identify anomalous entry patterns or attempted unauthorised access.
  • Conduct quarterly “floor walks” to verify that doors are not being propped open and locks remain functional.
  • Document all findings and corrective actions within the ISMS continuous improvement log.
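The monthly PACS log review in step 5 can be run as a script over a log export. This is an added example, not part of this guide or any PACS vendor’s software; the export format, the badge IDs and zones, the denial count and the 60-second held-open threshold are all constructed assumptions:

```python
"""Step 5 PACS log review: revoked badges still granted access, access
outside a badge's authorised zone, repeated denied attempts, and doors
held open beyond the limit. Log format and data are constructed."""
from collections import Counter
from datetime import datetime

HELD_OPEN_LIMIT_SECONDS = 60   # assumed "door held open" alert threshold
DENIED_ATTEMPT_LIMIT = 3       # assumed: this many denials is a finding

# Constructed export, one event per line: timestamp,badge,door,zone,event
# badge is "-" for door-contact events (DOOR_OPEN / DOOR_CLOSE)
SAMPLE_LOG = """\
2024-05-01T08:02:10,B1001,SRV-01,3,GRANTED
2024-05-01T08:02:11,-,SRV-01,3,DOOR_OPEN
2024-05-01T08:02:20,-,SRV-01,3,DOOR_CLOSE
2024-05-01T09:15:00,B2002,SRV-01,3,DENIED
2024-05-01T09:15:08,B2002,SRV-01,3,DENIED
2024-05-01T09:15:30,B2002,SRV-01,3,DENIED
2024-05-01T12:40:05,B3003,OFF-02,2,GRANTED
2024-05-01T12:40:06,-,OFF-02,2,DOOR_OPEN
2024-05-01T12:45:00,-,OFF-02,2,DOOR_CLOSE
2024-05-02T07:55:41,B4004,HR-01,3,GRANTED
2024-05-02T10:00:00,B2002,OFF-02,2,GRANTED
"""

# Zones each badge is authorised for, from the last access-rights review
AUTHORISED_ZONES = {"B1001": {1, 2, 3}, "B2002": {1, 2},
                    "B3003": {1, 2}, "B4004": {1, 2}}
# Leavers reported by HR whose badges should already be revoked in PACS
REVOKED_BADGES = {"B3003"}

def parse_log(text):
    """Parse the export into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, zone, event = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "zone": int(zone), "event": event})
    return events

def review(events):
    """Return findings per check; each value is a list in log order."""
    findings = {"revoked_used": [], "zone_violation": [],
                "repeated_denied": [], "held_open": []}
    denied = Counter()
    opened_at = {}  # door -> time of DOOR_OPEN not yet followed by DOOR_CLOSE
    for e in events:
        tag = f'{e["badge"]}@{e["door"]}'
        if e["event"] == "GRANTED":
            if e["badge"] in REVOKED_BADGES:            # revocation not applied
                findings["revoked_used"].append(tag)
            if e["zone"] not in AUTHORISED_ZONES.get(e["badge"], set()):
                findings["zone_violation"].append(tag)  # least privilege broken
        elif e["event"] == "DENIED":
            denied[e["badge"]] += 1
            if denied[e["badge"]] == DENIED_ATTEMPT_LIMIT:
                findings["repeated_denied"].append(e["badge"])
        elif e["event"] == "DOOR_OPEN":
            opened_at[e["door"]] = e["time"]
        elif e["event"] == "DOOR_CLOSE" and e["door"] in opened_at:
            held = (e["time"] - opened_at.pop(e["door"])).total_seconds()
            if held > HELD_OPEN_LIMIT_SECONDS:
                findings["held_open"].append(f'{e["door"]}:{int(held)}s')
    for door in opened_at:  # still open at end of export: propped or sensor fault
        findings["held_open"].append(f"{door}:still-open")
    return findings
```

Running `review(parse_log(SAMPLE_LOG))` on the constructed export flags the leaver’s badge still opening OFF-02, B4004 entering a Zone 3 room it is not authorised for, three denials for B2002 at the server room, and OFF-02 held open for 294 seconds.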

Zone Definition Matrix

| Zone | Access Level | Example | Control Measure |
|---|---|---|---|
| Zone 1: Public | Open | Reception / Lobby | CCTV + Receptionist |
| Zone 2: Private | Staff Only | Open Plan Office | Pass Card (Badge) access |
| Zone 3: Restricted | Authorized Only | Server Room / HR Files | Biometrics / Keypad + Log |
| Zone 4: Sensitive | Highly Secure | Evidence Room / Safe | Two-Person Rule + Steel Door |

ISO 27001 Securing Offices, Rooms and Facilities Template

For ISO 27001 Annex A 7.3 Securing Offices, Rooms and Facilities you need a topic specific Physical and Environmental Security Policy Template.

ISO 27001 Physical and Environmental Security Policy - ISO 27001 Annex A 7.3 Template

How to pass the ISO 27001 Annex A 7.3 audit

To comply with ISO 27001 Annex A 7.3 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

  • Define your physical access requirements
  • Define your internal sub zone physical perimeter requirements
  • Consult with a legal professional to ensure you are meeting legal and regulatory requirements
  • Implement your physical security access
  • Write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy
  • Write, sign off, implement and communicate your perimeter incident response procedures
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and, where they are not, follow the continual improvement process to address the risks

What the auditor will check

The audit is going to check a number of areas. Let’s go through them.

1. That you have a physical entry control

One of the easier things for an auditor to check is the physical entry controls, as they are usually the first thing the auditor encounters on arrival if you have a physical location. They are going to visit and check all the physical locations in scope.

2. The strength of the physical security access

They have been doing this a long time and done many audits so they know what to look for. They will test the controls and see what happens. They will try to open doors, open cupboards, gain access to areas they should not.

3. Documentation

They are going to look at audit trails and all your documentation. They will look at appropriate access reviews, monitoring logs and reports, and incidents and how you managed them.

Top 3 ISO 27001 Annex A 7.3 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 7.3 are

1. Your physical security perimeter is turned off

What do I mean by turned off? In simple terms it means that you have a lockable door that should be locked and it is not locked. You have a fire door that should be closed and locked but you have propped it open because it is a hot day.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have. Have access reviews taken place? Who gets informed about the alarm, and do they still work here?

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, and having documents with no unresolved comments left in them are all good practices.

Applicability of ISO 27001 Annex A 7.3 across different business models

Small Businesses

Applicability: Highly applicable for businesses with a physical office presence, focusing on basic internal partitioning. The goal is to ensure that sensitive areas like the office manager’s desk or local backup drives are not accessible to visitors or delivery drivers.

Examples of control implementation:

  • Using simple keyed locks on internal office doors and ensuring keys are only issued to the business owner and designated staff.
  • Installing a small, locked metal cabinet to secure physical archives, payroll records, and old laptops.
  • Restricting access to the office “Comms Cupboard” containing the main router and network switch to prevent unauthorized physical tampering.

Tech Startups

Applicability: Critical for startups with on-site development labs or small server rooms. Compliance involves implementing a tiered zoning strategy to protect proprietary hardware and high-value research tools.

Examples of control implementation:

  • Implementing “Badge-only” zones where the engineering team works, separated from the public-facing lobby and meeting rooms.
  • Installing an electronic keypad or fob reader on the server room door that logs every entry event for audit purposes.
  • Configuring automated alerts that notify the IT Lead if a restricted office door is propped open for longer than 60 seconds.

AI Companies

Applicability: Vital for protecting on-premise GPU clusters and rooms where proprietary model weights are stored. Focus is on high-security restricted zones and maintaining absolute physical confidentiality.

Examples of control implementation:

  • Mandating biometric access control (e.g., fingerprint or face scan) for entry into high-performance computing (HPC) zones.
  • Using “Slab-to-Slab” internal wall construction for GPU rooms to prevent unauthorized access through the ceiling voids.
  • Installing privacy film on all windows of offices where data scientists process sensitive model training metadata to prevent long-range visual interception.

Fast Track ISO 27001 Annex A 7.3 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 7.3 (Securing offices, rooms and facilities), the requirement is to design and implement physical security for offices, rooms, and facilities. This is a common-sense physical security control that focuses on real-world access: locks, badges, and biometrics.

| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your facility rules; if you cancel the subscription, your documented zone definitions and badge rules vanish. | Permanent Assets: Fully editable Word/Excel Physical and Environmental Security Policies that you own forever. | A localized “Physical Security Policy” defining restricted zones and visitor escort requirements. |
| Infrastructure Governance | Attempts to “automate” site security via dashboards that cannot physically lock a door or verify a visitor is escorted. | Governance-First: Formalizes facility management and real-world infrastructure into an auditor-ready framework. | A completed “Zone Definition Matrix” proving that high-security areas (like server rooms) are identified and protected. |
| Cost Efficiency | Charges a “Physical Facility Tax” based on the number of locations or square footage monitored. | One-Off Fee: A single payment covers your governance documentation for one small office or a global facility network. | Allocating budget to physical security hardware (e.g., biometric locks or steel doors) rather than monthly software fees. |
| Operational Freedom | Mandates rigid reporting structures that may not align with unique office layouts or specialized industrial environments. | 100% Agnostic: Procedures adapt to any environment, from high-security server rooms to standard open-plan offices, without limits. | The ability to evolve your physical security strategy without reconfiguring a rigid SaaS compliance module. |

Own Your ISMS, Don’t Rent It

Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit

Summary: For Annex A 7.3, the auditor wants to see that you have a formal policy for office security and proof that you follow it (e.g., site walkthrough logs and defined security zones). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 7.3 FAQ

What is ISO 27001 Annex A 7.3?

ISO 27001 Annex A 7.3 is a physical security control that requires organisations to design and implement security for offices, rooms, and facilities to prevent unauthorised access and environmental threats.

  • Focuses on internal perimeters beyond the main building entry.
  • Requires a risk-based approach to securing sensitive areas like server rooms.
  • Mandates that security measures should be proportionate to the value of the assets protected.
  • Includes protection against fire, flood, and other physical hazards.

Does ISO 27001 require internal locks on all office doors?

No, the standard does not mandate locks on every door but requires that “secure areas” containing sensitive information or hardware are physically restricted.

  • Access must be limited to authorised personnel only via keys, fobs, or biometrics.
  • Internal partitions and walls must be of adequate strength to prevent forced entry.
  • Unoccupied secure areas should be locked and periodically alarmed.
  • A risk assessment should determine which specific rooms require higher levels of protection.

How do you secure a server room for ISO 27001 compliance?

Securing a server room requires a multi-layered approach combining physical access controls, environmental monitoring, and restricted visibility.

  • Install biometric or high-security electronic access control systems.
  • Ensure the room is windowless or uses reinforced glass and privacy film.
  • Implement fire suppression and water leak detection systems.
  • Maintain an access log to track every entry and exit.

What are the requirements for physical site signage?

ISO 27001 recommends that secure areas are not overtly identified with prominent signage that could attract unauthorised attention or malicious intent.

  • Internal directories should avoid specific labels like “Central Server Hub.”
  • Signage should be discreet and only provide necessary information for authorised staff.
  • Danger or hazard signs (e.g., fire risks) should be placed as required by law but not used to signal data locations.

Should visitors be supervised in secure rooms?

Yes, all visitors and unvetted third-party contractors must be supervised at all times when working within or moving through secure areas.

  • Record visitor entry and exit times in a formal register.
  • Issue temporary badges that are visually distinct from staff IDs.
  • Ensure visitors do not have access to keys or entry codes.
  • Escort guests to ensure they do not view sensitive “clear desk” information.

What does an auditor look for in office security?

Auditors look for verifiable evidence that physical perimeters are effective, including logs, maintenance records, and visible adherence to security policies.

  • Verification of locked doors and functional badge readers during a site tour.
  • Records of periodic testing for alarms and physical sensors.
  • Evidence that only specific IAM roles have physical access to critical infrastructure.
  • Checks for “tailgating” awareness among employees.

ISO 27001 Annex A 7.6 Working In Secure Areas

ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats

Further Reading

ISO 27001 Physical Asset Register Beginner’s Guide

ISO 27001 Physical Security Controls When You Have No Office

ISO 27001 Annex A 7.3 Attribute Table

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Protect | Physical security, Asset Management | Protection |
Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
