ISO 27001:2022 Annex A 7.1 Physical security perimeters

ISO 27001 Annex A 7.1 Physical security perimeter

In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.1 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.1 Physical Security Perimeters

ISO 27001 Annex A 7.1 requires organizations to establish physical security perimeters to prevent unauthorised physical access, damage, and interference to the organization’s information and assets. It is a foundational “preventive” control that treats your office or data centre like a series of concentric circles, each layer providing a higher level of protection. The goal is to ensure that even if one layer is breached, multiple others remain to protect your most sensitive data.

Core requirements for compliance include:

  • Layered Defense: You must implement multiple “rings” of security. This typically starts at the site perimeter (fences/gates) and moves inward to the building shell (locks/reception) and finally to high-security zones (biometric server rooms).
  • Physical Hardening: Perimeters must be physically robust. This includes ensuring walls are of solid construction, windows are locked or reinforced, and ceilings/floors cannot be bypassed.
  • Controlled Access Points: All entry and exit points must be secured. This includes not just the front door, but also delivery bays, fire exits, and roof hatches.
  • Topic-Specific Policy: You must document your approach in a Physical and Environmental Security Policy that defines your security zones and the rules for each.
  • Safety & Compliance: Physical security must always align with local Health and Safety laws. For example, fire doors must be secure from the outside but allow for an emergency exit from the inside.

Audit Focus: Auditors will look for “The Perimeter Proof”:

  1. The Walk-Through: They will walk around your facility to look for “weak links”, like a propped-open fire door or a server rack located next to an unshielded ground-floor window.
  2. Access Logs: “Show me the log of who entered the building after 6 PM last Friday.”
  3. The Sub-Zone Test: They will check if your “Restricted Zones” (like the IT room) have a higher level of authentication than your “Public Zones” (like the lobby).

The 4 Layers of Physical Security (Audit Cheat Sheet):

| Security Layer | Technical Definition | Common Control Measure | ISO 27001:2022 Control |
|---|---|---|---|
| 1. Site Perimeter | The outer property boundary. | Fencing, Gates, Bollards, or Signage. | 7.1 (Physical Perimeters) |
| 2. Building Shell | The external walls and doors. | Receptionist, Turnstiles, or Badge Readers. | 7.2 (Physical Entry) |
| 3. Secure Zone | Internal staff-only areas. | Locked office doors or keycard access. | 7.3 (Securing Offices) |
| 4. High Security | Sensitive assets (e.g., Server Room). | Biometric Scanners, PIN Pads, and Alarms. | 7.3 (Securing Rooms) |

What is ISO 27001 Annex A 7.1?

The focus of this ISO 27001 control is your physical security perimeter. Like the other ISO 27001 physical controls, it is about stopping people you do not want on the premises from gaining entry.

ISO 27001 Annex A 7.1 Physical Security Perimeters is an ISO 27001 control that requires an organisation to have a physical security perimeter to protect offices and processing facilities.

ISO 27001 Annex A 7.1 Purpose

The purpose of Annex A 7.1 is to ensure physical security is in place to stop people you don’t want to allow from gaining physical access to property and assets.

ISO 27001 Annex A 7.1 Definition

The ISO 27001 standard defines Annex A 7.1 as:

To prevent unauthorised physical access, damage and interference to the organisation’s information and other associated assets.


ISO 27001 Annex A 7.1 Free Training Video

In the video ISO 27001 Physical Security Perimeters Explained – ISO27001:2022 Annex A 7.1 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.1 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.1 Physical Security Perimeters, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.1 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.1 Physical Security Perimeters. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 7.1 Implementation Guide

General Guidance

You are going to have to

  • define your physical security requirements based on business need and risk
  • implement a topic specific Physical and Environmental Security Policy
  • have a physical security perimeter for any physical location that processes information
  • ensure the floor, walls, ceiling and external roof are of solid construction
  • have external doors that have locks
  • have alarms and monitors
  • have an intruder response process
  • meet all laws and regulations, including those for fire and for health and safety

Health and Safety

Your number one priority is to meet the requirements of law and regulation. Be sure to engage with a legal professional to understand what you can and cannot do and to check that you are not breaking any laws. The most significant laws are those around health and safety, as the protection of human life and wellbeing is always our number one priority. There are common things that should be considered, such as fire suppression, fire doors, fire alarms and doors that fail open. Whilst we want to protect buildings and information, our absolute priority is to protect people.

Define physical security requirements

The standard is vague: it refers to information processing facilities, which implies data centres and offices, but you will find that home working / remote working is often covered by the auditor for this clause. Either way, you start by defining your requirements. These are based on the needs of the business and the risks that you are managing. As a starting point there are basics such as having locks on doors, but you can assess the strength of those locks and whether additional controls such as biometrics or gates are required. Do what is right for you. Consider the environment around the location and the threats that may be posed, and be sensible in addressing them.

Topic specific physical and environmental security policy

To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.

Alarms and Monitors

When looking at alarms and monitors you are looking at a preventive control that alerts you when something has occurred. We all know what alarms are, and getting alarms fitted is a very good idea. You want to define your response process and make sure the contact list of who is informed is up to date. Who is getting that call at 2am and what are they going to do when they get it?

CCTV

You can consider the use of CCTV, but be aware that it comes with additional overheads under data protection law such as GDPR. You should seek legal advice before installing CCTV and be sure to do it in a compliant way if it is something you do want to do. There are considerations such as how, for how long, where and in what format you store the recordings; then how you get access to them, who can get access to them and how you destroy them. It is not as simple as just banging up a Ring camera.

Secure Areas

The standard gives the guidance that a secure area can be an office that is locked or some internal area that has an internal security barrier. It takes into account that your physical locations may be internally subdivided based on protection requirements. Usually this is implemented when you have a file room, an archive room, or a room where you store old IT equipment. On-premises data centres and data rooms fall into this category as well, but in this day and age they are few and far between, with most people adopting a cloud-based strategy.

ISO 27001 Templates

ISO 27001 templates have the advantage of being a massive boost that can save time and money, so before we get into the implementation guide we consider these pre-written templates that will skyrocket your implementation. For Annex A 7.1 you need a topic-specific Physical and Environmental Security Policy Template. In addition, you could save months of effort with the ISO 27001 toolkit, which takes 25 years of experience and distils it into a pack of pre-written best practice so you can DIY your ISO 27001 certification. Not interested in ISO 27001 templates? Then you can skip to the next section.

How to implement ISO 27001 Annex A 7.1

Implementing ISO 27001 Annex A 7.1 requires a multi-layered approach to physical security, establishing clear boundaries between public areas and restricted information processing facilities. This technical workflow details the actions required to harden your physical perimeter and ensure compliance with international security standards.

1. Conduct a Physical Site Risk Assessment

Perform a comprehensive survey of the facility to identify all potential entry points, structural weaknesses, and high-sensitivity zones.

  • Identify critical assets and map them to specific physical zones.
  • Evaluate the structural integrity of external walls, windows, and roof access points.
  • Document the “First Line of Defence” requirements based on the value of the information stored within.
  • Establish a baseline for required physical barriers and authentication technology.

2. Formalise the Physical Security Perimeter Policy

Develop a documented framework that defines the rules for establishing and maintaining physical boundaries across the organisation.

  • Define the criteria for “Secure Areas” and the specific controls required for each level of sensitivity.
  • Assign formal ownership for each physical zone to a designated asset owner.
  • Specify the construction standards required, such as slab-to-slab walls for high-security rooms.
  • Ensure the policy includes requirements for external perimeters, such as fencing or manned reception desks.

3. Provision Structural Barriers and Secure Enclosures

Install physical hardware and architectural controls to create a continuous and resilient barrier against unauthorised entry.

  • Erect slab-to-slab partitions for server rooms to prevent bypass via false ceilings or floor voids.
  • Fit all perimeter doors with industrial-grade locks and automatic closing mechanisms.
  • Apply security film or reinforced glass to ground-floor windows and accessible entry points.
  • Install anti-ram bollards or perimeter fencing where external vehicle threats are identified.

4. Implement Technical Access Controls and Monitoring

Deploy electronic systems to verify identities and monitor the integrity of the defined perimeters in real-time.

  • Provision Physical Access Control Systems (PACS) using encrypted fobs or biometric authentication.
  • Install High-Definition CCTV at all perimeter boundaries with motion-triggered recording.
  • Integrate intrusion detection sensors (IDS) that alert a 24/7 Monitoring Centre upon breach.
  • Configure automated health alerts for all surveillance hardware to detect tampering or failure.

5. Execute Regular Compliance Audits and Maintenance

Perform periodic reviews of physical perimeters to ensure they remain effective and that all technical controls are functional.

  • Conduct quarterly “floor walks” to verify that fire exits are not propped open and barriers are intact.
  • Review Physical Access Control logs monthly to identify anomalous entry patterns.
  • Document all maintenance activities for locks, cameras, and sensors in a formal logbook.
  • Revoke physical access rights immediately upon a change in staff role or termination of employment.
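The log review in step 5, the “Show me the log of who entered the building after 6 PM last Friday” question and the Sub-Zone Test from the audit focus list above can all be answered from one pass over a Physical Access Control System export. The script below is an added example, not code from this page or from the High Table toolkit; the CSV export format, badge register, zone levels and business hours are all constructed assumptions, and a real PACS export will need its own parser.

```python
"""Monthly review of Physical Access Control System (PACS) logs.

Added example, not from the page or the High Table toolkit. The log
format, badge register, zone levels and business hours are constructed
for illustration; adapt parse_log() to your own PACS export.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# Constructed zone levels following the four-layer model: a higher number
# means a stronger barrier and a higher clearance needed to enter.
ZONE_LEVELS: Dict[str, int] = {"LOBBY": 1, "OFFICE": 3, "SERVER_ROOM": 4}

# Constructed badge register (in practice exported from HR or the PACS).
# "active" is False once a leaver's badge should have been revoked.
BADGE_REGISTER: Dict[str, dict] = {
    "B1001": {"holder": "a.smith", "clearance": 4, "active": True},
    "B1002": {"holder": "j.doe", "clearance": 3, "active": True},
    "B1003": {"holder": "p.jones", "clearance": 3, "active": False},
}

# Constructed PACS export, one event per line: ISO timestamp,badge,zone,result
SAMPLE_LOG = """\
2024-05-10T08:55:02,B1001,LOBBY,GRANTED
2024-05-10T09:01:17,B1002,OFFICE,GRANTED
2024-05-10T18:42:09,B1002,OFFICE,GRANTED
2024-05-10T18:50:33,B1002,SERVER_ROOM,GRANTED
2024-05-10T23:05:44,B1003,LOBBY,GRANTED
2024-05-10T23:06:10,B9999,SERVER_ROOM,DENIED
"""

BUSINESS_HOURS = (time(7, 0), time(18, 0))  # assumed working day


@dataclass
class AccessEvent:
    ts: datetime
    badge: str
    zone: str
    granted: bool


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed CSV export into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, zone, result = line.strip().split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), badge, zone,
                                  result == "GRANTED"))
    return events


def review(events: List[AccessEvent], register=BADGE_REGISTER,
           zone_levels=ZONE_LEVELS, hours=BUSINESS_HOURS) -> List[dict]:
    """Flag the entry patterns an auditor asks about.

    Each finding is a dict with an 'issue' key so the list can be counted,
    filed as evidence of the monthly review, or fed into incident handling.
    """
    start, end = hours
    findings: List[dict] = []

    def flag(issue: str, e: AccessEvent) -> None:
        findings.append({"issue": issue, "badge": e.badge, "zone": e.zone,
                         "time": e.ts.isoformat()})

    for e in events:
        if not e.granted:
            # A refused attempt on a controlled door is worth a look on its own.
            flag("denied_attempt", e)
            continue
        rec = register.get(e.badge)
        if rec is None:
            flag("unknown_badge", e)          # badge not in the register at all
        elif not rec["active"]:
            flag("inactive_badge", e)         # a leaver's badge still opens doors
        elif rec["clearance"] < zone_levels.get(e.zone, 0):
            flag("clearance_below_zone", e)   # the sub-zone test failed
        if not (start <= e.ts.time() < end):
            flag("after_hours", e)
    return findings


def entries_after(events: List[AccessEvent], cutoff_iso: str,
                  register=BADGE_REGISTER):
    """Answer "who entered after <cutoff>?" as (badge, holder, zone, HH:MM)."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    return [(e.badge, register.get(e.badge, {}).get("holder", "UNKNOWN"),
             e.zone, e.ts.strftime("%H:%M"))
            for e in events if e.granted and e.ts >= cutoff]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in review(evs):
        print(finding)
    print(Counter(f["issue"] for f in review(evs)))
    print(entries_after(evs, "2024-05-10T18:00:00"))
```

Run against the constructed log, the review flags the leaver’s badge still opening the lobby at 23:05, a badge with office-level clearance being granted into the server room, three after-hours entries and one refused attempt at the server room door; each is exactly the kind of “weak link” the walk-through and log questions are designed to surface. Keeping the flagged list with the month’s review ticket is the evidence an auditor will ask for under step 5.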

Perimeter Layers Table

| Layer | Definition | Control Example |
|---|---|---|
| Layer 1: Site Perimeter | The outer boundary of the property. | Fence / Gate / Bollards. |
| Layer 2: Building Shell | The walls/doors of the office. | Turnstile / Reception / Card Reader. |
| Layer 3: Secure Zone | Internal working areas. | Pass Card on Office Door. |
| Layer 4: High Security | Sensitive assets (Server Room). | Biometric Scanner / PIN Pad. |

How to pass the ISO 27001 Annex A 7.1 audit

To comply with ISO 27001 Annex A 7.1 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

  • Define your external physical perimeter requirements
  • Define your internal sub zone physical perimeter requirements
  • Consult with a legal professional to ensure you are meeting legal and regulatory requirements
  • Implement your physical security perimeters
  • Write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy
  • Write, sign off, implement and communicate your perimeter incident response procedures
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

To pass an audit of ISO 27001 Annex A 7.1 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let’s go through them.

1. That you have a physical security perimeter

One of the easier things for an auditor to check is the physical security perimeter as it is usually the first thing they will encounter when they come to audit you if you have a physical location. For all the physical locations in scope they are going to visit and check.

2. The strength of the physical security perimeter

They have been doing this a long time and have done many audits, so they know what to look for. They will test the controls and see what happens. They will try to open doors, open cupboards and gain access to areas they should not.

3. Documentation

They are going to look at audit trails and all your documentation. They will look at appropriate access reviews, logs of monitors and reports, incidents and how you managed them.

Top 3 ISO 27001 Annex A 7.1 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 7.1 are

1. Your physical security perimeter is turned off

What do I mean by turned off? In simple terms it means that you have a lockable door that should be locked and it is not locked. You have a fire door that should be closed and locked but you have propped it open because it is a hot day.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have. Have access reviews taken place? Who gets informed about the alarm, and do they still work here?

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months and having no leftover comments in documents are all good practices.

Applicability of ISO 27001 Annex A 7.1 across different business models.

Small Businesses

Applicability: Applies if the business has a physical office or small retail space. The focus is on basic boundaries to prevent unauthorized persons from entering private areas where client data or hardware is stored.

Examples of control implementation:

  • Ensuring all external office doors have high-quality deadbolts and are locked when the office is unoccupied.
  • Using a simple “Staff Only” sign on the door leading from the reception area to the private office space.
  • Conducting a visual check at the end of each day to ensure all windows are closed and latched.

Tech Startups

Applicability: Critical for startups with on-site development labs or server rooms. Compliance involves establishing a tiered perimeter strategy to protect proprietary hardware and high-value prototypes.

Examples of control implementation:

  • Implementing a “Building Shell” perimeter using RFID badge readers for all employee entry points.
  • Ensuring that internal walls for the server room or hardware lab extend from the floor to the actual ceiling slab to prevent overhead bypass.
  • Installing an alarm system with motion sensors that cover the primary office perimeter and send alerts to the IT lead’s mobile device.

AI Companies

Applicability: Vital for protecting on-premise GPU clusters and high-value research assets. Focus is on high-security perimeters and multi-layered physical defense-in-depth.

Examples of control implementation:

  • Establishing a “Site Perimeter” with gated entry and bollards to protect against unauthorized vehicle approach.
  • Using biometric scanners (fingerprint or iris) for the final “High Security” perimeter surrounding the main model training cluster.
  • Implementing 24/7 CCTV monitoring of the entire building perimeter with real-time motion-triggered alerts sent to a security operations center (SOC).

Fast Track ISO 27001 Annex A 7.1 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 7.1 (Physical security perimeters), the requirement is to prevent unauthorised physical access, damage, and interference to the organization’s information and assets. This is a purely physical security control that focuses on real-world boundaries like walls, gates, and locks.

| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your perimeter rules; if you cancel the subscription, your documented site standards and history vanish. | Permanent Assets: Fully editable Word/Excel Physical and Environmental Security Policies that you own forever. | A localized “Physical Security Policy” defining fence heights, lock specifications, and gate protocols. |
| Boundary Governance | Attempts to “automate” site security via dashboards that cannot physically build walls or secure a perimeter gate. | Governance-First: Formalizes facility management and real-world boundary protection into an auditor-ready framework. | A completed “Perimeter Layers Table” proving that multiple security boundaries are identified and maintained. |
| Cost Efficiency | Charges a “Physical Facility Tax” based on the number of sites, locations, or square footage monitored. | One-Off Fee: A single payment covers your governance documentation for one small office or a global network. | Allocating budget to actual physical protections (e.g., bollards or reinforced doors) rather than monthly software fees. |
| Strategic Freedom | Mandates rigid reporting structures that may not align with unique office layouts or specialized industrial environments. | 100% Agnostic: Procedures adapt to any environment (gated facilities, shared offices, or data centers) without limits. | The ability to evolve your facility strategy or move locations without reconfiguring a rigid SaaS compliance module. |

Summary: For Annex A 7.1, the auditor wants to see that you have a formal policy for physical perimeters and proof that you follow it (e.g., site walkthrough logs and defined security layers). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 7.1 FAQ

What is ISO 27001 Annex A 7.1?

ISO 27001 Annex A 7.1 is a physical security control that mandates the use of defined perimeters to protect areas containing sensitive information and information processing facilities.

  • It establishes clear physical boundaries between public and secure zones.
  • It requires the use of physical barriers like walls, card-controlled gates, and manned reception desks.
  • It prevents unauthorised physical access, damage, and interference to organisational assets.
  • It forms the “first line of defence” in an Integrated Security Management System.

What qualifies as a physical security perimeter?

A physical security perimeter is any continuous barrier that restricts access to a secure area, ranging from external building shells to internal partitions.

  • External perimeters: Building walls, perimeter fencing, and entry gates.
  • Internal perimeters: Locked server rooms, secure office suites, and communications cupboards.
  • Technological perimeters: Reception-controlled turnstiles and biometric access points.
  • Slab-to-slab construction: Walls extending from the true floor to the true ceiling to prevent overhead intrusion.

Does ISO 27001 require “slab-to-slab” construction?

Yes, for high-security areas, ISO 27001 recommends slab-to-slab construction to ensure perimeters cannot be bypassed via false ceilings or floor voids.

  • Prevents unauthorised entry through the space above suspended ceilings.
  • Increases the fire rating and acoustic privacy of secure rooms.
  • Ensures that the physical barrier is continuous and structurally sound.
  • Reduces the risk of eavesdropping and physical tampering with overhead cabling.

How do you define a perimeter for a home office?

A home office perimeter is defined by the physical boundaries that restrict unauthorised household members or visitors from accessing company hardware and data.

  • Ideally involves a separate room with a lockable door.
  • Requires secure storage (e.g., lockable cabinets) for sensitive physical documents.
  • Involves procedural controls to ensure screens are not visible to unauthorised persons.
  • Must be proportionate to the risk identified in the organisation’s remote working policy.

Is CCTV mandatory for a physical security perimeter?

No, CCTV is not strictly mandatory, but it is the industry-standard detective control used to monitor the integrity of physical perimeters.

  • CCTV provides a verifiable audit trail of entry and exit events.
  • It acts as a deterrent to opportunistic physical breaches.
  • Alarms and sensors are often used in conjunction with cameras for real-time alerting.
  • The requirement depends on the risk assessment of the specific site and asset value.

What is the difference between Annex A 7.1 and 7.2?

The primary difference is that Annex A 7.1 focuses on the physical barrier (the wall), while Annex A 7.2 focuses on the point of entry (the door).

  • Annex A 7.1 (Perimeters): Concentrates on the robustness and continuity of the barrier.
  • Annex A 7.2 (Physical Entry): Concentrates on authentication and authorisation at access points.
  • Both must work in tandem to create a secure environment.

Can a shared office space comply with Annex A 7.1?

Yes, organisations in shared spaces can comply by defining their specific “Secure Area” perimeter within the larger building structure.

  • Use of internal partitions and lockable doors to separate company space from other tenants.
  • Verification that the building’s main perimeter (reception/lobby) meets security standards.
  • Documenting shared responsibilities with the landlord in a formal agreement.
  • Implementation of additional internal controls for sensitive server or comms rooms.


Further Reading

ISO 27001 Physical Asset Register Beginner’s Guide

ISO 27001 controls and attribute values

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Protect | Physical_security | Protection |

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
