Auditing ISO 27001 Annex A 7.2 (Physical entry) is a technical assessment of the mechanisms that secure physical perimeters and high-security zones. The core implementation requirement is that every entry point to a secure area is authenticated and logged; the business benefit is a lower risk of unauthorised physical access and site-wide accountability for who entered which area, and when.
ISO 27001 Annex A 7.2 Physical Entry Controls Audit Checklist
This verification checklist is intended for lead auditors establishing the integrity of physical access points to secure areas. Use it to validate compliance with ISO/IEC 27001:2022 Annex A 7.2, Physical entry (A.11.1.2, Physical entry controls, in the 2013 edition), by verifying that access to buildings and rooms is restricted to authorised personnel and that each control is enforced in practice, not merely documented.
1. Physical Access Policy Formalised and Approved
Verification Criteria: A documented policy exists defining the authorisation levels and entry requirements for different physical zones (e.g. public, office, and high-security areas).
Required Evidence: Formally approved Physical Security Policy with version history and management sign-off.
Pass/Fail Test: If the organisation relies on verbal agreements rather than a documented policy for determining who can enter secure zones, mark as Non-Compliant.
2. Visitor Logging Integrity Verified
Verification Criteria: All visitors are recorded in a log containing date, time of entry/exit, name, organisation, and the identity of the host.
Required Evidence: Physical or electronic visitor register showing complete entries for the previous 90-day period.
Pass/Fail Test: If visitor logs contain significant gaps, missing exit times, or illegible entries, mark as Non-Compliant.
3. Physical Identification and Badge Usage Confirmed
Verification Criteria: All personnel, contractors, and visitors are required to wear visible identification badges that distinguish between different access categories.
Required Evidence: On-site visual verification of staff and visitors wearing badges; badge issuance procedure documentation.
Pass/Fail Test: If personnel are observed inside secure perimeters without visible ID badges, mark as Non-Compliant.
4. Access Token Issuance and Control Validated
Verification Criteria: Physical access tokens (e.g. smart cards, keys) are only issued based on the principle of least privilege and are tracked in a centralised inventory.
Required Evidence: Master Key/Token Register cross-referenced against the current employee and contractor lists, plus the access control system's export of active cards.
Pass/Fail Test: If active cards or keys cannot each be mapped to a named, currently authorised person (for example, more active cards than current authorised personnel, or cards assigned to generic holders such as "Security" or "Building Management") without documented justification, mark as Non-Compliant.
5. Immediate Revocation of Physical Access Verified
Verification Criteria: Access rights and tokens are deactivated or collected immediately upon termination of employment or change in role.
Required Evidence: HR leavers log cross-referenced against the access control system's deactivation timestamps for a sample of recent leavers (at least the last 5).
Pass/Fail Test: If a terminated employee's badge remains active in the physical access system for more than 24 hours after the HR-recorded termination time, or shows any use after that time, mark as Non-Compliant.
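Items 4 and 5 both reduce to reconciling exports: the HR leavers log and the current authorised-personnel list against the access control system's card export. The script below is an added worked example of that reconciliation, not part of the original checklist or of any vendor's product. The CSV columns, the sample records and the 90-day dormancy threshold are assumptions constructed for illustration; real PACS exports will need their own column mapping. It goes slightly beyond the checklist's count-based test in item 4 by mapping every active card to a named, authorised holder and flagging cards with no named holder, and it also reports any use of a leaver's card after the termination time.

```python
"""Reconcile HR leavers and an authorised-personnel list against a physical access
control system (PACS) card export (checklist items 4 and 5).

All data and column names below are constructed assumptions for illustration;
they are not the export format of any particular PACS or HR product."""
import csv
import io
from datetime import datetime, timedelta

REVOCATION_SLA = timedelta(hours=24)   # item 5: deactivate within 24 h of termination
DORMANT_AFTER = timedelta(days=90)     # assumed threshold for "issued but never used" review
AUDIT_TIME = datetime(2024, 3, 8, 9, 0)  # assumed time the audit export was taken

# Constructed HR leavers export (assumed columns).
HR_LEAVERS_CSV = """employee_id,name,termination_at
E1001,Alice Example,2024-03-01T17:00:00
E1002,Bob Example,2024-03-04T12:00:00
E1003,Carol Example,2024-03-05T09:00:00
"""

# Constructed list of currently authorised personnel (employees and contractors).
AUTHORISED_CSV = """person_id,name
E2001,Dan Example
C3001,Eve Contractor
"""

# Constructed PACS card export (assumed columns). Empty deactivated_at = still active.
PACS_CARDS_CSV = """card_id,holder_id,holder_name,status,deactivated_at,last_used_at
C-1,E1001,Alice Example,inactive,2024-03-01T17:30:00,2024-03-01T16:45:00
C-2,E1002,Bob Example,inactive,2024-03-06T09:00:00,2024-03-05T08:10:00
C-3,E1003,Carol Example,active,,2024-03-07T08:02:00
C-4,E2001,Dan Example,active,,2024-03-07T08:30:00
C-5,C3001,Eve Contractor,active,,2024-03-06T10:00:00
C-6,,Building Management,active,,2024-03-07T06:00:00
C-7,E9999,Former Temp,active,,2023-11-02T12:00:00
"""


def _rows(text):
    """Parse an inline CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    """Parse an ISO-8601 timestamp; an empty field means 'no value'."""
    return datetime.fromisoformat(value) if value else None


def check_revocation(leavers, cards, now):
    """Item 5: each leaver's cards must be deactivated within REVOCATION_SLA of the
    HR termination time and must show no use after that time.
    Returns (card_id, finding, lag) tuples."""
    by_holder = {}
    for card in cards:
        by_holder.setdefault(card["holder_id"], []).append(card)
    findings = []
    for leaver in leavers:
        term = _ts(leaver["termination_at"])
        for card in by_holder.get(leaver["employee_id"], []):
            deactivated = _ts(card["deactivated_at"])
            if deactivated is None:
                findings.append((card["card_id"], "still_active", now - term))
            elif deactivated - term > REVOCATION_SLA:
                findings.append((card["card_id"], "revocation_late", deactivated - term))
            last_used = _ts(card["last_used_at"])
            if last_used and last_used > term:
                findings.append((card["card_id"], "used_after_termination", last_used - term))
    return findings


def check_active_cards(cards, authorised, leavers, now):
    """Item 4: every active card must map to a named, currently authorised person.
    Leavers are skipped here because check_revocation already reports them.
    Returns (card_id, finding) tuples."""
    authorised_ids = {p["person_id"] for p in authorised}
    leaver_ids = {l["employee_id"] for l in leavers}
    findings = []
    for card in cards:
        if card["status"] != "active" or card["holder_id"] in leaver_ids:
            continue
        if not card["holder_id"]:
            # Generic or shared holders ("Building Management", "Security") open doors
            # but are invisible to a count against the personnel list.
            findings.append((card["card_id"], "unassigned_or_generic"))
        elif card["holder_id"] not in authorised_ids:
            findings.append((card["card_id"], "holder_not_authorised"))
        last_used = _ts(card["last_used_at"])
        if last_used is None or now - last_used > DORMANT_AFTER:
            findings.append((card["card_id"], "dormant"))
    return findings


def run_audit(now=AUDIT_TIME):
    """Run both reconciliations over the embedded sample exports."""
    leavers = _rows(HR_LEAVERS_CSV)
    authorised = _rows(AUTHORISED_CSV)
    cards = _rows(PACS_CARDS_CSV)
    return {
        "revocation": check_revocation(leavers, cards, now),
        "active_cards": check_active_cards(cards, authorised, leavers, now),
    }


if __name__ == "__main__":
    for area, items in run_audit().items():
        for item in items:
            print(area, *item)
```

On the sample data the script reports Bob's card as deactivated 45 hours after termination and used the day after he left, Carol's card as still active and used two days after her termination, one active card with no named holder ("Building Management"), and one active card whose holder is not on the authorised list and which has not been used for over 90 days. The last two are exactly the cards a simple count of active cards against headcount would miss, which is why the per-card mapping is the stronger test.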
6. Secure Area Tailgating Controls Confirmed
Verification Criteria: Technical or organisational measures are in place to prevent “tailgating” (unauthorised entry by following an authorised person) at high-security points.
Required Evidence: Visual verification of turnstiles, mantraps (interlocking double doors), or security guard observation points at primary entrances, and anti-passback or multiple-entry alerting in the access control system where fitted.
Pass/Fail Test: If an auditor, in an agreed and authorised test, can tailgate an employee into a secure office area without being challenged by staff or blocked by hardware, mark as Non-Compliant.
7. Visitor Escorting Protocols Validated
Verification Criteria: Visitors are required to be escorted at all times within secure areas and are prohibited from unmonitored wandering.
Required Evidence: Documented visitor procedure and observational confirmation of visitor/host proximity during the site tour.
Pass/Fail Test: If a visitor is found unescorted in a secure office zone or server room, mark as Non-Compliant.
8. Delivery and Loading Bay Segregation Verified
Verification Criteria: Delivery areas and loading bays are designed to prevent unauthorised access to the rest of the building by delivery personnel.
Required Evidence: Physical inspection of the loading bay showing isolation from internal office corridors; access control on internal-facing doors.
Pass/Fail Test: If a delivery driver can walk from the loading dock directly into an internal server room or office area, mark as Non-Compliant.
9. Secondary Authentication for High-Security Rooms Confirmed
Verification Criteria: Entry to high-security rooms (e.g. server rooms or archive stores) requires a secondary level of authentication beyond the main building badge.
Required Evidence: Access control system configuration report (not a policy statement) showing a distinct access group or a second factor (PIN or biometric) for the specific high-risk zones, together with the list of badges in that group.
Pass/Fail Test: If a general office badge grants unrestricted access to the primary server room, mark as Non-Compliant.
10. Physical Access Rights Periodically Audited
Verification Criteria: Management performs a periodic review of physical access rights to ensure that only current, authorised personnel retain entry permissions.
Required Evidence: Minutes from the most recent "Access Rights Review" meeting or a signed system report confirming the review, including any rights removed as a result.
Pass/Fail Test: If there is no evidence of a formal physical access review being conducted in the last 12 months, mark as Non-Compliant.
| Control Requirement | The “Checkbox Compliance” Trap | The Reality Check |
|---|---|---|
| Access Authorisation | GRC tool identifies that an “Access Matrix” PDF exists in the repository. | Auditors must perform a live “Badge Test” to see if the matrix is actually enforced at the door. |
| Visitor Monitoring | Tool shows a digital visitor management app is “Integrated.” | Verify if the app is actually used. Many organisations bypass the app for “VIPs” or frequent contractors. |
| Token Management | Platform syncs with HR and assumes all badges are collected. | Check the physical “Key Box.” Unused physical keys are often left in drawers or unmonitored cupboards. |
| Tailgating Prevention | Tool marks "Compliant" because a policy forbids tailgating. | Policies don't stop physics. Verify turnstiles or interlocks, or anti-passback and multiple-entry alerts in the access control system. |
| Revocation Timeliness | SaaS tool shows "User Disabled" in Active Directory. | Physical locks are often not integrated with the directory. Verify leaver deactivation directly in the standalone access control system and in any offline or mechanical locks. |
| Zone Segregation | GRC tool identifies “Server Room” as an asset. | Inspect the ceiling. Are there gaps above the partition walls that allow entry from adjacent rooms? |
| Audit Trail | Tool generates an automated "Physical Access Report." | Look for cards not assigned to a named individual. Generic holders such as "Building Management" or "Security" are often omitted from automated reports yet open the same doors. |