4. Access Token Issuance and Control Validated

Verification Criteria: Physical access tokens (e.g. smart cards, keys) are only issued based on the principle of least privilege and are tracked in a centralised inventory. Required Evidence: Master Key/Token Register cross-referenced against active employee and contractor lists.

5. Immediate Revocation of Physical Access Verified

Verification Criteria: Access rights and tokens are deactivated or collected immediately upon termination of employment or change in role. Required Evidence: HR leavers log cross-referenced against the access control system's "Deactivation" timestamps for the last 5 leavers.

6. Secure Area Tailgating Controls Confirmed

Verification Criteria: Technical or organisational measures are in place to prevent "tailgating" (unauthorised entry by following an authorised person) at high-security points. Required Evidence: Visual verification of turnstiles, man-traps, or security guard observation points at primary entrances.

7. Visitor Escorting Protocols Validated

Verification Criteria: Visitors are required to be escorted at all times within secure areas and are prohibited from unmonitored wandering. Required Evidence: Documented visitor procedure and observational confirmation of visitor/host proximity during the site tour.

8. Delivery and Loading Bay Segregation Verified

Verification Criteria: Delivery areas and loading bays are designed to prevent unauthorised access to the rest of the building by delivery personnel. Required Evidence: Physical inspection of the loading bay showing isolation from internal office corridors; access control on internal-facing doors.

9. Secondary Authentication for High-Security Rooms Confirmed

Verification Criteria: Entry to high-security rooms (e.g. server rooms or archive stores) requires a secondary level of authentication beyond the main building badge. Required Evidence: Access control system configuration report showing "Two-factor" or "Distinct Group" access for specific high-risk zones.

10. Physical Access Rights Periodically Audited

Verification Criteria: Management performs a periodic review of physical access rights to ensure that only current, authorised personnel retain entry permissions. Required Evidence: Minutes from the most recent "Access Rights Review" meeting or a signed system report confirming the audit.

ISO 27001 Annex A 7.2 Audit Checklist [+ Templates]

Q: 1. Physical Access Policy Formalised and Approved

Verification Criteria: A documented policy exists defining the authorisation levels and entry requirements for different physical zones (e.g. public, office, and high-security areas). Required Evidence: Formally approved Physical Security Policy with version history and management sign-off.

Q: 2. Visitor Logging Integrity Verified

Verification Criteria: All visitors are recorded in a log containing date, time of entry/exit, name, organisation, and the identity of the host. Required Evidence: Physical or electronic visitor register showing complete entries for the previous 90-day period.

Q: 3. Physical Identification and Badge Usage Confirmed

Verification Criteria: All personnel, contractors, and visitors are required to wear visible identification badges that distinguish between different access categories. Required Evidence: On-site visual verification of staff and visitors wearing badges; badge issuance procedure documentation.

In this ultimate how to audit guide to ISO 27001 Annex A 7.2 Physical Entry Controls, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.2 Physical Entry Controls Audit Checklist

ISO 27001 Annex A 7.2 Physical Entry Controls Audit Checklist

Auditing ISO 27001 Annex A 7.2 Physical Entry Controls is a rigorous technical assessment of the mechanisms securing physical perimeters and high-security zones. The Primary Implementation Requirement is the enforcement of authenticated, logged entry points, providing the Business Benefit of mitigating unauthorized access risks and ensuring site-wide accountability.

This technical verification tool is designed for lead auditors to establish the integrity of physical access points to secure areas. Use this checklist to validate compliance with ISO 27001 Annex A 7.2 (Physical entry controls) by verifying that access to buildings and rooms is restricted to authorised personnel.

1. Physical Access Policy Formalised and Approved

Verification Criteria: A documented policy exists defining the authorisation levels and entry requirements for different physical zones (e.g. public, office, and high-security areas).

Required Evidence: Formally approved Physical Security Policy with version history and management sign-off.

Pass/Fail Test: If the organisation relies on verbal agreements rather than a documented policy for determining who can enter secure zones, mark as Non-Compliant.

2. Visitor Logging Integrity Verified

Verification Criteria: All visitors are recorded in a log containing date, time of entry/exit, name, organisation, and the identity of the host.

Required Evidence: Physical or electronic visitor register showing complete entries for the previous 90-day period.

Pass/Fail Test: If visitor logs contain significant gaps, missing exit times, or illegible entries, mark as Non-Compliant.

3. Physical Identification and Badge Usage Confirmed

Verification Criteria: All personnel, contractors, and visitors are required to wear visible identification badges that distinguish between different access categories.

Required Evidence: On-site visual verification of staff and visitors wearing badges; badge issuance procedure documentation.

Pass/Fail Test: If personnel are observed inside secure perimeters without visible ID badges, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

ISO 27001 Annex A 7.2 Physical Entry Controls Audit Checklist

1. Physical Access Policy Formalised and Approved

2. Visitor Logging Integrity Verified

3. Physical Identification and Badge Usage Confirmed