Auditing ISO 27001 Annex A 7.3 (Securing Offices, Rooms and Facilities) is a physical assessment of the integrity of internal workspaces and sensitive processing areas. The Primary Implementation Requirement is the establishment of secure perimeters and structural hardening; the Business Benefit is the protection of critical assets from unauthorised access.
ISO 27001 Annex A 7.3 Securing Offices, Rooms and Facilities Audit Checklist
This technical verification tool is designed for lead auditors to establish the physical integrity of internal workspaces and sensitive processing areas. Use this checklist to validate compliance with ISO 27001 Annex A 7.3.
1. Internal Secure Area Perimeters Formalised
Verification Criteria: Specific offices and rooms containing sensitive information or critical assets are clearly designated as secure areas with defined physical boundaries.
Required Evidence: Physical site maps or floor plans demarcating “Secure Zones” (e.g. Server Rooms, HR archives, Executive boardrooms).
Pass/Fail Test: If sensitive assets (e.g. production servers) are located in general-access open-plan offices without dedicated physical partitioning, mark as Non-Compliant.
2. Floor-to-Ceiling Structural Integrity Verified
Verification Criteria: Walls of secure rooms (especially server rooms) are constructed to the true ceiling or slab to prevent unauthorised entry via the plenum or false ceiling.
Required Evidence: Physical inspection above suspended ceiling tiles in secure rooms or technical architectural drawings.
Pass/Fail Test: If a gap exists between the top of the secure room wall and the structural slab that allows a person to climb over, mark as Non-Compliant.
3. Physical Access Control at Internal Boundaries Confirmed
Verification Criteria: Entry points to designated secure offices and rooms are protected by electronic access control or mechanical locks that are restricted to authorised personnel only.
Required Evidence: Physical sighting of badge readers or locks; Access Control List (ACL) export for specific sensitive rooms.
Pass/Fail Test: If a general office badge grants unrestricted access to the primary server room or high-sensitivity archive, mark as Non-Compliant.
4. Unattended Secure Area Locking Protocols Validated
Verification Criteria: Secure areas are locked when not in use or when personnel are not present to maintain the integrity of the perimeter.
Required Evidence: Physical verification of locked doors during non-operational hours or “Always Locked” door closer configurations.
Pass/Fail Test: If an internal secure room door is found propped open or the magnetic lock is disabled during the audit walkthrough, mark as Non-Compliant.
5. Fire and Emergency Exit Security Integrity Verified
Verification Criteria: Fire exits within secure perimeters are configured to allow emergency egress while preventing unauthorised ingress and triggering an alarm upon use.
Required Evidence: Physical inspection of one-way “push-bar” mechanisms and alarm logs showing “Door Forced” or “Emergency Open” event triggers.
Pass/Fail Test: If a fire exit in a secure room can be opened from the outside using a standard handle or if it lacks an audible alarm, mark as Non-Compliant.
6. Internal Intruder Detection System (IDS) Coverage Confirmed
Verification Criteria: Sensitive offices and rooms are fitted with motion sensors or contact switches integrated into a centrally monitored alarm system.
Required Evidence: Intruder alarm system configuration report or recent maintenance/test certificates for internal PIR sensors.
Pass/Fail Test: If the IDS is active for the external perimeter but bypassed for internal secure rooms like the server room, mark as Non-Compliant.
7. Visual Surveillance of Internal Secure Zones Validated
Verification Criteria: CCTV or other monitoring tools are positioned to provide clear visual coverage of entry/exit points for all high-security internal rooms.
Required Evidence: Review of live CCTV feeds and overlapping fields of view at secure room entrances; footage retention logs.
Pass/Fail Test: If “blind spots” exist at the entrance to the server room or if the camera resolution prevents facial identification, mark as Non-Compliant.
8. Environmental Control Redundancy and Monitoring Verified
Verification Criteria: Offices and facilities housing critical ICT equipment have environmental controls (AC, fire suppression) that are monitored for failure.
Required Evidence: Temperature/humidity log exports and fire suppression system service records (e.g. FM200 or Inergen).
Pass/Fail Test: If a server room lacks temperature alerting or uses standard water sprinklers instead of a gaseous suppression system, mark as Non-Compliant.
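Item 8 asks the auditor to confirm that environmental controls are "monitored for failure", and the temperature/humidity log export is the evidence. A log full of readings proves only that the sensor records; the auditor also needs to see that an over-threshold excursion produced an alert. The following script is an added example written for this checklist, not part of the original page or of any vendor product. It correlates a constructed temperature export with a constructed alert-platform export and reports every excursion for which no alert was sent within the permitted delay. The column layouts, the 27 °C threshold and the five-minute delay are assumptions to be replaced with the auditee's own values.

```python
from datetime import datetime, timedelta

# Constructed sample temperature export (not from any real BMS):
# ISO 8601 timestamp, reading in degrees Celsius.
TEMP_LOG = """2024-01-01T01:50:00,21.5
2024-01-01T02:00:00,22.0
2024-01-01T02:10:00,29.5
2024-01-01T02:20:00,31.0
2024-01-01T02:30:00,30.5
2024-01-01T02:40:00,24.0
2024-01-01T14:00:00,28.5
2024-01-01T14:10:00,23.0
"""

# Constructed sample alert-platform export (hypothetical layout):
# timestamp, alert type, zone, delivery status.
ALERT_LOG = """2024-01-01T14:03:00,High temperature,Server Room,sent
"""

HIGH_TEMP_C = 27.0                      # assumed alerting threshold
MAX_ALERT_DELAY = timedelta(minutes=5)  # assumed acceptable notification delay


def parse_readings(text):
    """Parse 'timestamp,value' lines into (datetime, float) pairs."""
    readings = []
    for line in text.strip().splitlines():
        ts, val = line.split(",")
        readings.append((datetime.fromisoformat(ts), float(val)))
    return readings


def parse_alerts(text):
    """Return send times of alerts whose delivery status is 'sent'."""
    sent = []
    for line in text.strip().splitlines():
        ts, _kind, _zone, status = line.split(",")
        if status == "sent":
            sent.append(datetime.fromisoformat(ts))
    return sent


def excursions(readings, threshold):
    """Group consecutive over-threshold readings; return each excursion's start time."""
    starts = []
    above = False
    for ts, val in readings:
        if val > threshold and not above:
            starts.append(ts)
            above = True
        elif val <= threshold:
            above = False
    return starts


def unalerted_excursions(readings, alerts, threshold, max_delay):
    """Excursion start times with no alert sent within max_delay of the start.

    Each entry is a Non-Compliant finding: the sensor saw the failure but
    nobody was told.
    """
    missed = []
    for start in excursions(readings, threshold):
        if not any(start <= a <= start + max_delay for a in alerts):
            missed.append(start)
    return missed


if __name__ == "__main__":
    readings = parse_readings(TEMP_LOG)
    alerts = parse_alerts(ALERT_LOG)
    for start in unalerted_excursions(readings, alerts, HIGH_TEMP_C, MAX_ALERT_DELAY):
        print("NON-COMPLIANT: excursion at", start.isoformat(), "produced no alert")
```

In the constructed data the daytime excursion was alerted within three minutes, but the overnight one was not, which is exactly the distinction between a sensor that logs and a control that is monitored.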
9. Restricted Access to Support Facilities Confirmed
Verification Criteria: Areas housing support utilities (UPS, generators, telecommunications racks) are secured to the same level as the primary secure offices.
Required Evidence: Physical inspection of utility rooms and verification that access is limited to authorised facilities personnel.
Pass/Fail Test: If the UPS or patch panels are located in a public-access basement or unmonitored cupboard, mark as Non-Compliant.
10. Secure Area Signage Deterrence Validated
Verification Criteria: Internal secure zones lack obvious external signage identifying the sensitive nature of the contents (to avoid attracting unauthorised attention).
Required Evidence: Physical verification of room labelling; presence of discreet “Authorised Personnel Only” signs instead of “Main Server Room.”
Pass/Fail Test: If a room is clearly labelled “Global Crypto Key Vault” or “Confidential HR Records,” attracting undue interest, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Secure Area Definition | GRC tool marks “Compliant” because a “Physical Security Policy” is uploaded. | The auditor must verify the site map. A policy is not a wall. Verify that high-risk areas are physically separated. |
| Access Control | SaaS tool records that “Smart Locks” are active. | Check the Authorization Matrix. Often, “Reception” badges have the same rights as “Admins” in the GRC tool’s logic. |
| Structural Integrity | Tool identifies “Concrete Building” as a construction type. | Look up. GRC tools cannot see if a server room has a 3-foot gap above the suspended ceiling tiles. |
| Environmental Safety | Platform logs a “Pass” for Fire Safety because an extinguisher is present. | Verify the Alerting. Does the temperature sensor actually trigger a remote alert at 2 AM, or just a local beep? |
| Unattended Areas | Tool assumes rooms are locked based on a “Maintenance Task” completion. | Perform a walkthrough. “Policies” don’t stop doors being propped open with fire extinguishers. |
| Visual Monitoring | SaaS tool confirms “CCTV is Online” via a ping. | Verify the Angle. A camera that’s “online” but pointed at the floor provides zero security value. |
| Support Utilities | Platform identifies “UPS” as a managed asset. | Verify Physical Access. Is the UPS in an unlocked basement where any tenant in the building can switch it off? |
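Item 3 requires an Access Control List export for each sensitive room, and the Access Control row above warns that "Reception" badges are often found holding the same rights as "Admins". The script below is an added example for this checklist, not code from the original page or from any badge system. It reads a constructed ACL export, compares every grant to a secure zone against an authorisation matrix of permitted roles, and lists each grant that a non-permitted role holds, so the auditor can cite the exact export row. The CSV columns, zone names and role names are assumptions standing in for the auditee's own export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample ACL export (not from any real badge system). The columns
# mirror a typical report: badge, holder, role, and the door the badge opens.
ACL_EXPORT = """badge_id,holder,role,door
1001,A. Example,IT Admin,Server Room
1002,B. Example,Reception,Main Entrance
1002,B. Example,Reception,Server Room
1003,C. Example,HR Manager,HR Archive
1004,D. Example,Facilities,UPS Room
1005,E. Example,All Staff,Open Plan Office
1005,E. Example,All Staff,HR Archive
"""

# Hypothetical authorisation matrix: roles permitted to hold access to each
# designated secure zone. Doors not listed here are treated as general access.
AUTHORISATION_MATRIX = {
    "Server Room": {"IT Admin"},
    "HR Archive": {"HR Manager"},
    "UPS Room": {"Facilities", "IT Admin"},
}


def parse_acl(export_text):
    """Parse the badge-system CSV export into a list of grant dicts."""
    return list(csv.DictReader(io.StringIO(export_text)))


def find_violations(grants, matrix):
    """Return grants to a secure zone held by a role the matrix does not permit.

    Each violation is a (badge_id, holder, role, door) tuple, i.e. one export
    row the auditor can record as Non-Compliant evidence.
    """
    violations = []
    for g in grants:
        permitted = matrix.get(g["door"])
        if permitted is None:
            continue  # door is not a designated secure zone
        if g["role"] not in permitted:
            violations.append((g["badge_id"], g["holder"], g["role"], g["door"]))
    return violations


def zone_holder_counts(grants, matrix):
    """Count distinct badges per secure zone.

    A head count far above the number of people who need the room is the
    usual sign that a general-office group was granted the door.
    """
    holders = defaultdict(set)
    for g in grants:
        if g["door"] in matrix:
            holders[g["door"]].add(g["badge_id"])
    return {door: len(badges) for door, badges in holders.items()}


if __name__ == "__main__":
    grants = parse_acl(ACL_EXPORT)
    for v in find_violations(grants, AUTHORISATION_MATRIX):
        print("NON-COMPLIANT grant:", v)
    print("badges per secure zone:", zone_holder_counts(grants, AUTHORISATION_MATRIX))
```

Run against a real export, the output is the list of rows to walk through with the facilities team; an empty list is a Pass only if the authorisation matrix itself was agreed with the asset owners rather than copied from the badge system's current state.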