ISO 27001 Annex A 7.5 Audit Checklist

Auditing what this page calls ISO 27001 Annex A 7.5 Physical Security of Working Areas is the systematic verification of internal workspace controls and restricted zones. Note that in the published ISO/IEC 27001:2022 Annex A, control 7.5 is titled "Protecting against physical and environmental threats"; the working-area, clear-desk and clear-screen requirements verified by this checklist are stated in controls 7.6 "Working in secure areas" and 7.7 "Clear desk and clear screen", so cross-reference the control numbers in your audit report accordingly. The primary implementation requirement is the clear delineation of security perimeters and clean desk adherence; the business benefit is the prevention of unauthorised information disclosure and physical tampering.

ISO 27001 Annex A 7.5 Physical Security of Working Areas Audit Checklist

This technical verification tool is designed for lead auditors to establish the security integrity of internal workspaces and sensitive processing zones. Use this checklist to validate compliance with ISO 27001 Annex A 7.5.

1. Working Area Security Policy Formalisation Verified

Verification Criteria: A documented policy exists that defines the security requirements for different types of working areas, including open-plan offices and restricted zones.

Required Evidence: Approved Physical Security Policy or Working Area Standard Operating Procedure (SOP).

Pass/Fail Test: If the organisation cannot produce a formal document defining the security rules for general vs. restricted working areas, mark as Non-Compliant.

2. Restricted Zone Designation and Delineation Confirmed

Verification Criteria: High-risk working areas (e.g. HR, Finance, or R&D) are clearly designated and physically separated from general-access areas.

Required Evidence: Physical site map showing “Restricted Zones” and visual confirmation of physical barriers (walls/locked doors).

Pass/Fail Test: If sensitive departments like HR or Finance are located in open-access areas without a secondary physical perimeter, mark as Non-Compliant.

3. “Clean Desk” Operational Adherence Validated

Verification Criteria: Working areas are free from sensitive paper documents and removable storage media when unattended.

Required Evidence: Physical inspection reports from “out-of-hours” security sweeps or photographic evidence of compliance.

Pass/Fail Test: If a physical walkthrough reveals sensitive PII or passwords on sticky notes in an unattended workspace, mark as Non-Compliant.

4. Working Area Visitor Escorting Verified

Verification Criteria: All visitors within secure working areas are escorted at all times to prevent unauthorised access to information on screens or desks.

Required Evidence: Visitor Management Procedure and observational verification of visitor tags/hosts during the audit.

Pass/Fail Test: If a visitor is found unescorted within a restricted working zone (e.g. the development floor), mark as Non-Compliant.

5. Working Area Surveillance Monitoring Confirmed

Verification Criteria: Restricted working areas are monitored via CCTV or alarm sensors to detect and record unauthorised entry during non-business hours.

Required Evidence: CCTV coverage map with NVR (Network Video Recorder) retention settings, and intruder alarm panel event logs (arm/disarm and activation events) for the sensors covering restricted zones.

Pass/Fail Test: If a designated high-risk working area has neither 24/7 CCTV coverage nor an active intruder alarm, mark as Non-Compliant.

6. Privacy Screen Implementation for Sensitive Areas Verified

Verification Criteria: Monitors in areas accessible to visitors or non-cleared staff are fitted with privacy filters or positioned to prevent “shoulder surfing.”

Required Evidence: Visual confirmation of privacy screens on HR/Finance workstations or physical partitioning.

Pass/Fail Test: If an HR workstation monitor is visible from a public corridor or reception area, mark as Non-Compliant.

7. Secure Document Storage Availability Confirmed

Verification Criteria: Locking cabinets or pedestals are provided and utilised in working areas to secure sensitive information during breaks or at the end of the day.

Required Evidence: Physical sighting of lockable storage and verification of key management (i.e., keys are not left in the locks).

Pass/Fail Test: If the organisation mandates a clean desk policy but fails to provide lockable storage for sensitive files at the desk, mark as Non-Compliant.

8. Unattended Device Locking Enforcement Validated

Verification Criteria: Workstations in working areas are configured to automatically lock after a defined period of inactivity (typically 5-15 minutes).

Required Evidence: GPO (Group Policy Object) configuration settings or MDM (Mobile Device Management) profiles for idle-lock timeouts.

Pass/Fail Test: If an auditor can interact with an unattended workstation in a secure working area that has been idle for longer than the configured timeout (or for more than 15 minutes where no timeout is enforced) without being prompted for a password, mark as Non-Compliant.
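As an added example, not part of the original checklist, the PowerShell script below is what an auditor can run as the logged-on user on a sample workstation to read the two policy locations behind an enforced idle lock and compare them against a maximum timeout. The registry paths are the documented locations for the "Interactive logon: Machine inactivity limit" security option and for the user-level screen saver policies pushed by GPO; the 900-second threshold and the script name are assumptions mirroring the 15-minute figure in the criteria above.

```powershell
# Check-IdleLock.ps1 (added example, not from the original checklist)
# Reads the effective idle-lock policy on this workstation for the current user
# and reports whether an enforced lock occurs within $MaxIdleSeconds.
param(
    [int]$MaxIdleSeconds = 900   # assumption: 15 minutes, matching the checklist figure
)

# Machine-wide limit set by the security option
# "Interactive logon: Machine inactivity limit" (applies to every user).
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Per-user screen saver policy pushed by GPO
# (User Configuration > Administrative Templates > Control Panel > Personalization).
$userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing,
    # so an unconfigured policy is reported rather than crashing the check.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$machineLimit = Get-RegValue -Path $machinePolicy -Name 'InactivityTimeoutSecs'
$saverActive  = Get-RegValue -Path $userPolicy   -Name 'ScreenSaveActive'
$saverSecure  = Get-RegValue -Path $userPolicy   -Name 'ScreenSaverIsSecure'
$saverTimeout = Get-RegValue -Path $userPolicy   -Name 'ScreenSaveTimeOut'

# Path 1: the machine inactivity limit locks the session regardless of user settings.
$machineOk = ($null -ne $machineLimit) -and
             ([int]$machineLimit -gt 0) -and
             ([int]$machineLimit -le $MaxIdleSeconds)

# Path 2: a policy-enforced, password-protected screen saver with a compliant timeout.
# All three values must be present: an active saver that is not "secure" does not lock.
$saverOk = ($saverActive -eq '1') -and
           ($saverSecure -eq '1') -and
           ($null -ne $saverTimeout) -and
           ([int]$saverTimeout -le $MaxIdleSeconds)

$findings = @()
if (-not $machineOk) {
    $findings += "InactivityTimeoutSecs not set, zero, or above $MaxIdleSeconds (value: '$machineLimit')"
}
if (-not $saverOk) {
    $findings += "Policy screen saver not active/secure, or timeout above $MaxIdleSeconds " +
                 "(active='$saverActive' secure='$saverSecure' timeout='$saverTimeout')"
}

if ($machineOk -or $saverOk) {
    Write-Output "COMPLIANT: an enforced lock occurs within $MaxIdleSeconds seconds of inactivity on $($env:COMPUTERNAME)."
} else {
    Write-Output "NON-COMPLIANT on $($env:COMPUTERNAME) for user $($env:USERNAME):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it on workstations inside the restricted zone as the users who actually sit there, including anyone in a GPO security-filtering exception group, because a central "policy exists" report does not show the machines or accounts where the setting fails to apply. The `gpresult /h report.html` output on the same machine is a useful cross-check of which GPO won for that user and whether the screen saver settings were filtered out.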

9. Shared Working Space (Hot-Desking) Security Confirmed

Verification Criteria: In hot-desking environments, procedures ensure that no sensitive data is left behind on desks or shared peripherals (printers/scanners).

Required Evidence: Hot-desking policy and inspection of shared storage/print trays for “orphaned” documents.

Pass/Fail Test: If uncollected sensitive printouts are found in a shared printer tray in a communal working area, mark as Non-Compliant.

10. Periodic Physical Security Inspections Verified

Verification Criteria: Regular, documented checks are performed to ensure working area security standards (Clean Desk/Clear Screen) are being maintained.

Required Evidence: Completed inspection checklists or “After-Hours Security Audit” logs from the current audit cycle.

Pass/Fail Test: If there is no evidence of a physical security check being conducted on the working areas within the last six months, mark as Non-Compliant.

ISO 27001 Annex A 7.5 SaaS / GRC Platform Failure Checklist

For each control requirement, the first line describes the “checkbox compliance” trap a SaaS/GRC platform falls into, and the second gives the reality check the auditor must perform instead.

Working Area Delineation

The “Checkbox Compliance” Trap: The tool records “Yes” for “Are offices secure?”.

The Reality Check: The auditor must verify the physical barrier. A GRC tool cannot tell whether a partition wall stops at the suspended ceiling (allowing crawl-over).

Clean Desk Adherence

The “Checkbox Compliance” Trap: The GRC platform records that a “Policy” was read by staff.

The Reality Check: A physical sweep is required. GRC tools cannot detect a password written on a post-it note under a keyboard.

Device Idle-Lock

The “Checkbox Compliance” Trap: The platform confirms that a GPO policy exists to lock screens.

The Reality Check: Verify the exceptions. GRC tools often miss GPO security-filtering or WMI-filter “bypass” groups where the idle-lock is disabled for certain users.

Visitor Escorting

The “Checkbox Compliance” Trap: The tool logs that a visitor “checked in” via an app.

The Reality Check: Check the exit time and the escort. GRC apps show that a visitor arrived, but only a physical audit proves they were never left alone.

Secure Storage

The “Checkbox Compliance” Trap: The SaaS tool marks “Compliant” because lockers were purchased.

The Reality Check: Test the locks. Many offices marked compliant in a GRC tool have cabinets that are left unlocked or have keys taped to the side.

Shoulder Surfing

The “Checkbox Compliance” Trap: The tool assumes privacy because staff work from home.

The Reality Check: Check the office floorplan. Verify whether guest seating is positioned directly behind HR or Finance workstation screens.

Audit Integrity

The “Checkbox Compliance” Trap: The platform generates an automated “Physical Compliance” report.

The Reality Check: Review the raw evidence. GRC reports are often just self-attestations from managers rather than verified security sweeps.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
