In this ultimate how-to-audit guide to ISO 27001 Annex A 7.6 Working in Secure Areas, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Annex A 7.6 Working in Secure Areas Audit Checklist
- 1. Working Area Security Policy Formalisation Verified
- 2. Restricted Zone Designation and Delineation Confirmed
- 3. “Clean Desk” Operational Adherence Validated
- 4. Working Area Visitor Escorting Verified
- 5. Working Area Surveillance Monitoring Confirmed
- 6. Privacy Screen Implementation for Sensitive Areas Verified
- 7. Secure Document Storage Availability Confirmed
- 8. Unattended Device Locking Enforcement Validated
- 9. Shared Working Space (Hot-Desking) Security Confirmed
- 10. Periodic Physical Security Inspections Verified
ISO 27001 Annex A 7.6 Working in Secure Areas Audit Checklist
Auditing ISO 27001 Annex A 7.6 Working in Secure Areas is the systematic verification of the controls applied to internal workspaces and restricted zones. The primary implementation requirement is the clear delineation of security perimeters and adherence to clean desk rules; the business benefit is preventing unauthorised disclosure of information and physical tampering with equipment.
This technical verification tool is designed for lead auditors to establish the security integrity of internal workspaces and sensitive processing zones. Use this checklist to validate compliance with ISO 27001 Annex A 7.6.
1. Working Area Security Policy Formalisation Verified
Verification Criteria: A documented policy exists that defines the security requirements for different types of working areas, including open-plan offices and restricted zones.
Required Evidence: Approved Physical Security Policy or Working Area Standard Operating Procedure (SOP).
Pass/Fail Test: If the organisation cannot produce a formal document defining the security rules for general vs. restricted working areas, mark as Non-Compliant.
2. Restricted Zone Designation and Delineation Confirmed
Verification Criteria: Working areas the organisation has identified as high-risk (e.g. HR, Finance, or R&D) are clearly designated as restricted zones and physically separated from general-access areas.
Required Evidence: Physical site map showing “Restricted Zones” and visual confirmation of physical barriers (walls, locked doors).
Pass/Fail Test: If departments handling sensitive information, such as HR or Finance, sit in open-access areas without a secondary physical perimeter, mark as Non-Compliant.
3. “Clean Desk” Operational Adherence Validated
Verification Criteria: Working areas are free from sensitive paper documents and removable storage media when unattended.
Required Evidence: Physical inspection reports from “out-of-hours” security sweeps or photographic evidence of compliance.
Pass/Fail Test: If a physical walkthrough reveals personal data, other sensitive documents, or passwords written on sticky notes in an unattended workspace, mark as Non-Compliant.

