ISO 27001:2022 Annex A 7.5 Protecting against physical and environmental threats

In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.5 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats

ISO 27001 Annex A 7.5 requires organizations to design and implement protection against physical and environmental threats, such as natural disasters, fire, flood, and civil unrest. While digital security often takes the spotlight, this control addresses the physical reality that a server can be destroyed by a leaking pipe just as easily as it can be hacked. The goal is to prevent or reduce the impact of unforeseen events that could compromise the Availability and Integrity of your information.

Core requirements for compliance include:

  • Risk-Based Siting: You must assess the specific environment of your facilities. For example, if your office is on a flood plain, you must have controls to prevent water damage (e.g., raising racks off the floor).
  • Fire Detection and Suppression: Facilities, especially server rooms, must have adequate fire detection (smoke alarms) and suppression systems (automated gas suppression or correctly maintained extinguishers).
  • Utility Protection: You must protect against environmental issues like lightning strikes and power surges using surge protectors and Uninterruptible Power Supplies (UPS).
  • Physical Hardening: In high-risk areas, this may include installing bomb-blast film on windows or seismic bracing for racks in earthquake-prone zones.
  • Safety First: Physical security must always align with Health and Safety laws. For example, fire doors must fail “open” to allow people to escape, even if it compromises the security of the building.

Audit Focus: Auditors will look for “The Environmental Risk Assessment”:

  1. Obvious Risks: “You are located next to a major river. Show me your flood protection measures.”
  2. Maintenance Proof: “Show me the service records for your server room’s fire suppression system and AC units.”
  3. The “Cupboard” Test: They will look for messy wiring or flammable materials (like cardboard boxes) stored in server rooms, which are major fire hazards.

Physical Hazard Checklist (Audit Prep):

Threat Factor | Protection Measure (Best Practice) | ISO 27001:2022 Control Mapping
--- | --- | ---
Fire | Gas suppression (server room) and professional smoke detectors | 7.5 (Environmental Threats)
Flood / Leak | Water detection ropes and racks raised at least 15cm off the floor | 7.5 (Environmental Threats)
Lightning | Surge protection on main power lines and lightning rods | 7.11 (Supporting Utilities)
Power Failure | UPS (Uninterruptible Power Supply) and backup generators | 7.11 (Supporting Utilities)
Civil Unrest | Bomb blast film on windows and reinforced entry points | 7.5 (Physical Threats)

What is ISO 27001 Annex A 7.5?

The focus of this ISO 27001 control is physical protection from natural disasters and physical threats. As one of the ISO 27001 controls, it is about reducing the damage and impact of events that cannot be planned for and are outside your control.

ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats is an ISO 27001 control that requires an organisation to protect against physical and environmental threats.

ISO 27001 Annex A 7.5 Purpose

ISO 27001 Annex A 7.5 is a preventive control that ensures you prevent or reduce the consequences of events originating from physical and environmental threats.

ISO 27001 Annex A 7.5 Definition

ISO 27001 defines ISO 27001 Annex A 7.5 as:

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented.

ISO 27001 Annex A 7.5 Free Training Video

In the video ISO 27001 Protecting Against Physical & Environmental Threats Explained – ISO27001:2022 Annex A 7.5 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.5 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.5 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 7.5 Implementation Guidance

You are going to have to

  • conduct a risk assessment
  • consult a professional for specialist advice where required, for example on fire, flood, theft, civil unrest, earthquake or explosions
  • install and configure systems to detect fire, flood, electrical surges, explosives and weapons
  • implement physical security controls based on risk and business need

The implementation of securing offices, rooms and facilities is in the context of the physical security perimeter where you can find guidance in the Ultimate guide to ISO 27001 Annex A 7.1 Physical Security Perimeter.

Health and Safety

Your number one priority is to meet the requirements of law and regulation. Be sure to engage with a legal professional to understand what you can and cannot do and to check that you are not breaking any laws. The most significant laws are those around health and safety, as the protection of human life and wellbeing is always our number one priority. There are common things that should be considered, such as entry point doors that fail open. Whilst we want to protect buildings and information, our absolute priority is to protect people.

Define your protection requirements

Start by understanding your risk and doing a risk assessment. For guidance on how, read The Complete Guide to ISO 27001 Risk Assessment. This is going to be based on the needs of the business and the risks that you are managing. As a starting point there are basics such as protection from fire and flood. It may be that the physical environment brings with it other threats, such as electrical surges, local civil unrest, explosives or tectonic fault lines. Do what is right for you. Consider the environment around the location and the threats it may pose, and be sensible in addressing them.

How to implement ISO 27001 Annex A 7.5

Implementing ISO 27001 Annex A 7.5 requires a multi-layered approach to physical security, ensuring that information processing facilities are resilient against natural disasters, environmental accidents, and malicious human activity. This technical guide outlines the action-result workflow for fortifying your premises to maintain the continuity of your Information Security Management System (ISMS).

1. Conduct a Physical and Environmental Risk Assessment

Perform a site-specific survey to identify local hazards such as flood plains, seismic activity zones, or proximity to high-risk industrial facilities.

  • Identify critical assets and their vulnerability to fire, water, and extreme temperature fluctuations.
  • Document external threats, including potential for vandalism or proximity to shared utility hubs.
  • Establish a risk treatment plan that prioritises controls based on the geographic and structural profile of the facility.

2. Provision Automated Fire Detection and Suppression Systems

Deploy industrial-grade fire safety technology to ensure the rapid detection and neutralisation of thermal threats without damaging electronic hardware.

  • Install Very Early Smoke Detection Apparatus (VESDA) for high-sensitivity monitoring in server rooms.
  • Provision non-water-based fire suppression systems, such as FM-200 or Novec 1230 gas, to prevent electrical short circuits.
  • Formalise a monthly inspection routine for all portable extinguishers and emergency exit routes.

3. Implement Water Leak Detection and Flood Mitigation

Establish physical barriers and sensors to protect data processing equipment from plumbing failures or external flooding events.

  • Install moisture detection cables beneath raised floors in all critical server environments.
  • Position server racks on plinths to provide a minimum clearance of 150mm from the floor level.
  • Ensure that IT equipment is not sited directly beneath water pipes or air conditioning drainage units.

4. Configure Environmental Monitoring and HVAC Redundancy

Apply technical monitoring to maintain optimal temperature and humidity levels, preventing hardware degradation or sudden thermal shutdown.

  • Provision N+1 redundancy for Heating, Ventilation, and Air Conditioning (HVAC) systems to ensure climate stability during maintenance.
  • Link temperature and humidity sensors to a centralised alerting system with real-time notifications for the IT Operations team.
  • Maintain automated logging of environmental metrics to provide evidence for ISMS compliance audits.

5. Formalise Protective Siting and Structural Hardening

Review the physical placement of equipment to reduce the profile of sensitive assets against malicious observation or impact.

  • Locate critical processing facilities away from ground-floor windows and high-traffic public access points.
  • Apply security film to windows and install bollards to protect against vehicle-borne threats or impact.
  • Ensure that all utility entry points (power and telecommunications) are buried or enclosed in armoured conduits.

6. Establish an Environmental Maintenance Audit Trail

Document all service activities to verify that protective controls are functioning correctly and remain reliable under duress.

  • Formalise a Register of Entrants (ROE) for third-party maintenance staff performing utility repairs.
  • Archive maintenance certificates for UPS systems, generators, and suppression systems for at least 12 months.
  • Review incident logs monthly to identify recurring environmental anomalies that require corrective action.
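Steps 3, 4 and 6 above describe sensors feeding an alerting system and an automated environmental log kept as audit evidence. The following is an added example, not code from the original page or from any product the page mentions, showing how such an evaluator might classify one set of readings: it applies temperature and humidity thresholds, checks the N+1 HVAC rule (one spare unit above the N needed to carry the load), treats a tripped moisture cable as critical, and emits a JSON-lines audit record. The thresholds, unit counts and sample readings are constructed assumptions; take the real values from your own risk assessment.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed thresholds and capacity figures (hypothetical, not from the page);
# set them from your own environmental risk assessment.
TEMP_RANGE_C = (18.0, 27.0)
HUMIDITY_RANGE_PCT = (40.0, 60.0)
HVAC_UNITS_REQUIRED = 2     # N: units needed to carry the room's heat load
HVAC_UNITS_INSTALLED = 3    # N+1: one spare unit on top of N

SEVERITY_ORDER = {"ok": 0, "warning": 1, "critical": 2}


@dataclass
class Reading:
    room: str
    temp_c: float
    humidity_pct: float
    hvac_running: int       # HVAC units currently operating
    leak_detected: bool     # moisture cable beneath the raised floor tripped


def evaluate(r: Reading):
    """Classify one reading. Returns (severity, alerts); severity is ok/warning/critical."""
    alerts, severity = [], "ok"

    def raise_to(level, msg):
        nonlocal severity
        alerts.append(msg)
        if SEVERITY_ORDER[level] > SEVERITY_ORDER[severity]:
            severity = level

    if r.leak_detected:
        raise_to("critical", f"{r.room}: water detected beneath raised floor")
    t_lo, t_hi = TEMP_RANGE_C
    if r.temp_c > t_hi:
        # More than 5C over the limit is treated as imminent thermal shutdown.
        raise_to("critical" if r.temp_c > t_hi + 5 else "warning",
                 f"{r.room}: temperature {r.temp_c}C above {t_hi}C")
    elif r.temp_c < t_lo:
        raise_to("warning", f"{r.room}: temperature {r.temp_c}C below {t_lo}C")
    h_lo, h_hi = HUMIDITY_RANGE_PCT
    if not h_lo <= r.humidity_pct <= h_hi:
        raise_to("warning", f"{r.room}: humidity {r.humidity_pct}% outside {h_lo}-{h_hi}%")
    spare = r.hvac_running - HVAC_UNITS_REQUIRED
    if spare < 0:
        raise_to("critical", f"{r.room}: only {r.hvac_running} of {HVAC_UNITS_REQUIRED} required HVAC units running")
    elif spare == 0:
        raise_to("warning", f"{r.room}: N+1 redundancy lost ({r.hvac_running}/{HVAC_UNITS_INSTALLED} units running)")
    return severity, alerts


def audit_record(r: Reading, now=None):
    """Build the JSON-lines entry retained as ISMS evidence for this reading."""
    severity, alerts = evaluate(r)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    entry = {"timestamp": stamp, **asdict(r), "severity": severity, "alerts": alerts}
    return json.dumps(entry, sort_keys=True)


# Constructed sample readings (not real telemetry).
SAMPLE_READINGS = [
    Reading("server-room-1", 22.0, 50.0, 3, False),   # normal operation
    Reading("server-room-1", 23.5, 48.0, 2, False),   # one unit in maintenance
    Reading("server-room-1", 33.0, 45.0, 1, False),   # two units down, overheating
    Reading("comms-room", 21.0, 52.0, 3, True),       # leak cable tripped
]

if __name__ == "__main__":
    for reading in SAMPLE_READINGS:
        print(audit_record(reading))   # append each line to the environmental log
```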

Physical Hazard Checklist

Threat | Protection Measure
--- | ---
Fire | Gas suppression (server room) + smoke detectors
Flood / Leak | Water detection rope (under raised floors) + raised racks
Lightning | Surge protection on power lines + lightning rods
Power Surge | UPS (Uninterruptible Power Supply) + voltage regulators
Civil Unrest | Bomb blast film on windows (if high risk)

ISO 27001 Physical Security Policy Template

To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.

ISO 27001 Physical and Environmental Security Policy Template

How to pass the ISO 27001 Annex A 7.5 audit

To pass the audit of ISO 27001 Annex A 7.5 you are going to

  • Define your physical protection requirements
  • Consult with a legal professional to ensure you are meeting legal and regulatory requirements
  • Consult with appropriate professionals who specialise in the identified protection requirements
  • Implement your physical threat protection
  • Write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy
  • Write, sign off, implement and communicate your perimeter incident response procedures
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

What the auditor will check

The audit is going to check a number of areas. Let's go through them.

1. That you have considered physical and environmental threats

The auditor will do some research, identify any obvious physical and environmental threats, and check that you have addressed them. If you are in a flood plain, have you considered and implemented protection against flooding? If you are in an area susceptible to civil unrest, do your controls address this? Are the basics such as fire protection covered, and are they appropriate? A common one to check here is that fire extinguishers are legal, maintained, and evidenced as being maintained.

2. That you have implemented controls

Auditors have been doing this a long time and have done many audits, so they know what to look for. They will test the controls and see what happens where they can. They will want to see evidence that the controls have been reviewed and tested and are working as intended.

3. Documentation

They are going to look at audit trails and all your documentation. They will look at appropriate maintenance, reviews, logs of monitors and reports, incidents and how you managed them.

Top 3 ISO 27001 Annex A 7.5 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 7.5 are

1. Your fire extinguishers are not up to date

This one feels a bit random, but as auditors walk around they will check fire extinguishers and look for evidence that they are operational and maintained. An example would be a pressure-based fire extinguisher whose pressure gauge is at zero or in the red. Another is an extinguisher with no evidence of ever having been maintained.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have. Have control reviews taken place? Who gets informed about the alarms and notifications, and do they still work here?

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no unresolved comments left in them are all good practices.

Applicability of ISO 27001 Annex A 7.5 across different business models

Small Businesses

Applicability: Applies to ensuring the basic office environment is safe from environmental damage. The focus is on low-cost, effective measures like fire safety and protecting against power surges that could damage critical office hardware.

Examples of control implementation:

  • Maintaining up-to-date and serviced fire extinguishers throughout the office.
  • Installing surge protectors on all primary workstations and the main office router.
  • Ensuring the office manager performs a monthly check of smoke detectors and records the results.

Tech Startups

Applicability: Critical for startups with small server rooms or dedicated hardware labs. Compliance involves identifying specific local risks (like flooding) and implementing professional detection and backup systems.

Examples of control implementation:

  • Placing server racks on 150mm plinths to prevent damage from water leaks or minor flooding.
  • Installing water leak detection “ropes” beneath any raised floors in the server or comms room.
  • Using an Uninterruptible Power Supply (UPS) to provide immediate power during a surge or short-term outage.

AI Companies

Applicability: Vital for protecting expensive high-performance computing (HPC) and GPU clusters. Focus is on industrial-grade environmental monitoring and suppression to protect high-value research assets.

Examples of control implementation:

  • Deploying gas suppression systems (like FM-200 or Novec 1230) in GPU cluster rooms to extinguish fires without damaging electronics.
  • Implementing real-time temperature and humidity sensors that send automated alerts to the DevOps team if thresholds are exceeded.
  • Applying bomb blast film to the windows of research centres located in high-risk or urban environments to protect against physical impact.

Fast Track ISO 27001 Annex A 7.5 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 7.5 (Protecting against physical and environmental threats), the requirement is to protect against natural disasters and other physical threats to your infrastructure. This is a common-sense, physical protection control that focuses on real-world hazards like fire, flood, and power surges.

Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example
--- | --- | --- | ---
Policy Ownership | Rents access to your environmental rules; if you cancel the subscription, your documented hazard response and standards vanish. | Permanent Assets: Fully editable Word/Excel Physical and Environmental Security Policies that you own forever. | A localised “Physical Protection Standard” defining UPS maintenance and fire suppression testing intervals.
Hazard Governance | Attempts to “automate” site security via dashboards that cannot install gas suppression or water detection ropes. | Governance-First: Formalises facility management and environmental risk mitigation into an auditor-ready framework. | A completed “Physical Hazard Checklist” proving that infrastructure is protected from flood, fire, and power surges.
Cost Efficiency | Charges a “Physical Site Tax” based on the number of locations or square footage monitored. | One-Off Fee: A single payment covers your governance documentation for one office or a global network. | Allocating budget to physical safeguards (e.g., surge protectors or window film) rather than monthly software fees.
Operational Freedom | Mandates rigid reporting structures that may not align with unique industrial environments or niche office setups. | 100% Agnostic: Procedures adapt to any environment, from high-security server rooms to standard office spaces, without limits. | The ability to evolve your facility resilience strategy without reconfiguring a rigid SaaS compliance module.

Summary: For Annex A 7.5, the auditor wants to see that you have a formal policy for physical and environmental protection and proof that you follow it (e.g., risk assessments and maintenance logs for fire equipment). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 7.5 FAQ

What is ISO 27001 Annex A 7.5?

ISO 27001 Annex A 7.5 is a physical security control that requires organisations to design and apply protections against natural disasters, malicious attacks, and environmental accidents.

  • It focuses on the resilience of the physical site where information is processed.
  • It mandates proactive risk assessments for fire, flood, and seismic threats.
  • It requires the implementation of technical barriers like fire suppression and flood sensors.
  • The goal is to prevent data loss or service disruption caused by external physical factors.

What are considered physical and environmental threats?

Under ISO 27001, these threats are external factors that can damage hardware, disrupt utilities, or compromise the safety of a secure facility.

  • Natural Disasters: Flooding, earthquakes, lightning strikes, and wind damage.
  • Environmental Hazards: Fire, smoke, water leaks (plumbing), and extreme temperatures.
  • Malicious Threats: Terrorist attacks, physical vandalism, and explosive devices.
  • Utility Failures: Extended power outages or telecommunications line cuts.

Is fire suppression mandatory for ISO 27001 Annex A 7.5?

Yes, fire detection and suppression systems are essential controls to mitigate the risk of data destruction and ensure the continued availability of IT assets.

  • Automatic smoke and heat detectors must be installed in all secure areas.
  • Non-water-based suppression (e.g., a clean-agent gas such as FM-200) is preferred for server rooms.
  • Portable fire extinguishers must be accessible and regularly maintained.
  • Fire escape routes must be clearly marked and kept unobstructed.

How do you protect against water and flood damage?

Protecting against water damage involves a combination of site selection, structural engineering, and automated detection systems.

  • Avoid placing server rooms in basements or directly under water pipes.
  • Install moisture and leak detection sensors beneath raised floors.
  • Ensure critical hardware is raised on plinths or racks to avoid low-level flooding.
  • Regularly inspect the building’s exterior for structural integrity and drainage efficiency.

Should server rooms be located on the ground floor?

No, it is generally recommended to avoid ground-floor locations for server rooms due to higher risks of physical intrusion, vehicle impact, and surface flooding.

  • Upper-floor locations provide better protection against opportunistic physical theft.
  • Internal rooms without windows are preferred to reduce the risk of visual eavesdropping.
  • Ground-floor windows in secure areas must be reinforced with security film or bars.

What are the redundancy requirements for climate control?

Annex A 7.5 implies that climate control systems must be redundant (N+1) to prevent hardware failure caused by overheating during primary system maintenance or failure.

  • HVAC systems should be monitored by automated temperature and humidity alarms.
  • Independent backup power should be available to keep cooling systems active during outages.
  • Regular maintenance logs are required to prove the reliability of the system to auditors.

What documentation is needed for an Annex A 7.5 audit?

Auditors require verifiable evidence that physical and environmental risks have been assessed and that mitigating controls are functional.

  • Risk Assessment: A document identifying local environmental threats.
  • Maintenance Logs: Evidence of fire alarm, UPS, and HVAC testing.
  • Site Floor Plans: Showing the location of secure zones and utility entry points.
  • Emergency Procedures: Documented responses to fire, flood, or power failure.

ISO 27001 Annex A 7.6 Working In Secure Areas

ISO 27001 Annex A 7.4 Physical Security Monitoring

Further Reading

ISO 27001 Physical Asset Register Beginner’s Guide

How To Create an ISO 27001 Threat Intelligence Process and Report

ISO 27001 Annex A 7.5 Attribute Table

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
--- | --- | --- | --- | ---
Preventive | Confidentiality, Integrity, Availability | Protect | Physical_security | Protection

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
