In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.6 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 7.6 Working in Secure Areas
ISO 27001 Annex A 7.6 requires organizations to design and implement security measures specifically for personnel working within secure areas (e.g., server rooms, high-security zones, or sensitive processing facilities). While other controls focus on getting into the building, this control focuses on what happens once you are inside. The goal is to prevent unauthorized interference, damage, or data leakage by those authorized to be in the space.
Core requirements for compliance include:
- Need-to-Know Access: Personnel should only work in secure areas if it is strictly necessary for their role. Access should be restricted to the specific times required to perform the task.
- Prohibiting Recording Devices: You must consider banning or restricting the use of cameras, mobile phones, and recording equipment within secure zones to prevent the photographing of sensitive data or hardware configurations.
- Supervision & Lone Working: Where practicable, work in high-security areas should be supervised. If lone working is necessary, additional security or safety monitoring should be implemented.
- Clear Desk & Screen: Just because an area is “secure” doesn’t mean information can be left exposed. Personnel must follow clean desk and clear screen practices within the zone.
- Safety First: Security measures must never compromise human safety. Emergency exits must be clearly marked, and fail-safe mechanisms (like doors that “fail open” during a fire alarm) must be in place.
Audit Focus: Auditors will look for “The Rules of the Room”:
- Policy Awareness: They will interview staff to see if they know the specific rules for the secure area (e.g., “Are you allowed to take photos in here?”).
- Visual Evidence: They will look for signage at the entrance of secure zones outlining prohibited items and behavior.
- The “Tailgating” Test: They may observe entry points to see if authorized personnel are letting others in without following proper badge-in or escort procedures.
Secure Area Rules Checklist (Audit Prep):
| Conduct Rule | Technical Requirement | Compliance Justification | ISO 27001:2022 Control |
|---|---|---|---|
| Escorted Guests | Visitors must be supervised at all times. | Prevents unauthorised tampering or theft by non-staff. | 7.6 (Working in Secure Areas) |
| No Photography | Mobile phones/cameras should be restricted. | Stops data leakage via photos of screens or hardware. | 7.6 (Working in Secure Areas) |
| Visible ID | Lanyards or badges must be displayed. | Allows for rapid identification of unauthorised persons. | 7.2 (Physical Entry) |
| Lock on Exit | Doors must never be propped open. | Prevents the physical perimeter from being bypassed. | 7.2 (Physical Entry) |
| Supervised Work | High-risk tasks should be “two-man” jobs. | Reduces the risk of accidental or malicious damage. | 7.6 (Working in Secure Areas) |
Table of contents
- What is ISO 27001 Annex A 7.6?
- ISO 27001 Annex A 7.6 Free Training Video
- ISO 27001 Annex A 7.6 Explainer Video
- ISO 27001 Annex A 7.6 Podcast
- ISO 27001 Annex A 7.6 Implementation Guidance
- Health and Safety
- How to implement ISO 27001 Annex A 7.6
- Secure Area Rules Checklist
- ISO 27001 Physical Security Policy
- How to pass the audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 7.6 mistakes and how to avoid them
- Applicability of ISO 27001 Annex A 7.6 across different business models.
- Fast Track ISO 27001 Annex A 7.6 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 7.6 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Annex A 7.6 Attribute Table
What is ISO 27001 Annex A 7.6?
The focus of this ISO 27001 control is your secure areas. As one of the ISO 27001 controls, it is about stopping people who work in these secure areas from causing damage or unauthorised interference.
ISO 27001 Annex A 7.6 Working In Secure Areas is an ISO 27001 control that requires an organisation to put measures in place for security when working in secure areas.
ISO 27001 Annex A 7.6 Purpose
ISO 27001 Annex A 7.6 is a preventive control that ensures you protect information and other associated assets in secure areas from damage and unauthorised interference by personnel working in these areas.
ISO 27001 Annex A 7.6 Definition
The ISO 27001 standard defines ISO 27001 Annex A 7.6 as:
Security measures for working in secure areas should be designed and implemented.
ISO27001:2022 Annex A 7.6 Working In Secure Areas
ISO 27001 Annex A 7.6 Free Training Video
In the video ISO 27001 Working In Secure Areas Explained – ISO27001:2022 Annex A 7.6 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 7.6 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 7.6 Working In Secure Areas, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 7.6 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.6 Working In Secure Areas. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 7.6 Implementation Guidance
You are going to have to:
- Implement a need to know approach to the existence, operation and working processes of secure areas
- Where practicable ensure that work in secure areas is supervised
- Put in a process of locking and inspecting vacant secure areas
- Consider preventing the use of cameras, phones, recording equipment unless you authorise it
- Train people in emergency procedures
- Communicate emergency procedures
- Follow all health and safety laws as well as all laws and regulations
The implementation of working in secure areas is in the context of the physical security perimeter where you can find guidance in the Ultimate guide to ISO 27001 Annex A 7.1 Physical Security Perimeter.
Health and Safety
Your number one priority is to meet the requirements of law and regulation. Be sure to engage with a legal professional to understand what you can and cannot do and to check that you are not breaking any laws. The most significant laws are those around health and safety, as the protection of human life and wellbeing is always our number one priority. There are common things that should be considered, such as entry point doors that fail open. Whilst we want to protect buildings and information, our absolute priority is to protect people.
How to implement ISO 27001 Annex A 7.6
Implementing ISO 27001 Annex A 7.6 requires a combination of physical barriers and strict behavioural protocols to ensure that sensitive information remains protected while personnel are active within secure zones. This technical guide outlines the action-result workflow for managing conduct, supervision, and recording restrictions in high-security environments.
1. Formalise Secure Area Operating Procedures
Develop and approve a formal set of rules that govern how personnel must behave when inside a secure zone to ensure consistency and auditability.
- Define the specific boundaries of the secure area and the activities permitted within it.
- Establish a “Need to Know” criteria for anyone requesting access to the zone.
- Document the process for opening and closing the area, including alarm deactivation and activation.
- Distribute these procedures as part of the mandatory security induction for all staff.
2. Restrict and Manage Recording Equipment
Provision physical and technical barriers to prevent the unauthorised capture of sensitive data via cameras, mobile phones, or other recording devices.
- Install secure lockers outside the perimeter for the storage of personal mobile devices.
- Implement a “No Photography” policy enforced by prominent signage at all entry points.
- Utilise MDM (Mobile Device Management) profiles to logically disable camera functions on corporate devices used within the zone.
- Conduct random spot checks to ensure compliance with device restrictions.
3. Enforce Continuous Supervision for Unvetted Personnel
Establish a strict “shadowing” protocol to ensure that visitors, contractors, and unvetted staff are never left alone with sensitive assets.
- Assign a designated “Host” for every visitor who has been background-vetted by the organisation.
- Mandate that visitors are kept within the visual line of sight of the host at all times.
- Ensure all third-party maintenance work is supervised by a staff member with appropriate technical knowledge.
- Revoke access immediately if a visitor is found unattended in a restricted zone.
4. Implement Visual Privacy and Clean Area Controls
Apply physical safeguards to prevent accidental visual eavesdropping and ensure that sensitive data is not left exposed when the area is vacant.
- Position monitors away from windows and entry doors to prevent “shoulder surfing” from outside the zone.
- Enforce a strict “Clean Desk” policy for secure areas, requiring all sensitive documents to be locked away when not in use.
- Utilise privacy screen filters on all workstations within the secure area.
- Ensure that whiteboards are cleared of all sensitive diagrams or data immediately after meetings.
5. Maintain a Formal Register of Entrants
Document every entry and exit to create a verifiable audit trail of who was present in the secure area and for what duration.
- Utilise a physical or digital Register of Entrants (ROE) to log name, organisation, purpose, and time.
- Cross-reference the ROE with electronic badge logs to identify any discrepancies.
- Retain access logs for at least twelve months to support forensic investigations or audit requests.
- Review the ROE monthly to identify unusual patterns of access that may indicate a security threat.
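Cross-referencing the Register of Entrants with badge-reader logs, as step 5 asks, is easiest to do with a small script rather than by eye. The following is an added example, not code from the guide or from the High Table toolkit: it reconciles a constructed sign-in register against a constructed badge log for one door and reports the discrepancies an auditor would ask about. The field names, the list of vetted staff, the 10-minute matching tolerance and the 08:00–18:00 working hours are all assumptions.

```python
"""Reconcile a secure-area Register of Entrants (ROE) against badge-reader logs.

Added example, not part of the original guide. All data below is constructed;
column names, VETTED_STAFF, MATCH_TOLERANCE and WORKING_HOURS are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time, timedelta

MATCH_TOLERANCE = timedelta(minutes=10)   # sign-in sheet and badge clock rarely agree to the minute
WORKING_HOURS = (time(8, 0), time(18, 0))  # assumed normal hours for this area
VETTED_STAFF = {"Bob Staff", "Dan Staff"}  # assumed: cleared for unsupervised access, may act as host

# Constructed ROE: the sign-in sheet kept at the door (name, organisation, purpose, in, out, host)
ROE_CSV = """name,organisation,purpose,time_in,time_out,host
Alice Example,Acme Ltd,Rack maintenance,2024-03-04T09:02,2024-03-04T10:15,Bob Staff
Bob Staff,Acme Ltd,Hosting rack maintenance,2024-03-04T09:01,2024-03-04T10:16,
Carol Vendor,Vendor Co,UPS service,2024-03-04T13:30,2024-03-04T14:45,
Dan Staff,Acme Ltd,Backup tape rotation,2024-03-04T16:00,2024-03-04T16:20,
Frank Contractor,Cabling Co,Patch panel work,2024-03-04T11:00,2024-03-04T11:40,Bob Staff
"""

# Constructed badge-reader export for the same door and day
BADGE_CSV = """badge_holder,event,timestamp
Alice Example,IN,2024-03-04T09:01
Bob Staff,IN,2024-03-04T09:01
Alice Example,OUT,2024-03-04T10:16
Bob Staff,OUT,2024-03-04T10:16
Frank Contractor,IN,2024-03-04T10:58
Frank Contractor,OUT,2024-03-04T11:41
Dan Staff,IN,2024-03-04T16:00
Dan Staff,OUT,2024-03-04T16:21
Eve Unknown,IN,2024-03-04T22:40
Eve Unknown,OUT,2024-03-04T23:05
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # e.g. NO_HOST, UNREGISTERED_BADGE_IN
    subject: str   # person the finding is about
    detail: str


def load_roe(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def load_badge_ins(text: str) -> list[tuple[str, datetime]]:
    """Return (holder, timestamp) for IN events only; OUT events are not needed for presence checks."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["badge_holder"], datetime.fromisoformat(r["timestamp"])) for r in rows if r["event"] == "IN"]


def _badged_in_near(badge_ins: list[tuple[str, datetime]], holder: str, when: datetime) -> bool:
    return any(h == holder and abs(ts - when) <= MATCH_TOLERANCE for h, ts in badge_ins)


def reconcile(roe_text: str = ROE_CSV, badge_text: str = BADGE_CSV) -> list[Finding]:
    roe = load_roe(roe_text)
    badge_ins = load_badge_ins(badge_text)
    findings: list[Finding] = []

    # 1. Every register entry should be backed by a badge-in (none => tailgating or a propped door),
    #    and every non-vetted entrant should have a vetted host who actually badged in with them.
    for entry in roe:
        name, host = entry["name"], entry["host"].strip()
        time_in = datetime.fromisoformat(entry["time_in"])
        if not _badged_in_near(badge_ins, name, time_in):
            findings.append(Finding("NO_BADGE_EVENT", name, f"signed in {entry['time_in']} with no badge-in"))
        if name not in VETTED_STAFF:
            if not host:
                findings.append(Finding("NO_HOST", name, "visitor entry without a named host"))
            elif host not in VETTED_STAFF or not _badged_in_near(badge_ins, host, time_in):
                findings.append(Finding("HOST_NOT_PRESENT", name, f"host {host!r} not vetted or not badged in"))

    # 2. Every badge-in should appear in the register; out-of-hours entries go on the review list.
    registered = {(e["name"], datetime.fromisoformat(e["time_in"])) for e in roe}
    for holder, ts in badge_ins:
        if not any(n == holder and abs(t - ts) <= MATCH_TOLERANCE for n, t in registered):
            findings.append(Finding("UNREGISTERED_BADGE_IN", holder, f"badged in {ts:%Y-%m-%dT%H:%M} with no register entry"))
        if not (WORKING_HOURS[0] <= ts.time() < WORKING_HOURS[1]):
            findings.append(Finding("OUT_OF_HOURS", holder, f"badged in at {ts:%H:%M}"))
    return findings


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:22} {f.subject:18} {f.detail}")
```

Run monthly over the exported register and badge log, the output is the review record step 5 asks for: in the constructed data it flags a vendor who signed in without a host and without badging (no evidence of how they got through the door), a contractor whose named host had badged in two hours earlier and so was not present, and an unknown badge used at night with no register entry at all. Each finding maps to a behaviour the checklist above prohibits, which makes the report directly usable as audit evidence.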
Secure Area Rules Checklist
| Rule | Description | Why? |
|---|---|---|
| No Unaccompanied Guests | Visitors must be escorted at all times. | Prevents unauthorized access/theft. |
| No Photography | Cameras/Phones are banned (or covered). | Prevents data leakage via photos. |
| Wear ID | Badges must be visible. | Rapid identification of intruders. |
| Need to Know | Only enter if you have work to do here. | Minimizes foot traffic/risk. |
| Lock on Exit | Never prop the door open. | Maintains the physical perimeter. |
ISO 27001 Physical Security Policy
To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.
How to pass the audit
To pass the audit of ISO 27001 Annex A 7.6 you are going to:
- Define your physical protection requirements
- Consult with a legal professional to ensure you are meeting legal and regulatory requirements
- Consult with appropriate professionals who specialise in the identified protection requirements
- Implement your physical threat protection
- Write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy
- Write, sign off, implement and communicate your secure working procedures
- Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks
What the auditor will check
The audit is going to check a number of areas. Let’s go through them.
1. That you have defined secure working areas
Not every business or organisation requires secure areas but if you do the audit will check that you have defined what they are, done a risk assessment and put in place the appropriate controls and processes.
2. That you have implemented controls
They have been doing this a long time and done many audits so they know what to look for. They will test the controls and see what happens where they can. They will want to see evidence that the controls have been reviewed and tested and are working as intended.
3. Documentation
They are going to look at audit trails and all your documentation. They will look at appropriate maintenance, reviews, logs of monitors and reports, incidents and how you managed them.
Top 3 ISO 27001 Annex A 7.6 mistakes and how to avoid them
The top 3 mistakes people make for ISO 27001 Annex A 7.6 are
1. Your fire extinguishers are not up to date
This one feels a bit random, but as auditors walk around they will check fire extinguishers and look for evidence that they are operational and maintained. Examples are a pressure-based extinguisher whose gauge reads zero or sits in the red, or an extinguisher with no evidence of maintenance.
2. One or more members of your team haven’t done what they should have done
Prior to the audit, check that all members of the team have done what they should have. Have control reviews taken place? Who gets informed about the alarms and notifications, and do they still work here? Have you done periodic checks of vacant secure areas?
3. Your document and version control is wrong
Keep your document version control up to date, make sure version numbers match wherever they are used, evidence a review within the last 12 months, and make sure no draft comments are left in documents. These are all good practices.
Applicability of ISO 27001 Annex A 7.6 across different business models.
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Applies if the business has a small comms room, server closet, or a safe for physical documents. | Ensuring that even trusted staff or visitors don’t accidentally compromise security while inside these spaces. |
| Tech Startups | Critical for startups with dedicated development labs or high-security data centers. | Preventing data leakage via unauthorized photography and ensuring that technical work is supervised. |
| AI Companies | Vital for protecting GPU clusters and rooms where high-value proprietary model weights are processed. | Preventing insider interference and maintaining absolute visual privacy. |
Fast Track ISO 27001 Annex A 7.6 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 7.6 (Working in secure areas), the requirement is to design and implement security measures for personnel working in secure areas to protect against damage and unauthorised interference. This is a purely physical and procedural control.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your physical security rules; if you cancel the subscription, your documented “no-photography” and badge rules vanish. | Permanent Assets: Fully editable Word/Excel Physical and Environmental Security Policies that you own forever. | A localized “Secure Area Policy” defining escort requirements for visitors and mobile phone bans in data centers. |
| Behavioral Governance | Attempts to “automate” site security via dashboards that cannot physically enforce badge wearing or door locking. | Governance-First: Formalizes employee behavior and specialized zone protocols into an auditor-ready framework. | A completed “Secure Area Rules Checklist” proving that personnel are trained on restricted zone behavior. |
| Cost Efficiency | Charges a “Physical Facility Tax” based on the number of locations or tracked high-security zones. | One-Off Fee: A single payment covers your governance documentation for one server room or a global network. | Allocating budget to physical security hardware (e.g., biometric locks or CCTV) rather than monthly software fees. |
| Operational Freedom | Mandates rigid reporting structures that may not align with modern co-working or high-density facility models. | 100% Agnostic: Procedures adapt to any environment—server rooms, secure office suites, or vault storage—without limits. | The ability to evolve your physical workspace security without reconfiguring a rigid SaaS compliance module. |
Summary: For Annex A 7.6, the auditor wants to see that you have a formal policy for working in secure areas and proof that you follow it (e.g., site walkthrough logs and clear signage). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 7.6 FAQ
What is ISO 27001 Annex A 7.6?
ISO 27001 Annex A 7.6 is a physical security control that establishes mandatory procedures and rules for personnel performing activities within defined secure areas.
- It ensures that work in secure areas is supervised and managed.
- It restricts unauthorised recording, photography, or data capture.
- It mandates that personnel are aware of the specific security protocols of the zone.
- It aims to prevent the compromise of sensitive information and physical assets.
Are mobile phones and cameras allowed in secure areas?
No, the use of recording equipment, including mobile phones and cameras, is generally prohibited or strictly controlled within secure areas to prevent unauthorised data exfiltration.
- Personnel should store personal mobile devices in secure lockers outside the perimeter.
- Authorised photography requires a written business justification and supervision.
- MDM (Mobile Device Management) policies may be used to disable camera functions.
- Physical signage must clearly state the prohibition of recording devices.
Do visitors require constant supervision in secure areas?
Yes, all visitors and unvetted third-party personnel must be supervised at all times when working within or moving through secure areas.
- Visitors must be assigned an internal “host” responsible for their actions.
- Their access must be logged, and their identity verified before entry.
- Unsupervised access is only permitted for personnel who have passed relevant background checks.
- Supervision ensures visitors do not stray into restricted zones or view sensitive data.
What is the difference between Annex A 7.2 and 7.6?
While Annex A 7.2 focuses on the physical entry and access controls to the building, Annex A 7.6 specifically governs the behaviour and activities of people once they are inside the secure zone.
- 7.2 deals with locks, badges, and perimeter security.
- 7.6 deals with supervision, clean desk habits, and recording restrictions.
- 7.2 prevents unauthorised entry; 7.6 prevents insider threats or accidental disclosures.
How should unannounced maintenance be handled in secure areas?
Unannounced maintenance should be treated as a high-risk event requiring strict identity verification and constant visual oversight by a designated staff member.
- Verify the technician’s identity and work order before allowing entry.
- Ensure a staff member “shadows” the technician for the duration of the work.
- Log the entry and exit times specifically in the secure area access log.
- Ensure the technician only accesses the specific equipment required for repair.
Should secure areas be left vacant while unlocked?
No, secure areas must never be left vacant and unlocked; they must be physically secured or continuously occupied by authorised personnel.
- Implement auto-locking doors to prevent human error.
- Last-person-out procedures must include a sweep and lock verification.
- Sensitive data must be cleared from desks if the area is to be left.
- Intrusion detection systems should be active when the area is unoccupied.
Related ISO 27001 Controls
ISO 27001 Annex A 7.4 Physical Security Monitoring
ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats
Further Reading
ISO 27001 Physical Asset Register Beginner’s Guide
ISO 27001 Secure Development Policy Template
ISO 27001 Annex A 7.6 Attribute Table
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Protect | Physical security | Protection |