ISO 27001 A.7.1-7.14: Physical Security - What the Standard Requires

TL;DR
  • Controls A.7.1 through A.7.14 cover the entire domain of physical security: from the building perimeter through access control and server room protection to secure disposal and cabling.
  • Security zones form the foundational concept: from the public area through the general office area to the high-security server room, protection requirements increase in tiers.
  • Access control does not have to be expensive. For a company with around 100 employees, a combination of key management, transponder system, and organizational measures is often sufficient.
  • Clear desk and clear screen (A.7.7) are among the most frequently cited controls in audits because implementation is simple but enforcement is difficult.
  • Secure disposal (A.7.14) applies not only to hard drives but also to paper, optical media, defective devices, and backup tapes.

Why Physical Security Still Matters

There is a joke among penetration testers: "Why would I attack your firewall when I can just walk through the open back door into the server room?" As funny as that sounds, in practice, physical access to systems is one of the most effective attack vectors. Anyone with physical access to a server can remove hard drives, plug in USB sticks, reconnect network cables, or simply pull the plug.

Controls A.7.1 through A.7.14 comprehensively address physical security. ISO 27001:2022 groups them under "Physical controls" and covers everything: from protecting the building perimeter through access control to the secure disposal of data media and the protection of cabling.

For a company with around 100 employees, this is not about Fort Knox-level security. It is about appropriate measures that match the protection need. An office building in a commercial district needs different measures than a data center, but it does need measures.

The Zone Concept

The foundation of physical security is the zone concept. You divide your building into zones with different protection needs, and for each zone you define access restrictions and protective measures.

Zone 0: Public Area

The area in front of the building, the parking lot, the reception area. In principle, anyone has access here. Protective measures are limited to general security: lighting, video surveillance (where legally permissible), fencing of the premises if needed.

Zone 1: General Office Area

The area where employees work. Access only for employees and registered visitors. Visitors are escorted. Protective measures: access control at the entrance (transponder, key, code), visitor management, clean desk policy.

Zone 2: Sensitive Areas

Areas with elevated protection needs: server room, network distribution rooms, archive rooms with confidential documents, executive offices. Access only for authorized persons. Protective measures: separate access control, access logging, secured windows, door with automatic lock.

Zone 3: High-Security Area

If applicable: vault rooms, specially protected data centers, rooms for classified projects. Access control with two-factor authentication (transponder + PIN or biometric), complete logging, video surveillance.

For most companies with around 100 employees, three zones (0 through 2) suffice. Zone 3 is typically relevant only if you operate your own data center or process particularly sensitive information.

A.7.1-A.7.2: Perimeter and Physical Entry

What the Standard Requires

A.7.1 requires the definition and protection of security perimeters. A.7.2 requires that physical entry points are protected by appropriate access control mechanisms.

Implementation for Around 100 Employees

Building entrance: A controlled main entrance with a transponder system or key. Outside business hours, the building is locked. An intercom or doorbell system for visitors.

Side exits and delivery entrances: Emergency exits must not be openable from the outside (panic bar from inside only). Delivery entrances are opened only when needed and not left permanently open.

Ground floor windows: Windows in sensitive areas (server room, archive) on the ground floor should be secured, e.g., with security glazing or grilles. At minimum, they should be closed after business hours.

Key and transponder management: A documented register of who holds which keys and transponders. Immediate deactivation and replacement upon loss. Return of all access media upon employee departure.

A.7.3-A.7.4: Offices, Rooms, and Monitoring

A.7.3: Securing offices, rooms, and facilities

Offices and rooms should be appropriately secured. This does not mean every office needs a security door, but sensitive areas must be protected.

Server room: Dedicated room with a solid door (not a drywall partition you can climb over) and separate access control. No windows, or if present, secured windows. Smoke detectors and potentially a fire alarm system. Air conditioning. No through-traffic. No storage of combustible materials.

Network distribution: Distribution rooms or cabinets must be locked. Open patch panels in corridors where anyone can connect a device are a classic audit finding.

Meeting rooms: If confidential information is regularly discussed in meeting rooms, they should be acoustically adequate, and whiteboards with confidential notes should not be left visible for visitors.

A.7.4: Physical security monitoring

Protection should be supplemented by monitoring measures. In Germany, video surveillance in the workplace is a sensitive topic (DSGVO/GDPR, Works Constitution Act). What is generally permissible and sensible:

  • Video surveillance of entrances and exterior areas (with signage and appropriate retention periods)
  • Intrusion detection system with alerting to a security service or police
  • Access logs from the transponder system
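Access logs are only useful if someone reviews them against the key and transponder register from A.7.1-A.7.2. As an added example (not code from the article or from ISMS Lite), the Python script below checks a constructed transponder log for media that is lost or returned but still in use, access granted beyond a holder's permitted zone, and after-hours entry to Zone 2. The CSV layouts, the business hours and all sample data are assumptions.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample register (not from any real system): who holds which
# transponder, its state (active, lost, returned) and the highest zone it opens.
REGISTER_CSV = """media_id,holder,status,zone_max
T-1001,A. Mueller,active,2
T-1002,B. Schmidt,lost,1
T-1003,C. Weber,returned,2
T-1004,D. Fischer,active,1
"""

# Constructed access log in the shape a transponder system might export.
LOG_CSV = """timestamp,media_id,door,zone,result
2024-03-04T08:55:10,T-1001,main-entrance,1,granted
2024-03-04T09:12:44,T-1002,main-entrance,1,granted
2024-03-04T13:30:05,T-1003,server-room,2,granted
2024-03-04T22:41:19,T-1001,server-room,2,granted
2024-03-04T10:02:33,T-1004,server-room,2,denied
2024-03-04T10:05:01,T-9999,side-exit,1,granted
"""

# Assumed business hours for this site; Zone 2 entry outside them is reviewed.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

def load_register(text):
    """Index the register by media_id for lookups from the log."""
    return {row["media_id"]: row for row in csv.DictReader(io.StringIO(text))}

def review_access_log(log_text, register):
    """Return (timestamp, media_id, reason) findings that need follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, media_id = row["timestamp"], row["media_id"]
        granted = row["result"] == "granted"
        zone = int(row["zone"])
        media = register.get(media_id)
        if media is None:  # unknown media opening a door: register is incomplete
            findings.append((ts, media_id, "media not in register"))
            continue
        if media["status"] != "active":  # lost/returned media must be deactivated
            findings.append((ts, media_id, f"media {media['status']} but still used"))
        if granted and zone > int(media["zone_max"]):
            findings.append((ts, media_id, "granted beyond permitted zone"))
        after_hours = not BUSINESS_HOURS[0] <= datetime.fromisoformat(ts).time() <= BUSINESS_HOURS[1]
        if granted and zone >= 2 and after_hours:
            findings.append((ts, media_id, "after-hours access to sensitive zone"))
    return findings
```

A denied attempt beyond the holder's zone (T-1004 in the sample) is not reported, because the system behaved as intended; the findings that matter are the ones where the register and the access system disagree.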

What is problematic and must be carefully reviewed:

  • Video surveillance in office areas (only in justified exceptional cases)
  • Covert surveillance (only upon concrete suspicion of a criminal offense and after consultation with the data protection officer and works council)

A.7.5-A.7.6: Environmental Threats and Working in Secure Areas

A.7.5: Protecting against physical and environmental threats

In addition to human threats, environmental hazards must also be addressed: fire, water, overheating, power failure.

Fire protection: Smoke detectors in all rooms, fire extinguishers within reach, fire protection regulations, regular evacuation drills. In the server room, ideally an early fire detection system and a suppression system that does not damage IT equipment (gas suppression or pre-action sprinkler system).

Water protection: Do not place servers in the basement (flooding risk) or directly under water pipes. Water sensors in the server room.

Climate control: The server room needs air conditioning that maintains a constant temperature (ideally 18-24 degrees C). Temperature sensors with alerting when thresholds are exceeded.

Power supply: UPS (uninterruptible power supply) for the server room, providing enough time for a controlled server shutdown in case of power failure. For higher availability requirements, a generator.

A.7.6: Working in secure areas

Additional rules apply in sensitive areas:

  • No unaccompanied visitors
  • No photography without permission
  • No personal recording devices (smartphones), if the protection need warrants it
  • Maintenance work by external service providers only under supervision

For a company with around 100 employees, these rules are mainly relevant for the server room. A smartphone ban in the general office area would be disproportionate.

A.7.7: Clear Desk and Clear Screen

What the Standard Requires

Rules for clearing the desk and locking the screen when away.

Why This Control Is So Frequently Cited

Clear desk and clear screen sound trivial but are difficult to enforce in practice. The rules are simple:

Clear desk: Confidential documents must not be left open on the desk when the employee leaves the workspace. They belong in locked cabinets or drawers. At the end of the workday, the desk is cleared.

Clear screen: The screen is locked when the employee leaves the workspace, even if it is just for a coffee. Automatic screen lock after a maximum of 5 to 10 minutes of inactivity serves as a technical safeguard.

The problem: many employees find these rules bothersome and forget them in daily work. The auditor then likes to do a "walkthrough" and check whether screens are unlocked and documents are lying around.

Implementation Tips

  • Enforce automatic screen lock technically (Group Policy, MDM)
  • Provide lockable pedestals or cabinets for every workspace
  • Regular awareness in training sessions
  • Spot-check inspections by the CISO, friendly and not as a "police patrol"
  • Positive reinforcement: praise rather than only criticize

A.7.8: Equipment Siting and Protection

Equipment must be sited and protected to minimize risks from environmental threats and unauthorized access.

Specifically, this means:

  • Servers are in the server room, not under the admin's desk
  • Printers with confidential printouts are in protected areas, not in the corridor
  • Network switches are in locked cabinets, not sitting openly on the floor
  • Laptops are secured against theft (Kensington lock, lockable cabinet)

A.7.9-A.7.10: Off-Premises Assets and Storage Media

A.7.9: Security of assets off-premises

Devices and information used outside the building (laptops in the home office, mobile devices on business trips) need additional protection:

  • Full-disk encryption on all mobile devices
  • No storage in an unattended car (at least not visibly)
  • No use in public places without a privacy screen
  • Mandatory reporting upon loss or theft

A.7.10: Storage media

Storage media (USB sticks, external hard drives, backup tapes) must be protected throughout their entire lifecycle:

  • Classification and labeling by protection need
  • Encryption during transport or storage outside secured areas
  • Secure storage
  • Documented issuance and return
  • Secure disposal at end of life (see A.7.14)

A.7.11-A.7.12: Supporting Utilities and Cabling

A.7.11: Supporting utilities

Supporting utilities such as power, air conditioning, telecommunications, and water must be protected against failure and sabotage.

Power supply: UPS for the server room, regular UPS tests (at least semi-annually), documented maintenance. UPS capacity must be sufficient to either bridge the time until the generator starts or allow a controlled server shutdown.

Climate control: Redundant air conditioning in the server room for high availability requirements. At minimum, temperature monitoring with alerting.

A.7.12: Cabling security

Cabling is an often underestimated aspect of physical security. Network cables running openly through corridors can be tapped. Damaged cables can cause outages.

Network cables: Cables should run in cable ducts, raised floors, or suspended ceilings and not be freely accessible. Network outlets in publicly accessible areas should be deactivated when not needed.

Power cables: Separate routing of network and power cables to avoid electromagnetic interference.

Patch panels and distribution: In locked cabinets, documented patching, no unlabeled cables.

A.7.13-A.7.14: Maintenance and Secure Disposal

A.7.13: Equipment maintenance

Equipment must be regularly maintained to ensure its availability and integrity. This primarily concerns UPS systems, air conditioning, fire alarm systems, and access control systems. Maintenance contracts with defined intervals and documented maintenance logs are the evidence for the auditor.

Important: When external service providers perform maintenance, the rules for working in secure areas (A.7.6) apply. For maintenance on IT systems, it must be ensured that the service provider does not gain unauthorized access to data.

A.7.14: Secure disposal or re-use of equipment

The secure disposal of equipment and data media is the last link in the chain of physical security — and one where surprisingly many companies fail.

Hard drives and SSDs: Before disposal or transfer, all data must be irreversibly erased. A simple format is not sufficient. For HDDs: multiple overwriting or physical destruction. For SSDs: secure erase via manufacturer tool or physical destruction (shredding). Document the erasure process with serial number, date, and method used.

Paper: Confidential paper documents belong in the shredder, not the waste paper bin. DIN 66399 defines security levels for destruction. For most business documents, security level P-4 (particle cut, max. 160 mm² particle size) is appropriate.

Other data media: CDs, DVDs, USB sticks, backup tapes, smartphone memory cards. All must be securely erased or physically destroyed before disposal.

Legacy devices: When devices are passed to employees, donated, or sold, a complete data erasure must take place beforehand. Ideally with documentation.

Typical Audit Findings for A.7

Finding 1: Server Room Insufficiently Secured

The server room has a simple interior door, no separate access control, and multiple persons have uncontrolled access.

Finding 2: No Visitor Policy

Visitors move freely through the building without being registered, logged, or escorted — a functioning visitor management process is missing.

Finding 3: Clear Desk Not Followed

During the walkthrough, the auditor finds confidential documents on desks, unlocked screens, and sticky notes with passwords on monitors.

Finding 4: No Documented Disposal

Hard drives are disposed of, but there is no documentation of the secure erasure. It cannot be proven that data was irreversibly erased before disposal.

Finding 5: Key Management Not Documented

There is no overview of who holds which keys or transponders. In case of loss or departure, the basis for a complete recall is missing.

How ISMS Lite Supports A.7

Controls with implementation guidance: ISMS Lite includes controls A.7.1 through A.7.14 with practical recommendations that show you which measures are appropriate for your organization — from perimeter to disposal.

AI-generated policies: The local AI generates a physical security policy covering zone concepts, access rules, and responsibilities — as a starting point that you adapt to your specific setup.

Versioning and approval: Every change to your policies is versioned and goes through an approval workflow. In an audit, you can always demonstrate who approved what and when.

Review reminders: Set reminders for regular inspections, UPS tests, or key management reviews so nothing falls through the cracks.

Implement physical security systematically

ISMS Lite gives you controls A.7.1 through A.7.14 with practical implementation guidance for perimeters, access control, and server rooms. The local AI generates a physical security policy based on your specific setup, and review reminders ensure regular inspections are never missed.