UnixTime

Research Note

ISO 27001 A.7.1 - Physical Security Perimeters

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area,...

On this page

Requirement

Requirement lens

This control is about defining and using physical boundaries around areas that contain information and associated assets.

“Security perimeters shall be defined and used to protect areas that contain information and other associated assets.”

Plain-language meaning

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area, reception barrier, secure office, server room, records archive, or customer-specific zone.

The perimeter must be real enough to control entry and, where needed, record entry and exit. A wall that stops at a suspended ceiling, a shared landlord master key, or an unmonitored internal door can break the assumed perimeter.

Why this matters

Information security is not only digital. People can steal equipment, view screens, access paper records, tamper with network gear, enter shared offices, or exploit weak reception and fire-door controls.

Physical control should be layered. Do not rely only on the outside door. Larger or higher-risk premises need internal zones so compromise of one area does not automatically expose everything else.

Implementation guidance

Implementer focus

Build a physical zone model from risk, not from the office floorplan alone. The question is what information and assets each area protects.

1. Identify areas containing information and associated assets

Examples include:

  • offices handling confidential information;
  • server rooms and network rooms;
  • records archives;
  • reception areas;
  • delivery and loading areas;
  • print rooms;
  • plant rooms supporting power, cooling, or network services;
  • customer-dedicated areas;
  • shared premises or multi-tenant floors.

2. Define zones and perimeters

Each protected zone should have a clear boundary and purpose.

Zone type Typical protection need
Public area Separate visitors/public from work areas
Reception Verify and control visitor entry
General office Protect business information and devices
Restricted office Protect classified, regulated, or customer-specific work
Server/network room Protect equipment, connectivity, and service availability
Records archive Protect paper records and evidence
Loading/delivery area Separate goods movement from secure areas

A zone model can be a diagram, floorplan, table, or site security model. It should show boundaries and controlled connections between zones.

3. Use risk assessment to select controls

Controls should reflect the risk of the area.

Examples:

  • reception desk or staffed entry;
  • walls, doors, locks, barriers, cages, or cabinets;
  • badge or access card controls;
  • visitor escort requirements;
  • CCTV or monitoring where appropriate;
  • fire-door controls that preserve safety and security;
  • alarms or intrusion detection;
  • after-hours access controls;
  • lone-working authorization or monitoring;
  • landlord/shared-building access controls and risk acceptance where relevant.

4. Check perimeter completeness

Do not assume a perimeter works because it appears on a plan. Check how it can be bypassed.

Examples:

  • internal wall stops at suspended ceiling;
  • shared building management has master keys;
  • fire doors are propped open;
  • reception is unattended;
  • loading bay connects directly to secure areas;
  • visitors can tailgate through staff doors;
  • out-of-hours cleaners or maintenance staff can access secure areas.

5. Define management procedures

Physical security procedures should define:

  • zone owners;
  • access authorization;
  • perimeter inspection;
  • key/card management;
  • out-of-hours and lone-working rules;
  • emergency evacuation handling;
  • visitor and contractor access;
  • exception handling;
  • review frequency.

Audit guidance

Auditor focus

Walk the site. Physical perimeter claims often fail through practical bypass routes that do not appear in policy.

Auditors should verify that physical security perimeters are defined, used, and appropriate for the information and assets they protect.

Audit testing should include:

  • zone/perimeter diagrams or registers;
  • physical security risk assessment;
  • walkthrough of boundaries, doors, walls, reception, fire exits, and shared areas;
  • review of normal and emergency entry/exit handling;
  • out-of-hours and lone-working controls;
  • landlord/building-management access arrangements;
  • evidence of perimeter inspections and reviews;
  • access records for sensitive zones where applicable;
  • interviews with facilities, security, reception, IT, and business owners.

The auditor should ask what each perimeter is intended to achieve, such as separating customer zones, protecting classified information, restricting server-room access, or controlling visitor movement.

Evidence examples

Evidence quality

Strong evidence links zones, assets, risk assessment, physical controls, ownership, and review.

Evidence What it proves
Physical security zone register Protected areas and zone purpose are defined
Site/floor security diagram Perimeters and zone boundaries are documented
Physical security risk assessment Controls are risk-based
Perimeter inspection checklist Boundaries are checked
Access control records Entry to sensitive areas is controlled
Reception/security procedures Public-to-secure transition is controlled
Fire exit/emergency procedure Emergency exits do not undermine security unnecessarily
Landlord/building access agreement Shared-premises access risk is managed
Out-of-hours access records After-hours entry is controlled

Strong evidence

  • Zones are defined based on assets, information classification, business process, and risk.
  • Perimeters are documented and physically complete enough for their purpose.
  • Entry and exit routes are controlled for sensitive zones.
  • Emergency exits preserve life safety while still being managed.
  • Out-of-hours and lone-working access is authorized and monitored where needed.
  • Shared-building and landlord access are risk-assessed.
  • Perimeters are reviewed after layout, tenancy, process, or asset changes.

Weak evidence

  • Building floorplan exists but no security zone model.
  • Perimeter does not reach above a suspended ceiling.
  • Fire doors are routinely propped open.
  • Shared landlord master key exists with no risk assessment.
  • Reception is unattended with no compensating control.
  • Sensitive assets sit in general office space without risk acceptance.
  • No review after office layout or business process changes.

Common failures

Implementation watchouts

The common failure is designing physical security like a coconut: hard outside, soft inside. Sensitive assets often need internal zones.

Failure Why it matters
Single perimeter thinking Insider or visitor access can expose sensitive zones
Shared premises not assessed Landlord/tenant access can bypass organization controls
Incomplete physical boundary Walls, ceilings, and doors may not actually separate zones
Emergency routes ignored Fire exits can become uncontrolled access routes
No out-of-hours controls Access risk changes when reception/security is absent
No zone owner Perimeters decay without accountability
No link to asset classification Physical controls may not match information sensitivity

Exam traps

Exam focus

Physical security perimeters are about defined and used boundaries, not just locked front doors.

Trap Correct interpretation
One building perimeter is always enough Larger or higher-risk environments may need multiple zones
Perimeter means only the outside wall Internal rooms, floors, cages, archives, and customer zones can be perimeters
Physical security protects only against outsiders Internal personnel and visitors can also be threats
Emergency exits can be ignored They must support safety while still being managed as access paths
Floorplan equals perimeter control Auditors need evidence that controls operate and boundaries are complete
Shared building access is the landlord’s problem only Shared access should be risk-assessed and controlled contractually or procedurally

KB-ready summary

  • A.7.1 requires defined and used security perimeters for areas containing information and associated assets.
  • Physical zones should be based on risk, information sensitivity, assets, business process, and occupancy.
  • Perimeters can be external or internal.
  • Multiple zones may be needed for larger or higher-risk premises.
  • Auditors should inspect actual bypass paths, not only diagrams.
  • Shared premises, emergency exits, out-of-hours access, and incomplete walls are common weak points.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Physical security
  • Security perimeters
  • Audit

Note Metadata

Aliases: A.7.1, Physical Security Perimeters

Source: 04 Annex A Physical Controls/A.7.1 Physical Security Perimeters.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.