Requirement
Requirement lens
This control is about defining and using physical boundaries around areas that contain information and associated assets.
“Security perimeters shall be defined and used to protect areas that contain information and other associated assets.”
Plain-language meaning
The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area, reception barrier, secure office, server room, records archive, or customer-specific zone.
The perimeter must be real enough to control entry and, where needed, record entry and exit. A wall that stops at a suspended ceiling, a shared landlord master key, or an unmonitored internal door can break the assumed perimeter.
Why this matters
Information security is not only digital. People can steal equipment, view screens, access paper records, tamper with network gear, enter shared offices, or exploit weak reception and fire-door controls.
Physical control should be layered. Do not rely only on the outside door. Larger or higher-risk premises need internal zones so compromise of one area does not automatically expose everything else.
Implementation guidance
Implementer focus
Build a physical zone model from risk, not from the office floorplan alone. The question is what information and assets each area protects.
1. Identify areas containing information and associated assets
Examples include:
- offices handling confidential information;
- server rooms and network rooms;
- records archives;
- reception areas;
- delivery and loading areas;
- print rooms;
- plant rooms supporting power, cooling, or network services;
- customer-dedicated areas;
- shared premises or multi-tenant floors.
2. Define zones and perimeters
Each protected zone should have a clear boundary and purpose.
| Zone type | Typical protection need |
|---|---|
| Public area | Separate visitors/public from work areas |
| Reception | Verify and control visitor entry |
| General office | Protect business information and devices |
| Restricted office | Protect classified, regulated, or customer-specific work |
| Server/network room | Protect equipment, connectivity, and service availability |
| Records archive | Protect paper records and evidence |
| Loading/delivery area | Separate goods movement from secure areas |
A zone model can be a diagram, floorplan, table, or site security model. It should show boundaries and controlled connections between zones.
3. Use risk assessment to select controls
Controls should reflect the risk of the area.
Examples:
- reception desk or staffed entry;
- walls, doors, locks, barriers, cages, or cabinets;
- badge or access card controls;
- visitor escort requirements;
- CCTV or monitoring where appropriate;
- fire-door controls that preserve safety and security;
- alarms or intrusion detection;
- after-hours access controls;
- lone-working authorization or monitoring;
- landlord/shared-building access controls and risk acceptance where relevant.
4. Check perimeter completeness
Do not assume a perimeter works because it appears on a plan. Check how it can be bypassed.
Examples:
- internal wall stops at suspended ceiling;
- shared building management has master keys;
- fire doors are propped open;
- reception is unattended;
- loading bay connects directly to secure areas;
- visitors can tailgate through staff doors;
- out-of-hours cleaners or maintenance staff can access secure areas.
5. Define management procedures
Physical security procedures should define:
- zone owners;
- access authorization;
- perimeter inspection;
- key/card management;
- out-of-hours and lone-working rules;
- emergency evacuation handling;
- visitor and contractor access;
- exception handling;
- review frequency.
Audit guidance
Auditor focus
Walk the site. Physical perimeter claims often fail through practical bypass routes that do not appear in policy.
Auditors should verify that physical security perimeters are defined, used, and appropriate for the information and assets they protect.
Audit testing should include:
- zone/perimeter diagrams or registers;
- physical security risk assessment;
- walkthrough of boundaries, doors, walls, reception, fire exits, and shared areas;
- review of normal and emergency entry/exit handling;
- out-of-hours and lone-working controls;
- landlord/building-management access arrangements;
- evidence of perimeter inspections and reviews;
- access records for sensitive zones where applicable;
- interviews with facilities, security, reception, IT, and business owners.
The auditor should ask what each perimeter is intended to achieve, such as separating customer zones, protecting classified information, restricting server-room access, or controlling visitor movement.
Evidence examples
Evidence quality
Strong evidence links zones, assets, risk assessment, physical controls, ownership, and review.
| Evidence | What it proves |
|---|---|
| Physical security zone register | Protected areas and zone purpose are defined |
| Site/floor security diagram | Perimeters and zone boundaries are documented |
| Physical security risk assessment | Controls are risk-based |
| Perimeter inspection checklist | Boundaries are checked |
| Access control records | Entry to sensitive areas is controlled |
| Reception/security procedures | Public-to-secure transition is controlled |
| Fire exit/emergency procedure | Emergency exits do not undermine security unnecessarily |
| Landlord/building access agreement | Shared-premises access risk is managed |
| Out-of-hours access records | After-hours entry is controlled |
Strong evidence
- Zones are defined based on assets, information classification, business process, and risk.
- Perimeters are documented and physically complete enough for their purpose.
- Entry and exit routes are controlled for sensitive zones.
- Emergency exits preserve life safety while still being managed.
- Out-of-hours and lone-working access is authorized and monitored where needed.
- Shared-building and landlord access are risk-assessed.
- Perimeters are reviewed after layout, tenancy, process, or asset changes.
Weak evidence
- Building floorplan exists but no security zone model.
- Perimeter does not reach above a suspended ceiling.
- Fire doors are routinely propped open.
- Shared landlord master key exists with no risk assessment.
- Reception is unattended with no compensating control.
- Sensitive assets sit in general office space without risk acceptance.
- No review after office layout or business process changes.
Common failures
Implementation watchouts
The common failure is designing physical security like a coconut: hard outside, soft inside. Sensitive assets often need internal zones.
| Failure | Why it matters |
|---|---|
| Single perimeter thinking | Insider or visitor access can expose sensitive zones |
| Shared premises not assessed | Landlord/tenant access can bypass organization controls |
| Incomplete physical boundary | Walls, ceilings, and doors may not actually separate zones |
| Emergency routes ignored | Fire exits can become uncontrolled access routes |
| No out-of-hours controls | Access risk changes when reception/security is absent |
| No zone owner | Perimeters decay without accountability |
| No link to asset classification | Physical controls may not match information sensitivity |
Exam traps
Exam focus
Physical security perimeters are about defined and used boundaries, not just locked front doors.
| Trap | Correct interpretation |
|---|---|
| One building perimeter is always enough | Larger or higher-risk environments may need multiple zones |
| Perimeter means only the outside wall | Internal rooms, floors, cages, archives, and customer zones can be perimeters |
| Physical security protects only against outsiders | Internal personnel and visitors can also be threats |
| Emergency exits can be ignored | They must support safety while still being managed as access paths |
| Floorplan equals perimeter control | Auditors need evidence that controls operate and boundaries are complete |
| Shared building access is the landlord’s problem only | Shared access should be risk-assessed and controlled contractually or procedurally |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.2 Physical Entry
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.12 Classification of Information
- A.5.15 Access Control
- A.5.18 Access Rights
- A.6.7 Remote Working
- Risk Assessment
- Statement of Applicability
- Physical Security Zone Register
- Physical Security Perimeter Review Checklist
- A.7.1 Audit Evidence Pack
- A.7.1 Audit Checklist
KB-ready summary
- A.7.1 requires defined and used security perimeters for areas containing information and associated assets.
- Physical zones should be based on risk, information sensitivity, assets, business process, and occupancy.
- Perimeters can be external or internal.
- Multiple zones may be needed for larger or higher-risk premises.
- Auditors should inspect actual bypass paths, not only diagrams.
- Shared premises, emergency exits, out-of-hours access, and incomplete walls are common weak points.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Physical security
- Security perimeters
- Audit
Note Metadata
Aliases: A.7.1, Physical Security Perimeters
Source: 04 Annex A Physical Controls/A.7.1 Physical Security Perimeters.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.6 - Working in Secure Areas
- A.7 Physical Controls MOC
- A.7.1 Audit Evidence Pack
- AQ-ISO27001-A.7.1 Physical Security Perimeters
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.1 Physical Security Perimeters
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-020 - Physical Perimeters and Entry
- ISO 27002 Annex A Control Interpretation Map
- A.7.1 Audit Checklist
- Office Room and Facility Security Assessment
- Physical Security Perimeter Review Checklist
- Physical Security Zone Register
- Visitor Access Log
- Annex A Controls MOC