Requirement
Requirement lens
This control is about controlling access points into secure areas. It turns physical perimeters into enforceable entry controls.
“Secure areas shall be protected by appropriate entry controls and access points.”
Plain-language meaning
If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are controlled, and how access records are reviewed.
Secure areas can include the full premises, server rooms, network rooms, records rooms, plant rooms, sensitive clerical areas, delivery/loading areas, and customer-specific spaces.
Why this matters
Physical entry can become the weakest link. A system may require strong authentication, but if someone can walk into the network room, steal equipment, tamper with cabling, view paper records, or tailgate through a door, the logical controls are undermined.
Delivery and loading areas are especially risky because strangers entering and leaving can look normal. Without controls, unauthorized people or goods movement can bypass the secure perimeter.
Implementation guidance
Implementer focus
Treat physical access like system access: authorize it, authenticate it, log it where needed, review it, and remove it when no longer required.
1. Identify secure areas
Secure areas should be determined by risk assessment.
Examples:
- server rooms;
- network equipment rooms;
- power, cooling, and plant rooms;
- records archives;
- areas handling sensitive customer or financial information;
- delivery and loading areas;
- print/mail rooms;
- customer-specific or regulated work areas.
Different secure areas may need different entry controls.
2. Define entry controls
Controls may include:
- staff ID badge checks;
- access cards or keys;
- PIN or password;
- biometric verification where lawful and proportionate;
- locked doors, barriers, turnstiles, or mantraps;
- reception verification;
- visitor registration and escorting;
- visible badges for staff and visitors;
- challenge process for unbadged persons;
- access logs and review.
Badges only work if people wear them and unbadged persons are challenged.
3. Manage physical access rights
Physical access should be authorized and reviewed.
Access rights may be defined in:
- job roles;
- access control systems;
- procedures;
- room access lists;
- door-level restrictions;
- manager approvals.
The organization should review physical access rights when roles change, employment ends, contractors leave, or secure-area requirements change.
4. Control visitors
Visitor controls should cover:
- registration;
- identity check where appropriate;
- badge issue and return;
- escort requirements;
- areas permitted;
- entry and exit logging;
- confidentiality or safety briefing where needed.
Visitors should not be able to become “staff” simply by removing a visitor badge in an environment where staff do not consistently wear identification.
5. Control deliveries and loading areas
Delivery/loading areas should be isolated from secure areas where possible.
Controls should include:
- expected delivery verification;
- authorized collection/despatch;
- delivery driver and vehicle recording;
- inspection of incoming goods for threats;
- controls over movement from loading area into secure areas;
- complete records of deliveries and despatches;
- asset inventory updates for relevant incoming/outgoing assets.
Risks include unauthorized despatch, malicious delivery, theft, tampering, and public access through loading routes.
Audit guidance
Auditor focus
Observe behavior. If staff do not wear badges or challenge unbadged people, the written control is weak.
Auditors should verify that entry controls restrict secure-area access to authorized people and that access records are reviewed.
Audit testing should include:
- secure-area list and risk assessment;
- access authorization rules;
- physical access logs and reviews;
- badge, key, card, PIN, or biometric controls;
- visitor entry/exit records;
- visitor escort practices;
- challenge behavior for unbadged persons;
- delivery/loading area procedures;
- delivery/despatch records;
- asset inventory updates after goods movement;
- emergency access handling.
The auditor should pay attention to whether the delivery/loading route can bypass reception or internal secure-area controls.
Evidence examples
Evidence quality
Strong evidence proves that physical access is authorized, recorded where needed, reviewed, and revoked when no longer required.
| Evidence | What it proves |
|---|---|
| Secure-area register | Areas requiring entry controls are defined |
| Physical access authorization record | Access is approved |
| Access logs | Entry is recorded |
| Physical access review | Access remains appropriate |
| Visitor log | Visitors are registered and tracked |
| Badge procedure | Identification expectations are defined |
| Delivery/despatch log | Goods movement is controlled |
| Loading area procedure | Public/delivery access is separated from secure areas |
| Asset inventory update | Incoming/outgoing assets are reflected in records |
Strong evidence
- Secure areas are identified by risk assessment.
- Entry controls match the sensitivity and risk of each area.
- Staff and visitor badges are consistently used.
- Visitors are registered, escorted, restricted, and logged.
- Unbadged persons are challenged.
- Physical access rights are reviewed and updated.
- Delivery/loading areas are separated from secure zones.
- Delivery/despatch records include driver/vehicle details where appropriate.
- Asset inventory is updated when relevant assets enter or leave.
Weak evidence
- Staff badge policy exists but staff do not wear badges.
- Visitor log exists but visitors move unescorted.
- Physical access rights are never reviewed.
- Old employees or contractors retain access cards.
- Server room keys are shared with no log.
- Delivery drivers can access internal areas.
- Goods are left unattended in secure areas.
- Asset inventory is not updated after deliveries or despatch.
Common failures
Implementation watchouts
Physical entry controls fail when people normalize convenience: propped doors, shared keys, unchallenged visitors, and casual deliveries.
| Failure | Why it matters |
|---|---|
| Badge culture absent | Visitors can blend in |
| No access review | Former staff or old roles retain physical access |
| Shared keys or codes | Accountability is lost |
| Visitor escort not enforced | Visitor movement becomes uncontrolled |
| Loading bay bypass | Delivery routes undermine secure areas |
| No delivery/despatch records | Goods and assets can be lost or stolen |
| Physical access not linked to HR changes | Leavers and movers retain access |
Exam traps
Exam focus
Physical entry is not the same as physical perimeter. A.7.1 defines and uses boundaries; A.7.2 controls access points into secure areas.
| Trap | Correct interpretation |
|---|---|
| Reception desk alone is enough | Secure areas may need door-level, room-level, visitor, and delivery controls |
| Staff badges work even if not worn | Badge discipline and challenge culture are part of control operation |
| Visitors are safe if they sign in | Visitors may need escorting, restrictions, and exit logging |
| Delivery areas are operational, not security | Loading/despatch routes can bypass secure areas |
| Physical access does not need review | Physical access rights should be reviewed and updated like logical access |
| Asset inventory is unrelated | Deliveries/despatches should update inventory where relevant |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.1 Physical Security Perimeters
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.11 Return of Assets
- A.5.15 Access Control
- A.5.18 Access Rights
- A.6.5 Responsibilities After Termination or Change of Employment
- Risk Assessment
- Secure Area Access Register
- Visitor Access Log
- Delivery and Loading Area Security Checklist
- Physical Entry Access Review
- A.7.2 Audit Evidence Pack
- A.7.2 Audit Checklist
KB-ready summary
- A.7.2 requires appropriate entry controls and access points for secure areas.
- Secure areas should be identified by risk assessment.
- Physical access should be authorized, controlled, logged where needed, reviewed, and removed when no longer required.
- Visitor controls should include registration, badges, escorting, restrictions, and exit handling.
- Delivery/loading areas can bypass security if not separated and controlled.
- Auditors should observe behavior, not only review procedures.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Physical entry
- Access control
- Audit
Note Metadata
Aliases: A.7.2, Physical Entry
Source: 04 Annex A Physical Controls/A.7.2 Physical Entry.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Control
ISO 27001 A.7.2 - Physical EntryRequirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.6 - Working in Secure Areas
- A.7 Physical Controls MOC
- A.7.2 Audit Evidence Pack
- AQ-ISO27001-A.7.2 Physical Entry
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.2 Physical Entry
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-020 - Physical Perimeters and Entry
- ISO 27002 Annex A Control Interpretation Map
- A.7.2 Audit Checklist
- Delivery and Loading Area Security Checklist
- Physical Entry Access Review
- Physical Security Zone Register
- Secure Area Access Register
- Secure Area Working Procedure
- Visitor Access Log
- Annex A Controls MOC