UnixTime

Research Note

ISO 27001 A.7.2 - Physical Entry

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are...

On this page

Requirement

Requirement lens

This control is about controlling access points into secure areas. It turns physical perimeters into enforceable entry controls.

“Secure areas shall be protected by appropriate entry controls and access points.”

Plain-language meaning

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are controlled, and how access records are reviewed.

Secure areas can include the full premises, server rooms, network rooms, records rooms, plant rooms, sensitive clerical areas, delivery/loading areas, and customer-specific spaces.

Why this matters

Physical entry can become the weakest link. A system may require strong authentication, but if someone can walk into the network room, steal equipment, tamper with cabling, view paper records, or tailgate through a door, the logical controls are undermined.

Delivery and loading areas are especially risky because strangers entering and leaving can look normal. Without controls, unauthorized people or goods movement can bypass the secure perimeter.

Implementation guidance

Implementer focus

Treat physical access like system access: authorize it, authenticate it, log it where needed, review it, and remove it when no longer required.

1. Identify secure areas

Secure areas should be determined by risk assessment.

Examples:

  • server rooms;
  • network equipment rooms;
  • power, cooling, and plant rooms;
  • records archives;
  • areas handling sensitive customer or financial information;
  • delivery and loading areas;
  • print/mail rooms;
  • customer-specific or regulated work areas.

Different secure areas may need different entry controls.

2. Define entry controls

Controls may include:

  • staff ID badge checks;
  • access cards or keys;
  • PIN or password;
  • biometric verification where lawful and proportionate;
  • locked doors, barriers, turnstiles, or mantraps;
  • reception verification;
  • visitor registration and escorting;
  • visible badges for staff and visitors;
  • challenge process for unbadged persons;
  • access logs and review.

Badges only work if people wear them and unbadged persons are challenged.

3. Manage physical access rights

Physical access should be authorized and reviewed.

Access rights may be defined in:

  • job roles;
  • access control systems;
  • procedures;
  • room access lists;
  • door-level restrictions;
  • manager approvals.

The organization should review physical access rights when roles change, employment ends, contractors leave, or secure-area requirements change.

4. Control visitors

Visitor controls should cover:

  • registration;
  • identity check where appropriate;
  • badge issue and return;
  • escort requirements;
  • areas permitted;
  • entry and exit logging;
  • confidentiality or safety briefing where needed.

Visitors should not be able to become “staff” simply by removing a visitor badge in an environment where staff do not consistently wear identification.

5. Control deliveries and loading areas

Delivery/loading areas should be isolated from secure areas where possible.

Controls should include:

  • expected delivery verification;
  • authorized collection/despatch;
  • delivery driver and vehicle recording;
  • inspection of incoming goods for threats;
  • controls over movement from loading area into secure areas;
  • complete records of deliveries and despatches;
  • asset inventory updates for relevant incoming/outgoing assets.

Risks include unauthorized despatch, malicious delivery, theft, tampering, and public access through loading routes.

Audit guidance

Auditor focus

Observe behavior. If staff do not wear badges or challenge unbadged people, the written control is weak.

Auditors should verify that entry controls restrict secure-area access to authorized people and that access records are reviewed.

Audit testing should include:

  • secure-area list and risk assessment;
  • access authorization rules;
  • physical access logs and reviews;
  • badge, key, card, PIN, or biometric controls;
  • visitor entry/exit records;
  • visitor escort practices;
  • challenge behavior for unbadged persons;
  • delivery/loading area procedures;
  • delivery/despatch records;
  • asset inventory updates after goods movement;
  • emergency access handling.

The auditor should pay attention to whether the delivery/loading route can bypass reception or internal secure-area controls.

Evidence examples

Evidence quality

Strong evidence proves that physical access is authorized, recorded where needed, reviewed, and revoked when no longer required.

Evidence What it proves
Secure-area register Areas requiring entry controls are defined
Physical access authorization record Access is approved
Access logs Entry is recorded
Physical access review Access remains appropriate
Visitor log Visitors are registered and tracked
Badge procedure Identification expectations are defined
Delivery/despatch log Goods movement is controlled
Loading area procedure Public/delivery access is separated from secure areas
Asset inventory update Incoming/outgoing assets are reflected in records

Strong evidence

  • Secure areas are identified by risk assessment.
  • Entry controls match the sensitivity and risk of each area.
  • Staff and visitor badges are consistently used.
  • Visitors are registered, escorted, restricted, and logged.
  • Unbadged persons are challenged.
  • Physical access rights are reviewed and updated.
  • Delivery/loading areas are separated from secure zones.
  • Delivery/despatch records include driver/vehicle details where appropriate.
  • Asset inventory is updated when relevant assets enter or leave.

Weak evidence

  • Staff badge policy exists but staff do not wear badges.
  • Visitor log exists but visitors move unescorted.
  • Physical access rights are never reviewed.
  • Old employees or contractors retain access cards.
  • Server room keys are shared with no log.
  • Delivery drivers can access internal areas.
  • Goods are left unattended in secure areas.
  • Asset inventory is not updated after deliveries or despatch.

Common failures

Implementation watchouts

Physical entry controls fail when people normalize convenience: propped doors, shared keys, unchallenged visitors, and casual deliveries.

Failure Why it matters
Badge culture absent Visitors can blend in
No access review Former staff or old roles retain physical access
Shared keys or codes Accountability is lost
Visitor escort not enforced Visitor movement becomes uncontrolled
Loading bay bypass Delivery routes undermine secure areas
No delivery/despatch records Goods and assets can be lost or stolen
Physical access not linked to HR changes Leavers and movers retain access

Exam traps

Exam focus

Physical entry is not the same as physical perimeter. A.7.1 defines and uses boundaries; A.7.2 controls access points into secure areas.

Trap Correct interpretation
Reception desk alone is enough Secure areas may need door-level, room-level, visitor, and delivery controls
Staff badges work even if not worn Badge discipline and challenge culture are part of control operation
Visitors are safe if they sign in Visitors may need escorting, restrictions, and exit logging
Delivery areas are operational, not security Loading/despatch routes can bypass secure areas
Physical access does not need review Physical access rights should be reviewed and updated like logical access
Asset inventory is unrelated Deliveries/despatches should update inventory where relevant

KB-ready summary

  • A.7.2 requires appropriate entry controls and access points for secure areas.
  • Secure areas should be identified by risk assessment.
  • Physical access should be authorized, controlled, logged where needed, reviewed, and removed when no longer required.
  • Visitor controls should include registration, badges, escorting, restrictions, and exit handling.
  • Delivery/loading areas can bypass security if not separated and controlled.
  • Auditors should observe behavior, not only review procedures.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Physical entry
  • Access control
  • Audit

Note Metadata

Aliases: A.7.2, Physical Entry

Source: 04 Annex A Physical Controls/A.7.2 Physical Entry.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.