Requirement
Requirement lens
This control asks whether physical security has been designed into offices, rooms, and facilities based on the information and assets inside them.
“Physical security for offices, rooms and facilities shall be designed and implemented.”
Plain-language meaning
The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.
Protection should match the value, liability, and importance of information and associated assets in the area. A general meeting room, a finance records room, a call center handling customer data, and a server room do not need the same controls.
Why this matters
Physical areas can expose confidentiality, integrity, and availability. People can view documents, overhear calls, find internal directories, identify target rooms from signage, tamper with equipment, or concentrate too much critical information in one place.
Centralized repositories and critical rooms create higher impact. If one room contains core records, backups, privileged equipment, network connections, or sensitive files, the physical protection around that room needs to be stronger.
Implementation guidance
Implementer focus
Start with what happens in the room and what information/assets are inside. Then decide the physical design and controls.
1. Identify offices, rooms, and facilities requiring controls
Examples include:
- server rooms and network rooms;
- records archives;
- rooms processing classified or regulated information;
- finance, HR, legal, and customer service work areas;
- security operations areas;
- print/mail rooms;
- backup media storage;
- plant rooms supporting ICT services;
- rooms used by different customers or projects.
2. Match controls to value, liability, and importance
Use risk assessment to decide the control level.
| Area factor | Control implication |
|---|---|
| High confidentiality | Stronger access restriction, no visible clues, clear-desk/clear-screen, visitor restrictions |
| High availability | Environmental and physical resilience, controlled plant room access |
| High integrity | Tamper prevention, restricted access, monitoring or logging |
| Legal or contractual liability | Evidence of access control, segregation, and handling rules |
| Centralized information | Stronger protection because impact is concentrated |
The control should not be guessed from room labels. It should be tied to the information and assets present.
3. Avoid unnecessary clues about targets
Do not make sensitive rooms easy to identify.
Examples of weak practice:
- signs pointing to the server room;
- room names exposing purpose, such as “Payroll Records”;
- internal telephone directories accessible to visitors;
- printed internal contact lists at reception;
- door codes written on whiteboards or notice boards.
The goal is not secrecy theatre. It is avoiding unnecessary targeting information for unauthorized persons.
4. Control internal information exposure
Controls may include:
- clear desk and clear screen;
- secure storage for records and media;
- restricted room access;
- visitor escort and movement limits;
- secure disposal bins;
- privacy screens where needed;
- restrictions on notice boards and internal lists;
- rules for room booking and shared spaces.
5. Consider special controls only when justified
Some controls, such as electromagnetic shielding, can be relevant in specific contexts but can also disrupt normal operations, mobile connectivity, emergency communications, and business continuity.
Use risk assessment before applying specialized controls. Strong controls that break business operations are not automatically better.
Audit guidance
Auditor focus
Test whether room protection matches the most sensitive and critical information in the area.
Auditors should verify that physical security requirements have been identified for offices, rooms, and facilities and that implemented controls are adequate for the risk.
Audit testing should include:
- room/facility security assessment;
- classification or asset mapping for rooms;
- secure-area procedures;
- physical walkthrough;
- review of room labels, signs, directories, notice boards, and phone lists;
- access restrictions for sensitive rooms;
- handling procedures for classified information;
- evidence that controls align with risk assessment;
- review of centralized information repositories and high-value rooms.
The auditor should try to identify sensitive room purposes from visible clues and check whether internal directories or access codes are exposed to unauthorized persons.
Evidence examples
Evidence quality
Strong evidence links room purpose, information/assets, risk, implemented controls, and review.
| Evidence | What it proves |
|---|---|
| Room/facility security assessment | Controls are selected based on area risk |
| Asset/classification mapping | Protection matches information sensitivity |
| Secure room control list | Required controls are documented |
| Physical walkthrough evidence | Controls operate in the actual facility |
| Signage review | Sensitive locations are not unnecessarily exposed |
| Directory/contact list control | Internal information is not exposed to outsiders |
| Access control records | Sensitive rooms are restricted |
| Clear desk/clear screen checks | Information exposure is controlled |
Strong evidence
- Controls are based on value, liability, importance, and classification of information/assets.
- Sensitive rooms do not reveal their purpose unnecessarily.
- Internal directories, phone lists, and access codes are not exposed to outsiders.
- Physical controls match the most sensitive and critical information in the area.
- Centralized repositories have stronger protection.
- Specialized controls are risk-assessed before implementation.
- Room security is reviewed after layout, asset, process, or classification changes.
Weak evidence
- Server room or records room is clearly signposted.
- Internal phone lists are visible at reception or public areas.
- Door codes are written on notice boards or whiteboards.
- Room security is based on habit, not risk assessment.
- High-value records are stored in ordinary rooms with no added controls.
- Centralized repositories are not treated as higher impact.
- Specialized controls are implemented without business continuity consideration.
Common failures
Implementation watchouts
The common failure is protecting the building while leaking sensitive room purpose, contact lists, or access clues inside the building.
| Failure | Why it matters |
|---|---|
| Sensitive room signage | Makes targets easier to identify |
| Internal directories exposed | Helps social engineering and targeting |
| Access codes visible | Defeats the access control |
| Room controls not risk-based | Protection may be too weak or unnecessarily disruptive |
| Centralized repositories underestimated | Single compromise can have high impact |
| Shared spaces not controlled | Confidential work can leak through ordinary rooms |
| Specialized controls added blindly | Can impair operations or continuity |
Exam traps
Exam focus
A.7.3 is about designing physical security for offices, rooms, and facilities based on the information and assets inside them.
| Trap | Correct interpretation |
|---|---|
| A.7.3 is the same as A.7.1 | A.7.1 defines perimeters; A.7.3 designs protection for offices, rooms, and facilities |
| Room names and signs are harmless | Signs can reveal high-value targets |
| Internal directories are low risk | They can support social engineering and targeting |
| More specialized physical controls are always better | Controls such as shielding should be risk-justified and operationally workable |
| All rooms need the same controls | Controls should match value, liability, importance, and classification |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.1 Physical Security Perimeters
- A.7.2 Physical Entry
- A.7.4 Physical Security Monitoring
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.12 Classification of Information
- A.5.15 Access Control
- Risk Assessment
- Office Room and Facility Security Assessment
- Sensitive Room Signage and Directory Review
- A.7.3 Audit Evidence Pack
- A.7.3 Audit Checklist
KB-ready summary
- A.7.3 requires physical security for offices, rooms, and facilities to be designed and implemented.
- Controls should match the value, liability, importance, and classification of information/assets inside.
- Risk assessment should support design choices.
- Avoid visible clues that identify sensitive rooms, systems, directories, or access codes.
- Centralized repositories need stronger protection because impact is concentrated.
- Specialized controls should be used only where context justifies them.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Offices
- Facilities
- Secure areas
- Audit
Note Metadata
Aliases: A.7.3, Securing Offices Rooms and Facilities, Securing Offices, Rooms and Facilities
Source: 04 Annex A Physical Controls/A.7.3 Securing Offices Rooms and Facilities.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.8 - Equipment Siting and Protection
- A.7 Physical Controls MOC
- A.7.3 Audit Evidence Pack
- AQ-ISO27001-A.7.3 Securing Offices, Rooms and Facilities
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.3 Securing Offices, Rooms and Facilities
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-021 - Room Security and Physical Monitoring
- ISO 27002 Annex A Control Interpretation Map
- A.7.3 Audit Checklist
- Office Room and Facility Security Assessment
- Sensitive Room Signage and Directory Review
- Annex A Controls MOC