UnixTime

Research Note

ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

On this page

Requirement

Requirement lens

This control asks whether physical security has been designed into offices, rooms, and facilities based on the information and assets inside them.

“Physical security for offices, rooms and facilities shall be designed and implemented.”

Plain-language meaning

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

Protection should match the value, liability, and importance of information and associated assets in the area. A general meeting room, a finance records room, a call center handling customer data, and a server room do not need the same controls.

Why this matters

Physical areas can expose confidentiality, integrity, and availability. People can view documents, overhear calls, find internal directories, identify target rooms from signage, tamper with equipment, or concentrate too much critical information in one place.

Centralized repositories and critical rooms create higher impact. If one room contains core records, backups, privileged equipment, network connections, or sensitive files, the physical protection around that room needs to be stronger.

Implementation guidance

Implementer focus

Start with what happens in the room and what information/assets are inside. Then decide the physical design and controls.

1. Identify offices, rooms, and facilities requiring controls

Examples include:

  • server rooms and network rooms;
  • records archives;
  • rooms processing classified or regulated information;
  • finance, HR, legal, and customer service work areas;
  • security operations areas;
  • print/mail rooms;
  • backup media storage;
  • plant rooms supporting ICT services;
  • rooms used by different customers or projects.

2. Match controls to value, liability, and importance

Use risk assessment to decide the control level.

Area factor Control implication
High confidentiality Stronger access restriction, no visible clues, clear-desk/clear-screen, visitor restrictions
High availability Environmental and physical resilience, controlled plant room access
High integrity Tamper prevention, restricted access, monitoring or logging
Legal or contractual liability Evidence of access control, segregation, and handling rules
Centralized information Stronger protection because impact is concentrated

The control should not be guessed from room labels. It should be tied to the information and assets present.

3. Avoid unnecessary clues about targets

Do not make sensitive rooms easy to identify.

Examples of weak practice:

  • signs pointing to the server room;
  • room names exposing purpose, such as “Payroll Records”;
  • internal telephone directories accessible to visitors;
  • printed internal contact lists at reception;
  • door codes written on whiteboards or notice boards.

The goal is not secrecy theatre. It is avoiding unnecessary targeting information for unauthorized persons.

4. Control internal information exposure

Controls may include:

  • clear desk and clear screen;
  • secure storage for records and media;
  • restricted room access;
  • visitor escort and movement limits;
  • secure disposal bins;
  • privacy screens where needed;
  • restrictions on notice boards and internal lists;
  • rules for room booking and shared spaces.

5. Consider special controls only when justified

Some controls, such as electromagnetic shielding, can be relevant in specific contexts but can also disrupt normal operations, mobile connectivity, emergency communications, and business continuity.

Use risk assessment before applying specialized controls. Strong controls that break business operations are not automatically better.

Audit guidance

Auditor focus

Test whether room protection matches the most sensitive and critical information in the area.

Auditors should verify that physical security requirements have been identified for offices, rooms, and facilities and that implemented controls are adequate for the risk.

Audit testing should include:

  • room/facility security assessment;
  • classification or asset mapping for rooms;
  • secure-area procedures;
  • physical walkthrough;
  • review of room labels, signs, directories, notice boards, and phone lists;
  • access restrictions for sensitive rooms;
  • handling procedures for classified information;
  • evidence that controls align with risk assessment;
  • review of centralized information repositories and high-value rooms.

The auditor should try to identify sensitive room purposes from visible clues and check whether internal directories or access codes are exposed to unauthorized persons.

Evidence examples

Evidence quality

Strong evidence links room purpose, information/assets, risk, implemented controls, and review.

Evidence What it proves
Room/facility security assessment Controls are selected based on area risk
Asset/classification mapping Protection matches information sensitivity
Secure room control list Required controls are documented
Physical walkthrough evidence Controls operate in the actual facility
Signage review Sensitive locations are not unnecessarily exposed
Directory/contact list control Internal information is not exposed to outsiders
Access control records Sensitive rooms are restricted
Clear desk/clear screen checks Information exposure is controlled

Strong evidence

  • Controls are based on value, liability, importance, and classification of information/assets.
  • Sensitive rooms do not reveal their purpose unnecessarily.
  • Internal directories, phone lists, and access codes are not exposed to outsiders.
  • Physical controls match the most sensitive and critical information in the area.
  • Centralized repositories have stronger protection.
  • Specialized controls are risk-assessed before implementation.
  • Room security is reviewed after layout, asset, process, or classification changes.

Weak evidence

  • Server room or records room is clearly signposted.
  • Internal phone lists are visible at reception or public areas.
  • Door codes are written on notice boards or whiteboards.
  • Room security is based on habit, not risk assessment.
  • High-value records are stored in ordinary rooms with no added controls.
  • Centralized repositories are not treated as higher impact.
  • Specialized controls are implemented without business continuity consideration.

Common failures

Implementation watchouts

The common failure is protecting the building while leaking sensitive room purpose, contact lists, or access clues inside the building.

Failure Why it matters
Sensitive room signage Makes targets easier to identify
Internal directories exposed Helps social engineering and targeting
Access codes visible Defeats the access control
Room controls not risk-based Protection may be too weak or unnecessarily disruptive
Centralized repositories underestimated Single compromise can have high impact
Shared spaces not controlled Confidential work can leak through ordinary rooms
Specialized controls added blindly Can impair operations or continuity

Exam traps

Exam focus

A.7.3 is about designing physical security for offices, rooms, and facilities based on the information and assets inside them.

Trap Correct interpretation
A.7.3 is the same as A.7.1 A.7.1 defines perimeters; A.7.3 designs protection for offices, rooms, and facilities
Room names and signs are harmless Signs can reveal high-value targets
Internal directories are low risk They can support social engineering and targeting
More specialized physical controls are always better Controls such as shielding should be risk-justified and operationally workable
All rooms need the same controls Controls should match value, liability, importance, and classification

KB-ready summary

  • A.7.3 requires physical security for offices, rooms, and facilities to be designed and implemented.
  • Controls should match the value, liability, importance, and classification of information/assets inside.
  • Risk assessment should support design choices.
  • Avoid visible clues that identify sensitive rooms, systems, directories, or access codes.
  • Centralized repositories need stronger protection because impact is concentrated.
  • Specialized controls should be used only where context justifies them.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Offices
  • Facilities
  • Secure areas
  • Audit

Note Metadata

Aliases: A.7.3, Securing Offices Rooms and Facilities, Securing Offices, Rooms and Facilities

Source: 04 Annex A Physical Controls/A.7.3 Securing Offices Rooms and Facilities.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.