Requirement
Requirement lens
This control asks whether the organization has designed and implemented protection against physical and environmental threats that could damage infrastructure or disrupt information processing.
“Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.”
Plain-language meaning
The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threats from neighboring premises.
This is not only a facilities topic. If a physical or environmental event can damage information assets, interrupt ICT services, destroy records, or make a secure area unusable, it belongs in the ISMS risk picture.
Why this matters
Physical and environmental threats can take down confidentiality, integrity, and availability at the same time. A server room in a flood-prone basement, paper records stored near ignition sources, or cooling failure after a power outage can create an information security incident even when logical security is strong.
Implementation guidance
Implementer focus
Start with predictable hazards, site context, and business continuity dependencies. Then select controls based on risk and specialist advice.
1. Identify realistic hazards
Assess threats such as:
- fire and smoke;
- flood, water leaks, drainage failure, or pipes above critical equipment;
- explosion or hazardous materials;
- chemical leaks from nearby sites;
- civil unrest, protest, or targeted hostility;
- power failure and secondary cooling failure;
- extreme weather;
- structural weakness;
- neighboring businesses that increase hazard or hostile-attention risk;
- storage practices that increase fire load or block safety equipment.
2. Consider site and neighbor context
The organization should consider both its own premises and nearby accommodation.
Examples:
| Context | Risk question |
|---|---|
| Neighbor handles hazardous materials | Could a spill, fire, or evacuation affect the site? |
| Neighbor attracts hostile attention | Could protests or attacks affect shared buildings or access? |
| Server room in basement | Is flooding or drainage failure realistic? |
| Critical rack below pipework | Could leaks damage core infrastructure? |
| Paper stored in aisles | Does storage increase fire load or block response? |
3. Use specialist advice where needed
Specialists may be needed for fire protection, building safety, environmental controls, electrical resilience, flood protection, chemical hazard, and security engineering.
Keep records of advice, decisions, and rejected options. Link the decision to Risk Assessment, Control Attributes and Risk Treatment Effects, and Statement of Applicability where applicable.
4. Align with business continuity
Fallback arrangements and backups should support A.5.29 Information Security During Disruption and A.5.30 ICT Readiness for Business Continuity.
Check whether physical protection aligns with:
- recovery time objectives;
- backup location and restoration assumptions;
- alternate worksite arrangements;
- emergency response responsibilities;
- critical supplier and utility dependencies;
- server room cooling and power resilience.
5. Train relevant personnel
Staff involved in emergency response, facilities operations, security, and ICT recovery should know what to do when a hazard materializes.
Training records should show who was trained, on what procedure, and when.
Audit guidance
Auditor focus
Test whether hazards were identified, controls were implemented, specialist advice was recorded, and continuity assumptions still work under realistic physical conditions.
Auditors should verify:
- documented physical/environmental threat assessment;
- site and neighboring-premises hazard analysis;
- specialist advice or inspection records;
- implemented fire, flood, environmental, and emergency controls;
- linkage to Risk Assessment, Control Attributes and Risk Treatment Effects, and continuity plans;
- backup and fallback arrangements;
- training records for relevant personnel;
- evidence that controls still work and have not degraded over time.
Walkthrough testing matters. Look for practical weaknesses such as blocked fire extinguishers, fire doors propped open, paper stored in corridors, server rooms below water pipes, basement equipment, or poor housekeeping around critical infrastructure.
Evidence examples
Evidence quality
Strong evidence connects identified hazards to implemented controls, continuity assumptions, specialist advice, and periodic inspection.
| Evidence | What it proves |
|---|---|
| Physical/environmental threat assessment | Hazards were identified and evaluated |
| Site risk assessment | Physical location risks were considered |
| Specialist inspection/advice records | Control selection was informed by competent input |
| Fire/flood/environmental protection records | Controls are implemented |
| Site walkthrough records | Practical conditions are reviewed |
| BCP/ICT continuity linkage | Fallback and backup arrangements fit risk |
| Training records | Relevant personnel know what to do |
| Maintenance/inspection records | Protections are kept effective |
Strong evidence
- Hazard assessment includes site, building, room, and neighbor risks.
- Controls are documented, implemented, and maintained.
- Specialist advice exists for material hazards.
- Continuity plans consider secondary effects such as cooling failure after power loss.
- Walkthroughs identify and correct practical weaknesses.
- Training records exist for emergency and response roles.
Weak evidence
- Generic statement that the building is safe.
- Fire extinguishers exist but no site hazard assessment is available.
- BCP exists but ignores physical site failure.
- Specialist advice is missing where hazards are material.
- Controls have degraded over time, such as blocked extinguishers or propped fire doors.
- Server room location risks are not assessed.
Common failures
Implementation watchouts
A.7.5 fails when environmental risk is treated as a landlord or facilities issue with no ISMS link.
| Failure | Why it matters |
|---|---|
| No neighbor hazard assessment | External hazards can affect the site |
| No secondary-effect analysis | Power failure may also break cooling, monitoring, or access control |
| BCP disconnected from facilities risk | Recovery assumptions may fail during a real event |
| Specialist advice missing | Controls may be unsuitable for the actual hazard |
| Controls degrade over time | Fire doors, extinguishers, and storage rules stop working in practice |
| Critical equipment in poor locations | Flood, pipe leaks, heat, or fire can cause avoidable outages |
Exam traps
Exam focus
A.7.5 is about designed protection against physical and environmental threats, not just emergency evacuation or generic health and safety.
| Trap | Correct interpretation |
|---|---|
| Fire extinguishers alone satisfy the control | The control needs risk-based protection against relevant physical/environmental threats |
| Only natural disasters matter | Intentional and unintentional man-made threats also matter |
| Neighboring premises are irrelevant | Neighbor hazards can affect the organization |
| BCP is separate | Fallback and backup arrangements should align with business continuity |
| Environmental controls are facilities-only | They protect information assets and ICT availability |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.1 Physical Security Perimeters
- A.7.3 Securing Offices Rooms and Facilities
- A.7.4 Physical Security Monitoring
- A.5.29 Information Security During Disruption
- A.5.30 ICT Readiness for Business Continuity
- Risk Assessment
- Statement of Applicability
- Control Attributes and Risk Treatment Effects
- Physical and Environmental Threat Assessment
- Environmental Protection Inspection Checklist
- A.7.5 Audit Evidence Pack
- A.7.5 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.5 requires the organization to identify and protect against physical and environmental threats that can damage infrastructure or disrupt information processing.
- Assess hazards from the site, building, rooms, utilities, environment, and neighbors.
- Use specialist advice where the risk requires competence beyond the ISMS team.
- Link controls to risk assessment, continuity plans, backup assumptions, and emergency response.
- Audit by walking the site, checking records, and testing whether controls still work in practice.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Environmental threats
- Business continuity
- Audit
Note Metadata
Aliases: A.7.5, Protecting Against Physical and Environmental Threats
Source: 04 Annex A Physical Controls/A.7.5 Protecting Against Physical and Environmental Threats.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Control Attributes and Risk Treatment Effects
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.8 - Equipment Siting and Protection
- A.7 Physical Controls MOC
- A.7.5 Audit Evidence Pack
- AQ-ISO27001-A.7.5 Protecting Against Physical and Environmental Threats
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.5 Protecting Against Physical and Environmental Threats
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-022 - Environmental Threats, Secure Areas, and Clear Desk
- EXAM-023 - Equipment Siting and Protection
- EXAM-025 - Supporting Utilities
- ISO 27002 Annex A Control Interpretation Map
- A.7.5 Audit Checklist
- Environmental Protection Inspection Checklist
- Equipment Siting and Protection Assessment
- Physical and Environmental Threat Assessment
- Annex A Controls MOC