UnixTime

Research Note

ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats

The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threa...

On this page

Requirement

Requirement lens

This control asks whether the organization has designed and implemented protection against physical and environmental threats that could damage infrastructure or disrupt information processing.

“Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.”

Plain-language meaning

The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threats from neighboring premises.

This is not only a facilities topic. If a physical or environmental event can damage information assets, interrupt ICT services, destroy records, or make a secure area unusable, it belongs in the ISMS risk picture.

Why this matters

Physical and environmental threats can take down confidentiality, integrity, and availability at the same time. A server room in a flood-prone basement, paper records stored near ignition sources, or cooling failure after a power outage can create an information security incident even when logical security is strong.

Implementation guidance

Implementer focus

Start with predictable hazards, site context, and business continuity dependencies. Then select controls based on risk and specialist advice.

1. Identify realistic hazards

Assess threats such as:

  • fire and smoke;
  • flood, water leaks, drainage failure, or pipes above critical equipment;
  • explosion or hazardous materials;
  • chemical leaks from nearby sites;
  • civil unrest, protest, or targeted hostility;
  • power failure and secondary cooling failure;
  • extreme weather;
  • structural weakness;
  • neighboring businesses that increase hazard or hostile-attention risk;
  • storage practices that increase fire load or block safety equipment.

2. Consider site and neighbor context

The organization should consider both its own premises and nearby accommodation.

Examples:

Context Risk question
Neighbor handles hazardous materials Could a spill, fire, or evacuation affect the site?
Neighbor attracts hostile attention Could protests or attacks affect shared buildings or access?
Server room in basement Is flooding or drainage failure realistic?
Critical rack below pipework Could leaks damage core infrastructure?
Paper stored in aisles Does storage increase fire load or block response?

3. Use specialist advice where needed

Specialists may be needed for fire protection, building safety, environmental controls, electrical resilience, flood protection, chemical hazard, and security engineering.

Keep records of advice, decisions, and rejected options. Link the decision to Risk Assessment, Control Attributes and Risk Treatment Effects, and Statement of Applicability where applicable.

4. Align with business continuity

Fallback arrangements and backups should support A.5.29 Information Security During Disruption and A.5.30 ICT Readiness for Business Continuity.

Check whether physical protection aligns with:

  • recovery time objectives;
  • backup location and restoration assumptions;
  • alternate worksite arrangements;
  • emergency response responsibilities;
  • critical supplier and utility dependencies;
  • server room cooling and power resilience.

5. Train relevant personnel

Staff involved in emergency response, facilities operations, security, and ICT recovery should know what to do when a hazard materializes.

Training records should show who was trained, on what procedure, and when.

Audit guidance

Auditor focus

Test whether hazards were identified, controls were implemented, specialist advice was recorded, and continuity assumptions still work under realistic physical conditions.

Auditors should verify:

  • documented physical/environmental threat assessment;
  • site and neighboring-premises hazard analysis;
  • specialist advice or inspection records;
  • implemented fire, flood, environmental, and emergency controls;
  • linkage to Risk Assessment, Control Attributes and Risk Treatment Effects, and continuity plans;
  • backup and fallback arrangements;
  • training records for relevant personnel;
  • evidence that controls still work and have not degraded over time.

Walkthrough testing matters. Look for practical weaknesses such as blocked fire extinguishers, fire doors propped open, paper stored in corridors, server rooms below water pipes, basement equipment, or poor housekeeping around critical infrastructure.

Evidence examples

Evidence quality

Strong evidence connects identified hazards to implemented controls, continuity assumptions, specialist advice, and periodic inspection.

Evidence What it proves
Physical/environmental threat assessment Hazards were identified and evaluated
Site risk assessment Physical location risks were considered
Specialist inspection/advice records Control selection was informed by competent input
Fire/flood/environmental protection records Controls are implemented
Site walkthrough records Practical conditions are reviewed
BCP/ICT continuity linkage Fallback and backup arrangements fit risk
Training records Relevant personnel know what to do
Maintenance/inspection records Protections are kept effective

Strong evidence

  • Hazard assessment includes site, building, room, and neighbor risks.
  • Controls are documented, implemented, and maintained.
  • Specialist advice exists for material hazards.
  • Continuity plans consider secondary effects such as cooling failure after power loss.
  • Walkthroughs identify and correct practical weaknesses.
  • Training records exist for emergency and response roles.

Weak evidence

  • Generic statement that the building is safe.
  • Fire extinguishers exist but no site hazard assessment is available.
  • BCP exists but ignores physical site failure.
  • Specialist advice is missing where hazards are material.
  • Controls have degraded over time, such as blocked extinguishers or propped fire doors.
  • Server room location risks are not assessed.

Common failures

Implementation watchouts

A.7.5 fails when environmental risk is treated as a landlord or facilities issue with no ISMS link.

Failure Why it matters
No neighbor hazard assessment External hazards can affect the site
No secondary-effect analysis Power failure may also break cooling, monitoring, or access control
BCP disconnected from facilities risk Recovery assumptions may fail during a real event
Specialist advice missing Controls may be unsuitable for the actual hazard
Controls degrade over time Fire doors, extinguishers, and storage rules stop working in practice
Critical equipment in poor locations Flood, pipe leaks, heat, or fire can cause avoidable outages

Exam traps

Exam focus

A.7.5 is about designed protection against physical and environmental threats, not just emergency evacuation or generic health and safety.

Trap Correct interpretation
Fire extinguishers alone satisfy the control The control needs risk-based protection against relevant physical/environmental threats
Only natural disasters matter Intentional and unintentional man-made threats also matter
Neighboring premises are irrelevant Neighbor hazards can affect the organization
BCP is separate Fallback and backup arrangements should align with business continuity
Environmental controls are facilities-only They protect information assets and ICT availability

KB-ready summary

Mentor takeaway

A.7.5 requires the organization to identify and protect against physical and environmental threats that can damage infrastructure or disrupt information processing.

  • Assess hazards from the site, building, rooms, utilities, environment, and neighbors.
  • Use specialist advice where the risk requires competence beyond the ISMS team.
  • Link controls to risk assessment, continuity plans, backup assumptions, and emergency response.
  • Audit by walking the site, checking records, and testing whether controls still work in practice.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Environmental threats
  • Business continuity
  • Audit

Note Metadata

Aliases: A.7.5, Protecting Against Physical and Environmental Threats

Source: 04 Annex A Physical Controls/A.7.5 Protecting Against Physical and Environmental Threats.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.