Requirement
Requirement lens
This control asks whether security measures for work performed inside secure areas have been designed and implemented.
“Security measures for working in secure areas shall be designed and implemented.”
Plain-language meaning
The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cover what people may know, bring in, take out, record, discuss, supervise, and modify while inside the secure area.
Why this matters
A secure area can still leak information or suffer unauthorized modification if work practices are weak. Sensitive product designs, regulated processes, incident response work, privileged administration, classified documents, or high-value intellectual property may need stronger controls while work is being performed.
Implementation guidance
Implementer focus
Define rules based on the sensitivity of the work, not just the room label.
1. Identify secure-area work
Examples include:
- sensitive product or strategy development;
- privileged ICT administration;
- forensic or incident investigation work;
- confidential legal, HR, or finance processing;
- regulated customer or personal data handling;
- secure build, test, or deployment activity;
- work where unauthorized modification could cause major damage.
2. Define secure-area working rules
Rules may cover:
- authorized personnel only;
- need-to-know restrictions;
- visitor and contractor supervision;
- restrictions on paper, removable media, and equipment movement;
- restrictions on mobile phones, cameras, audio/video recording, or smart devices;
- supervision of sensitive activity;
- dual control for high-risk actions;
- logging of entry, exit, work sessions, and material movement;
- clean-up and verification before leaving the area.
3. Apply risk-based supervision
Some secure work may need oversight, peer presence, or dual control.
| Situation | Possible control |
|---|---|
| High-value design work | Need-to-know access and no recording devices |
| Critical system change | Dual control or peer verification |
| Contractor work in secure area | Escort and supervision |
| Handling sensitive media | Media movement log and secure storage |
| Forensic evidence work | Chain of custody and controlled access |
4. Apply rules consistently
Secure-area procedures should apply to employees, contractors, suppliers, visitors, and third parties. Exceptions should be approved, recorded, and time-bound.
Audit guidance
Auditor focus
Test whether secure-area work rules exist, match the sensitivity of the work, and are applied consistently to everyone.
Auditors should verify:
- secure areas and sensitive work are identified;
- entry controls restrict access to authorized personnel;
- need-to-know rules are understood and applied;
- movement of paper, media, equipment, and information is controlled;
- mobile phones, cameras, recording devices, and smart devices are controlled where needed;
- work is supervised where required;
- dual control is applied for high-risk actions where appropriate;
- procedures apply consistently to employees, contractors, and third parties.
Interview personnel working in the secure area and compare their answers with documented procedures.
Evidence examples
Evidence quality
Strong evidence shows both access control and working-practice control inside the secure area.
| Evidence | What it proves |
|---|---|
| Secure-area working procedure | Rules are defined |
| Secure-area risk assessment | Control level matches sensitivity |
| Authorized personnel list | Access is restricted |
| Visitor/contractor escort records | Third-party access is supervised |
| Device restriction signage or records | Recording risks are controlled |
| Media/material movement log | Information movement is controlled |
| Dual-control records | High-risk work requires two-person control |
| Interview evidence | Staff know and follow the rules |
Strong evidence
- Secure-area rules are specific to the work being performed.
- Access, need-to-know, device, media, and supervision rules are documented.
- Employees and third parties are handled consistently.
- Dual control is used where risk justifies it.
- Exceptions are approved and traceable.
Weak evidence
- A secure door exists but no working rules exist.
- Staff know the room is sensitive but cannot explain what is restricted.
- Contractors follow informal rules only.
- Phones and cameras are allowed by habit despite sensitive work.
- No records exist for media or information movement.
Common failures
Implementation watchouts
Secure areas fail when the door is controlled but the work inside is not.
| Failure | Why it matters |
|---|---|
| Entry control only | Sensitive work can still be photographed, copied, or discussed |
| Need-to-know not enforced | Awareness of sensitive work spreads beyond authorized roles |
| Recording devices unmanaged | Photos, audio, or video can leak sensitive information |
| No contractor consistency | Third parties become the weakest path |
| No supervision for high-risk work | Unauthorized modification or removal may go unnoticed |
| Dual control absent where needed | One person can perform high-risk actions unchecked |
Exam traps
Exam focus
A.7.6 is about how work is performed inside secure areas. It is not the same as A.7.2 physical entry.
| Trap | Correct interpretation |
|---|---|
| Badge access satisfies the control | Badge access is entry control; A.7.6 needs secure working measures |
| Secure-area rules apply only to employees | Contractors and third parties also need consistent controls |
| Mobile phones are harmless | Phones can record photos, video, audio, and messages |
| Need-to-know is optional | It limits unnecessary knowledge of sensitive work |
| Dual control is always required | It is applied where risk justifies simultaneous activity by two people |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.1 Physical Security Perimeters
- A.7.2 Physical Entry
- A.7.3 Securing Offices Rooms and Facilities
- A.5.15 Access Control
- A.5.18 Access Rights
- A.5.28 Collection of Evidence
- Risk Assessment
- Secure Area Working Procedure
- Secure Area Work Authorization Register
- A.7.6 Audit Evidence Pack
- A.7.6 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.6 controls behavior and work practices inside secure areas. A locked room is not enough if sensitive information can still be copied, recorded, removed, or modified.
- Identify sensitive work performed inside secure areas.
- Define need-to-know, device, media, supervision, and dual-control rules.
- Apply rules to employees, contractors, suppliers, and visitors.
- Audit by observing actual behavior and interviewing people who work in the secure area.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Secure areas
- Supervision
- Audit
Note Metadata
Aliases: A.7.6, Working in Secure Areas
Source: 04 Annex A Physical Controls/A.7.6 Working in Secure Areas.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.28 - Collection of Evidence
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- A.7 Physical Controls MOC
- A.7.6 Audit Evidence Pack
- AQ-ISO27001-A.7.6 Working in Secure Areas
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.6 Working in Secure Areas
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-022 - Environmental Threats, Secure Areas, and Clear Desk
- ISO 27002 Annex A Control Interpretation Map
- A.7.6 Audit Checklist
- Secure Area Work Authorization Register
- Secure Area Working Procedure
- Annex A Controls MOC