UnixTime

Research Note

ISO 27001 A.7.6 - Working in Secure Areas

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cov...

On this page

Requirement

Requirement lens

This control asks whether security measures for work performed inside secure areas have been designed and implemented.

“Security measures for working in secure areas shall be designed and implemented.”

Plain-language meaning

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cover what people may know, bring in, take out, record, discuss, supervise, and modify while inside the secure area.

Why this matters

A secure area can still leak information or suffer unauthorized modification if work practices are weak. Sensitive product designs, regulated processes, incident response work, privileged administration, classified documents, or high-value intellectual property may need stronger controls while work is being performed.

Implementation guidance

Implementer focus

Define rules based on the sensitivity of the work, not just the room label.

1. Identify secure-area work

Examples include:

  • sensitive product or strategy development;
  • privileged ICT administration;
  • forensic or incident investigation work;
  • confidential legal, HR, or finance processing;
  • regulated customer or personal data handling;
  • secure build, test, or deployment activity;
  • work where unauthorized modification could cause major damage.

2. Define secure-area working rules

Rules may cover:

  • authorized personnel only;
  • need-to-know restrictions;
  • visitor and contractor supervision;
  • restrictions on paper, removable media, and equipment movement;
  • restrictions on mobile phones, cameras, audio/video recording, or smart devices;
  • supervision of sensitive activity;
  • dual control for high-risk actions;
  • logging of entry, exit, work sessions, and material movement;
  • clean-up and verification before leaving the area.

3. Apply risk-based supervision

Some secure work may need oversight, peer presence, or dual control.

Situation Possible control
High-value design work Need-to-know access and no recording devices
Critical system change Dual control or peer verification
Contractor work in secure area Escort and supervision
Handling sensitive media Media movement log and secure storage
Forensic evidence work Chain of custody and controlled access

4. Apply rules consistently

Secure-area procedures should apply to employees, contractors, suppliers, visitors, and third parties. Exceptions should be approved, recorded, and time-bound.

Audit guidance

Auditor focus

Test whether secure-area work rules exist, match the sensitivity of the work, and are applied consistently to everyone.

Auditors should verify:

  • secure areas and sensitive work are identified;
  • entry controls restrict access to authorized personnel;
  • need-to-know rules are understood and applied;
  • movement of paper, media, equipment, and information is controlled;
  • mobile phones, cameras, recording devices, and smart devices are controlled where needed;
  • work is supervised where required;
  • dual control is applied for high-risk actions where appropriate;
  • procedures apply consistently to employees, contractors, and third parties.

Interview personnel working in the secure area and compare their answers with documented procedures.

Evidence examples

Evidence quality

Strong evidence shows both access control and working-practice control inside the secure area.

Evidence What it proves
Secure-area working procedure Rules are defined
Secure-area risk assessment Control level matches sensitivity
Authorized personnel list Access is restricted
Visitor/contractor escort records Third-party access is supervised
Device restriction signage or records Recording risks are controlled
Media/material movement log Information movement is controlled
Dual-control records High-risk work requires two-person control
Interview evidence Staff know and follow the rules

Strong evidence

  • Secure-area rules are specific to the work being performed.
  • Access, need-to-know, device, media, and supervision rules are documented.
  • Employees and third parties are handled consistently.
  • Dual control is used where risk justifies it.
  • Exceptions are approved and traceable.

Weak evidence

  • A secure door exists but no working rules exist.
  • Staff know the room is sensitive but cannot explain what is restricted.
  • Contractors follow informal rules only.
  • Phones and cameras are allowed by habit despite sensitive work.
  • No records exist for media or information movement.

Common failures

Implementation watchouts

Secure areas fail when the door is controlled but the work inside is not.

Failure Why it matters
Entry control only Sensitive work can still be photographed, copied, or discussed
Need-to-know not enforced Awareness of sensitive work spreads beyond authorized roles
Recording devices unmanaged Photos, audio, or video can leak sensitive information
No contractor consistency Third parties become the weakest path
No supervision for high-risk work Unauthorized modification or removal may go unnoticed
Dual control absent where needed One person can perform high-risk actions unchecked

Exam traps

Exam focus

A.7.6 is about how work is performed inside secure areas. It is not the same as A.7.2 physical entry.

Trap Correct interpretation
Badge access satisfies the control Badge access is entry control; A.7.6 needs secure working measures
Secure-area rules apply only to employees Contractors and third parties also need consistent controls
Mobile phones are harmless Phones can record photos, video, audio, and messages
Need-to-know is optional It limits unnecessary knowledge of sensitive work
Dual control is always required It is applied where risk justifies simultaneous activity by two people

KB-ready summary

Mentor takeaway

A.7.6 controls behavior and work practices inside secure areas. A locked room is not enough if sensitive information can still be copied, recorded, removed, or modified.

  • Identify sensitive work performed inside secure areas.
  • Define need-to-know, device, media, supervision, and dual-control rules.
  • Apply rules to employees, contractors, suppliers, and visitors.
  • Audit by observing actual behavior and interviewing people who work in the secure area.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Secure areas
  • Supervision
  • Audit

Note Metadata

Aliases: A.7.6, Working in Secure Areas

Source: 04 Annex A Physical Controls/A.7.6 Working in Secure Areas.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.