UnixTime

Research Note

A.7 Physical Controls MOC

A.5 defines organizational governance and A.6 defines people behavior and personnel lifecycle controls. A.7 tests whether the physical environment supports those decisions. The...

On this page

Section focus

A.7 controls protect information and associated assets through physical zones, entry controls, environmental safeguards, equipment protection, secure working practices, and physical monitoring.

Covered controls

Control Topic Status Main evidence focus
A.7.1 Physical Security Perimeters Defined security perimeters for areas containing information and associated assets draft Zone model, perimeter diagrams, risk assessment, access/egress controls
A.7.2 Physical Entry Entry controls and access points for secure areas draft Physical access authorization, visitor logs, badge controls, delivery/loading controls
A.7.3 Securing Offices Rooms and Facilities Physical security design for offices, rooms, and facilities draft Room security assessment, classification mapping, signage/directory controls
A.7.4 Physical Security Monitoring Continuous monitoring for unauthorized physical access draft Monitoring scope, alarm logs, test records, escalation, false alarm tracking
A.7.5 Protecting Against Physical and Environmental Threats Protection against physical and environmental hazards draft Hazard assessment, specialist advice, inspection records, continuity linkage
A.7.6 Working in Secure Areas Security measures for working inside secure areas draft Secure-area work rules, need-to-know, device/media restrictions, supervision
A.7.7 Clear Desk and Clear Screen Clear desk and clear screen rules for unattended information draft Policy, auto-lock, inspections, printer/fax controls, enforcement
A.7.8 Equipment Siting and Protection Secure siting and protection of equipment draft Equipment inventory, siting assessment, environmental/access/viewing controls, remote equipment
A.7.9 Security of Assets Off-Premises Protection of assets used or stored off-site draft Authorization, off-site register, custody, mobile/BYOD controls, return/erase evidence
A.7.10 Storage Media Lifecycle management of storage media draft Approved media, inventory, movement logs, secure transport, disposal/destruction
A.7.11 Supporting Utilities Protection from supporting utility failures draft Utility dependency register, UPS/generator tests, HVAC, telecoms, alarms, BMS review
A.7.12 Cabling Security Protection of power, data, and service cabling draft Cable routes, labelling, segregation, locked cabinets, inspection records
A.7.13 Equipment Maintenance Correct maintenance of equipment draft Maintenance register, fault logs, maintainer authorization, post-maintenance checks
A.7.14 Secure Disposal or Re-Use of Equipment Secure data/software removal before equipment disposal or reuse draft Disposal register, sanitization records, destruction evidence, repair dispatch checks

How A.7 differs from A.5 and A.6

A.5 defines organizational governance and A.6 defines people behavior and personnel lifecycle controls. A.7 tests whether the physical environment supports those decisions. The same information risk can fail through a door, loading bay, shared wall, visitor process, or unprotected paper record even when the logical control is strong.

Templates and working records

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Moc

Note Metadata

Aliases: A.7 Physical Controls, Physical Controls MOC

Source: 04 Annex A Physical Controls/A.7 Physical Controls MOC.md

Graph-sourced resources

Templates and evidence