Section focus
A.7 controls protect information and associated assets through physical zones, entry controls, environmental safeguards, equipment protection, secure working practices, and physical monitoring.
Covered controls
| Control | Topic | Status | Main evidence focus |
|---|---|---|---|
| A.7.1 Physical Security Perimeters | Defined security perimeters for areas containing information and associated assets | draft | Zone model, perimeter diagrams, risk assessment, access/egress controls |
| A.7.2 Physical Entry | Entry controls and access points for secure areas | draft | Physical access authorization, visitor logs, badge controls, delivery/loading controls |
| A.7.3 Securing Offices Rooms and Facilities | Physical security design for offices, rooms, and facilities | draft | Room security assessment, classification mapping, signage/directory controls |
| A.7.4 Physical Security Monitoring | Continuous monitoring for unauthorized physical access | draft | Monitoring scope, alarm logs, test records, escalation, false alarm tracking |
| A.7.5 Protecting Against Physical and Environmental Threats | Protection against physical and environmental hazards | draft | Hazard assessment, specialist advice, inspection records, continuity linkage |
| A.7.6 Working in Secure Areas | Security measures for working inside secure areas | draft | Secure-area work rules, need-to-know, device/media restrictions, supervision |
| A.7.7 Clear Desk and Clear Screen | Clear desk and clear screen rules for unattended information | draft | Policy, auto-lock, inspections, printer/fax controls, enforcement |
| A.7.8 Equipment Siting and Protection | Secure siting and protection of equipment | draft | Equipment inventory, siting assessment, environmental/access/viewing controls, remote equipment |
| A.7.9 Security of Assets Off-Premises | Protection of assets used or stored off-site | draft | Authorization, off-site register, custody, mobile/BYOD controls, return/erase evidence |
| A.7.10 Storage Media | Lifecycle management of storage media | draft | Approved media, inventory, movement logs, secure transport, disposal/destruction |
| A.7.11 Supporting Utilities | Protection from supporting utility failures | draft | Utility dependency register, UPS/generator tests, HVAC, telecoms, alarms, BMS review |
| A.7.12 Cabling Security | Protection of power, data, and service cabling | draft | Cable routes, labelling, segregation, locked cabinets, inspection records |
| A.7.13 Equipment Maintenance | Correct maintenance of equipment | draft | Maintenance register, fault logs, maintainer authorization, post-maintenance checks |
| A.7.14 Secure Disposal or Re-Use of Equipment | Secure data/software removal before equipment disposal or reuse | draft | Disposal register, sanitization records, destruction evidence, repair dispatch checks |
How A.7 differs from A.5 and A.6
A.5 defines organizational governance and A.6 defines people behavior and personnel lifecycle controls. A.7 tests whether the physical environment supports those decisions. The same information risk can fail through a door, loading bay, shared wall, visitor process, or unprotected paper record even when the logical control is strong.
Related concepts
- Risk Assessment
- Statement of Applicability
- Internal Audit
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.12 Classification of Information
- A.5.15 Access Control
- A.5.18 Access Rights
- A.5.28 Collection of Evidence
- ISO 27002 Annex A Control Interpretation Map
- A.7 Physical Controls Implementation Audit Risk Mapping
Templates and working records
- Physical Security Zone Register
- Physical Security Perimeter Review Checklist
- Secure Area Access Register
- Visitor Access Log
- Delivery and Loading Area Security Checklist
- Physical Entry Access Review
- Office Room and Facility Security Assessment
- Sensitive Room Signage and Directory Review
- Physical Security Monitoring Procedure
- Physical Security Alarm Test Record
- Physical Security False Alarm Register
- Physical and Environmental Threat Assessment
- Environmental Protection Inspection Checklist
- Secure Area Working Procedure
- Secure Area Work Authorization Register
- Clear Desk and Clear Screen Checklist
- Printer and Fax Security Checklist
- Equipment Siting and Protection Assessment
- Equipment Protection Inspection Checklist
- Remote Equipment Register
- Off-Premises Asset Authorization Register
- Off-Premises Asset Protection Checklist
- Long-Term Asset Loan Attestation
- Storage Media Handling Procedure
- Storage Media Movement Log
- Secure Media Disposal and Destruction Register
- Damaged Media Handling Decision Record
- Supporting Utility Dependency Register
- Supporting Utility Inspection and Test Log
- UPS and Generator Capacity Test Record
- Building Management System Security Review
- Cabling Route and Protection Register
- Cabling Inspection Checklist
- Equipment Maintenance Register
- Maintenance Access and Tamper Check Record
- Equipment Disposal and Reuse Register
- Equipment Sanitization Verification Checklist
- Repair Dispatch Data Protection Checklist
- A.7.1 Audit Checklist
- A.7.2 Audit Checklist
- A.7.3 Audit Checklist
- A.7.4 Audit Checklist
- A.7.5 Audit Checklist
- A.7.6 Audit Checklist
- A.7.7 Audit Checklist
- A.7.8 Audit Checklist
- A.7.9 Audit Checklist
- A.7.10 Audit Checklist
- A.7.11 Audit Checklist
- A.7.12 Audit Checklist
- A.7.13 Audit Checklist
- A.7.14 Audit Checklist
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Moc
Note Metadata
Aliases: A.7 Physical Controls, Physical Controls MOC
Source: 04 Annex A Physical Controls/A.7 Physical Controls MOC.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
- A.7.1 Audit Checklist
- A.7.2 Audit Checklist
- A.7.3 Audit Checklist
- A.7.4 Audit Checklist
- A.7.5 Audit Checklist
- A.7.6 Audit Checklist
- A.7.7 Audit Checklist
- A.7.8 Audit Checklist
- A.7.9 Audit Checklist
- A.7.10 Audit Checklist
- A.7.11 Audit Checklist
- A.7.12 Audit Checklist
- A.7.13 Audit Checklist
- A.7.14 Audit Checklist
Related Notes
- Internal Audit
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.28 - Collection of Evidence
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.13 - Equipment Maintenance
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls Implementation Guide
- ISO 27001 Implementer Guide
- A.7 Physical Controls Implementation Audit Risk Mapping
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.7.1 Audit Checklist
- A.7.10 Audit Checklist
- A.7.11 Audit Checklist
- A.7.12 Audit Checklist
- A.7.13 Audit Checklist
- A.7.14 Audit Checklist
- A.7.2 Audit Checklist
- A.7.3 Audit Checklist
- A.7.4 Audit Checklist
- A.7.5 Audit Checklist
- A.7.6 Audit Checklist
- A.7.7 Audit Checklist
- A.7.8 Audit Checklist
- A.7.9 Audit Checklist
- Building Management System Security Review
- Cabling Inspection Checklist
- Cabling Route and Protection Register
- Clear Desk and Clear Screen Checklist
- Damaged Media Handling Decision Record
- Delivery and Loading Area Security Checklist
- Environmental Protection Inspection Checklist
- Equipment Disposal and Reuse Register
- Equipment Maintenance Register
- Equipment Protection Inspection Checklist
- Equipment Sanitization Verification Checklist
- Equipment Siting and Protection Assessment
- Long-Term Asset Loan Attestation
- Maintenance Access and Tamper Check Record
- Off-Premises Asset Authorization Register
- Off-Premises Asset Protection Checklist
- Office Room and Facility Security Assessment
- Physical and Environmental Threat Assessment
- Physical Entry Access Review
- Physical Security Alarm Test Record
- Physical Security False Alarm Register
- Physical Security Monitoring Procedure
- Physical Security Perimeter Review Checklist
- Physical Security Zone Register
- Printer and Fax Security Checklist
- Remote Equipment Register
- Repair Dispatch Data Protection Checklist
- Secure Area Access Register
- Secure Area Work Authorization Register
- Secure Area Working Procedure
- Secure Media Disposal and Destruction Register
- Sensitive Room Signage and Directory Review
- Storage Media Handling Procedure
- Storage Media Movement Log
- Supporting Utility Dependency Register
- Supporting Utility Inspection and Test Log
- UPS and Generator Capacity Test Record
- Visitor Access Log
- Annex A Controls MOC
- ISO 27001 Overview