Implementer lens
Use this page when designing physical controls, assigning facility/security owners, and creating evidence for physical protection of information and associated assets.
Implementation objectives
| Control | Practical objective | Main owner | Core records |
|---|---|---|---|
| A.7.1 Physical Security Perimeters | Define physical zones and boundaries that protect information and associated assets | Facilities / security / IT / asset owners | Physical Security Zone Register, Physical Security Perimeter Review Checklist |
| A.7.2 Physical Entry | Control and review entry to secure areas, including visitors and deliveries | Facilities / reception / security / managers | Secure Area Access Register, Visitor Access Log, Delivery and Loading Area Security Checklist, Physical Entry Access Review |
| A.7.3 Securing Offices Rooms and Facilities | Design room/facility controls based on information value, liability, importance, and classification | Facilities / security / business owners | Office Room and Facility Security Assessment, Sensitive Room Signage and Directory Review |
| A.7.4 Physical Security Monitoring | Monitor premises for unauthorized access and connect alerts to response/escalation | Facilities / security / monitoring provider / incident owner | Physical Security Monitoring Procedure, Physical Security Alarm Test Record, Physical Security False Alarm Register |
| A.7.5 Protecting Against Physical and Environmental Threats | Protect sites and infrastructure from physical/environmental hazards and align fallback arrangements to continuity | Facilities / security / ICT continuity / site owners | Physical and Environmental Threat Assessment, Environmental Protection Inspection Checklist |
| A.7.6 Working in Secure Areas | Define secure-area working rules for sensitive work, devices, media, supervision, and dual control | Facilities / security / business owners / area owners | Secure Area Working Procedure, Secure Area Work Authorization Register |
| A.7.7 Clear Desk and Clear Screen | Define and enforce rules for unattended papers, media, screens, printers, and fax output | Managers / users / IT / facilities | Clear Desk and Clear Screen Checklist, Printer and Fax Security Checklist |
| A.7.8 Equipment Siting and Protection | Site and protect equipment against damage, interference, unauthorized access, viewing exposure, and remote-equipment gaps | Facilities / IT / asset owners / security | Equipment Siting and Protection Assessment, Equipment Protection Inspection Checklist, Remote Equipment Register |
| A.7.9 Security of Assets Off-Premises | Authorize, protect, track, and recover assets used outside controlled premises | IT / asset owners / managers / HR | Off-Premises Asset Authorization Register, Off-Premises Asset Protection Checklist, Long-Term Asset Loan Attestation |
| A.7.10 Storage Media | Manage media across acquisition, use, transportation, storage, erasure, destruction, and disposal | IT / records owners / asset owners / facilities | Storage Media Handling Procedure, Storage Media Movement Log, Secure Media Disposal and Destruction Register, Damaged Media Handling Decision Record |
| A.7.11 Supporting Utilities | Identify, test, maintain, and monitor utilities required for information processing availability | Facilities / IT / continuity owners / service owners | Supporting Utility Dependency Register, Supporting Utility Inspection and Test Log, UPS and Generator Capacity Test Record, Building Management System Security Review |
| A.7.12 Cabling Security | Protect cabling against damage, interception, tampering, and interference | Facilities / IT / network owners | Cabling Route and Protection Register, Cabling Inspection Checklist |
| A.7.13 Equipment Maintenance | Maintain equipment using authorized maintainers while protecting data and checking for tampering | IT / facilities / equipment owners | Equipment Maintenance Register, Maintenance Access and Tamper Check Record |
| A.7.14 Secure Disposal or Re-Use of Equipment | Verify data and licensed software are removed before equipment disposal, reuse, transfer, or repair | IT / asset owners / records owners / procurement | Equipment Disposal and Reuse Register, Equipment Sanitization Verification Checklist, Repair Dispatch Data Protection Checklist |
Implementation workflow
- Identify areas containing information and associated assets.
- Classify zones by business process, asset sensitivity, customer/regulatory need, and risk.
- Define perimeter boundaries and controlled access points.
- Select entry controls proportionate to each zone.
- Define visitor, delivery, emergency, out-of-hours, and shared-building procedures.
- Assess offices, rooms, and facilities based on the information and assets they contain.
- Define monitoring scope, alarm response, escalation, testing, and false alarm handling.
- Assess physical and environmental hazards, including neighbor risks and continuity dependencies.
- Define secure-area working rules for sensitive work.
- Define clear desk, clear screen, printer, fax, and removable media rules.
- Assess equipment siting for physical access, environmental exposure, viewing exposure, and interference.
- Include remote and networked equipment in inventory, scope, responsibility boundaries, and risk assessment.
- Define authorization, custody, protection, attestation, return, and erase rules for off-premises assets.
- Define lifecycle rules for storage media, including approved media, movement, secure transport, disposal, and damaged media.
- Map supporting utility dependencies for critical facilities and test utility resilience against continuity requirements.
- Document and inspect protected cable routes, labels, segregation, and terminations.
- Define maintenance schedules, authorized maintainer rules, information protection, and post-maintenance checks.
- Define secure equipment disposal/reuse verification for data, licensed software, hidden storage, and repair dispatch.
- Link physical access and asset return reviews to joiner/mover/leaver processes.
- Review perimeters, rooms, monitoring, hazards, secure working rules, equipment siting, off-site assets, media handling, supporting utilities, cabling, maintenance, and disposal after layout, tenancy, process, threat, or asset changes.
Implementation decisions
| Decision | Why it matters |
|---|---|
| Which zones need protection? | Prevents sensitive areas from being treated as general office space |
| What boundary is relied on? | Exposes weak walls, ceilings, shared doors, and loading routes |
| Who may enter each secure area? | Makes physical access accountable |
| How are visitors and deliveries controlled? | Prevents routine third-party movement from bypassing security |
| How is physical access reviewed? | Prevents leavers, movers, contractors, and old roles retaining access |
| Which room details should be hidden? | Prevents signage, directories, or access codes from exposing targets |
| Who responds to physical alarms? | Prevents physical breaches from staying outside incident management |
| Which physical/environmental hazards are realistic? | Prevents avoidable outages from fire, flood, power, cooling, or neighbor risks |
| Which secure work needs extra rules? | Prevents sensitive activity from being copied, recorded, removed, or modified |
| How will clear desk/screen be enforced? | Prevents policy-only controls that fail in daily behavior |
| Where should equipment be placed and protected? | Prevents damage, tampering, unauthorized viewing, and unmanaged remote-equipment exposure |
| Which assets may leave the premises? | Prevents uncontrolled off-site loss, theft, BYOD, and custody risk |
| How will storage media be controlled across its lifecycle? | Prevents data leakage through unapproved media, transport, repair, reuse, or disposal |
| Which utilities must stay available? | Prevents false continuity assumptions about power, cooling, telecoms, water, emergency lighting, and BMS |
| How are cable paths protected? | Prevents outages, interception, interference, and inaccurate connections |
| Who may maintain equipment? | Prevents unauthorized access, data exposure, and tampering during maintenance |
| How is equipment sanitized before reuse/disposal? | Prevents residual data, software leakage, and repair/disposal exposure |
Related maps
- Iso27001
- ISO27002
- Implementer guide
- Physical controls
Note Metadata
Aliases: A.7 Implementation Guide
Source: 05 Implementer Guide/A.7 Physical Controls Implementation Guide.md
Related Notes
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.13 - Equipment Maintenance
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- ISO 27001 Implementer Guide
- A.7 Physical Controls Implementation Audit Risk Mapping
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27002 Annex A Control Interpretation Map
- Building Management System Security Review
- Cabling Inspection Checklist
- Cabling Route and Protection Register
- Clear Desk and Clear Screen Checklist
- Damaged Media Handling Decision Record
- Delivery and Loading Area Security Checklist
- Environmental Protection Inspection Checklist
- Equipment Disposal and Reuse Register
- Equipment Maintenance Register
- Equipment Protection Inspection Checklist
- Equipment Sanitization Verification Checklist
- Equipment Siting and Protection Assessment
- Long-Term Asset Loan Attestation
- Maintenance Access and Tamper Check Record
- Off-Premises Asset Authorization Register
- Off-Premises Asset Protection Checklist
- Office Room and Facility Security Assessment
- Physical and Environmental Threat Assessment
- Physical Entry Access Review
- Physical Security Alarm Test Record
- Physical Security False Alarm Register
- Physical Security Monitoring Procedure
- Physical Security Perimeter Review Checklist
- Physical Security Zone Register
- Printer and Fax Security Checklist
- Remote Equipment Register
- Repair Dispatch Data Protection Checklist
- Secure Area Access Register
- Secure Area Work Authorization Register
- Secure Area Working Procedure
- Secure Media Disposal and Destruction Register
- Sensitive Room Signage and Directory Review
- Storage Media Handling Procedure
- Storage Media Movement Log
- Supporting Utility Dependency Register
- Supporting Utility Inspection and Test Log
- UPS and Generator Capacity Test Record
- Visitor Access Log
- Annex A Controls MOC
- ISO 27001 Overview