UnixTime

Research Note

A.7 Physical Controls Implementation Guide

1. Identify areas containing information and associated assets. 2. Classify zones by business process, asset sensitivity, customer/regulatory need, and risk. 3. Define perimeter...

On this page

Implementer lens

Use this page when designing physical controls, assigning facility/security owners, and creating evidence for physical protection of information and associated assets.

Implementation objectives

Control Practical objective Main owner Core records
A.7.1 Physical Security Perimeters Define physical zones and boundaries that protect information and associated assets Facilities / security / IT / asset owners Physical Security Zone Register, Physical Security Perimeter Review Checklist
A.7.2 Physical Entry Control and review entry to secure areas, including visitors and deliveries Facilities / reception / security / managers Secure Area Access Register, Visitor Access Log, Delivery and Loading Area Security Checklist, Physical Entry Access Review
A.7.3 Securing Offices Rooms and Facilities Design room/facility controls based on information value, liability, importance, and classification Facilities / security / business owners Office Room and Facility Security Assessment, Sensitive Room Signage and Directory Review
A.7.4 Physical Security Monitoring Monitor premises for unauthorized access and connect alerts to response/escalation Facilities / security / monitoring provider / incident owner Physical Security Monitoring Procedure, Physical Security Alarm Test Record, Physical Security False Alarm Register
A.7.5 Protecting Against Physical and Environmental Threats Protect sites and infrastructure from physical/environmental hazards and align fallback arrangements to continuity Facilities / security / ICT continuity / site owners Physical and Environmental Threat Assessment, Environmental Protection Inspection Checklist
A.7.6 Working in Secure Areas Define secure-area working rules for sensitive work, devices, media, supervision, and dual control Facilities / security / business owners / area owners Secure Area Working Procedure, Secure Area Work Authorization Register
A.7.7 Clear Desk and Clear Screen Define and enforce rules for unattended papers, media, screens, printers, and fax output Managers / users / IT / facilities Clear Desk and Clear Screen Checklist, Printer and Fax Security Checklist
A.7.8 Equipment Siting and Protection Site and protect equipment against damage, interference, unauthorized access, viewing exposure, and remote-equipment gaps Facilities / IT / asset owners / security Equipment Siting and Protection Assessment, Equipment Protection Inspection Checklist, Remote Equipment Register
A.7.9 Security of Assets Off-Premises Authorize, protect, track, and recover assets used outside controlled premises IT / asset owners / managers / HR Off-Premises Asset Authorization Register, Off-Premises Asset Protection Checklist, Long-Term Asset Loan Attestation
A.7.10 Storage Media Manage media across acquisition, use, transportation, storage, erasure, destruction, and disposal IT / records owners / asset owners / facilities Storage Media Handling Procedure, Storage Media Movement Log, Secure Media Disposal and Destruction Register, Damaged Media Handling Decision Record
A.7.11 Supporting Utilities Identify, test, maintain, and monitor utilities required for information processing availability Facilities / IT / continuity owners / service owners Supporting Utility Dependency Register, Supporting Utility Inspection and Test Log, UPS and Generator Capacity Test Record, Building Management System Security Review
A.7.12 Cabling Security Protect cabling against damage, interception, tampering, and interference Facilities / IT / network owners Cabling Route and Protection Register, Cabling Inspection Checklist
A.7.13 Equipment Maintenance Maintain equipment using authorized maintainers while protecting data and checking for tampering IT / facilities / equipment owners Equipment Maintenance Register, Maintenance Access and Tamper Check Record
A.7.14 Secure Disposal or Re-Use of Equipment Verify data and licensed software are removed before equipment disposal, reuse, transfer, or repair IT / asset owners / records owners / procurement Equipment Disposal and Reuse Register, Equipment Sanitization Verification Checklist, Repair Dispatch Data Protection Checklist

Implementation workflow

  1. Identify areas containing information and associated assets.
  2. Classify zones by business process, asset sensitivity, customer/regulatory need, and risk.
  3. Define perimeter boundaries and controlled access points.
  4. Select entry controls proportionate to each zone.
  5. Define visitor, delivery, emergency, out-of-hours, and shared-building procedures.
  6. Assess offices, rooms, and facilities based on the information and assets they contain.
  7. Define monitoring scope, alarm response, escalation, testing, and false alarm handling.
  8. Assess physical and environmental hazards, including neighbor risks and continuity dependencies.
  9. Define secure-area working rules for sensitive work.
  10. Define clear desk, clear screen, printer, fax, and removable media rules.
  11. Assess equipment siting for physical access, environmental exposure, viewing exposure, and interference.
  12. Include remote and networked equipment in inventory, scope, responsibility boundaries, and risk assessment.
  13. Define authorization, custody, protection, attestation, return, and erase rules for off-premises assets.
  14. Define lifecycle rules for storage media, including approved media, movement, secure transport, disposal, and damaged media.
  15. Map supporting utility dependencies for critical facilities and test utility resilience against continuity requirements.
  16. Document and inspect protected cable routes, labels, segregation, and terminations.
  17. Define maintenance schedules, authorized maintainer rules, information protection, and post-maintenance checks.
  18. Define secure equipment disposal/reuse verification for data, licensed software, hidden storage, and repair dispatch.
  19. Link physical access and asset return reviews to joiner/mover/leaver processes.
  20. Review perimeters, rooms, monitoring, hazards, secure working rules, equipment siting, off-site assets, media handling, supporting utilities, cabling, maintenance, and disposal after layout, tenancy, process, threat, or asset changes.

Implementation decisions

Decision Why it matters
Which zones need protection? Prevents sensitive areas from being treated as general office space
What boundary is relied on? Exposes weak walls, ceilings, shared doors, and loading routes
Who may enter each secure area? Makes physical access accountable
How are visitors and deliveries controlled? Prevents routine third-party movement from bypassing security
How is physical access reviewed? Prevents leavers, movers, contractors, and old roles retaining access
Which room details should be hidden? Prevents signage, directories, or access codes from exposing targets
Who responds to physical alarms? Prevents physical breaches from staying outside incident management
Which physical/environmental hazards are realistic? Prevents avoidable outages from fire, flood, power, cooling, or neighbor risks
Which secure work needs extra rules? Prevents sensitive activity from being copied, recorded, removed, or modified
How will clear desk/screen be enforced? Prevents policy-only controls that fail in daily behavior
Where should equipment be placed and protected? Prevents damage, tampering, unauthorized viewing, and unmanaged remote-equipment exposure
Which assets may leave the premises? Prevents uncontrolled off-site loss, theft, BYOD, and custody risk
How will storage media be controlled across its lifecycle? Prevents data leakage through unapproved media, transport, repair, reuse, or disposal
Which utilities must stay available? Prevents false continuity assumptions about power, cooling, telecoms, water, emergency lighting, and BMS
How are cable paths protected? Prevents outages, interception, interference, and inaccurate connections
Who may maintain equipment? Prevents unauthorized access, data exposure, and tampering during maintenance
How is equipment sanitized before reuse/disposal? Prevents residual data, software leakage, and repair/disposal exposure
  • Iso27001
  • ISO27002
  • Implementer guide
  • Physical controls

Note Metadata

Aliases: A.7 Implementation Guide

Source: 05 Implementer Guide/A.7 Physical Controls Implementation Guide.md