UnixTime

Research Note

A.7 Physical Controls Implementation Audit Risk Mapping

- Physical controls often fail through behavior, not technology. Observation and walkthrough evidence matter. - Physical controls should align to asset inventory, classification...

On this page

How to use this map

Use this as the bridge between physical control implementation, audit testing, ISO/IEC 27002 interpretation, and ISO/IEC 27005 risk thinking.

Control Implementation focus Audit focus ISO 27005 risk link Useful templates
A.7.1 Physical Security Perimeters Define zones, boundaries, perimeter purpose, risk basis, shared-premises controls, and review triggers Walk perimeters; check diagrams, bypass paths, fire exits, landlord access, out-of-hours controls, and review evidence Unauthorized physical access, tampering, theft, shared-premises bypass, and zone exposure risk Physical Security Zone Register, Physical Security Perimeter Review Checklist, A.7.1 Audit Checklist
A.7.2 Physical Entry Define secure areas, entry controls, visitor handling, delivery/loading controls, and physical access reviews Sample access logs, visitor logs, badge use, leaver/mover removals, delivery records, and inventory updates Unauthorized entry, visitor movement, badge/key misuse, loading bay bypass, theft, and equipment tampering risk Secure Area Access Register, Visitor Access Log, Delivery and Loading Area Security Checklist, Physical Entry Access Review, A.7.2 Audit Checklist
A.7.3 Securing Offices Rooms and Facilities Design room and facility controls based on information value, liability, importance, classification, and concentration Walk rooms; check signage, directories, access clues, centralized repositories, and risk-based control selection Room-level exposure, target identification, internal information leakage, centralized repository, and facility design risk Office Room and Facility Security Assessment, Sensitive Room Signage and Directory Review, A.7.3 Audit Checklist
A.7.4 Physical Security Monitoring Define continuous monitoring scope, alarm response, escalation, tests, incident linkage, and false alarm handling Sample monitoring procedures, alarm logs, test records, false alarm actions, interviews, and incident escalation Unauthorized access detection, delayed response, theft/tampering, physical incident escalation, and false-alarm risk Physical Security Monitoring Procedure, Physical Security Alarm Test Record, Physical Security False Alarm Register, A.7.4 Audit Checklist
A.7.5 Protecting Against Physical and Environmental Threats Identify physical/environmental hazards, obtain specialist advice, implement protections, and align fallback arrangements to continuity Review hazard assessments, specialist advice, inspection records, continuity linkage, training records, and site walkthrough findings Fire, flood, environmental failure, utility failure, hazardous neighbor, civil unrest, and site outage risk Physical and Environmental Threat Assessment, Environmental Protection Inspection Checklist, A.7.5 Audit Checklist
A.7.6 Working in Secure Areas Define secure-area working rules for sensitive work, need-to-know, device/media restrictions, supervision, and dual control Observe secure-area practices, interview staff, sample authorization/escort/media records, and test consistent third-party treatment Unauthorized disclosure, recording, copying, media removal, unauthorized modification, and weak supervision risk Secure Area Working Procedure, Secure Area Work Authorization Register, A.7.6 Audit Checklist
A.7.7 Clear Desk and Clear Screen Define and enforce unattended information controls for desks, screens, removable media, printers, and fax machines Walk desks/screens/printers, review auto-lock settings, sample inspections, and check corrective actions Unattended information exposure, shoulder surfing, photography, removable media loss, printer/fax exposure, misfiling, and disposal risk Clear Desk and Clear Screen Checklist, Printer and Fax Security Checklist, A.7.7 Audit Checklist
A.7.8 Equipment Siting and Protection Site equipment securely; protect it from damage, interference, unauthorized access, unauthorized viewing, and remote-equipment scope gaps Walk equipment locations, inspect network cupboards/racks/screens, review inventory, environmental controls, remote equipment, and staff rules Equipment damage, unauthorized physical access, unauthorized viewing, environmental exposure, interference, remote equipment, and unmanaged asset risk Equipment Siting and Protection Assessment, Equipment Protection Inspection Checklist, Remote Equipment Register, A.7.8 Audit Checklist
A.7.9 Security of Assets Off-Premises Define what assets may leave, authorization, off-site custody, mobile/BYOD protection, long-term attestation, return, erase, and risk acceptance Sample off-site asset records, mobile/BYOD controls, leaver returns, attestations, insurance conditions, and accepted residual risks Off-site loss/theft, BYOD exposure, weak custody, unreturned assets, cross-border exposure, and unmanaged residual risk Off-Premises Asset Authorization Register, Off-Premises Asset Protection Checklist, Long-Term Asset Loan Attestation, A.7.9 Audit Checklist
A.7.10 Storage Media Define approved media, lifecycle handling, movement authorization, secure transport, key separation, erasure, destruction, and damaged-media decisions Sample media inventory, movement logs, courier records, transport protection, destruction logs, and damaged-media decisions Media loss, unauthorized access, insecure transport, poor disposal, damaged media recovery, malware from unapproved media, and classification handling risk Storage Media Handling Procedure, Storage Media Movement Log, Secure Media Disposal and Destruction Register, Damaged Media Handling Decision Record, A.7.10 Audit Checklist
A.7.11 Supporting Utilities Identify required utilities, inspect/test them, provide redundancy where justified, monitor failures, and secure in-scope BMS Review utility dependency mapping, UPS/generator tests, HVAC maintenance, telecoms resilience, alarms, emergency lighting, provider agreements, and BMS controls Power failure, cooling failure, telecommunications outage, water/site closure, fire protection failure, emergency lighting failure, BMS compromise, and availability risk Supporting Utility Dependency Register, Supporting Utility Inspection and Test Log, UPS and Generator Capacity Test Record, Building Management System Security Review, A.7.11 Audit Checklist
A.7.12 Cabling Security Protect cable routes, terminations, labels, segregation, and external/provider weak points Walk cable routes, inspect labels/cabinets/patch panels, review diagrams, and assess interference or interception risks Cable damage, interception, tampering, interference, inaccurate connection, external junction exposure, and availability risk Cabling Route and Protection Register, Cabling Inspection Checklist, A.7.12 Audit Checklist
A.7.13 Equipment Maintenance Define maintenance requirements, authorized maintainers, data protection, fault logs, and post-maintenance verification Sample maintenance records, maintainer authorization, escort logs, fault closure, information protection, and tamper checks Equipment failure, unplanned outage, integrity loss, unauthorized maintenance access, information exposure during repair, and tampering risk Equipment Maintenance Register, Maintenance Access and Tamper Check Record, A.7.13 Audit Checklist
A.7.14 Secure Disposal or Re-Use of Equipment Identify storage media in equipment, sanitize/destroy data, remove licensed software, verify results, and control repair/disposal Sample equipment disposal/reuse records, sanitization evidence, hidden storage checks, contractor evidence, and repair dispatch decisions Residual data exposure, licensed software leakage, insecure reuse, insecure repair, contractor disposal risk, hidden storage, and privacy/IP compromise Equipment Disposal and Reuse Register, Equipment Sanitization Verification Checklist, Repair Dispatch Data Protection Checklist, A.7.14 Audit Checklist

Mapping notes

  • Physical controls often fail through behavior, not technology. Observation and walkthrough evidence matter.
  • Physical controls should align to asset inventory, classification, access rights, and personnel lifecycle processes.
  • Physical monitoring should not stay isolated inside facilities. If information or associated assets may be affected, it should connect to information security event and incident processes.
  • Environmental threats should connect to ISO 27005 risk analysis and business continuity assumptions.
  • Secure-area work controls protect behavior inside a controlled area, not just access to the area.
  • Clear desk and clear screen controls need observation and technical enforcement evidence, not policy evidence alone.
  • Equipment siting links asset inventory to physical reality. Auditors should inspect actual equipment placement, not only inventory exports.
  • Off-premises asset controls link physical security to remote work, HR leaver processes, BYOD, and management risk acceptance.
  • Storage media controls should follow classification and maintain custody records through transport and disposal.
  • Supporting utilities should be tested against business continuity requirements, including dependent loads such as cooling.
  • Cabling, maintenance, and disposal controls are easy to overlook because they look operational. They still create direct information security risk.
  • Iso27001
  • Iso27002
  • Iso27005
  • Crosswalk
  • Physical controls

Note Metadata

Aliases: A.7 Implementation Audit Risk Map

Source: 08 Crosswalks/A.7 Physical Controls Implementation Audit Risk Mapping.md

Graph-sourced resources

Templates and evidence