How to use this map
Use this as the bridge between physical control implementation, audit testing, ISO/IEC 27002 interpretation, and ISO/IEC 27005 risk thinking.
| Control | Implementation focus | Audit focus | ISO 27005 risk link | Useful templates |
|---|---|---|---|---|
| A.7.1 Physical Security Perimeters | Define zones, boundaries, perimeter purpose, risk basis, shared-premises controls, and review triggers | Walk perimeters; check diagrams, bypass paths, fire exits, landlord access, out-of-hours controls, and review evidence | Unauthorized physical access, tampering, theft, shared-premises bypass, and zone exposure risk | Physical Security Zone Register, Physical Security Perimeter Review Checklist, A.7.1 Audit Checklist |
| A.7.2 Physical Entry | Define secure areas, entry controls, visitor handling, delivery/loading controls, and physical access reviews | Sample access logs, visitor logs, badge use, leaver/mover removals, delivery records, and inventory updates | Unauthorized entry, visitor movement, badge/key misuse, loading bay bypass, theft, and equipment tampering risk | Secure Area Access Register, Visitor Access Log, Delivery and Loading Area Security Checklist, Physical Entry Access Review, A.7.2 Audit Checklist |
| A.7.3 Securing Offices Rooms and Facilities | Design room and facility controls based on information value, liability, importance, classification, and concentration | Walk rooms; check signage, directories, access clues, centralized repositories, and risk-based control selection | Room-level exposure, target identification, internal information leakage, centralized repository, and facility design risk | Office Room and Facility Security Assessment, Sensitive Room Signage and Directory Review, A.7.3 Audit Checklist |
| A.7.4 Physical Security Monitoring | Define continuous monitoring scope, alarm response, escalation, tests, incident linkage, and false alarm handling | Sample monitoring procedures, alarm logs, test records, false alarm actions, interviews, and incident escalation | Unauthorized access detection, delayed response, theft/tampering, physical incident escalation, and false-alarm risk | Physical Security Monitoring Procedure, Physical Security Alarm Test Record, Physical Security False Alarm Register, A.7.4 Audit Checklist |
| A.7.5 Protecting Against Physical and Environmental Threats | Identify physical/environmental hazards, obtain specialist advice, implement protections, and align fallback arrangements to continuity | Review hazard assessments, specialist advice, inspection records, continuity linkage, training records, and site walkthrough findings | Fire, flood, environmental failure, utility failure, hazardous neighbor, civil unrest, and site outage risk | Physical and Environmental Threat Assessment, Environmental Protection Inspection Checklist, A.7.5 Audit Checklist |
| A.7.6 Working in Secure Areas | Define secure-area working rules for sensitive work, need-to-know, device/media restrictions, supervision, and dual control | Observe secure-area practices, interview staff, sample authorization/escort/media records, and test consistent third-party treatment | Unauthorized disclosure, recording, copying, media removal, unauthorized modification, and weak supervision risk | Secure Area Working Procedure, Secure Area Work Authorization Register, A.7.6 Audit Checklist |
| A.7.7 Clear Desk and Clear Screen | Define and enforce unattended information controls for desks, screens, removable media, printers, and fax machines | Walk desks/screens/printers, review auto-lock settings, sample inspections, and check corrective actions | Unattended information exposure, shoulder surfing, photography, removable media loss, printer/fax exposure, misfiling, and disposal risk | Clear Desk and Clear Screen Checklist, Printer and Fax Security Checklist, A.7.7 Audit Checklist |
| A.7.8 Equipment Siting and Protection | Site equipment securely; protect it from damage, interference, unauthorized access, unauthorized viewing, and remote-equipment scope gaps | Walk equipment locations, inspect network cupboards/racks/screens, review inventory, environmental controls, remote equipment, and staff rules | Equipment damage, unauthorized physical access, unauthorized viewing, environmental exposure, interference, remote equipment, and unmanaged asset risk | Equipment Siting and Protection Assessment, Equipment Protection Inspection Checklist, Remote Equipment Register, A.7.8 Audit Checklist |
| A.7.9 Security of Assets Off-Premises | Define what assets may leave, authorization, off-site custody, mobile/BYOD protection, long-term attestation, return, erase, and risk acceptance | Sample off-site asset records, mobile/BYOD controls, leaver returns, attestations, insurance conditions, and accepted residual risks | Off-site loss/theft, BYOD exposure, weak custody, unreturned assets, cross-border exposure, and unmanaged residual risk | Off-Premises Asset Authorization Register, Off-Premises Asset Protection Checklist, Long-Term Asset Loan Attestation, A.7.9 Audit Checklist |
| A.7.10 Storage Media | Define approved media, lifecycle handling, movement authorization, secure transport, key separation, erasure, destruction, and damaged-media decisions | Sample media inventory, movement logs, courier records, transport protection, destruction logs, and damaged-media decisions | Media loss, unauthorized access, insecure transport, poor disposal, damaged media recovery, malware from unapproved media, and classification handling risk | Storage Media Handling Procedure, Storage Media Movement Log, Secure Media Disposal and Destruction Register, Damaged Media Handling Decision Record, A.7.10 Audit Checklist |
| A.7.11 Supporting Utilities | Identify required utilities, inspect/test them, provide redundancy where justified, monitor failures, and secure in-scope BMS | Review utility dependency mapping, UPS/generator tests, HVAC maintenance, telecoms resilience, alarms, emergency lighting, provider agreements, and BMS controls | Power failure, cooling failure, telecommunications outage, water/site closure, fire protection failure, emergency lighting failure, BMS compromise, and availability risk | Supporting Utility Dependency Register, Supporting Utility Inspection and Test Log, UPS and Generator Capacity Test Record, Building Management System Security Review, A.7.11 Audit Checklist |
| A.7.12 Cabling Security | Protect cable routes, terminations, labels, segregation, and external/provider weak points | Walk cable routes, inspect labels/cabinets/patch panels, review diagrams, and assess interference or interception risks | Cable damage, interception, tampering, interference, inaccurate connection, external junction exposure, and availability risk | Cabling Route and Protection Register, Cabling Inspection Checklist, A.7.12 Audit Checklist |
| A.7.13 Equipment Maintenance | Define maintenance requirements, authorized maintainers, data protection, fault logs, and post-maintenance verification | Sample maintenance records, maintainer authorization, escort logs, fault closure, information protection, and tamper checks | Equipment failure, unplanned outage, integrity loss, unauthorized maintenance access, information exposure during repair, and tampering risk | Equipment Maintenance Register, Maintenance Access and Tamper Check Record, A.7.13 Audit Checklist |
| A.7.14 Secure Disposal or Re-Use of Equipment | Identify storage media in equipment, sanitize/destroy data, remove licensed software, verify results, and control repair/disposal | Sample equipment disposal/reuse records, sanitization evidence, hidden storage checks, contractor evidence, and repair dispatch decisions | Residual data exposure, licensed software leakage, insecure reuse, insecure repair, contractor disposal risk, hidden storage, and privacy/IP compromise | Equipment Disposal and Reuse Register, Equipment Sanitization Verification Checklist, Repair Dispatch Data Protection Checklist, A.7.14 Audit Checklist |
Mapping notes
- Physical controls often fail through behavior, not technology. Observation and walkthrough evidence matter.
- Physical controls should align to asset inventory, classification, access rights, and personnel lifecycle processes.
- Physical monitoring should not stay isolated inside facilities. If information or associated assets may be affected, it should connect to information security event and incident processes.
- Environmental threats should connect to ISO 27005 risk analysis and business continuity assumptions.
- Secure-area work controls protect behavior inside a controlled area, not just access to the area.
- Clear desk and clear screen controls need observation and technical enforcement evidence, not policy evidence alone.
- Equipment siting links asset inventory to physical reality. Auditors should inspect actual equipment placement, not only inventory exports.
- Off-premises asset controls link physical security to remote work, HR leaver processes, BYOD, and management risk acceptance.
- Storage media controls should follow classification and maintain custody records through transport and disposal.
- Supporting utilities should be tested against business continuity requirements, including dependent loads such as cooling.
- Cabling, maintenance, and disposal controls are easy to overlook because they look operational. They still create direct information security risk.
Related guides
- Iso27001
- Iso27002
- Iso27005
- Crosswalk
- Physical controls
Note Metadata
Aliases: A.7 Implementation Audit Risk Map
Source: 08 Crosswalks/A.7 Physical Controls Implementation Audit Risk Mapping.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
- A.7.1 Audit Checklist
- A.7.2 Audit Checklist
- A.7.3 Audit Checklist
- A.7.4 Audit Checklist
- A.7.5 Audit Checklist
- A.7.6 Audit Checklist
- A.7.7 Audit Checklist
- A.7.8 Audit Checklist
- A.7.9 Audit Checklist
- A.7.10 Audit Checklist
- A.7.11 Audit Checklist
- A.7.12 Audit Checklist
- A.7.13 Audit Checklist
- A.7.14 Audit Checklist
Related Notes
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.13 - Equipment Maintenance
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- A.7 Physical Controls Implementation Guide
- ISO 27001 Implementer Guide
- ISO 27001 Auditor Guide
- ISO 27005 Risk Management Guide
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27002 Annex A Control Interpretation Map
- ISO 27005 Knowledge Base
- GRC Knowledge Model
- A.7.1 Audit Checklist
- A.7.10 Audit Checklist
- A.7.11 Audit Checklist
- A.7.12 Audit Checklist
- A.7.13 Audit Checklist
- A.7.14 Audit Checklist
- A.7.2 Audit Checklist
- A.7.3 Audit Checklist
- A.7.4 Audit Checklist
- A.7.5 Audit Checklist
- A.7.6 Audit Checklist
- A.7.7 Audit Checklist
- A.7.8 Audit Checklist
- A.7.9 Audit Checklist
- Building Management System Security Review
- Cabling Inspection Checklist
- Cabling Route and Protection Register
- Clear Desk and Clear Screen Checklist
- Damaged Media Handling Decision Record
- Delivery and Loading Area Security Checklist
- Environmental Protection Inspection Checklist
- Equipment Disposal and Reuse Register
- Equipment Maintenance Register
- Equipment Protection Inspection Checklist
- Equipment Sanitization Verification Checklist
- Equipment Siting and Protection Assessment
- Long-Term Asset Loan Attestation
- Maintenance Access and Tamper Check Record
- Off-Premises Asset Authorization Register
- Off-Premises Asset Protection Checklist
- Office Room and Facility Security Assessment
- Physical and Environmental Threat Assessment
- Physical Entry Access Review
- Physical Security Alarm Test Record
- Physical Security False Alarm Register
- Physical Security Monitoring Procedure
- Physical Security Perimeter Review Checklist
- Physical Security Zone Register
- Printer and Fax Security Checklist
- Remote Equipment Register
- Repair Dispatch Data Protection Checklist
- Secure Area Access Register
- Secure Area Work Authorization Register
- Secure Area Working Procedure
- Secure Media Disposal and Destruction Register
- Sensitive Room Signage and Directory Review
- Storage Media Handling Procedure
- Storage Media Movement Log
- Supporting Utility Dependency Register
- Supporting Utility Inspection and Test Log
- UPS and Generator Capacity Test Record
- Visitor Access Log
- Annex A Controls MOC
- ISO 27001 Overview
- Templates MOC