AQ-ISO27001-A.7.12 Cabling Security
Audit question set for ISO27001-A.7.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
ISO27001 domain with 72 resources grouped for implementation and audit work.
Domain guide
A.7 controls for physical perimeters, entry, secure areas, monitoring, environmental threats, equipment placement, and clear desk/screen.
Guide + resources
Implementation context, reference notes, and explanatory material.
Audit question set for ISO27001-A.7.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.10. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.9. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.5. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.7.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Control-level notes and control-domain references.
A.5 defines organizational governance and A.6 defines people behavior and personnel lifecycle controls. A.7 tests whether the physical environment supports those decisions. The...
The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area,...
The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carr...
Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and bu...
Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they...
Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep m...
Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no lon...
If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are...
The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.
The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of...
The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threa...
The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cov...
People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, al...
The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.
The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.
Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they can cause outages, interference, safety issues, interception, or tampering.
Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep maintenance and fault records, and protect confidential information during maintenance.
Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no longer recoverable.
The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carriers such as USB drives, backup tapes, disks, removable drives, CDs/DVDs, printed records, and other portable media.
Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and building management systems can all affect availability.
The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.
The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.
The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area, reception barrier, secure office, server room, records archive, or customer-specific zone.
If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are controlled, and how access records are reviewed.
The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.
The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of both.
The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threats from neighboring premises.
The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cover what people may know, bring in, take out, record, discuss, supervise, and modify while inside the secure area.
People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, alter, or discard them.
Audit evidence packs, registers, proof records, and evidence examples.
The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.
- Media handling follows classification. - Media is inventoried and labelled where appropriate. - Dispatches are authorized and recorded. - Sensitive media is protected during t...
- Critical facilities have documented utility dependencies. - UPS/generator tests include load, runtime, cooling, and maintenance evidence. - Alarms detect utility failures and...
- Cable routes are documented and protected. - Power/data segregation is implemented where needed. - Patch panels, cabinets, and connections are locked or access-controlled. - L...
- Maintenance is scheduled and recorded. - Faults and repairs are tracked. - Maintainers are authorized and qualified. - External maintainers are escorted where required. - Conf...
- Records identify asset, storage media, classification, method, verifier, and date. - Sanitization method matches media type and sensitivity. - Contractor records are asset-spe...
The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.
- Controls are based on value, liability, importance, and classification. - Sensitive room purpose is not unnecessarily exposed. - Internal directories and access clues are prot...
- Monitoring scope is documented and risk-based. - Alerts have owners, response times, and escalation paths. - Monitoring tests are performed and recorded. - Monitoring staff kn...
- Hazard assessment includes site, room, utility, and neighbor risks. - Specialist advice exists for material hazards. - Controls are implemented and maintained. - Continuity ar...
- Secure-area work is identified and risk-assessed. - Need-to-know, device, media, supervision, and dual-control rules are documented. - Employees, contractors, and third partie...
- Rules cover papers, removable media, screens, printers, faxes, storage, and confidential waste. - Auto-lock settings are enforced. - Sensitive print/fax workflows are controll...
- Equipment inventory includes location, owner, and protection requirement. - Siting assessment covers physical, environmental, viewing, access, and interference risks. - Networ...
- Asset removal is authorized and logged. - Off-site assets are recorded with custodian, location, and review date. - Mobile devices are encrypted and managed. - Long-term loans...
Reusable implementation, audit, and operational templates.
- Confirm physical security perimeters are defined. - Confirm zones are linked to information/assets and risk. - Review perimeter diagrams or zone register. - Walk the perimeter...
Use this checklist during an internal audit of storage media acquisition, use, transport, storage, disposal, destruction, and damaged-media handling.
Use this checklist during an internal audit of power, cooling, telecommunications, water, emergency lighting, fire protection, and building-management utility resilience.
Use this checklist during an internal audit of power, data, telecommunications, and supporting service cabling.
Use this checklist during an internal audit of equipment maintenance and repair controls.
Use this checklist during an internal audit of equipment disposal, reuse, sale, donation, recycling, or repair dispatch.
- Confirm secure areas are identified. - Confirm entry controls match risk and sensitivity. - Review physical access authorization and logs. - Check physical access review recor...
Use this checklist during an internal audit of physical security design for offices, rooms, and facilities.
- Confirm premises monitoring scope is documented. - Confirm monitoring is continuous where required. - Review monitoring service or personnel responsibilities. - Check alarm re...
Use this checklist during an internal audit of physical and environmental threat protection.
Use this checklist during an internal audit of work performed inside secure areas.
Use this checklist during an internal audit of clear desk, clear screen, printer, fax, and unattended information controls.
Use this checklist during an internal audit of equipment siting, physical protection, environmental exposure, and remote equipment scope.
Use this checklist during an internal audit of assets taken, used, stored, or accessed outside organization premises.
Mappings across controls, risks, standards, and assurance views.
- Physical controls often fail through behavior, not technology. Observation and walkthrough evidence matter. - Physical controls should align to asset inventory, classification...
Link to this domain with /research/iso27001/annex-a-physical-controls/ . Link directly to exact notes from any resource card above.