UnixTime

Domain guide

What this domain covers

A.7 controls for physical perimeters, entry, secure areas, monitoring, environmental threats, equipment placement, and clear desk/screen.

72 resources

Guide + resources

Grouped resources

Guide notes

Implementation context, reference notes, and explanatory material.

14 items
Research note 01 min read

AQ-ISO27001-A.7.12 Cabling Security

Audit question set for ISO27001-A.7.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.13 Equipment Maintenance

Audit question set for ISO27001-A.7.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment

Audit question set for ISO27001-A.7.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.10 Storage Media

Audit question set for ISO27001-A.7.10. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.11 Supporting Utilities

Audit question set for ISO27001-A.7.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.9 Security of Assets Off-Premises

Audit question set for ISO27001-A.7.9. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.8 Equipment Siting and Protection

Audit question set for ISO27001-A.7.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.1 Physical Security Perimeters

Audit question set for ISO27001-A.7.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.2 Physical Entry

Audit question set for ISO27001-A.7.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.3 Securing Offices, Rooms and Facilities

Audit question set for ISO27001-A.7.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.4 Physical Security Monitoring

Audit question set for ISO27001-A.7.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.6 Working in Secure Areas

Audit question set for ISO27001-A.7.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.7.7 Clear Desk and Clear Screen

Audit question set for ISO27001-A.7.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question

Controls

Control-level notes and control-domain references.

29 items
Framework note 03 mins read

A.7 Physical Controls MOC

A.5 defines organizational governance and A.6 defines people behavior and personnel lifecycle controls. A.7 tests whether the physical environment supports those decisions. The...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.1 - Physical Security Perimeters

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area,...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.10 - Storage Media

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carr...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.11 - Supporting Utilities

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and bu...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.12 - Cabling Security

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they...

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.7.13 - Equipment Maintenance

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep m...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment

Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no lon...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.2 - Physical Entry

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.4 - Physical Security Monitoring

The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.6 - Working in Secure Areas

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cov...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.7 - Clear Desk and Clear Screen

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, al...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.8 - Equipment Siting and Protection

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.9 - Security of Assets Off-Premises

The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.

ISO27001 ISO27002 iso27001 iso27002
Framework note 01 min read

ISO27001-A.7.12 Cabling Security

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they can cause outages, interference, safety issues, interception, or tampering.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.13 Equipment Maintenance

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep maintenance and fault records, and protect confidential information during maintenance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment

Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no longer recoverable.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.10 Storage Media

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carriers such as USB drives, backup tapes, disks, removable drives, CDs/DVDs, printed records, and other portable media.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.11 Supporting Utilities

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and building management systems can all affect availability.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.9 Security of Assets Off-Premises

The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.8 Equipment Siting and Protection

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.1 Physical Security Perimeters

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area, reception barrier, secure office, server room, records archive, or customer-specific zone.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.2 Physical Entry

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are controlled, and how access records are reviewed.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.3 Securing Offices, Rooms and Facilities

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.4 Physical Security Monitoring

The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of both.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.5 Protecting Against Physical and Environmental Threats

The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threats from neighboring premises.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.6 Working in Secure Areas

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cover what people may know, bring in, take out, record, discuss, supervise, and modify while inside the secure area.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.7 Clear Desk and Clear Screen

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, alter, or discard them.

ISO27001 ISO27002 iso27001 annex_a

Evidence packs

Audit evidence packs, registers, proof records, and evidence examples.

14 items
Template note 02 mins read

A.7.1 Audit Evidence Pack

The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.10 Audit Evidence Pack

- Media handling follows classification. - Media is inventoried and labelled where appropriate. - Dispatches are authorized and recorded. - Sensitive media is protected during t...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.11 Audit Evidence Pack

- Critical facilities have documented utility dependencies. - UPS/generator tests include load, runtime, cooling, and maintenance evidence. - Alarms detect utility failures and...

ISO27001 ISO27002 audit evidence
Template note 01 min read

A.7.12 Audit Evidence Pack

- Cable routes are documented and protected. - Power/data segregation is implemented where needed. - Patch panels, cabinets, and connections are locked or access-controlled. - L...

ISO27001 ISO27002 audit evidence
Template note 01 min read

A.7.13 Audit Evidence Pack

- Maintenance is scheduled and recorded. - Faults and repairs are tracked. - Maintainers are authorized and qualified. - External maintainers are escorted where required. - Conf...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.14 Audit Evidence Pack

- Records identify asset, storage media, classification, method, verifier, and date. - Sanitization method matches media type and sensitivity. - Contractor records are asset-spe...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.2 Audit Evidence Pack

The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.3 Audit Evidence Pack

- Controls are based on value, liability, importance, and classification. - Sensitive room purpose is not unnecessarily exposed. - Internal directories and access clues are prot...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.4 Audit Evidence Pack

- Monitoring scope is documented and risk-based. - Alerts have owners, response times, and escalation paths. - Monitoring tests are performed and recorded. - Monitoring staff kn...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.5 Audit Evidence Pack

- Hazard assessment includes site, room, utility, and neighbor risks. - Specialist advice exists for material hazards. - Controls are implemented and maintained. - Continuity ar...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.6 Audit Evidence Pack

- Secure-area work is identified and risk-assessed. - Need-to-know, device, media, supervision, and dual-control rules are documented. - Employees, contractors, and third partie...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.7 Audit Evidence Pack

- Rules cover papers, removable media, screens, printers, faxes, storage, and confidential waste. - Auto-lock settings are enforced. - Sensitive print/fax workflows are controll...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.8 Audit Evidence Pack

- Equipment inventory includes location, owner, and protection requirement. - Siting assessment covers physical, environmental, viewing, access, and interference risks. - Networ...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.7.9 Audit Evidence Pack

- Asset removal is authorized and logged. - Off-site assets are recorded with custodian, location, and review date. - Mobile devices are encrypted and managed. - Long-term loans...

ISO27001 ISO27002 audit evidence

Templates

Reusable implementation, audit, and operational templates.

14 items
Template note 01 min read

A.7.1 Audit Checklist

- Confirm physical security perimeters are defined. - Confirm zones are linked to information/assets and risk. - Review perimeter diagrams or zone register. - Walk the perimeter...

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.10 Audit Checklist

Use this checklist during an internal audit of storage media acquisition, use, transport, storage, disposal, destruction, and damaged-media handling.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.11 Audit Checklist

Use this checklist during an internal audit of power, cooling, telecommunications, water, emergency lighting, fire protection, and building-management utility resilience.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.12 Audit Checklist

Use this checklist during an internal audit of power, data, telecommunications, and supporting service cabling.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.13 Audit Checklist

Use this checklist during an internal audit of equipment maintenance and repair controls.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.14 Audit Checklist

Use this checklist during an internal audit of equipment disposal, reuse, sale, donation, recycling, or repair dispatch.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.2 Audit Checklist

- Confirm secure areas are identified. - Confirm entry controls match risk and sensitivity. - Review physical access authorization and logs. - Check physical access review recor...

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.3 Audit Checklist

Use this checklist during an internal audit of physical security design for offices, rooms, and facilities.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.4 Audit Checklist

- Confirm premises monitoring scope is documented. - Confirm monitoring is continuous where required. - Review monitoring service or personnel responsibilities. - Check alarm re...

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.5 Audit Checklist

Use this checklist during an internal audit of physical and environmental threat protection.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.6 Audit Checklist

Use this checklist during an internal audit of work performed inside secure areas.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.7 Audit Checklist

Use this checklist during an internal audit of clear desk, clear screen, printer, fax, and unattended information controls.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.8 Audit Checklist

Use this checklist during an internal audit of equipment siting, physical protection, environmental exposure, and remote equipment scope.

ISO27001 ISO27002 template audit
Template note 01 min read

A.7.9 Audit Checklist

Use this checklist during an internal audit of assets taken, used, stored, or accessed outside organization premises.

ISO27001 ISO27002 template audit

Crosswalks

Mappings across controls, risks, standards, and assurance views.

1 item
Framework note 05 mins read

A.7 Physical Controls Implementation Audit Risk Mapping

- Physical controls often fail through behavior, not technology. Observation and walkthrough evidence matter. - Physical controls should align to asset inventory, classification...

ISO27001 ISO27002 iso27001 iso27005

Deep links

Link to this domain with /research/iso27001/annex-a-physical-controls/ . Link directly to exact notes from any resource card above.