When working toward ISO 27001:2022 certification, Annex A.7 physical security plays an often overlooked role in protecting your information assets. Annex A offers 93 security measures split into four areas: Organizational Rules (A.5), People Practices (A.6), Physical Security (A.7), and Tech Safeguards (A.8).
This article dives into Annex A.7, which includes 14 controls (A.7.1 to A.7.14) focused on securing physical spaces and equipment. These controls are key for protecting against theft or damage, especially with more hybrid workplaces. Whether you're aiming for certification or boosting security, Annex A.7 helps keep your physical assets safe.
What Are Annex A.7 Physical Security Controls in ISO 27001:2022?
Annex A.7 physical security controls are all about keeping your offices, data centers, and devices safe from physical threats like break-ins or environmental hazards. They cover rules, actions, and setups to shield your hardware and information. Under ISO 27001:2022, you need to review these controls during your risk planning and note their use in your Statement of Applicability (SoA).
With 14 controls, Annex A.7 offers clear steps to protect physical locations, guided by ISO 27002:2022 for adapting to your business size, industry, and emerging risks.
Key Topics Covered in Annex A.7 Controls
Annex A.7 addresses vital physical security areas to keep your workplace safe. Key topics include:
Perimeter and Entry Safety: Controls like A.7.1 (Physical Security Perimeter) and A.7.2 (Physical Entry Controls) secure building boundaries and access points.
Room and Facility Protection: A.7.3 (Securing Offices, Rooms, and Facilities) locks down sensitive areas with monitoring.
Threat Defense and Oversight: A.7.4 (Physical Security Monitoring) and A.7.5 (Protecting Against Physical and Environmental Threats) guard against intruders and events like storms common in September 2025.
Secure Work Areas: A.7.6 (Working in Secure Areas) and A.7.7 (Clear Desk and Clear Screen Policy) encourage tidy, secure work habits.
Gear and Off-Site Care: A.7.8 (Equipment Siting and Protection), A.7.9 (Security of Assets Off-Premises), and A.7.10 (Storage Media) safeguard devices and data away from the office.
Utility and Cable Support: A.7.11 (Supporting Utilities) and A.7.12 (Cabling Security) ensure power and wiring are secure from tampering.
Maintenance and Disposal: A.7.13 (Equipment Maintenance) keeps devices in top shape, while A.7.14 (Secure Disposal) prevents data leaks from old gear.
Complete List of ISO 27001 Annex A.7 Controls
Here is a complete list of Annex A.7 physical security controls from ISO 27001:2022, shown in a simple table for easy access. Decide which apply to your setup based on risks, and use ISO 27002 for detailed how-to advice.
| Control ID | Control Title |
|---|---|
| A.7.1 | Physical Security Perimeter |
| A.7.2 | Physical Entry Controls |
| A.7.3 | Securing Offices, Rooms, and Facilities |
| A.7.4 | Physical Security Monitoring |
| A.7.5 | Protecting Against Physical and Environmental Threats |
| A.7.6 | Working in Secure Areas |
| A.7.7 | Clear Desk and Clear Screen Policy |
| A.7.8 | Equipment Siting and Protection |
| A.7.9 | Security of Assets Off-Premises |
| A.7.10 | Storage Media |
| A.7.11 | Supporting Utilities |
| A.7.12 | Cabling Security |
| A.7.13 | Equipment Maintenance |
| A.7.14 | Secure Disposal or Re-use of Equipment |