Annex A.7 of ISO 27001 includes 14 physical controls that address the security of physical environments and equipment critical to an ISMS. These controls mitigate risks such as theft, environmental damage, or unauthorized access, complementing organizational, people, and technological controls. By securing physical assets, organizations protect sensitive information and ensure operational continuity.

Each control in Annex A.7 is defined in the normative ISO/IEC 27001:2022 standard with a unique identifier, title, and brief statement. For practical implementation, ISO/IEC 27002:2022, an informative companion, provides detailed guidance, examples, and best practices across 164 pages, using the same numbering for seamless reference. Both standards are available for purchase from the International Organization for Standardization (ISO) or authorized resellers.

Complete List of Annex A.7 Physical Controls

The table below lists all fourteen physical controls of Annex A.

Key Topics Covered in Annex A.7 Controls

Annex A.7 addresses a range of physical security measures to protect organizational assets from physical and environmental threats. These controls are critical for securing data centers, offices, and equipment in both on-site and hybrid work environments. Below is a breakdown of the main areas covered by A.7, with examples and their relevance in 2025.

Perimeter and Access Security

The following controls are related to this topic:

• A.7.1 (Physical Security Perimeter)

• A.7.2 (Physical Entry Controls)

• A.7.3 (Securing Offices, Rooms, and Facilities)

• A.7.6 (Working in Secure Areas).

Purpose: Establish physical barriers and access restrictions to prevent unauthorized entry. A.7.1 defines secure perimeters (e.g., fences, walls), while A.7.2 mandates entry controls like keycards or biometrics.

Relevance: With rising physical intrusion risks, such as unauthorized access to data centers, these controls are essential for protecting sensitive assets.

Monitoring and Detection

The following controls are related to this topic:

• A.7.4 (Physical Security Monitoring)

Purpose: Use monitoring systems like CCTV to detect and deter unauthorized activities. A.7.4 requires surveillance to monitor secure areas.

Relevance: In 2025, advanced monitoring technologies, including AI-driven analytics, enhance detection of physical security breaches.

Environmental Protection

The following controls are related to this topic:

• A.7.5 (Protecting Against Physical and Environmental Threats)

• A.7.11 (Supporting Utilities).

Purpose: Safeguard assets from environmental risks like fires, floods, or power failures. A.7.5 includes measures like fire suppression systems, while A.7.11 ensures reliable utilities like backup power.

Relevance: Climate-related risks and power grid vulnerabilities in 2025 make these controls critical for operational continuity.

Equipment and Media Security

The following controls are related to this topic:

• A.7.8 (Equipment Siting and Protection)

• A.7.9 (Security of Assets Off-Premises)

• A.7.10 (Storage Media)

• A.7.12 (Cabling Security)

• A.7.13 (Equipment Maintenance)

• A.7.14 (Secure Disposal or Reuse of Equipment).

Purpose: Protect equipment and media from damage, theft, or misuse. A.7.10 secures storage media like USB drives, while A.7.14 ensures secure disposal to prevent data leaks.

Relevance: With hybrid work and mobile devices prevalent, securing off-premises assets and proper disposal are vital to prevent data breaches.

Workspace Policies

The following controls are related to this topic:

• A.7.7 (Clear Desk and Clear Screen Policy)

Purpose: Minimize risks from unattended documents or screens. A.7.7 requires employees to clear desks and lock screens when not in use.

Relevance: In shared or remote workspaces, this control reduces risks of unauthorized data exposure.