ISO 27001: 2022 Annex A Explained (Pt.3): Physical Controls

    Phuong Linh

    August 19, 2025 • 15 min read

    In today's world, where remote work is common and data is stored across various locations, from on-site servers to employee laptops at home, the scope of physical security has expanded far beyond a single office building.

    Think of your company's data and systems as the valuable assets stored inside a bank. Your digital security measures are the alarms, encrypted communication, and digital locks on the vault. Your physical controls are the security guards, the steel door, the concrete walls, and the surveillance cameras. Without the physical protection, the digital locks are rendered meaningless.

    Therefore, Annex A's Physical Controls make companies look beyond the keyboard and consider a wider range of risks, from environmental disasters to simple human error. By implementing them, you're building a strong security posture that can protect against some of the most common and damaging security incidents.

    What Are Physical Controls?

    ISO 27001 Annex A is a crucial component of the standard, outlining a comprehensive set of security controls. Among these are the Physical Controls (numbered 7.1 to 7.14), designed to secure the physical environment where an organization's information and assets are stored and processed. These controls are essential for any company seeking ISO 27001 certification, as they show how the company protects against threats such as unauthorized physical access, theft, and environmental damage.

    During ISO 27001 audits, auditors will meticulously examine the implementation and effectiveness of these physical Annex A controls. They will assess measures such as:

    • Physical entry controls: Policies and procedures for allowing and restricting access to secure areas, including the use of access cards, biometrics, and visitor logs.
    • Secure areas: The physical security of buildings, rooms, and enclosures where sensitive information is handled, ensuring they are protected by barriers, alarms, and surveillance.
    • Equipment security: Controls to prevent unauthorized removal, damage, or compromise of equipment, including locking servers in racks and securing laptops.
    • Cabling security: Protecting power and telecommunications cabling from interception or damage.

    The proper implementation and maintenance of these controls are critical for a successful ISO 27001 certification.

    Quick Overview: 14 Physical Controls of ISO 27001

    Annex A of ISO 27001:2022 outlines 14 physical controls:

    1. Physical security perimeters (7.1)
    2. Physical entry (7.2)
    3. Securing offices, rooms and facilities (7.3)
    4. Physical security monitoring (7.4)
    5. Protecting against physical and environmental threats (7.5)
    6. Working in secure areas (7.6)
    7. Clear desk and clear screen (7.7)
    8. Equipment siting and protection (7.8)
    9. Security of assets off-premises (7.9)
    10. Storage media (7.10)
    11. Supporting utilities (7.11)
    12. Cabling security (7.12)
    13. Equipment maintenance (7.13)
    14. Secure disposal or re-use of equipment (7.14)

    Let's take a deeper dive!


    A Look at Physical Controls

    Here is a detailed breakdown of each of the 14 controls and how they can be applied for your business.

    1. Physical Security Perimeter (7.1)

    This control requires you to establish and maintain a secure perimeter around your facilities. This could be an obvious physical boundary like a fence, or a less visible one like a secured front entrance. By clearly defining secure areas, you make it immediately obvious where people are and are not permitted to go.

    For a small office, this might mean a locked front door with a digital keypad. For a larger organization, it could involve a security guard station, perimeter fencing, and secured parking areas.

    2. Physical Entry Controls (7.2)

    You must control and monitor who enters your secure areas. This ensures that only authorized individuals have access to sensitive locations, preventing unauthorized individuals, e.g., competitors, criminals, or any outsiders, from accessing your data.

    To ensure control of who enters, companies can use key cards, biometric scanners, or a sign-in process for all visitors. This includes escorting visitors at all times within secure areas.

    3. Securing Offices, Rooms & Facilities (7.3)

    This control is about protecting sensitive areas within your perimeter. You must secure rooms that contain important information and equipment. Even if an intruder gets past the front door, they should not be able to access the server room, data archives, or confidential meeting spaces.

    For example, companies can use a separate, secure lock on the server room door, locking file cabinets containing sensitive documents, and educating employees on the dangers of "tailgating" (when an unauthorized person follows an employee through a secure door).

    4. Physical Security Monitoring (7.4)

    This involves actively monitoring your physical spaces, with equipment such as security cameras (CCTV), motion detectors, or sensors on doors and windows, to detect and respond to unauthorized access or suspicious activity.

    Monitoring gives companies evidence to review after a breach and can act as a deterrent to intruders. These systems should be monitored in real time or reviewed regularly.

    5. Protecting Against Physical & Environmental Threats (7.5)

    Your assets must be protected from natural disasters and environmental risks. A fire, flood, or power surge can be just as destructive to your data as a cyber-attack. This control ensures business continuity and data integrity.

    To protect your data against physical and environmental threats, some solutions include implementing fire detection and extinguisher systems, placing servers in a climate-controlled room with proper ventilation, and using uninterruptible power supplies (UPS) to protect against power outages.

    6. Working in Secure Areas (7.6)

    You need to establish special rules for working in high-security zones to reduce the likelihood of accidental or malicious data leakage. In spaces where the most sensitive data is handled, standard controls may not be enough.

    These special rules may include restricting the use of personal mobile devices, banning cameras, and implementing a policy of "no paper" or controlled document handling.

    7. Clear Desk & Clear Screen (7.7)

    This is one of the most effective and low-cost controls. It is satisfied by a policy requiring employees to keep sensitive information off their desks and to lock their computer screens when they step away. It prevents "shoulder surfing" and the theft of documents or access to an unlocked computer in an open-plan office.

    To fulfill this control, companies can implement a policy that all papers must be filed away at the end of the day, and set a screen saver with password protection that activates after a short period of inactivity.

    8. Equipment Siting & Protection (7.8)

    This control requires the strategic placement of equipment in secure, low-risk locations. This prevents equipment from being tampered with or stolen, and protects it from environmental damage.

    To do this, house servers in a secure, locked rack instead of on the floor, and position printers in a controlled area to prevent sensitive documents from being leaked.

    9. Security of Assets Off-Premises (7.9)

    This control addresses the risk associated with equipment used outside of your secure perimeter, such as by remote or traveling employees. A lost or stolen laptop with unencrypted data can lead to a major breach. This control extends your security boundary to where the work is actually being done.

    Solutions consist of requiring full-disk encryption on all company laptops, implementing multi-factor authentication (MFA) for remote access, and having a policy for immediately reporting lost or stolen equipment.

    10. Storage Media (7.10)

    This control focuses on the secure storage and management of all physical media containing data. USB drives, hard drives, and backup tapes can easily be lost, stolen, or improperly disposed of, leading to data leaks.

    Companies should store all physical media in a locked cabinet, maintain an inventory of all media, and encrypt data on portable storage devices.

    11. Supporting Utilities (7.11)

    You must ensure that critical systems have a reliable supply of power, air conditioning, and other utilities. System downtime can be caused by something as simple as a power outage or a failed air conditioner in a server room.

    Therefore, to support their critical systems, companies should consider using a backup generator, having redundant power sources, and regularly testing their HVAC systems.

    12. Cabling Security (7.12)

    This control requires you to protect power and network cables from being physically tampered with or intercepted. An attacker can gain unauthorized access to your network by physically tapping into a network cable. Protecting cables is a simple way to close this vulnerability.

    Solutions consist of running cables through secure conduits, hiding them in walls or under floors, and ensuring that all networking closets are locked.

    13. Equipment Maintenance (7.13)

    You need to have a policy for the secure maintenance of all equipment. When equipment is being repaired, it's a potential point of data exposure. This control ensures that maintenance activities are performed without compromising security.

    Precautions you can take are to use only trusted, vetted third-party vendors for repairs, have a clear chain of custody for any device leaving the premises, and securely wipe data before a device is sent for repair.

    14. Secure Disposal or Re-Use of Equipment (7.14)

    This is the final step in the equipment lifecycle. You must securely erase all data from a device before it is disposed of or re-used. Data can be easily recovered from hard drives, even after they have been "deleted" or formatted. A hard drive thrown in the trash can be a goldmine for an attacker.

    To prevent this, use a data wiping utility that meets industry standards, physically shred hard drives, or use a certified third-party service for equipment disposal.

    Common Challenges and Best Practices

    Implementing these controls isn't just a one-time project. It requires an ongoing commitment. Here are some common challenges and best practices to help you succeed:

    • Employee Awareness: Employees are often the weakest link. They might forget to lock their screens or hold a door open for an unbadged visitor without thinking.

    Best Practice: Make security a part of your company culture. Conduct regular training sessions, send out reminders, and have a clear disciplinary process for violations.

    • Remote Work Risks: It's much harder to enforce physical controls when your employees are working from home or a coffee shop.

    Best Practice: Develop a comprehensive remote work security policy. This should include rules on screen locking, device encryption, use of public Wi-Fi, and a clear reporting process for lost or stolen equipment.

    • The "It Won't Happen to Us" Mindset: Many organizations believe they are too small or not a high enough profile to be targeted by physical threats.

    Best Practice: Educate your team on the real-world risks. Remind them that breaches often start with a simple, opportunistic action, not a targeted attack.

    The Benefits of Physical Controls Beyond Compliance

    While ISO 27001 certification is a major driver, the benefits of implementing these controls go far beyond a seal of approval. A strong physical security posture can:

    • Ensure Constant Operation: By protecting your physical assets from fire, flood, and other disasters, you reduce the risk of downtime and ensure your business can continue to operate.
    • Build Customer Trust: In an era of increasing data privacy concerns, customers and partners want to know that you are serious about security. A strong, visible commitment to both digital and physical security builds confidence and strengthens your reputation.
    • Improve Audit Readiness: A well-documented and consistently executed set of physical controls makes the ISO 27001 audit process smoother and more efficient.

    Your Magic Document: The Statement of Applicability (SoA)

    Now for the most important part. How do you tell an auditor which of the 93 controls you've chosen? You use a document called the Statement of Applicability (SoA).

    It's basically a big checklist where you go through every single one of the 93 controls and state one of three things:

    • "Yes, we're doing this." You then briefly explain how you've implemented the control.
    • "No, this doesn't apply to us." Here, you must provide a clear reason why. This is your justification for excluding a control.
    • You can also state your intention to implement a control in the future.

    For example, if you are a fully remote startup with no physical office, you can absolutely exclude controls related to "securing physical offices." Your justification in the SoA would be: "This control is not applicable as the organization operates on a fully remote basis with no physical office premises."

    Why Do Annex A Controls Matter So Much?

    Going through this process isn't just about ticking boxes for a certificate. It has real, tangible benefits for your startup.

    • Build trust with clients and investors: When you can show a potential enterprise client your SoA, you're speaking their language. You're demonstrating that you take security seriously and have a professional, well-thought-out approach.
    • Ensure you've covered all your risks: Annex A is like a checklist built by thousands of security experts. By reviewing it, you make sure you haven't forgotten about a major area of risk. It's a fantastic safety net.
    • Pass vendor & regulatory checks: More and more, getting through vendor security questionnaires or complying with regulations requires having these kinds of documented controls in place. ISO 27001 gives you a golden ticket.
    • Scale without reinventing the wheel: As you grow, you'll have a solid security foundation to build on. You won't have to make up security rules as you go; you'll already have a blueprint for success.

    Conclusion

    Annex A looks intimidating from a distance, but up close, it's just a helpful catalog of best practices. Physical security is an essential, integrated component of a complete information security strategy. By paying attention to the details of these 14 controls, you can create a safer, more resilient organization.

    The key is to use your risk assessment to make smart, informed decisions about which controls make sense for your company.

    Ready to build a smart ISO 27001 roadmap that's perfect for your startup's size and stage? Smartly is here to help you navigate the journey and save time for building your product.