Physical Security Perimeters - ISO 27001 Annex A Control
ISO 27001 Annex A 7.1
The walls and doors that mark where the security regime starts.
ISO 27001 Annex A 7.1 - Physical Security Perimeters
The control starts with the building. Information sits inside spaces - offices, server rooms, storage areas - and those spaces need defined boundaries that mark where the organisation's physical security regime applies. Without that boundary, every other physical control is harder to apply because there is no clear inside and outside.
Perimeters need to be appropriate to what they protect. The reception area of an office has a different perimeter from a data centre or a secure document store. Each perimeter needs walls or partitions that resist easy intrusion, doors and windows with appropriate locks, and arrangements that match the value and sensitivity of what sits inside. The perimeter also needs to be continuous: a partition that stops at a suspended ceiling, or a wall with an unsecured service duct through it, leaves a gap that a locked door does nothing to close, so walk the boundary and check above the ceiling tiles and below any raised floor, not just the doors.
Multiple perimeters make sense for all but the smallest sites: a general site perimeter at the edge of the property, an office perimeter at the building entrance, and additional perimeters around higher-security zones such as server or comms rooms. The layered approach means that getting through one perimeter does not give an intruder the run of the whole site, and each boundary crossing is another point at which access can be checked and logged.
For us the perimeter is more than the front door. It is the fence, the reception, the access-controlled doors into the office areas, and the additional locks on the comms room. Each layer adds friction for someone trying to get in where they should not be, and gives more chances to notice an intrusion attempt before it becomes a real incident.
Practical Compliance Guidance
Physical security perimeters are described in the IMS1 Manual in Section 8.3 IT Equipment and Physical Security. The F-Q26 Premises Monthly Checklist can be used to check physical security aspects on-site.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the Physical Security Policy alongside the wider information security arrangements. Use as the source for perimeter definitions and the rules that apply within them. |
| F-Q26 Premises Monthly Checklist | Use for the monthly on-site check that the physical perimeter controls (fences, doors, windows, locks, access-controlled entrances) are in place and working, and to keep a dated record of each inspection as evidence that the checks are carried out consistently. |
Note - all the above files can be downloaded with an alphaZ subscription.
