Physical Entry - ISO 27001 Annex A Control

ISO 27001 Annex A 7.2

Define who gets in, by what route, and how the access is recorded.

ISO 27001 Annex A 7.2 - Physical Entry

Once a perimeter exists, the next question is how people get through it. The control asks for entry to be managed - who is authorised, by what route, with what record. Without this, an unlocked door or a tailgated entry can make the perimeter meaningless. With it, the organisation has both prevention and a trail to follow if something goes wrong.

Different perimeters need different entry controls. The general office may use card access with a logged audit trail. A server room may add multi-factor controls or biometrics. A data centre may include mantrap arrangements. The layered approach to perimeters carries through to layered entry controls, each appropriate to what sits inside.

Visitor management is a particular focus. Visitors should be expected, signed in, escorted where appropriate, and signed out at the end. Their access should be limited to the areas they need - a visitor to reception does not need access to the office floor, and a visitor to one office does not need run of the building. Tailgating - a visitor or unauthorised person following a legitimate cardholder through a door - is a common gap that controls and culture need to address together.

The visitor process is the area that gets tested most often in practice. Couriers, contractors, candidates for interview, the engineer fixing the printer - they all show up regularly and the process has to handle them quickly without becoming a security shortcut. We have a single sign-in point, photo badges for any visit longer than an hour, and a rule that any escort gets handed off properly rather than the visitor being left to find their own way.

The audit test is whether the access logs and the visitor records match the actual movement of people through the secure areas. If the logs are pristine but staff casually let people in through side doors, the documented control is not the operating control. I will look at the route from front door to sensitive areas and ask what stops an unauthorised person walking it.
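As an added illustration of that audit test (example code, not part of this page or the alphaZ toolkit), the following Python reconciles a constructed badge-reader log against a constructed visitor register and reports where the two disagree: visitors never signed out, badge use outside the signed-in period, entry to a zone the visitor was not permitted, and entry to a non-public door with no escort badge shortly before. The file layouts, zone names, escort field and 60-second escort window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from any real system. Badge log: time, badge, door (door = zone name).
BADGE_LOG = """\
2024-03-04 09:02:10,STAFF-017,office-floor
2024-03-04 09:03:05,VIS-0042,office-floor
2024-03-04 10:40:30,VIS-0042,server-room
2024-03-04 11:15:00,VIS-0043,office-floor
"""
# Visitor register: badge, signed in, signed out (blank = not signed out), permitted zones ('|'-separated), escort badge.
VISITOR_REGISTER = """\
VIS-0042,2024-03-04 08:55:00,2024-03-04 12:00:00,office-floor,STAFF-017
VIS-0043,2024-03-04 11:10:00,,office-floor,STAFF-021
"""
PUBLIC_ZONES = {"reception"}          # assumption: zones a visitor may enter without escort
ESCORT_WINDOW = timedelta(seconds=60)  # assumption: escort must badge the same door within this window first

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def reconcile(badge_log, register):
    """Return (badge, finding) tuples where the badge log and the visitor register do not agree."""
    visitors = {}
    for line in register.strip().splitlines():
        badge, t_in, t_out, zones, escort = line.split(",")
        visitors[badge] = (parse_time(t_in), parse_time(t_out) if t_out else None,
                           set(zones.split("|")), escort)
    events = [(parse_time(t), b, d) for t, b, d in
              (l.split(",") for l in badge_log.strip().splitlines())]
    findings = []
    for badge, (_, t_out, _, _) in visitors.items():
        if t_out is None:
            findings.append((badge, "signed in but never signed out"))
    for when, badge, door in events:
        if badge not in visitors:
            continue  # staff badges are checked against their own authorisation, not the visitor register
        t_in, t_out, zones, escort = visitors[badge]
        if when < t_in or (t_out and when > t_out):
            findings.append((badge, f"badge used at {door} outside signed-in period"))
        if door not in zones and door not in PUBLIC_ZONES:
            findings.append((badge, f"entered {door}, not a permitted zone"))
        # Escort check: the named escort must have badged the same door shortly before the visitor.
        escorted = any(b == escort and d == door and timedelta(0) <= when - t <= ESCORT_WINDOW
                       for t, b, d in events)
        if door not in PUBLIC_ZONES and not escorted:
            findings.append((badge, f"entered {door} with no escort badge within {ESCORT_WINDOW.seconds}s"))
    return findings
```

On the sample data the first office-floor entry by VIS-0042 passes (inside the signed-in period, permitted zone, escort badged 55 seconds earlier), while the server-room entry, the unescorted VIS-0043 entry and the missing sign-out are each reported.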

Practical Compliance Guidance

Physical entry arrangements are described in the IMS1 Manual in Section 8.3 IT Equipment and Physical Security. 

alphaZ document                                          How to use it
ISO 27001 Toolkit                                        The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.
PP-8-100 Information Security Policy Procedure           Contains the Physical Security Policy, including the rules for staff access, visitor management, and entry to higher-security areas.
PP-1-06 Management Equipment Premises Policy Procedure   Policy-procedure detailing the arrangements in place to manage the use, inspection and maintenance of equipment and premises.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does the control require a card access system?

Not necessarily - the control requires appropriate entry control, not a specific technology. Small organisations may rely on standard locks with controlled key issue. Card systems become valuable as the organisation grows because they provide an audit trail and remove the cost of changing locks when a key is lost. The choice should reflect the size of the organisation and the sensitivity of what is being protected.

How should visitors be managed?

Through a defined visitor process - sign in on arrival, identification check, badge or visible identifier, escort to and from any non-public areas, sign out on departure. The level of formality scales with the sensitivity of what they will see. The visitor log should be retained as evidence of who was on site, when, and who was responsible for them.

How can tailgating be prevented?

Through a combination of awareness - staff are trained to challenge unfamiliar faces - and physical arrangements - door closers that prevent doors being held open, mantraps for high-security areas, and signage that makes the expectation clear. Cultural reinforcement matters: an organisation where staff feel comfortable challenging strangers is harder to tailgate into than one where it feels rude to ask.
