Securing Offices, Rooms and Facilities - ISO 27001 Annex A Control

ISO 27001 Annex A 7.3

The internal spaces need their own protection - not just the building.

ISO 27001 Annex A 7.3 - Securing Offices, Rooms and Facilities

Inside the building perimeter, particular rooms and offices need their own protection. The control recognises that not all internal spaces are equal - the boardroom where strategic discussions happen, the HR office where personal data is handled, the comms room where the network sits, and the document storage room each need protection appropriate to what they contain.

Physical arrangements vary. Some rooms may need lockable doors with controlled access. Others may need partitioning that limits casual visibility from corridors. Some may need additional fire or environmental protection. The protection should match the sensitivity of the information and equipment held in the space, not a single standard applied uniformly.

Beyond the obvious rooms, the control extends to less obvious facilities: cleaning cupboards used to store equipment, cabinets in shared corridors holding records, and photocopier or printer areas where forgotten documents accumulate. Each of these needs to be considered alongside the formal offices and rooms, because the sensitivity of what is held there is often higher than the room's name suggests.

The most overlooked rooms are usually the ones that have accumulated sensitive content over time without anyone noticing: the HR cupboard, the finance archive, the office where someone happens to handle customer complaints. The control asks the organisation to look at every internal space and ask whether the protection matches what is actually inside, not what the room was originally intended to hold. A periodic walk-round against the current contents, rather than the original floor plan, is the practical way to catch this drift.

Practical Compliance Guidance

Office and room security is described in the IMS1 Manual in section 8.3 IT Equipment and Physical Security. The F-Q26 Premises Monthly Checklist can be used to check for the security of offices, rooms and facilities.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the Physical Security Policy setting out the protection expected for different categories of internal space.

F-Q26 Premises Monthly Checklist - This checklist helps businesses demonstrate that regular safety inspections, equipment checks and premises compliance controls are being carried out consistently and documented correctly.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Which rooms and facilities does this control apply to?

Any room containing information or equipment that warrants more protection than the general office area. Typical examples: comms and server rooms, HR and finance offices, document storage, secure printing areas, rooms used for confidential discussions, and any room where keys or access cards to other areas are held. The list should be tailored to the actual operations of the organisation and revisited when a room's use changes.

How can the control be met in an open-plan office?

Open-plan layouts make traditional room-based controls harder. The mitigation usually combines clear desk arrangements, lockable storage at desks, screen privacy, designated areas for confidential calls, and physical separation of higher-sensitivity teams where the layout allows. The Physical Security Policy should set out the expectations so that staff know what is required at their own desk.

Should sensitive rooms be labelled?

There is a balance. Visible identification helps staff know which areas they should and should not enter, but advertising "Server Room" on the door also tells anyone walking past where the equipment sits. A common compromise is internal numbering or coded labels that staff understand but that do not advertise the contents to outsiders. Whatever labelling is chosen, it should be consistent with the access list for that room, so that a coded label still maps to a clear record of who is permitted inside.
