Protecting Against Physical and Environmental Threats - ISO 27001 Annex A Control

ISO 27001 Annex A 7.5

Information has to survive the things that can damage the building it sits in.

ISO 27001 Annex A 7.5 - Protecting Against Physical and Environmental Threats

The control widens the lens beyond intruders. Fire, flood, severe weather, vandalism, accidental damage, terrorism and civil disruption can all damage the equipment and information that sits inside the perimeter. The control asks the organisation to consider these threats explicitly and to put in place protections that match the actual risk profile of the location.

Some protections are universal: smoke detection and fire suppression in any space holding equipment, power protection through UPS or generators, reasonable resilience against water damage from leaks or flooding, and backup arrangements that hold copies somewhere physically separate from the primary site.

Other protections are location-specific. A site in a flood zone needs different controls from a site on high ground, and a city centre office faces different civil-disruption risks from a rural site. The risk assessment should drive the control selection rather than a generic checklist applied without regard to local conditions.

The most common gap in this control is the gap between the planned protection and the actual environment: server rooms with no smoke detectors, power-protected systems whose UPS has never been tested, fire suppression systems whose servicing has lapsed. The audit will sample the actual state of the protections rather than the documented intent, and such gaps tend to surface quickly.

Practical Compliance Guidance

Environmental threat protection is described in the IMS1 Manual in Section 8.3, IT Equipment and Physical Security. The F-Q26 Premises Monthly Checklist can be used to assess the premises for physical and environmental threats.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

F-IMS21 Business Continuity Register - The business continuity register listing scenarios and arrangements. Use it to record the environmental threats considered and the protection arrangements in place for each.

F-Q26 Premises Monthly Checklist - This checklist helps businesses demonstrate that regular safety inspections, equipment checks and premises compliance controls are being carried out consistently and documented correctly.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Those that could realistically affect the location. For most UK sites that includes fire, flood, power failure, water leaks from plumbing, severe weather events and the consequences of nearby civil incidents. Sites with specific exposures - flood zones, areas subject to industrial accidents, locations near sensitive infrastructure - should add the specific threats relevant to their environment.

Cloud providers run their own physical and environmental protection at their data centres. The organisation does not need to duplicate this but does need to confirm through due diligence that the provider has appropriate arrangements - typically through their certifications and SOC reports - and reflect this in the supplier risk assessment.

Yes, where possible. UPS units should be load-tested periodically. Fire suppression systems are typically serviced annually. Generators should be run on test schedules. Backup recovery should be tested as part of A.5.30 ICT readiness. Untested protection often turns out not to work when the moment comes.
