Working in Secure Areas - ISO 27001 Annex A Control

The behaviour inside a secure area matters as much as who gets in.

ISO 27001 Annex A 7.6 - Working in Secure Areas

Designating an area as secure does not by itself make the work that happens inside it secure. The control sits alongside the entry controls and asks the organisation to think about behaviour - what can be brought in, what can be taken out, what can be discussed, and how staff actually work in those spaces.

The rules vary by area. A general office may simply require that visitors are escorted and that conversations stay within the team. A development environment may require that personal devices are kept out and that recording equipment is restricted. A data centre or secure document store may add requirements about photography, written notes leaving the area, and how the area is checked at the start and end of each working session.

Staff working in these areas need to know the rules. Awareness training, signage at the entry points, and clear policies all help. The control is not satisfied by writing the rules - it is satisfied by the rules being followed in practice, which depends on staff understanding why they exist and seeing them applied consistently.

The clearest way to fail this control is to designate areas as secure and then operate them no differently from anywhere else. If everyone walks into the comms room with their phone in their pocket and no one ever comments, the secure area is secure on paper only. The audit looks at how the area actually operates, not what the door label says.

Practical Compliance Guidance

Working practices for secure areas are described in the IMS1 Manual in Section 8.3 IT Equipment and Physical Security. Specific working rules for higher-security areas are set out in the policy or local procedures.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the Physical Security Policy, including the rules expected for working in different categories of secure area.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Common examples: no personal devices that can record audio, video or images; no unaccompanied visitors; clear desk arrangements at the end of each working session; restrictions on what can be removed from the area; sign-in records for entry and exit; and additional confidentiality expectations for any conversations. The exact rules should match the sensitivity of the area.

Through a combination of contractual confidentiality obligations, induction to the local rules, escort by a member of staff for the duration of the work, and review of any output before it leaves the area. The supplier agreement should reflect the secure area rules where contractors will routinely work in them.

Restrictions on photography and recording are common in higher-sensitivity areas. The position should be clear in the policy and at the entry to the area. Where work needs photographs (engineering documentation, for example), the process should require authorisation and define how the resulting images are handled.
