ISO 27001:2022 Annex A Control 7.1

Physical Security Perimeters

Book a demo

business,communication,connection,working,concept

What is ISO 27001:2022 Annex A 7.1?

ISO 27001:2022 Annex A 7.1 requires organisations to establish security perimeters and use them to safeguard information and associated assets.

Information and Information Security Assets Explained

Information can be described as any data, knowledge, or insight that has worth to an organisation or company. This includes any details obtained about individuals, customers, partners, employees, and other stakeholders.

Information security assets can be broadly classified into:

Data

Data and information are often mistaken for one another but there is a distinct difference. Data is raw, unprocessed and generally of no use in its present form. On the other hand, information is data that has been arranged into a usable format, such as an email or phone number.

Infrastructure

Infrastructure encompasses all components of a network – servers, printers, routers, and more – to create a cohesive system.

Software infrastructure, such as operating systems and applications, must be safeguarded from cyber threats, just as hardware does. To avoid exploitation by malicious hackers seeking access to sensitive data, both need to be regularly updated with patches and fixes for any vulnerabilities exposed by hackers.

Physical Security Perimeters Explained

Physical security refers to the physical measures that safeguard an organisation’s resources and premises. It is a fundamental and indispensable part of information security. It involves more than just locking the door; it also entails being aware of who has access to what, when, where, and how.

Physical security perimeters identify the physical boundaries of a building or area and control access to it. Fences, walls, gates and other barriers can be employed to prevent unauthorised entry by people or vehicles. Furthermore, electronic surveillance equipment such as CCTV cameras can be used to monitor activity outside the facility.

Physical security perimeters offer the initial layer of protection against outsiders attempting to access your computer system via a wired or wireless connection in a business. They are frequently combined with additional information security controls, such as identity management, access control, and intrusion detection systems.

Guidance on ISO 27001:2022 Annex A 7.1

ISO 27001:2022 Annex A 7.1 guarantees an organisation can show it has suitable physical security boundaries in place to stop unauthorised physical access to information and other related assets.

This entails taking steps to preclude:

  • Unauthorised entry into buildings, rooms, or areas containing information assets is prohibited.
  • The removal of assets without permission from the premises is unacceptable.
  • The unauthorised utilisation of premises assets, such as computers and related devices, is not permitted.
  • Unauthorised tampering with electronic communication equipment, such as telephones, faxes and computer terminals, is not allowed.

It is possible to implement physical security perimeters in two different ways:

Physical access control – safeguards entry to facilities and buildings and movement within them. This includes locking doors, alarms, fences and barriers.

Hardware security – provides control over physical equipment, such as computers, printers and scanners, that process data containing sensitive information.

This control helps safeguard information and other related assets, such as confidential documents, records, and equipment, by preventing unauthorised use of facility space, equipment, and supplies.

What’s Involved and How to Meet the Requirements

Guidelines to be taken into account for physical security perimeters should be adopted where feasible:

  • Establishing security barriers and pinpointing the exact location and strength of each in line with information security regulations concerning the resources within the boundary.
  • Ensuring the physical security of a building or site that houses information processing systems is vital, with no gaps or weak points in the perimeter where a break-in could be facilitated.
  • The exterior surfaces of the site, including roofs, walls, ceilings, and flooring, must be of sturdy construction and all external doors should be outfitted with control mechanisms like bars, alarms, and locks to prevent unauthorised entry.
  • Ensure windows and doors are locked when unoccupied and consider external security for windows, especially on the ground floor; ventilation must be taken into account too.

For further insight into what is expected for compliance with the ISO 27001:2022 standard, consult the associated documentation.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 7.1 replaces ISO 27001:2013 Annex A 11.1.1; the context and meaning remaining largely similar, albeit phrased differently.

The 2022 version saw a reduction in implementation requirements compared to the prior control.

Annex A 7.1 lacks the requirements detailed in Annex A 11.1.1, which are as followed:

  • There should be a staffed reception area or another way of managing physical entry to the site or building.
  • Only authorised personnel should be permitted entry to sites and buildings.
  • Construct physical barriers, when applicable, to impede unauthorised physical access and avert environmental contamination.
  • Installing intruder detection systems that meet national, regional, or international standards and testing them regularly to secure all external doors and accessible windows is necessary.
  • All unoccupied areas should be fitted with an alarm system at all times.
  • We should ensure coverage of other areas, such as computer and communications rooms.
  • The organisation should keep their information processing facilities physically separated from those managed by external sources.

No omission reduces the effectiveness of the new ISO 27001:2022 standard; instead, they were eliminated to make the control easier to use and understand.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of This Process?

The Chief Information Officer (CIO) is the leader responsible for safeguarding company data and systems. They work with other executives to consider security when making business decisions, such as the Chief Financial Officer and Chief Executive Officer. Implementing policies and procedures to protect the company’s information is a key part of the CIO’s role.

The Chief Financial Officer has a role in deciding on physical security perimeters. Working with other C-suite executives, including the CIO, they decide how much to invest in physical security measures such as surveillance cameras, access controls and alarms.

What Do These Changes Mean for You?

ISO 27001:2022 is not a major overhaul, so no significant alterations are necessary for compliance.

It is worth examining your current implementation to guarantee it is in line with the new requirements. Particularly, if any changes were made since the version of 2013. It is worth re-assessing those changes to determine if they remain valid or need to be altered.

How ISMS.Online Help

ISMS.online can assist in proving ISO 27001 compliance by providing an online system that enables storage of documents in a single, accessible location. It also facilitates development of checklists for each document, thus facilitating review and modification of documents.

Would you like to experience how it works?

Contact us today to reserve a demonstration.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.