ISO 27001:2022 Annex A 7.2 emphasises the requirement for organisations to secure areas through the employment of suitable entry controls and access points.
Entry controls and access points are crucial to the security system of any building. They allow occupants to enter and exit while maintaining security, and can stop those who are not authorised or desired from entering.
Entry control systems provide access to a building by way of doors and gates, including keypads, card readers, biometric scanners and fobs. Additionally, they provide locking mechanisms for doors and gates, in addition to turnstiles and revolving doors.
An access point is an electronic device that ensures security in large commercial buildings. It utilises RFID technology to track all movement within and out of the premises. The access point sends data back to headquarters, allowing security personnel to observe when someone enters or exits the facility and which areas they are accessing during their stay.
Book a 30 minute chat with us and we’ll show you how
ISO 27001:2022 Annex A Control 7.2 guarantees only authorised physical access to the organisation’s data and other related assets.
Physical security is paramount for safeguarding the confidentiality, integrity and accessibility of information resources. Annex A Control 7.2 of ISO 27001:2022 is primarily concerned with preserving data and other related assets from unauthorised access, theft or loss. Thus, necessary entry and access points should be implemented to guarantee only authorised personnel can access secure areas.
Controls should be implemented to ensure reasonable assurance that only authorised persons have physical access, and that they are accurately identified.
The use of locks, keys (manual and electronic), security guards, monitoring systems, and other barriers at entrances and access points should be implemented. Access control systems such as passwords, card keys, or biometric devices should be used to secure sensitive areas within the facility.
Organisations must control and, if possible, separate access points such as delivery and loading zones and other points of entry to the premises from their IT facilities to prevent unauthorised access, in order to meet the demands of Annex A 7.2 implementation. These areas should be limited to authorised personnel only.
The ISO 27001:2022 document provides implementation guidance for Annex A 7.2, which assists in meeting the requirements for personnel, visitors and delivery people. To view these guidelines, access the revised version of the standard.
Annex A 7.2 in ISO 27001:2022 is not a new measure, but rather a combination of Annex A Controls 11.1.2 and 11.1.6 from ISO 27001:2013. These two Annex A Controls have been revised in ISO 27001:2022 to make it more intuitive than ISO 27001:2013.
Annex A Control 11.1.2 – Physical Entry Controls requires secure areas to be safeguarded by proper entry controls, so that only authorised personnel can gain access. This part of the standard outlines the measures organisations can take to ensure that only those permitted may enter for specific purposes.
The regulation requires that two-factor authentication be implemented for authorised personnel to gain access to information security sensitive areas, with a physical log book or electronic audit trail to support it.
Annex A Control 11.1.6 – Delivery and Loading Areas stipulates that access to these areas should be restricted to authorised personnel only. It is advised that they be designed so that they are separated from operational areas, thereby preventing delivery personnel from accessing other parts of the building.
Ultimately, Annex A Control 7.2 and Annex A Controls 11.1.2 and 11.1.6 are comparable in essence. The major distinction is that Annex A 11.1.2 and Annex A 11.1.6 were amalgamated for enhanced user-friendliness.
In the 2022 version of ISO 27001, an attributes table and control purpose were included, which were absent from the controls of the 2013 version.
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 | Annex A 5.1.1 Annex A 5.1.2 | Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 | Annex A 6.1.5 Annex A 14.1.1 | Information Security in Project Management |
| Organisational Controls | Annex A 5.9 | Annex A 8.1.1 Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 | Annex A 8.1.3 Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 | Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 | Information Transfer |
| Organisational Controls | Annex A 5.15 | Annex A 9.1.1 Annex A 9.1.2 | Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 | Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 | Authentication Information |
| Organisational Controls | Annex A 5.18 | Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 | Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 | Annex A 15.2.1 Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 | Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 | Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 | Annex A 18.1.1 Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 | Annex A 18.2.2 Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 | Annex A 16.1.2 Annex A 16.1.3 | Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 | Annex A 11.1.2 Annex A 11.1.6 | Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 | Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 | Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 | Annex A 6.2.1 Annex A 11.2.8 | User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 | Annex A 12.6.1 Annex A 18.2.3 | Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 | Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 | Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
| Technological Controls | Annex A 8.19 | Annex A 12.5.1 Annex A 12.6.2 | Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 | Annex A 10.1.1 Annex A 10.1.2 | Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 | Annex A 14.1.2 Annex A 14.1.3 | Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 | Annex A 14.2.8 Annex A 14.2.9 | Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 | Annex A 12.1.4 Annex A 14.2.6 | Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 | Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 | Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
Controlling physical access is paramount for the security of any organisation or business. Ensuring no unauthorised personnel enter the premises is essential. Consequently, the implementation of stringent measures is essential.
The security department oversees all physical security aspects, such as entry control. Should they lack the necessary expertise or resources to manage this, they may assign authority to another department.
IT teams are crucial for physical security as well. They guarantee that the technology systems used for physical security are current and secure. For instance, if your organisation has an Intrusion Detection System (IDS) at the entrance but the software hasn’t been renewed in months, it may not be effective against intruders.
Your organisation need not alter their information security practices significantly, as the ISO 27001:2022 revised standard was only minimally adjusted.
If you possess an ISO 27001:2013 certification, you will discover that your current information security management approach is in compliance with the new standards.
If you are starting from the beginning, you should acquaint yourself with the compliance guidance in the new standard.
Our platform gives users access to all relevant documentation and resources, such as policies, procedures, standards, guidelines and info on compliance processes.
ISMS.online is perfect for businesses seeking to:
Our platform offers customised dashboards that grant you real-time insight into your compliance status.
Monitor and manage your ISO 27001:2022 compliance journey all in one spot: audits, gap analysis, training management, risk assessment, and more.
Contact us now to schedule a demonstration.
I’ve done ISO 27001 the hard way so I really value how much time it saved us in achieving ISO 27001 certification.
