ISO 27001:2022 Annex A Control 7.2

Physical Entry

Book a demo

several,businesspeople,walking,in,the,corridor

ISO 27001:2022 Annex A 7.2 emphasises the requirement for organisations to secure areas through the employment of suitable entry controls and access points.

What is ISO 27001:2022 Annex A 7.2?

Entry controls and access points are crucial to the security system of any building. They allow occupants to enter and exit while maintaining security, and can stop those who are not authorised or desired from entering.

Entry Controls

Entry control systems provide access to a building by way of doors and gates, including keypads, card readers, biometric scanners and fobs. Additionally, they provide locking mechanisms for doors and gates, in addition to turnstiles and revolving doors.

Access Points

An access point is an electronic device that ensures security in large commercial buildings. It utilises RFID technology to track all movement within and out of the premises. The access point sends data back to headquarters, allowing security personnel to observe when someone enters or exits the facility and which areas they are accessing during their stay.

What Is the Purpose of ISO 27001:2022 Annex A 7.2?

ISO 27001:2022 Annex A Control 7.2 guarantees only authorised physical access to the organisation’s data and other related assets.

Physical security is paramount for safeguarding the confidentiality, integrity and accessibility of information resources. Annex A Control 7.2 of ISO 27001:2022 is primarily concerned with preserving data and other related assets from unauthorised access, theft or loss. Thus, necessary entry and access points should be implemented to guarantee only authorised personnel can access secure areas.

Controls should be implemented to ensure reasonable assurance that only authorised persons have physical access, and that they are accurately identified.

The use of locks, keys (manual and electronic), security guards, monitoring systems, and other barriers at entrances and access points should be implemented. Access control systems such as passwords, card keys, or biometric devices should be used to secure sensitive areas within the facility.

What Is Involved and How to Meet the Requirements

Organisations must control and, if possible, separate access points such as delivery and loading zones and other points of entry to the premises from their IT facilities to prevent unauthorised access, in order to meet the demands of Annex A 7.2 implementation. These areas should be limited to authorised personnel only.

The ISO 27001:2022 document provides implementation guidance for Annex A 7.2, which assists in meeting the requirements for personnel, visitors and delivery people. To view these guidelines, access the revised version of the standard.

Changes and Differences from ISO 27001:2013

Annex A 7.2 in ISO 27001:2022 is not a new measure, but rather a combination of Annex A Controls 11.1.2 and 11.1.6 from ISO 27001:2013. These two Annex A Controls have been revised in ISO 27001:2022 to make it more intuitive than ISO 27001:2013.

Annex A Control 11.1.2 – Physical Entry Controls requires secure areas to be safeguarded by proper entry controls, so that only authorised personnel can gain access. This part of the standard outlines the measures organisations can take to ensure that only those permitted may enter for specific purposes.

The regulation requires that two-factor authentication be implemented for authorised personnel to gain access to information security sensitive areas, with a physical log book or electronic audit trail to support it.

Annex A Control 11.1.6 – Delivery and Loading Areas stipulates that access to these areas should be restricted to authorised personnel only. It is advised that they be designed so that they are separated from operational areas, thereby preventing delivery personnel from accessing other parts of the building.

Ultimately, Annex A Control 7.2 and Annex A Controls 11.1.2 and 11.1.6 are comparable in essence. The major distinction is that Annex A 11.1.2 and Annex A 11.1.6 were amalgamated for enhanced user-friendliness.

In the 2022 version of ISO 27001, an attributes table and control purpose were included, which were absent from the controls of the 2013 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of This Process?

Controlling physical access is paramount for the security of any organisation or business. Ensuring no unauthorised personnel enter the premises is essential. Consequently, the implementation of stringent measures is essential.

The security department oversees all physical security aspects, such as entry control. Should they lack the necessary expertise or resources to manage this, they may assign authority to another department.

IT teams are crucial for physical security as well. They guarantee that the technology systems used for physical security are current and secure. For instance, if your organisation has an Intrusion Detection System (IDS) at the entrance but the software hasn’t been renewed in months, it may not be effective against intruders.

What Do These Changes Mean for You?

Your organisation need not alter their information security practices significantly, as the ISO 27001:2022 revised standard was only minimally adjusted.

If you possess an ISO 27001:2013 certification, you will discover that your current information security management approach is in compliance with the new standards.

If you are starting from the beginning, you should acquaint yourself with the compliance guidance in the new standard.

How ISMS.Online Help

Our platform gives users access to all relevant documentation and resources, such as policies, procedures, standards, guidelines and info on compliance processes.

ISMS.online is perfect for businesses seeking to:

  • Manage ISO certification process more effectively.
  • Ensure customer satisfaction with our proof of adherence to ISO 27001.
  • Maximise output by employing one system for all audits and checks.
  • Ensure uniform excellence management across the business to raise customer gratification.

Our platform offers customised dashboards that grant you real-time insight into your compliance status.

Monitor and manage your ISO 27001:2022 compliance journey all in one spot: audits, gap analysis, training management, risk assessment, and more.

Contact us now to schedule a demonstration.

I’ve done ISO 27001 the hard way so I really value how much time it saved us in achieving ISO 27001 certification.

Carl Vaughan
Infosec Lead, MetCloud

Book your demo

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.