ISO 27001:2022 Annex A Control 7.3

Securing Offices, Rooms and Facilities


What Is ISO 27001:2022 Annex A 7.3?

ISO 27001:2022 Annex A 7.3 sets out the requirement to design and implement physical security for offices, rooms and facilities.

This control requires organisations to put appropriate measures in place to prevent unauthorised physical access to rooms, offices and facilities, especially those where information is stored or processed. Such measures may include locks, alarms, security guards or other suitable means of protecting the information held there.

Physical Security for Offices, Rooms and Facilities Explained

Physical security is an essential component of information security, and the two must be considered together. Information security is the safeguarding of information and systems from unauthorised access, use, disclosure, disruption, alteration or destruction.

Physical security involves measures that protect personnel, facilities, equipment and other assets from threats such as burglary, sabotage, terrorism and other criminal activity, reducing the associated risks to an acceptable level.

The first step in physical security is to identify which locations are information-sensitive. These may be offices, rooms or facilities that house computers holding sensitive data, or areas where personnel with access to sensitive information work.

Locks and Keys

Secure all doors, windows and cupboards with appropriate locks and control who holds the keys. Complement the locks with security seals on laptops and mobile devices, password protection on computers and encryption of sensitive data, so that an intruder who defeats a lock still cannot read the information.

CCTV

Closed-circuit television (CCTV) cameras provide an efficient means of monitoring activity on the grounds or in particular areas of a building.

Intruder Alarms

These alarms are triggered by motion, heat or sound and alert you to intruders or unauthorised persons in an area (for example, an alarm sounding when someone attempts to break into the office).


What Is the Purpose of ISO 27001:2022 Annex A 7.3?

The purpose of ISO 27001:2022 Annex A Control 7.3 is to protect the organisation’s information and other associated assets in offices, rooms and facilities from unauthorised physical access, damage and interference.

The primary objective of Annex A 7.3 is to reduce the risk of unauthorised physical access to offices, rooms and facilities to an acceptable level by:

  • Preventing unauthorised individuals from entering offices, rooms and facilities. All personnel must be authorised before they are granted access.
  • Preventing damage to, or interference with, the organisation’s information and other associated assets held in offices, rooms and facilities.
  • Keeping information security sensitive areas discreet, so that their purpose is difficult to discern.
  • Minimising the chance of theft or loss of property in offices, rooms and facilities.
  • Identifying personnel authorised for physical access through a combination of uniforms, electronic door entry systems and visitor passes.
  • Implementing CCTV or other surveillance systems, where feasible, at critical points such as doors and exits.

Annex A 7.3 applies to all buildings the organisation uses for offices or administrative operations. It also covers rooms in which confidential information is stored or processed, including areas where sensitive conversations take place.

It does not cover reception areas or other public parts of the organisation’s premises unless they are used for administrative purposes, for example where a reception area also serves as an office.

What Is Involved and How to Meet the Requirements

Annex A 7.3 of ISO 27001:2022 requires that offices, rooms and facilities be safeguarded. To meet this requirement, the following measures should be taken:

  • Site critical facilities so that access by the public is avoided.
  • Where applicable, ensure buildings are unobtrusive and give minimal indication of their purpose, with no obvious signs inside or outside the building that identify information processing activities.
  • Configure facilities so that confidential information and activities cannot be seen or heard from outside. Electromagnetic shielding may be necessary in some cases.
  • Do not make directories, internal telephone books and online maps that identify the location of confidential information processing facilities readily accessible to unauthorised persons.

For further detail on implementing this control, consult the implementation guidance in ISO/IEC 27002:2022, which accompanies the ISO 27001:2022 Annex A controls.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 7.3 replaces ISO 27001:2013 Annex A 11.1.3 in the revised standard.

Annex A 7.3 is not a new control; it is a modified version of Annex A 11.1.3 in ISO 27001:2013. The most significant difference between the 2013 and 2022 versions is the control number. Apart from this change and some rephrasing, the context and meaning are unchanged.

The 2022 control adds an attributes table and a statement of purpose, both of which are absent from the 2013 version.

Who Is in Charge of This Process?

The first person to consult when arranging the security of offices, rooms and facilities is usually the manager or director responsible for the building and its contents.

The security manager oversees security in all areas, including offices and facilities. They keep track of all personnel with access to these areas and ensure that access is used appropriately.

In some cases, several people share responsibility for security. For example, where an individual has access to sensitive information that could harm the business or the privacy of other staff members, more than one person should be involved in controlling and reviewing that access.

The HR department is responsible for employee insurance policies and benefits, while IT manages computer systems and networks. Both departments are involved in managing physical security as well as cyber security issues such as phishing and unauthorised access attempts.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security
Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities
Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties
Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities
Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities
Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups
Annex A 5.7 | NEW | Threat Intelligence
Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management
Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets
Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets
Annex A 5.11 | Annex A 8.1.4 | Return of Assets
Annex A 5.12 | Annex A 8.2.1 | Classification of Information
Annex A 5.13 | Annex A 8.2.2 | Labelling of Information
Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer
Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control
Annex A 5.16 | Annex A 9.2.1 | Identity Management
Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information
Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights
Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships
Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements
Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain
Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Annex A 5.23 | NEW | Information Security for Use of Cloud Services
Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation
Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events
Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents
Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents
Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence
Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption
Annex A 5.30 | NEW | ICT Readiness for Business Continuity
Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights
Annex A 5.33 | Annex A 18.1.3 | Protection of Records
Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII
Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security
Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures

ISO 27001:2022 People Controls

ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Annex A 6.1 | Annex A 7.1.1 | Screening
Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment
Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training
Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process
Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment
Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements
Annex A 6.7 | Annex A 6.2.2 | Remote Working
Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting

ISO 27001:2022 Physical Controls

ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters
Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry
Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities
Annex A 7.4 | NEW | Physical Security Monitoring
Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats
Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas
Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen
Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection
Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises
Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media
Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities
Annex A 7.12 | Annex A 11.2.3 | Cabling Security
Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance
Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices
Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights
Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction
Annex A 8.4 | Annex A 9.4.5 | Access to Source Code
Annex A 8.5 | Annex A 9.4.2 | Secure Authentication
Annex A 8.6 | Annex A 12.1.3 | Capacity Management
Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware
Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities
Annex A 8.9 | NEW | Configuration Management
Annex A 8.10 | NEW | Information Deletion
Annex A 8.11 | NEW | Data Masking
Annex A 8.12 | NEW | Data Leakage Prevention
Annex A 8.13 | Annex A 12.3.1 | Information Backup
Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities
Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging
Annex A 8.16 | NEW | Monitoring Activities
Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization
Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs
Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems
Annex A 8.20 | Annex A 13.1.1 | Networks Security
Annex A 8.21 | Annex A 13.1.2 | Security of Network Services
Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks
Annex A 8.23 | NEW | Web Filtering
Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography
Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle
Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements
Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles
Annex A 8.28 | NEW | Secure Coding
Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance
Annex A 8.30 | Annex A 14.2.7 | Outsourced Development
Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments
Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management
Annex A 8.33 | Annex A 14.3.1 | Test Information
Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing

What Do These Changes Mean for You?

No significant changes to your existing physical security arrangements should be necessary to conform to ISO 27001:2022 for this control.

Evaluate your existing information security controls to confirm they meet the revised standard. If you have changed anything since the 2013 edition was issued, review those changes to decide whether they are still appropriate or need to be revised.

How ISMS.online Helps

Our platform suits those new to information security, and those who want to understand ISO 27001:2022 quickly without studying it from scratch or working through lengthy documents.

ISMS.online is kitted out with all the tools needed to meet compliance, including personalised document templates, checklists and policies.

Contact us now to schedule a demonstration.
