How to Stop Unauthorised People Getting Near Your Critical Systems
ISO/IEC 27001:2022 Annex A control 7.1, Physical security perimeters, is about one simple idea: don’t let the wrong people get physically close to important systems and information.
If anyone can walk into your office, server room, comms cabinet, or storage area without being challenged, your network controls won’t help you much: someone with hands on a device can boot it from their own media, pull a disk, or plug into a switch port, and disk encryption only protects data on a machine that is powered off with its keys out of memory. This control asks you to design and maintain clear, robust physical boundaries around your information processing facilities.
This guide explains what ISO 27001 Control 7.1 is really asking for, and how to implement physical security perimeters in a practical, risk-based way.
What ISO 27001 Control 7.1 Actually Requires
In plain English, ISO 27001 Control 7.1 – Physical security perimeters expects you to:
- Define which areas need protection (offices, server rooms, data centres, comms rooms, records storage, etc.).
- Put physical barriers and controls in place to prevent unauthorised access, damage, and interference.
- Use layered security – not just one lock on a door, but a combination of perimeters and zones.
- Maintain, test, and review these perimeters to keep them effective over time.
It applies whether your information processing facilities are:
- In your own building
- In a shared office or co-working space
- In a hosted data centre or colocation facility
- In a smaller environment (e.g. a single secure room in a small business)
The key is that you can show conscious, risk-based design of physical security perimeters, not just “we locked the door”.
Step 1 – Decide What Needs a Physical Security Perimeter
Start by identifying which areas hold information processing facilities or other sensitive assets that need protection, for example:
- Server rooms and comms rooms
- Network cabinets and telecoms rooms
- Areas with key line-of-business systems or specialist equipment
- File rooms or cabinets containing sensitive records or backup media
- Spaces used by third parties that host your equipment
For ISO 27001 Control 7.1, ask yourself:
- Where are the systems and data that really matter?
- Who should be able to get near them?
- Who must not?
The answers drive how many physical security perimeters and zones you need, such as:
- Outer perimeter – building boundary / reception
- General office area – staff-only
- Secure area – server room / comms room / high-sensitivity storage
Document this in a simple way (e.g. a site plan or short description in your ISMS) so you can show an auditor what you are protecting physically and where.
Step 2 – Design Robust Physical Security Perimeters
Once you know which areas need protection, design the physical barriers for ISO 27001 Control 7.1.
Common elements include:
- Building structure
– Solid walls, ceilings, floors and doors for secure areas
– Avoid flimsy partitions around server rooms or critical equipment
– Check that walls run to the structural slab, not just to a suspended ceiling that can be lifted to climb over
- Doors and locks
– Robust doors with appropriate locks (mechanical or electronic)
– Controlled keys or access tokens – and a process for issuing, revoking, and auditing them
– Door closers so doors don’t stay propped open
- Windows and openings
– Minimise external windows in secure areas where possible
– Lockable windows, especially at ground floor or accessible levels
– Security film, bars, or shutters where risk is higher
- Other openings
– Ventilation ducts, cable routes, false ceilings, and raised floors can all be attack paths
– Grille, cage, or otherwise secure obvious bypass routes
The aim for ISO 27001 Control 7.1 is not to turn every office into a bunker, but to show that critical areas are properly enclosed and obvious weaknesses have been addressed.
Step 3 – Implement Layered Physical Security
A key part of ISO 27001 Control 7.1 is layered security – you don’t put all your faith in a single lock.
Think in terms of zones and progressive control:
- Public zone
– Reception, lobby, visitor waiting areas
– Visitors are logged, issued passes, and escorted where appropriate
- Staff-only zone
– General office area behind access control
– Doors controlled by access cards, codes, or keys
– Visitors must be escorted and identifiable
- High-security zone (secure area)
– Server rooms, comms rooms, sensitive records storage
– Restricted to a smaller set of authorised personnel
– Stronger controls (e.g. separate access rights, two-factor access such as card plus PIN, CCTV coverage)
Within each zone, you can add additional layers:
- Locked racks or cages inside server rooms
- Locked cabinets for backup media within a secure room
- Separate zones for different tenants in shared buildings
For ISO 27001 Control 7.1, an auditor will usually be happy if they can see that the closer you get to critical assets, the stronger and narrower the access path becomes.
Step 4 – Control and Monitor Doors, Windows, and Access Points
Perimeters are only as strong as the points where people can pass through them.
For ISO 27001 Control 7.1, consider:
- Access control systems
– Badge/card readers, PIN pads, or biometric controls on key doors
– Separate role-based access groups (e.g. IT staff vs general staff)
– Processes for issuing, changing, and revoking access
- Fire doors and emergency exits
– Must comply with fire regulations (life safety comes first)
– Fitted with alarms or monitoring so you know when they’re opened
– Checked to ensure they aren’t used as casual side entrances
- Visitor management
– Sign-in / sign-out process, visitor badges, and escorts
– Clear rules about where visitors can and cannot go
– Records retained for a sensible period
- Out-of-hours arrangements
– How cleaning, maintenance, and security staff access secure areas
– Additional controls when fewer people are around to notice something odd
These controls help you show that physical security perimeters under ISO 27001 Control 7.1 are enforced in day-to-day operations, not just designed on paper.
Step 5 – Adjust Physical Security Perimeters to Risk and Threat Level
Physical security isn’t static. ISO 27001 Control 7.1 expects you to respond if:
- Your organisation’s risk profile changes
- You introduce new critical systems
- There’s an increased external threat (e.g. a specific threat made against your organisation, protests, heightened local crime)
Practical options include:
- Temporarily restricting access to certain zones
- Increasing manned security or patrols in key areas
- Adding temporary barriers or controlled routes
- Enhancing CCTV coverage or monitoring
- Tightening visitor policies during high-risk periods
You don’t need a military-style posture, but you should be able to show how you would increase physical security if risk warranted it.
Step 6 – Maintain, Test, and Review Your Physical Perimeters
A door that doesn’t close properly or a card reader that’s been bypassed quietly undermines ISO 27001 Control 7.1.
Make sure you:
- Inspect and test regularly
– Doors close and lock correctly
– Access control systems work reliably
– Fire doors fail safe (unlock on power loss or fire alarm so egress is never blocked) and are not wedged open
- Maintain and repair
– Fix broken locks or damaged doors promptly
– Replace faulty readers, sensors, or alarm components
– Keep tamper-detection and alarm systems serviceable
- Review access rights
– Periodic review of who has access to which zones
– Remove access for leavers and role changes quickly
- Audit physical security perimeters
– Include physical security checks in internal audits and walk-throughs
– Test assumptions (e.g. can someone tailgate easily into a secure area?)
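The access-right reviews in Step 6 and the door monitoring in Step 4 are easier to do on a schedule than by hand. The script below is an added example, not code from the original page or from any access-control vendor: it reconciles a badge-access export against the HR roster and a role-to-zone policy, then scans door events for badges used by leavers, out-of-hours entries to a secure zone by people outside the expected role, and forced-open or held-open alarms. The zone names, roles, badge IDs, roster and event lines are all constructed sample data, and the role-to-zone policy is an assumption you would replace with your own.

```python
"""Reconcile a badge-access export against the HR roster and a role-to-zone
policy, then review door events for what a perimeter review should catch.
Everything below is constructed sample data, not from any real system."""
from dataclasses import dataclass
from datetime import datetime, time

# Assumed role-to-zone policy: which zones each role may hold access to.
ZONE_POLICY = {
    "it": {"office", "server_room"},
    "staff": {"office"},
    "cleaning": {"office"},
}
SECURE_ZONES = {"server_room"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed; tune to the site


@dataclass(frozen=True)
class Person:
    emp_id: str
    role: str
    active: bool  # False once HR has processed the leaver


# Constructed HR roster.
ROSTER = {
    "E1": Person("E1", "it", True),
    "E2": Person("E2", "staff", True),
    "E3": Person("E3", "it", False),       # left last month
    "E4": Person("E4", "cleaning", True),
}

# Constructed export from the access-control system: badge -> (employee, zones).
GRANTS = {
    "B100": ("E1", {"office", "server_room"}),
    "B200": ("E2", {"office"}),
    "B300": ("E3", {"office", "server_room"}),  # leaver, never revoked
    "B400": ("E4", {"office", "server_room"}),  # cleaner granted server room
}

# Constructed door event log: (timestamp, door, zone, badge, event).
EVENTS = [
    ("2024-05-01 09:12:00", "D-SR1", "server_room", "B100", "granted"),
    ("2024-05-01 22:40:00", "D-SR1", "server_room", "B400", "granted"),
    ("2024-05-02 03:05:00", "D-SR1", "server_room", "B300", "granted"),
    ("2024-05-02 13:00:00", "FE-2", "office", None, "forced_open"),
    ("2024-05-02 13:30:00", "D-SR1", "server_room", None, "held_open"),
]


def stale_credentials(roster=ROSTER, grants=GRANTS):
    """Badges still carrying grants although HR marks the holder as left."""
    return sorted(badge for badge, (emp, zones) in grants.items()
                  if zones and not roster[emp].active)


def excess_zone_access(roster=ROSTER, grants=GRANTS, policy=ZONE_POLICY):
    """(badge, zone) pairs outside what the holder's role permits."""
    out = []
    for badge, (emp, zones) in sorted(grants.items()):
        allowed = policy.get(roster[emp].role, set())
        out.extend((badge, zone) for zone in sorted(zones - allowed))
    return out


def review_events(events=EVENTS, roster=ROSTER, grants=GRANTS):
    """Findings as (timestamp, door, description) in log order."""
    findings = []
    for ts, door, zone, badge, event in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event in ("forced_open", "held_open"):
            # Door contact alarms: fire exits used as side doors, doors propped open.
            findings.append((ts, door, f"{event} alarm"))
            continue
        emp, _ = grants[badge]
        person = roster[emp]
        if not person.active:
            findings.append((ts, door, f"{badge} used by leaver {emp}"))
        out_of_hours = not (BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1])
        if zone in SECURE_ZONES and out_of_hours and person.role != "it":
            findings.append((ts, door,
                             f"{badge} ({person.role}) entered {zone} out of hours"))
    return findings


if __name__ == "__main__":
    print("stale credentials:", stale_credentials())
    print("excess zone access:", excess_zone_access())
    for finding in review_events():
        print("finding:", *finding)
```

Run it against a real export and roster and each non-empty result is an item for the access review or the incident log: the stale-credential list is what Step 6 means by removing access for leavers, the excess-zone list is the role-based grouping from Step 4, and the event findings are the fire-door and out-of-hours monitoring from Step 4 turned into something you can evidence to an auditor.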
These activities demonstrate that your physical security perimeters under ISO 27001 Control 7.1 are actively managed, not left to drift.
Quick Implementation Checklist for ISO 27001 Control 7.1
Use this checklist to assess your physical security perimeters:
- ISO 27001 Control 7.1 (Physical security perimeters) is covered in your ISMS documentation.
- Sensitive areas (server rooms, comms rooms, records storage, etc.) have clearly defined security perimeters.
- Perimeters are built with appropriate physical barriers (walls, doors, windows, ceilings, floors).
- External doors and accessible windows have suitable locks or access controls.
- Security is layered (public → staff-only → secure areas) with increasing restrictions.
- Access to secure zones is controlled and limited to authorised personnel only.
- Fire doors and emergency exits are safe, compliant, and monitored against misuse.
- Visitor management is in place (sign-in, badges, escorting, restricted areas).
- There are maintenance and testing routines for locks, alarms, access control, and monitoring systems.
- Access rights to physical security perimeters are reviewed regularly.
- There is a defined approach to strengthen physical security during periods of heightened risk.
Bringing It All Together
ISO 27001 Control 7.1 – Physical security perimeters – is about drawing clear physical boundaries around the places where your important information and systems live, and making sure only the right people can get through them.
If you:
- Identify your critical areas,
- Build sensible, layered perimeters around them, and
- Maintain and monitor those perimeters over time,
you’ll be able to show that physical security is an integral part of your ISMS – not just an afterthought – and that ISO 27001 Control 7.1 is properly implemented in practice.