ISO 27001 Control 7.5: Protecting Against Physical and Environmental Threats

How to Stop Disasters (Big and Small) Knocking You Offline

ISO 27001 Control 7.5, Protecting against physical and environmental threats, is about all the things that can literally knock your organisation off its feet – fire, flood, storms, power events, civil unrest, even simple building issues.

You can have perfectly designed networks and controls, but if the building floods, the server room fills with smoke, or a digger takes out the incoming power and comms, your availability (and sometimes your integrity and confidentiality) can disappear very quickly.

This control asks you to do something very specific: think ahead. Identify the physical and environmental threats that matter for each site, then design and operate your facilities so those events are less likely to stop you operating – or, if they do happen, the impact is contained.

This guide breaks down what ISO 27001 Control 7.5 is really asking for and how to apply it in a practical, risk-based way.


What ISO 27001 Control 7.5 Actually Requires

In plain English, ISO 27001 Control 7.5 – Protecting against physical and environmental threats – expects you to:

  • Identify the physical and environmental risks that could affect your sites (offices, data centres, comms rooms, critical workspaces).
  • Take proportionate preventive measures to reduce the likelihood and impact of those events.
  • Consider both natural hazards (fire, flood, storms, earthquake) and human-caused threats (vandalism, terrorism, civil unrest, accidents).
  • Show that protection of people, information, and infrastructure is built into the location, design and operation of your facilities.

This is a preventive control that supports all three security properties:

  • Confidentiality – by avoiding damage, theft or uncontrolled exposure of assets.
  • Integrity – by preventing physical damage that corrupts systems or data.
  • Availability – by keeping critical services running or recoverable when bad things happen.

Step 1 – Start with a Site-Level Physical and Environmental Risk Assessment

Before you design controls, you need to understand the actual threats for each site.

For ISO 27001 Control 7.5, your risk assessment should consider:

  • Natural hazards
    – Flooding (rivers, surface water, coastal)
    – Extreme weather (storms, heat, snow/ice)
    – Earthquakes or landslides (if relevant in your region)
    – Fire risk – both internal and from neighbouring buildings
  • Man-made threats
    – Crime (theft, vandalism, arson)
    – Civil unrest, protests, or targeted attacks
    – Industrial accidents nearby (chemical plants, fuel depots, rail lines, major roads)
    – Environmental emissions (smoke, dust, corrosive fumes)
  • Building-specific risks
    – Location of server rooms and comms rooms (basement vs top floor)
    – Condition of building fabric (leaky roofs, old wiring, obsolete fire systems)
    – Shared infrastructure in multi-tenant buildings (shared risers, power, or comms routes)

For more complex risks (e.g. flood modelling, fire engineering, structural issues), it’s completely acceptable – and often wise – to bring in specialists. That’s exactly what the control expects in higher-risk scenarios.

Document the risks and the rationale for your chosen controls. When an auditor asks, “why did you do X, but not Y?” you can point straight to that assessment.


Step 2 – Think About Location and Building Design Early (If You Can)

If you’re choosing or refitting a location, ISO 27001 Control 7.5 is far easier to address upfront than retrofitting later.

Consider:

  • Local topography and environment
    – Avoid known flood plains or, if you must be there, keep critical areas above ground level.
    – Think about drainage, nearby watercourses, and low-lying car parks that could flood and affect access.
    – In earthquake-prone areas, ensure the building and internal fit-out meet relevant standards.
  • Urban and security context
    – Avoid locations that are routinely used for protests, unrest or high crime, if possible.
    – Consider distance from high-risk neighbours (e.g. fuel depots, chemical plants, major transport hubs).
  • Placement of critical rooms
    – Don’t put your primary server room directly under the roof or in a known leak-prone area.
    – Avoid basement locations in flood-risk areas.
    – Keep critical spaces away from external glass walls or easily breached façades.

You may not always have a perfect choice, but ISO 27001 Control 7.5 is satisfied when you can clearly explain: we considered the risks, and here’s how we mitigated them given our constraints.


Step 3 – Put Sensible Fire Protection in Place

Fire is one of the most common and most serious physical threats. ISO 27001 Control 7.5 expects you to treat it as a first-class risk.

Key measures:

  • Detection
    – Smoke and heat detectors in line with local fire regulations and your risk profile.
    – Early detection in server rooms, comms rooms and archive areas.
  • Suppression
    – Appropriate fire extinguishers in the right locations (and staff trained how and when to use them).
    – For critical spaces, consider gas-based suppression systems or pre-action sprinklers designed to minimise damage to equipment.
    – Ensure suppression systems do not create new risks to personnel (e.g. safe gas concentrations, evacuation procedures).
  • Compartmentation and escape
    – Fire doors and fire-resistant walls between critical rooms and the rest of the building.
    – Clear evacuation routes and signage; muster points away from high-risk areas.
  • Maintenance and testing
    – Regular testing of alarms, detectors, extinguishers and suppression systems.
    – Documented inspections, with prompt remediation of any defects.

Much of this will overlap with health and safety and local fire code compliance, which is fine – ISO 27001 Control 7.5 expects you to plug into those requirements rather than reinvent them.


Step 4 – Manage Flood, Water Ingress and Environmental Leaks

Flooding and leaks don’t have to be dramatic to be damaging – a small leak above a comms rack can cause days of downtime.

Controls that support ISO 27001 Control 7.5 include:

  • Location and layout
    – Avoid putting critical systems directly under water tanks, wet services, or known leak points if you can.
    – Where that’s unavoidable, use drip trays, containment and extra monitoring.
  • Detection
    – Water leak detectors under raised floors in server rooms and comms rooms.
    – Sensors in plant rooms and near critical cable or pipe runs.
  • Response capability
    – Pumps or wet-vac equipment for dealing with minor flooding.
    – Clear responsibilities for who is called and how they respond when an alarm triggers.
  • Physical barriers
    – Door thresholds, flood boards or barriers for high-risk external doors.
    – Sealed cable and pipe penetrations where water ingress is a credible risk.

Again, ISO 27001 Control 7.5 is about foreseeable events. If you know you’re in a flood-risk area or you’ve had leaks before, you should be able to show what’s changed as a result.


Step 5 – Protect Against Power and Surge-Related Events

Many “environmental” incidents are really electrical – surges, brownouts, and unstable power supplies that damage equipment or corrupt data.

To support ISO 27001 Control 7.5:

  • Surge protection
    – Surge suppression on key circuits supplying servers, network equipment and critical workstations.
    – Surge-protected distribution units in racks where appropriate.
  • Clean and stable power
    – UPS for critical systems, sized for the actual load with enough runtime either to ride through to generator start or to complete a graceful shutdown; test it under real load, because battery capacity degrades over time.
    – For high-availability environments, generators or a second independent feed, load-tested regularly so you know they will actually take over.
  • Grounding and bonding
    – Proper electrical grounding to reduce the risk of equipment damage and safety hazards.
    – Regular testing by competent electrical professionals.

These measures help protect both availability (keeping systems running) and integrity (avoiding data corruption from abrupt power events).
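The detection and response points in Step 4 (leak detectors, and who is called when an alarm triggers) and Step 5 (UPS runtime and graceful shutdown) come down to the same small piece of logic: evaluate sensor readings against thresholds, avoid paging people for noise, and act once. The script below is an added example written for this guide; it is not part of the original article or any vendor product. Everything in it is an assumption for illustration: the threshold values, the on-call role names, the sensor names and the log format, and the constructed sample readings at the bottom.

```python
"""Added example: environmental alarm logic for a comms or server room.
Temperature uses hysteresis, the water contact uses debounce, and the UPS
path issues one graceful-shutdown decision per outage. All values assumed."""
from dataclasses import dataclass
from typing import Dict, List

TEMP_ALARM_C = 30.0
TEMP_CLEAR_C = 27.0           # hysteresis: clear only once well below the alarm point
WATER_CONFIRM_READINGS = 2    # debounce: one wet sample may be sensor noise
UPS_RUNTIME_SHUTDOWN_S = 300  # start graceful shutdown with 5 minutes of battery left

# Assumed on-call roles: the "who is called" part of Step 4.
ESCALATION = {
    "water": ["facilities-oncall", "it-oncall"],
    "temperature": ["it-oncall"],
    "power": ["it-oncall", "facilities-oncall"],
}

@dataclass
class Action:
    ts: int
    room: str
    kind: str         # "alarm", "clear" or "shutdown"
    detail: str
    notify: List[str]

@dataclass
class RoomState:
    temp_alarm: bool = False
    water_alarm: bool = False
    wet_streak: int = 0
    on_battery: bool = False
    shutdown_sent: bool = False

def parse_line(line: str):
    """Constructed format: '<unix_ts> <room> <sensor> <value>'."""
    ts, room, sensor, value = line.split()
    return int(ts), room, sensor, float(value)

def evaluate(lines: List[str]) -> List[Action]:
    """Run readings through a per-room state machine; return alarms, clears
    and shutdown decisions in order. Repeat alarms are suppressed."""
    rooms: Dict[str, RoomState] = {}
    out: List[Action] = []
    for line in lines:
        ts, room, sensor, value = parse_line(line)
        st = rooms.setdefault(room, RoomState())
        if sensor == "temp_c":
            if not st.temp_alarm and value >= TEMP_ALARM_C:
                st.temp_alarm = True
                out.append(Action(ts, room, "alarm", f"temperature {value:g}C", ESCALATION["temperature"]))
            elif st.temp_alarm and value <= TEMP_CLEAR_C:
                st.temp_alarm = False
                out.append(Action(ts, room, "clear", f"temperature {value:g}C", ESCALATION["temperature"]))
        elif sensor == "water":               # 1 = wet, 0 = dry
            st.wet_streak = st.wet_streak + 1 if value else 0
            if not st.water_alarm and st.wet_streak >= WATER_CONFIRM_READINGS:
                st.water_alarm = True
                out.append(Action(ts, room, "alarm", "water detected (confirmed)", ESCALATION["water"]))
            elif st.water_alarm and not value:
                st.water_alarm = False
                out.append(Action(ts, room, "clear", "water sensor dry", ESCALATION["water"]))
        elif sensor == "ups_on_battery":      # 1 = mains lost, 0 = on mains
            if value and not st.on_battery:
                out.append(Action(ts, room, "alarm", "UPS on battery: mains lost", ESCALATION["power"]))
            elif not value and st.on_battery:
                out.append(Action(ts, room, "clear", "UPS back on mains", ESCALATION["power"]))
                st.shutdown_sent = False      # a later outage gets its own shutdown decision
            st.on_battery = bool(value)
        elif sensor == "ups_runtime_s":
            # Runtime only matters while on battery; act once per outage.
            if st.on_battery and not st.shutdown_sent and value <= UPS_RUNTIME_SHUTDOWN_S:
                st.shutdown_sent = True
                out.append(Action(ts, room, "shutdown",
                                  f"runtime {value:g}s left: begin graceful shutdown", ESCALATION["power"]))
    return out

# Constructed sample readings that exercise the edge cases above.
SAMPLE_LOG = [
    "1700000000 comms-2 temp_c 29.0",
    "1700000060 comms-2 temp_c 30.5",         # crosses alarm point
    "1700000120 comms-2 temp_c 28.0",         # above clear point: stays in alarm, no repeat page
    "1700000180 comms-2 temp_c 26.5",         # clears
    "1700000200 server-1 water 1",            # single wet sample: not yet confirmed
    "1700000260 server-1 water 1",            # second wet sample: alarm
    "1700000320 server-1 water 0",            # dry again: clear
    "1700000400 server-1 ups_on_battery 1",   # mains lost
    "1700000460 server-1 ups_runtime_s 900",  # plenty of runtime: no action
    "1700000700 server-1 ups_runtime_s 240",  # below margin: one shutdown action
    "1700000760 server-1 ups_runtime_s 200",  # no duplicate shutdown
    "1700000900 server-1 ups_on_battery 0",   # mains restored
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(a.ts, a.room, a.kind.upper(), a.detail, "->", ", ".join(a.notify))
```

The two design choices worth copying are the hysteresis band (alarm at 30, clear at 27) so a reading hovering around the threshold does not page the on-call repeatedly, and the one-shot shutdown flag that is reset only when mains returns, so a brief runtime dip never triggers two shutdowns and a second outage is still handled. In a real deployment the Action list would feed your incident management process from Step 8 rather than a print loop.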


Step 6 – Consider Security for Higher-Impact Threats

In some environments, ISO 27001 Control 7.5 also expects you to consider less common but higher-impact threats – explosives, weapons, or deliberate violent attack.

You may not need these controls everywhere, but for high-risk sites you might see:

  • Screening and inspections
    – Random bag or vehicle checks at entries to sensitive facilities.
    – Security checkpoints for deliveries, with inspection of goods.
  • Standoff and blast protection
    – Barriers (or subtle design elements like planters, statues, or water features) to keep vehicles away from building façades; if the aim is to stop a vehicle rather than just discourage one, the element has to be engineered and rated for that impact, not merely decorative.
    – Reinforced glazing or walls in critical areas.
  • Coordination with law enforcement and landlords
    – Clear protocols for dealing with bomb threats, suspicious packages, or violent incidents.
    – Joint exercises or planning where appropriate.

If you identify these risks in your assessment, you don’t have to implement every possible measure, but you do need a reasoned approach.


Step 7 – Use Smart Environmental Design, Not Just Barriers

ISO 27001 Control 7.5 aligns nicely with crime prevention through environmental design (CPTED) – using the built environment to discourage threats without making your premises feel like a fortress.

Examples:

  • Natural barriers
    – Landscaping, water features, raised beds and street furniture that prevent vehicles from approaching too close without looking hostile.
  • Visibility and sight lines
    – Designing spaces so staff and legitimate visitors can naturally observe key areas, making it harder for someone to act unnoticed.
  • Clear but subtle separation
    – Gradual transitions from public to semi-public to secure spaces, supported by layout and furnishings, as well as formal controls.

This approach satisfies ISO 27001 Control 7.5 while keeping the workplace usable and welcoming.


Step 8 – Tie It All into Your ISMS and Continuity Plans

Controls for physical and environmental threats should not live in isolation. To fully meet ISO 27001 Control 7.5, they should link to:

  • Business continuity and disaster recovery plans
    – What happens if a site becomes unavailable due to fire, flood, or structural damage?
    – Where do people work from, and how do critical services continue?
  • Incident management
    – How do you log and respond to physical and environmental incidents?
    – Who coordinates with landlords, emergency services and utility providers?
  • Change management
    – When you refurbish, move, or significantly change infrastructure, do you re-check physical and environmental risks?
  • Training and awareness
    – Staff should know what to do in emergencies (fire, evacuation, severe weather).
    – Facilities and IT teams should understand why these controls exist, not just how to operate them.

This ensures that protecting against physical and environmental threats is a living part of your ISMS, not a one-off risk workshop that’s never revisited.


Quick Implementation Checklist for ISO 27001 Control 7.5

Use this to benchmark your current position:

  • ISO 27001 Control 7.5 (Protecting against physical and environmental threats) is covered in your risk assessment and physical security documentation.
  • Each key site has a physical and environmental risk assessment that considers natural and man-made threats.
  • The location and internal placement of critical facilities (server rooms, comms rooms, critical offices) reflects those risks.
  • Appropriate fire detection and suppression measures are in place, maintained and tested.
  • Controls exist to manage flooding and leaks (location, drainage, leak detection, response capability).
  • Key systems are protected against electrical surges and power issues (surge protection, UPS, generators where required).
  • Where necessary, higher-impact threats (explosives, weapons, civil unrest) have been assessed and proportionate measures implemented.
  • Environmental design principles are used to discourage unauthorised access while keeping the site usable.
  • Physical and environmental protections are integrated with business continuity, incident management and change management.
  • Relevant staff are aware of the risks and trained on emergency procedures.

Bringing It All Together

ISO 27001 Control 7.5 – Protecting against physical and environmental threats – is about accepting that not every risk to your information is digital. Buildings flood. Power fails. Fires start. People make mistakes. Sometimes, people act with intent.

If you:

  • Assess physical and environmental risks for each site,
  • Design and operate your buildings with those risks in mind, and
  • Link these measures to your continuity and incident processes,

you’ll be able to show that your organisation can withstand – or at least recover in an orderly way from – the kinds of events that take systems down in the real world. That’s exactly what ISO 27001 Control 7.5 is there to achieve.