ISO 27001 Control 7.6: Working in Secure Areas

How to Keep Your Most Sensitive Spaces Truly Secure

ISO 27001 Control 7.6 – Working in secure areas – is all about what happens inside your most sensitive spaces, not just how you lock the door.

You can have strong physical perimeters and access control, but if people are wandering around unsupervised, using phones to take photos, or leaving doors propped open “just for a minute”, the control is effectively broken. Control 7.6 expects you to define how work is carried out in secure areas, so that activities, behaviour and local rules all support security rather than undermining it.

This guide explains what ISO 27001 Control 7.6 is really asking for and how to put in place clear, practical rules for anyone working in or visiting secure areas.


What ISO 27001 Control 7.6 Actually Requires

In plain English, ISO 27001 Control 7.6 – Working in secure areas expects you to:

  • Define what counts as a “secure area” (e.g. server rooms, comms rooms, certain labs, high-sensitivity offices).
  • Make sure only authorised people know about and access those secure areas.
  • Control how people behave and work inside those areas.
  • Prevent unauthorised recording, copying or removal of information from those areas.
  • Ensure secure areas are properly closed, monitored and inspected when not in use.
  • Make sure people know what to do in an emergency while still protecting security.

It’s a preventive control that supports confidentiality, integrity and availability by making sure your most sensitive locations are run like secure spaces, not just ordinary rooms with a fancy lock.


Step 1 – Decide What Counts as a Secure Area (and Who Needs to Know)

Start by being explicit about which locations are “secure areas”. These might include:

  • Server rooms and data halls
  • Network and telecoms rooms
  • Rooms used for handling particularly sensitive client or HR/finance data
  • R&D labs or testing environments with sensitive prototypes or IP
  • Security control rooms (CCTV, access control, monitoring)

For ISO 27001 Control 7.6, you should:

  • Document your secure areas
    – List them in your physical security procedures or asset register.
    – Link them to the assets and information they protect.
  • Keep awareness on a need-to-know basis
    – Don’t unnecessarily advertise the existence, name or exact function of every secure room.
    – Internally, only share detailed information about secure areas with staff who need it to do their job.

You don’t need to be secretive about everything, but you do want to avoid turning your most sensitive spaces into obvious targets.


Step 2 – Tighten Access to Secure Areas (and Make It Personal)

Control 7.6 builds on your physical access controls and expects stricter rules for secure areas than for normal office space.

Good practice includes:

  • Named, role-based access
    – Only grant access to secure areas where there is a clear business need.
    – Use named IDs on access control – no shared fobs or generic keys if you can avoid it.
    – Review access regularly (e.g. quarterly) and remove it promptly for leavers and role changes.
  • Minimise unnecessary presence
    – No “hanging out” in secure areas because they’re quiet or convenient.
    – Limit entry for cleaners, contractors, visitors and non-essential staff – and control it when unavoidable (escorting, temporary access, logs).
  • Prevent tailgating
    – Make it clear that people entering secure areas must not let others follow them in without confirming they’re authorised.
    – Back this up with training and, if needed, signage.

The test for ISO 27001 Control 7.6 is simple: if an auditor stood by the secure area for an hour, would they see people challenge unexpected faces, or just shrug and let them in?


Step 3 – Set Clear Rules for Working in Secure Areas

Once inside a secure area, people need to follow stricter rules than in normal office space.

Your procedures for ISO 27001 Control 7.6 should cover:

  • Supervision and lone working
    – Avoid unsupervised work in secure areas where possible, especially for visitors and contractors.
    – If lone working is necessary, put compensating controls in place (logging, cameras, check-ins).
  • Sign-in / sign-out (if your access system doesn’t already record this)
    – Manual log, access control reporting, or both – whatever suits your size and tooling.
    – Record the purpose of the visit and the person responsible for the visitor, if they’re not regular staff.
  • Behaviour expectations
    – No eating, drinking or other activities that could damage equipment or distract attention.
    – No “camping out” on personal work in secure areas.
    – Clear desk / clear screen rules enforced even more strictly than in general office space.
  • Handling of information and media
    – Rules on printing, copying and moving data out of secure areas.
    – Controls around removable media and portable storage (in line with your storage media policies).

The idea is to treat secure areas as controlled workspaces, not general-purpose rooms with a couple of racks in them.


Step 4 – Control Recording Devices and Endpoint Use

Recording devices are a particular risk in secure areas. ISO 27001 Control 7.6 expects you to be absolutely clear about what is and isn’t allowed.

That usually means:

  • Default: no recording or imaging
    – Prohibit photography, video, audio recording and screen captures unless there is an explicit, documented authorisation.
    – This includes mobile phone cameras, wearable devices, and laptops/tablets with cameras.
  • Endpoint device rules
    – Decide whether personal devices (BYOD) are allowed at all in secure areas; often the safest default is no personal devices.
    – For corporate devices, define what can and cannot be connected (e.g. no unauthorised USB devices, no tethering).
  • Exceptions and approvals
    – If someone needs to take photographs for documentation, audits or maintenance, require prior approval and supervised use.
    – Store and handle those images as sensitive information.
  • Monitoring and enforcement
    – Supervisors should be ready to challenge visible use of cameras or recording equipment.
    – Make the rules visible (signage) and reinforce them in training.

For an auditor, a clear “no recording without prior approval” rule for secure areas is an easy win for ISO 27001 Control 7.6 – as long as people can explain it and it’s enforced.


Step 5 – Protect Secure Areas When They’re Empty

Control 7.6 doesn’t stop when people go home. It also covers how secure areas are left and checked when not in use.

You should:

  • Lock and secure each secure area when vacant
    – Doors locked, access control armed (if applicable), windows closed and secured.
    – No door props, wedges or “temporary” overrides.
  • Inspect regularly
    – Scheduled checks of secure areas for signs of tampering, damage, or anything out of place.
    – Verification that doors, locks, and tamper seals (if used) are intact.
  • Use tamper-evident mechanisms where appropriate
    – Tamper switches on cabinets and critical equipment.
    – Seals on rarely used emergency exits or access panels.
  • Integrate with monitoring
    – Ensure secure areas are covered by physical security monitoring (CCTV, alarms) aligned with your Control 7.4 arrangements.

This shows that ISO 27001 Control 7.6 is in place even when nobody is physically present.


Step 6 – Make Emergency Procedures Clear and Compatible with Security

Emergencies change priorities: life safety always comes first. But ISO 27001 Control 7.6 expects you to plan for this rather than let security fall apart by accident.

You should:

  • Display emergency procedures clearly
    – Evacuation routes, muster points, and emergency contact numbers available and visible in or near secure areas.
    – Include any special steps relevant to that area (e.g. shutting down certain systems, safe handling of gas suppression).
  • Train staff on secure evacuations
    – How to leave quickly without leaving doors wide open or systems in an unnecessarily vulnerable state, if it’s safe to secure them.
    – What should be grabbed (if anything) and what should be left.
  • Plan for re-entry and checks
    – After an emergency evacuation, define who checks secure areas and how they confirm they’ve not been tampered with before normal operations resume.

Auditors aren’t expecting heroics, just evidence that you’ve thought about the balance between safety and security in secure areas.


Step 7 – Support It All with Training, Audits and Monitoring

Finally, ISO 27001 Control 7.6 expects you to keep secure area practices alive and under review.

That means:

  • Training and awareness
    – Induction or specific briefings for anyone granted access to secure areas.
    – Periodic refreshers on rules, what’s allowed, and how to report concerns.
  • Audits and walk-throughs
    – Include secure areas in internal audits and spot checks:
      • Are doors closing properly?
      • Are rules about recording devices being followed?
      • Are access lists still appropriate?
  • Incident reporting
    – Treat unusual activity in secure areas (propped doors, tailgating, unescorted visitors, missing labels) as potential security incidents.
    – Record and investigate, then improve controls where needed.
  • Documentation
    – Keep procedures for secure areas up to date and easy to access for authorised staff.
    – Make sure people know who owns and approves those procedures.

This is what shows an auditor that working in secure areas under ISO 27001 Control 7.6 is actively managed, not just written down once and forgotten.


Quick Implementation Checklist for ISO 27001 Control 7.6

Use this to test where you are with secure areas:

  • ISO 27001 Control 7.6 (Working in secure areas) is documented in your physical security / access management procedures.
  • You have a defined list of secure areas, with clarity on what they protect.
  • Awareness of secure areas and their purpose is limited to need-to-know personnel.
  • Access to secure areas is restricted to authorised individuals with role-based rights and regular reviews.
  • There are clear rules against tailgating and unnecessary presence in secure areas.
  • There are documented working practices for secure areas (supervision, behaviour, handling information and media).
  • Recording devices and personal endpoints are controlled or prohibited in secure areas, with exceptions formally approved.
  • Secure areas are locked, monitored and periodically inspected when vacant.
  • Emergency procedures specific to secure areas are documented, visible and covered in training.
  • Training, audits and incident handling explicitly cover working in secure areas.

Bringing It All Together

ISO 27001 Control 7.6 – Working in secure areas – is about making sure your most sensitive spaces are treated as such in day-to-day behaviour, not just by sticking a sign on the door.

If you:

  • Clearly define your secure areas,
  • Restrict and manage access,
  • Set and enforce practical rules for how work is done inside, and
  • Back it all up with training, monitoring and checks,

you’ll significantly reduce the risk of accidental or deliberate compromise in the areas that matter most – and you’ll be in a strong position to show an auditor that working in secure areas is properly controlled under ISO 27001.