ISO 27001 Control 7.2: Physical Entry

Securing Physical Entry

Safeguarding physical access to an organisation’s premises and information assets is paramount. Control 7.2, "Physical Entry," provides detailed guidance on how organisations can implement robust controls to ensure the confidentiality, integrity, and availability of their information.


This article delves into the purpose, guidelines, and practical steps for achieving compliance with this critical control.


Purpose of Physical Entry Controls

The primary objective of Control 7.2 is to ensure that only authorised individuals can access an organisation’s information and associated assets. By preventing unauthorised physical access, organisations mitigate risks such as theft, damage, or tampering with sensitive information. This not only protects the organisation’s operations but also upholds trust with stakeholders.


General Guidelines for Physical Entry Controls

To effectively implement physical entry controls, organisations should focus on both preventing unauthorised access and monitoring authorised access.


Below are key recommendations:


1. Site and Building Access

  • Restrict access to authorised personnel only.

  • Develop a process for managing physical access rights, including periodic reviews and timely revocation of access when no longer required.

  • Implement secure mechanisms for logging and monitoring access activities, such as electronic audit trails or physical logbooks.
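The audit-trail and access-rights-review points above are easier to operate when the badge-reader log is actually reconciled against the access-rights register. The following is an added illustration, not code from the article or from any product: it parses a constructed badge-reader log, checks each granted entry against a hypothetical rights register and revocation list, and flags the three conditions a reviewer would most want surfaced: a revoked badge still being presented (worse, still being granted), a grant at a door the holder has no recorded right to, and after-hours entry into a secure area. Log format, badge ids, door names and business hours are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed badge-reader audit trail for this example (not real data).
# Format assumed: ISO timestamp, badge id, door, reader result.
SAMPLE_LOG = """\
2024-05-06T08:02:11 B1001 MAIN-ENTRANCE GRANTED
2024-05-06T08:05:40 B1002 MAIN-ENTRANCE GRANTED
2024-05-06T09:10:27 B1003 SERVER-ROOM GRANTED
2024-05-06T09:11:02 B1003 SERVER-ROOM DENIED
2024-05-06T14:45:19 B1001 SERVER-ROOM GRANTED
2024-05-06T22:17:03 B1002 SERVER-ROOM GRANTED
2024-05-07T10:30:00 B1004 MAIN-ENTRANCE GRANTED
"""

# Hypothetical access-rights register: badge id -> doors the holder may open.
ACCESS_RIGHTS = {
    "B1001": {"MAIN-ENTRANCE"},
    "B1002": {"MAIN-ENTRANCE", "SERVER-ROOM"},
    "B1004": {"MAIN-ENTRANCE"},
}

# Badges whose rights were revoked (badge id -> revocation date), also hypothetical.
REVOKED = {"B1003": "2024-04-30"}

# Doors that count as secure areas, and the window in which routine entry is expected.
SECURE_AREAS = {"SERVER-ROOM"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    door: str
    result: str


def parse_log(text):
    """Parse the whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, badge, door, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door, result))
    return events


def review_access(events, rights, revoked, secure_areas, hours):
    """Return findings as (kind, badge, door, iso_timestamp) tuples, in log order."""
    start, end = hours
    findings = []
    for ev in events:
        stamp = ev.ts.isoformat()
        # A revoked badge should never be seen at a reader; a GRANTED result means
        # the revocation was never pushed to the access-control system.
        if ev.badge in revoked:
            findings.append((f"revoked-badge-{ev.result.lower()}", ev.badge, ev.door, stamp))
            continue
        if ev.result != "GRANTED":
            continue  # denied attempts by active badges are routine noise here
        # Grant at a door the register does not list: register and reader disagree.
        if ev.door not in rights.get(ev.badge, set()):
            findings.append(("granted-without-right", ev.badge, ev.door, stamp))
        # Secure-area entry outside business hours: authorised, but worth a look.
        if ev.door in secure_areas and not (start <= ev.ts.time() <= end):
            findings.append(("secure-area-after-hours", ev.badge, ev.door, stamp))
    return findings


def run_review():
    """Convenience wrapper so the review can be called on the constructed sample."""
    return review_access(parse_log(SAMPLE_LOG), ACCESS_RIGHTS, REVOKED,
                         SECURE_AREAS, BUSINESS_HOURS)


if __name__ == "__main__":
    for kind, badge, door, stamp in run_review():
        print(f"{stamp}  {kind:24} badge={badge} door={door}")
```

Run against a real export, the "granted-without-right" and "revoked-badge-granted" findings are the ones that indicate the periodic review is not reaching the door controllers; the after-hours finding is a monitoring prompt rather than a violation on its own.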


2. Access to Secure Areas

  • Use robust authentication mechanisms, such as access cards, biometrics, or two-factor authentication (e.g., card and PIN).

  • Consider installing double security doors for highly sensitive areas.

  • Set up monitored reception areas to control access and verify visitor identities.


3. Identification and Monitoring

  • Require personnel and visitors to wear visible identification badges at all times.

  • Implement processes to report unescorted visitors or individuals without proper identification immediately.

  • Use distinguishable badges to differentiate employees, suppliers, and visitors.


4. Emergency Exits and Key Management

  • Secure emergency exits to prevent unauthorised access.

  • Establish a key management process, ensuring physical keys and lock codes are securely controlled and audited annually.


Visitor Management

Visitors pose unique challenges to physical security. The following steps can help organisations manage visitor access effectively:

  • Authenticate visitor identities through appropriate means.

  • Record entry and exit times for all visitors.

  • Provide access only for specific purposes and ensure visitors are informed of security and emergency procedures.

  • Supervise visitors unless explicitly authorised otherwise.


Delivery and Loading Areas

Delivery and loading areas are critical access points that require strict controls to prevent unauthorised entry. Best practices include:

  • Restrict access to authorised personnel.

  • Design areas to facilitate deliveries without granting delivery personnel access to other parts of the building.

  • Secure external doors to delivery areas, particularly when doors to restricted zones are open.

  • Inspect incoming deliveries for evidence of tampering or hazardous materials before moving them further into the premises.

  • Physically segregate incoming and outgoing shipments to avoid confusion and potential security breaches.


Strengthening Physical Security in Dynamic Environments

Organisations must be prepared to enhance physical security measures in response to changing risk environments. This includes:

  • Adapting security protocols during heightened threat levels.

  • Regularly reviewing and updating physical access controls.

  • Ensuring personnel are trained to identify and report suspicious activities promptly.


Conclusion

Control 7.2 of ISO 27001 provides a comprehensive framework for securing physical access to organisational assets. By implementing these controls, organisations can significantly reduce the risk of physical breaches, ensuring the confidentiality, integrity, and availability of their information. Regular reviews, employee training, and robust monitoring mechanisms are key to maintaining a secure physical environment that supports broader information security objectives.


About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
