ISO 27001 Annex A 7.2: Access Control to Premises Explained (Physical Entry)

Physical security remains one of the most underestimated components of information security. While organisations invest heavily in cybersecurity tools, a single uncontrolled door, shared workspace, or unlogged visitor can undermine even the most mature digital controls. ISO 27001 Annex A 7.2 exists to address this exact risk by requiring organisations to establish and maintain effective access control to premises where information and information-processing facilities are located.

This article provides a comprehensive, end-to-end explanation of ISO 27001:2022 Annex A 7.2 – Access Control to Premises (Physical Entry). It explains what the control requires, how auditors assess it, how to implement it in practice, how it integrates with the ISMS, and how organisations can maintain compliance at scale.

Understanding ISO 27001 Annex A 7.2

What Annex A 7.2 Covers

Annex A 7.2 focuses on controlling physical entry to secure areas. Its purpose is to prevent unauthorised physical access, damage, or interference with information and information-processing facilities. This includes offices, data centres, server rooms, network closets, archive rooms, and any location where sensitive information is handled, processed, or stored.

The control requires organisations to implement appropriate entry controls, based on risk, to ensure that only authorised individuals can access these areas. These controls must be documented, implemented, monitored, and auditable.

Why Physical Entry Controls Matter in Modern ISMS Programs

Physical access is often the weakest link in security programs. A threat actor does not always need to exploit software vulnerabilities if they can simply walk into a building, tailgate an employee, or access unsecured equipment.

Annex A 7.2 addresses risks such as:

  • Theft of or tampering with physical assets
  • Unauthorised access to systems via local ports
  • Exposure of confidential paper records
  • Insider threats enabled by uncontrolled access
  • Breaches caused by visitors, contractors, or shared spaces

By enforcing physical entry controls, organisations protect the confidentiality, integrity, and availability (CIA) of information at the most fundamental level.

Relationship to the Physical Controls Domain

Annex A 7.2 sits within the Physical Controls category of ISO 27001:2022. While many organisations associate ISO 27001 primarily with digital controls, physical controls are equally critical.

Annex A 7.2 works closely with:

  • Physical security perimeters
  • Equipment security
  • Secure disposal
  • Environmental protections
  • Personnel security controls

Together, these controls ensure that physical environments do not undermine the effectiveness of technical or organisational safeguards.

What ISO 27001 Annex A 7.2 Requires

Core Requirement Explained

ISO 27001 Annex A 7.2 requires organisations to:

  • Define secure areas
  • Control physical entry points
  • Authorise access based on role and need
  • Prevent unauthorised access
  • Monitor and record access
  • Protect access records
  • Review and revoke access when required

The control does not prescribe specific technologies. Instead, it mandates a risk-based approach, allowing organisations to select controls appropriate to their environment, size, and threat profile.

Identifying Secure Areas

The first step in implementing Annex A 7.2 is identifying which areas require controlled access. Secure areas are not limited to server rooms or data centres.

Examples include:

  • Corporate offices
  • Shared workspaces
  • R&D labs
  • HR or finance departments
  • Archive rooms
  • Network cabinets
  • Cloud provider cages
  • Remote or satellite offices

Each secure area must be defined within the ISMS scope and linked to asset and risk registers.

Authorised vs Unauthorised Access

Annex A 7.2 requires organisations to distinguish clearly between authorised and unauthorised individuals.

Authorised individuals may include:

  • Employees
  • Contractors
  • Temporary staff
  • Approved visitors
  • Maintenance personnel

Authorisation must be documented, role-based, and reviewed regularly. Access should never be implicit or assumed.

Physical Entry Controls in Practice

Types of Physical Access Controls

Organisations may implement a combination of physical, technical, and procedural controls to meet Annex A 7.2 requirements.

Common examples include:

  • Mechanical locks and keys
  • Electronic access cards
  • PIN codes
  • Biometric authentication
  • Security guards
  • Turnstiles
  • Mantraps
  • CCTV systems
  • Intrusion detection systems

Controls should be layered, ensuring that failure of one mechanism does not result in unrestricted access.

Visitor Management Requirements

Visitor access is one of the most common sources of audit findings.

A compliant visitor management process typically includes:

  • Pre-approval of visits
  • Identity verification on arrival
  • Visitor registration
  • Issuing temporary badges
  • Escorting visitors in secure areas
  • Logging entry and exit times
  • Returning badges on exit

Visitor logs must be protected, retained, and reviewed as part of ISMS monitoring.

Managing Contractors and Third Parties

Contractors and third parties often require access to secure areas but present increased risk due to limited organisational oversight.

Annex A 7.2 requires organisations to:

  • Authorise contractor access explicitly
  • Limit access to required areas only
  • Time-limit access permissions
  • Supervise or escort where appropriate
  • Revoke access promptly when contracts end

These requirements align closely with supplier security and personnel screening controls.

Risk-Based Design of Physical Entry Controls

Applying Risk Assessments to Physical Access

ISO 27001 requires controls to be selected based on risk assessment outcomes. Physical entry controls must therefore reflect:

  • Sensitivity of information
  • Criticality of systems
  • Threat likelihood
  • Impact of unauthorised access

For example, a publicly accessible office may require lighter controls than a data centre hosting regulated customer data.

Zoning and Access Segmentation

Many organisations implement security zones to align controls with risk levels.

Typical zones include:

  • Public areas
  • General office areas
  • Restricted areas
  • Highly restricted areas

Each zone has progressively stronger access controls, reducing unnecessary exposure while maintaining operational efficiency.

Shared Offices and Co-Working Environments

Shared spaces introduce unique challenges for Annex A 7.2 compliance.

Organisations using co-working environments must:

  • Clearly define their controlled areas
  • Implement access segregation
  • Secure equipment and documents
  • Manage visitor access within shared premises
  • Document compensating controls

Auditors will assess whether physical risks in shared environments have been adequately identified and treated.

Monitoring, Logging, and Evidence

Access Logs and Audit Trails

ISO 27001 Annex A 7.2 requires organisations to maintain records of physical access where appropriate.

These records may include:

  • Badge access logs
  • Visitor sign-in logs
  • CCTV footage
  • Security incident reports

Logs must be protected from unauthorised access and tampering, retained for defined periods, and available for audit.

CCTV and Surveillance Considerations

CCTV can be an effective supporting control but must be implemented carefully.

Organisations must consider:

  • Privacy and data protection laws
  • Purpose limitation
  • Retention periods
  • Access restrictions
  • Signage and transparency

CCTV should support, not replace, access control mechanisms.

Protecting Access Records

Access records themselves are sensitive information and must be protected under the ISMS.

Controls should ensure:

  • Restricted access to logs
  • Integrity of records
  • Secure storage
  • Defined retention and disposal policies

Failure to protect access logs is a common audit finding.
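One practical way to give access records the tamper evidence this section asks for is to store them as a hash chain: each entry's hash covers its own fields plus the previous entry's hash, so altering or deleting any earlier record breaks every hash that follows it. The block below is an added example written for this article, not code from Hicomply or from the ISO standard; the log field names and the three badge events are constructed samples, and the chain only adds value if the latest hash is regularly copied to a system the log's own administrators cannot write to.

```python
"""Tamper-evident physical access log (added example; not from the article).

Each stored record is {"entry": <log fields>, "hash": sha256(prev_hash + entry)}.
Field names and the sample events below are constructed for illustration.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry's hash


def entry_hash(prev_hash, entry):
    """Hash one entry together with the hash of the entry before it."""
    # Canonical JSON so that key order cannot change the digest.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(chain, entry):
    """Append a dict of log fields to the chain and return the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "hash": entry_hash(prev, entry)})
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["hash"] != entry_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None


# Constructed sample badge events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2025-12-15T08:02:11", "badge": "B001", "door": "server_room", "result": "granted"},
    {"ts": "2025-12-15T08:05:40", "badge": "B006", "door": "server_room", "result": "denied"},
    {"ts": "2025-12-15T08:09:03", "badge": "B002", "door": "server_room", "result": "granted"},
]


def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, dict(event))
    return chain


def tampered_chain():
    """Copy of the sample chain in which the denied event was edited to 'granted'."""
    chain = copy.deepcopy(build_sample_chain())
    chain[1]["entry"]["result"] = "granted"
    return chain


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))
    print("edited entry:", verify_chain(tampered_chain()))
```

Running the block reports the intact chain as valid and pinpoints the edited record at index 1; deleting a record produces the same kind of failure at the position where the gap starts.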

Integration with Other ISO 27001 Controls

Relationship with Personnel Security Controls

Annex A 7.2 works closely with personnel security controls such as employee screening, onboarding, and disciplinary processes.

Access to premises must align with:

  • Employment status
  • Role changes
  • Disciplinary actions
  • Termination processes

Physical access should be revoked promptly when personnel leave or change roles.

Alignment with Asset Management

Physical access controls must reflect asset ownership and classification.

Sensitive assets should be located in appropriately secured areas, with access limited to authorised asset owners or custodians.

Incident Management and Physical Breaches

Physical security incidents must be handled through the organisation’s incident management process.

Examples include:

  • Lost access cards
  • Forced entry
  • Tailgating incidents
  • Visitor violations

Incidents should trigger investigation, corrective actions, and updates to risk assessments.

Auditor Expectations for Annex A 7.2

What Auditors Look For

During ISO 27001 audits, auditors typically assess:

  • Defined secure areas
  • Documented access control procedures
  • Evidence of access authorisation
  • Visitor management records
  • Physical access logs
  • Monitoring mechanisms
  • Review and revocation processes

Auditors will also conduct walkthroughs to validate that documented controls reflect reality.

Common Nonconformities

Frequent findings include:

  • Uncontrolled visitor access
  • Missing or incomplete visitor logs
  • Shared access cards
  • Access not revoked for leavers
  • Lack of monitoring or review
  • Poor alignment between documentation and practice

Avoiding these issues requires ongoing operational discipline.

Maintaining Compliance Over Time

Reviewing Physical Access Regularly

Physical access controls must be reviewed periodically to ensure continued effectiveness.

Reviews may be triggered by:

  • Organisational changes
  • Office moves
  • New facilities
  • Incidents
  • Audit findings
  • Changes in risk profile

Regular reviews help ensure controls evolve alongside the business.
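The periodic review described here, together with the contractor requirements (explicit authorisation, time-limited permissions, prompt revocation) and the nonconformities listed earlier (access not revoked for leavers, shared access cards), can be largely automated by reconciling the badge system's active assignments against the HR and contractor roster. The block below is an added example written for this article, not code from Hicomply or from any access-control product; the record layouts, zone names and people are constructed assumptions, and the finding codes are our own labels.

```python
"""Physical access review: badge assignments reconciled against the roster.

Added example, not from the article. Field names, zone names and all records are
constructed; a real run would load the badge system's export and the HR roster.
Findings produced:
  NOT_REVOKED   badge still active for a leaver or an ended contract
  NO_END_DATE   contractor access that is not time-limited
  EXCESS_ZONES  badge opens zones the holder's role does not justify
  STALE         badge not used within stale_days (candidate for revocation)
  NO_HR_RECORD  active badge with no matching person (pool/shared or orphaned card)
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Badge:
    badge_id: str
    holder: str                 # name the badge is assigned to in the access system
    zones: frozenset            # zone names the badge can open
    active: bool
    last_used: Optional[date]   # most recent successful read, None if never used


@dataclass(frozen=True)
class Person:
    name: str
    kind: str                   # "employee" or "contractor"
    status: str                 # "active" or "left"
    end_date: Optional[date]    # leaving date, or contract end date for contractors
    allowed_zones: frozenset    # zones justified by the role (from the access matrix)


def review_access(badges, people, today, stale_days=90):
    """Return a sorted list of (badge_id, finding, detail) tuples."""
    by_name = {p.name: p for p in people}
    findings = []
    for b in badges:
        if not b.active:
            continue  # a deactivated badge is the desired end state, not a finding
        p = by_name.get(b.holder)
        if p is None:
            findings.append((b.badge_id, "NO_HR_RECORD", b.holder))
            continue
        if p.status == "left" or (p.end_date is not None and p.end_date < today):
            findings.append((b.badge_id, "NOT_REVOKED", f"{p.kind} {p.name} ended {p.end_date}"))
        elif p.kind == "contractor" and p.end_date is None:
            findings.append((b.badge_id, "NO_END_DATE", p.name))
        excess = b.zones - p.allowed_zones
        if excess:
            findings.append((b.badge_id, "EXCESS_ZONES", ",".join(sorted(excess))))
        if b.last_used is None or (today - b.last_used).days > stale_days:
            findings.append((b.badge_id, "STALE", str(b.last_used)))
    return sorted(findings)


# Constructed sample roster and badge export (review date matches the article's date).
TODAY = date(2025, 12, 15)
PEOPLE = [
    Person("Alice", "employee", "active", None, frozenset({"office"})),
    Person("Bob", "employee", "left", date(2025, 11, 30), frozenset({"office", "server_room"})),
    Person("Carol", "contractor", "active", date(2025, 10, 1), frozenset({"office"})),
    Person("Dan", "contractor", "active", None, frozenset({"office"})),
    Person("Eve", "employee", "active", None, frozenset({"office"})),
]
BADGES = [
    Badge("B001", "Alice", frozenset({"office"}), True, date(2025, 12, 12)),
    Badge("B002", "Bob", frozenset({"office", "server_room"}), True, date(2025, 12, 10)),
    Badge("B003", "Carol", frozenset({"office"}), True, date(2025, 12, 1)),
    Badge("B004", "Dan", frozenset({"office"}), True, date(2025, 12, 11)),
    Badge("B005", "Eve", frozenset({"office", "server_room"}), True, date(2025, 7, 2)),
    Badge("B006", "Reception pool", frozenset({"office"}), True, date(2025, 12, 14)),
    Badge("B007", "Bob", frozenset({"office"}), False, date(2025, 6, 1)),
]


def sample_findings():
    return review_access(BADGES, PEOPLE, TODAY)


if __name__ == "__main__":
    for badge_id, finding, detail in sample_findings():
        print(f"{badge_id} {finding}: {detail}")
```

Each finding maps directly to evidence an auditor asks for: NOT_REVOKED and NO_END_DATE feed the revocation and contractor-authorisation records, EXCESS_ZONES checks the badge against the role-based access matrix, and NO_HR_RECORD surfaces pool or shared cards that need an accountable owner or a documented exception.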

Managing Changes to Premises

Any change to physical premises should trigger reassessment under the ISMS.

This includes:

  • Renovations
  • New offices
  • Expansion
  • Downsizing
  • Relocation

Failure to update access controls during changes is a major source of risk.

Training and Awareness

Employees must understand their responsibilities regarding physical security.

Awareness activities should cover:

  • Badge usage
  • Tailgating prevention
  • Visitor handling
  • Incident reporting

Human behaviour is a critical component of physical security effectiveness.

Best Practices for Implementing Annex A 7.2

Centralising Access Management

Using centralised systems for managing access improves consistency, visibility, and auditability.

Benefits include:

  • Easier reviews
  • Faster revocation
  • Better reporting
  • Reduced errors

Documenting Exception Handling

Not all access scenarios fit standard processes.

Organisations should document:

  • Temporary access procedures
  • Emergency access
  • Maintenance access
  • Executive exceptions

All exceptions must be justified, approved, and time-bound.

Testing Physical Controls

Testing ensures controls work as intended.

Examples include:

  • Access reviews
  • Tailgating tests
  • Badge deactivation tests
  • Incident simulations

Testing demonstrates proactive security management to auditors.

Why Annex A 7.2 Matters

ISO 27001 Annex A 7.2 is not simply about doors and locks. It is about establishing trust boundaries in the physical world, ensuring that sensitive information and systems are protected from unauthorised physical access.

A mature implementation integrates physical access controls into the broader ISMS, aligns them with risk assessments, supports audit readiness, and evolves alongside organisational change. Organisations that treat physical security as an afterthought often discover weaknesses too late — during audits or after incidents.

Strengthen Physical Access Governance with Hicomply

Managing physical access controls, evidence, reviews, and audits manually becomes increasingly difficult as organisations grow, expand locations, and onboard third parties.

Hicomply helps organisations centralise ISMS governance, track access controls, maintain evidence, manage reviews, and demonstrate compliance with ISO 27001 Annex A 7.2 — without spreadsheets or fragmented tools.

If you want to simplify physical security compliance, reduce audit risk, and maintain continuous ISO 27001 alignment, book a demo with Hicomply to see how your ISMS can be managed more effectively.

Last updated: December 15, 2025
Category: Annex A Controls — Physical
Author: Lucy Murphy, Head of Customer Success

Lucy works closely with customers to help them get the most out of the Hicomply platform, from onboarding to audit success. She brings a user-focused mindset to everything she does, making her well-placed to write about day-to-day challenges, shortcuts, and success strategies. Her content is grounded in what real InfoSec and compliance teams need to know — and how to get there faster. Expect helpful walkthroughs, product tips, and practical insights.

Frequently Asked Questions: Access Control to Premises (Annex A 7.2)

What is ISO 27001 Annex A 7.2?

ISO 27001 Annex A 7.2 is a physical security control that requires organisations to protect secure areas by implementing appropriate physical entry controls, ensuring only authorised individuals can access locations where sensitive information or systems are present.

Does Annex A 7.2 require electronic access controls?

No. ISO 27001 does not mandate specific technologies. Organisations may use mechanical, electronic, biometric, or procedural controls based on risk, provided they effectively prevent unauthorised access and are auditable.

Are visitor logs mandatory under Annex A 7.2?

Visitor logs are not explicitly mandated, but they are a widely accepted and expected form of evidence. Auditors typically expect organisations to record and monitor visitor access to secure areas.

How does Annex A 7.2 apply to remote or shared offices?

Organisations must assess physical risks in shared or remote environments and implement compensating controls. This may include secured cabinets, restricted rooms, visitor management, and documented procedures.

What evidence is required to demonstrate compliance?

Typical evidence includes access control policies, secure area definitions, access logs, visitor records, monitoring outputs, incident records, and review documentation.
