Physical Security Perimeters
Define clear physical boundaries to protect sensitive areas and assets from unauthorized access.
Plain language
This control is about setting up clear physical boundaries to keep unauthorised people from accessing important areas and assets, like confidential files or important equipment. If you don’t do this, someone could easily sneak into your business and steal or damage valuable information, which could seriously harm your operations and reputation.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Physical controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Security perimeters shall be defined and used to protect areas that contain information and other associated assets.
Why it matters
Poorly defined physical perimeters leave critical areas like server rooms vulnerable to unauthorised access, leading to potential data breaches or equipment theft.
Operational notes
Document the physical perimeters of secure areas (walls, doors, fencing), minimise the number of entry points, mark the boundary clearly without signage that advertises what the area contains, and periodically verify that the barriers, locks and access controls actually in place match the defined boundary.
Implementation tips
- The facility manager should identify and map out areas in your building that contain sensitive information or equipment. Use physical barriers like walls and fences to clearly mark these areas, ensuring they're sound and without gaps.
- The security team needs to ensure all entry points, such as doors and windows, are secured with appropriate locks and alarms. Test these locks regularly and monitor them with cameras linking back to a security office.
- IT staff should coordinate with security to install and maintain alarms on fire doors that sit on a security perimeter. Test these alarms regularly, and make sure the doors operate in a fail-safe manner: an alarmed fire door must still open freely for emergency egress, including when power or the alarm fails.
- Management should establish procedures to lock windows and doors when the area is unattended. Regular training should be provided to employees about these procedures to ensure compliance.
- Facilities management should conduct regular physical security assessments and strengthen barriers when the threat level rises. Note that the ASD Essential Eight is a set of cyber mitigation strategies (application control, patching, MFA, backups and so on) and contains no physical security controls; use the ASD ISM physical security controls mapped below as the Australian reference point, and where the area holds personal information treat the assessment as part of the "reasonable steps" to protect it that the Privacy Act 1988 (APP 11) requires.
Audit / evidence tips
- Ask: Request the facility's security perimeter plan or maps.
  Good: A detailed layout showing every sensitive area, the barriers that enclose it, and the access-controlled entry points through those barriers.
- Ask: Request maintenance logs of security systems and alarms.
  Good: Comprehensive logs showing consistent maintenance checks and prompt resolution of faults.
- Ask: Request a demonstration of the physical access control and monitoring systems (e.g., badge readers, alarms and cameras).
  Good: Fully operational systems that alert immediately and give surveillance coverage of every entry point.
- Ask: Request records of security training sessions.
  Good: Detailed records showing regular, well-documented training on the physical security procedures.
- Ask: Request access control logs or audits.
  Good: Complete access logs covering every entry point, showing adherence to policy, with unauthorised attempts and anomalies investigated and promptly addressed.
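The last audit tip asks for access logs that show the defined boundary is actually enforced. The following added example (not part of the Control Stack page, ISO/IEC 27001 or any PACS vendor's software) shows one way to check exported badge-reader events against a perimeter model. The zone names, door names, badge IDs, log format and the log lines themselves are constructed for illustration; a real export will need its own parser. It flags four things an auditor cares about: a reader granting entry to a badge the perimeter plan does not authorise (access control drifted from the documented boundary), entry to an inner zone with no recorded entry to the enclosing zone (tailgating or an unmonitored entry point), a second entry without an exit (badge sharing or tailgating out), and events from a door that is not on the perimeter map at all.

```python
"""Check physical access control (PACS) events against a defined security perimeter.

Added example, not from the original page. Zones, doors, badges and log lines are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Zone:
    """A secured area. `parent` is the zone you must already be inside to reach it."""
    name: str
    parent: Optional[str]
    authorised: Set[str] = field(default_factory=set)


# Assumed perimeter model: nested zones (site > building > server room) and the
# doors that are the only defined entry points into each zone.
ZONES: Dict[str, Zone] = {
    "site": Zone("site", None, {"B001", "B002", "B003", "B004"}),
    "building": Zone("building", "site", {"B001", "B002", "B003"}),
    "server-room": Zone("server-room", "building", {"B001"}),
}
DOORS: Dict[str, str] = {"gate-1": "site", "lobby": "building", "srv-door": "server-room"}

# Constructed sample export: timestamp, badge, door, direction, reader decision.
LOG = """\
2026-03-19T08:00:00 B001 gate-1 IN GRANTED
2026-03-19T08:01:00 B001 lobby IN GRANTED
2026-03-19T08:05:00 B001 srv-door IN GRANTED
2026-03-19T08:06:00 B002 gate-1 IN GRANTED
2026-03-19T08:07:00 B002 lobby IN GRANTED
2026-03-19T08:08:00 B002 srv-door IN GRANTED
2026-03-19T08:10:00 B003 lobby IN GRANTED
2026-03-19T08:11:00 B003 lobby IN GRANTED
2026-03-19T08:20:00 B004 lobby IN DENIED
2026-03-19T08:30:00 B001 srv-door OUT GRANTED
2026-03-19T09:00:00 B009 loading-dock IN GRANTED
"""

Event = Tuple[str, str, str, str, str]
Finding = Tuple[str, str, str, str]  # (kind, badge, door, timestamp)


def parse(log: str) -> List[Event]:
    """Split the whitespace-separated export into (ts, badge, door, direction, result)."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]  # type: ignore


def ancestors(zone_name: str, zones: Dict[str, Zone]) -> List[str]:
    """Enclosing zones of `zone_name`, innermost first."""
    chain, parent = [], zones[zone_name].parent
    while parent is not None:
        chain.append(parent)
        parent = zones[parent].parent
    return chain


def check_access(events: List[Event], zones=ZONES, doors=DOORS):
    """Replay granted events and return (findings, badge -> zones currently occupied)."""
    findings: List[Finding] = []
    inside: Dict[str, Set[str]] = defaultdict(set)
    for ts, badge, door, direction, result in events:
        if door not in doors:  # a reader that is not on the perimeter map
            findings.append(("undefined-entry-point", badge, door, ts))
            continue
        if result != "GRANTED":  # denials are correct behaviour; review them separately
            continue
        zone = zones[doors[door]]
        if direction == "OUT":
            # Leaving a zone also means leaving every zone nested inside it.
            gone = {z for z in inside[badge] if z == zone.name or zone.name in ancestors(z, zones)}
            inside[badge] -= gone
            continue
        if badge not in zone.authorised:  # reader config drifted from the documented plan
            findings.append(("unauthorised-grant", badge, door, ts))
        if zone.name in inside[badge]:  # second entry with no exit recorded
            findings.append(("anti-passback", badge, door, ts))
            continue
        if zone.parent is not None and zone.parent not in inside[badge]:
            # No recorded entry into the enclosing zone: tailgating or an unmonitored door.
            findings.append(("perimeter-bypass", badge, door, ts))
        inside[badge].add(zone.name)
    return findings, inside


if __name__ == "__main__":
    for kind, badge, door, ts in check_access(parse(LOG))[0]:
        print(f"{ts} {kind:22} badge={badge} door={door}")
```

The replay is deliberately strict: a badge that reaches the lobby without a gate event is a finding even if the gate reader was simply offline, because that gap is exactly what the audit should surface. Denied events are skipped here rather than ignored; count them per badge in a second pass to catch repeated probing of a door.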
Cross-framework mappings
How Annex A 7.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-0235 | ISM-0235 prohibits use of speakerphones in TOP SECRET areas unless the telephone system is in an audio secure room, the room remains audi... |
| Partially meets | ISM-0810 | ISM-0810 requires that facilities hosting classified systems meet the requirements of an appropriate security zone for the classification |
| Partially meets | ISM-1053 | ISM-1053 requires classified ICT and cryptographic equipment to be located in secure server/communications rooms that satisfy security zo... |
| Partially meets | ISM-1074 | ISM-1074 requires keys or equivalent access mechanisms to server rooms, communications rooms and security containers to be appropriately ... |
| Partially meets | ISM-1098 | ISM-1098 requires SECRET cabling to be terminated at cabinet boundaries (or separated by a division plate in small systems), limiting whe... |
| Partially meets | ISM-1974 | ISM-1974 requires non-classified servers, network devices, and cryptographic equipment to be secured in suitably secure server rooms or c... |
| Partially overlaps | ISM-0735 | ISM-0735 requires classified systems to be kept in secure locations appropriate to their classification level, which typically depends on... |
| Partially overlaps | ISM-1137 | ISM-1137 necessitates contacting ASD for an emanation security threat assessment for high-security systems |
| Partially overlaps | ISM-1296 | ISM-1296 requires physical security measures to protect network devices located in public areas from physical damage or unauthorised access |
| Supports | ISM-0161 | ISM-0161 requires securing IT equipment and media when not in use to prevent unauthorised access |
| Supports | ISM-0164 | Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ... |
| Supports | ISM-0217 | ISM-0217 focuses on physical separation within a cabinet and strict access controls for co-located patch panels |
| Supports | ISM-0559 | ISM-0559 requires preventing use of microphones and webcams on non-SECRET workstations within SECRET areas to limit compromise opportunit... |
| Supports | ISM-0813 | Annex A 7.1 requires security perimeters to be defined and used to protect areas containing information and associated assets |
| Supports | ISM-1103 | Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ... |
| Supports | ISM-1633 | ISM-1633 requires the organisation to determine the system boundary and security objectives based on compromise impact |
| Supports | ISM-1975 | Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ... |
| Supports | ISM-2070 | Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ... |
| Related | ISM-0225 | Annex A 7.1 requires security perimeters to be defined and used to protect areas containing information and associated assets |
| Related | ISM-0829 | Annex A 7.1 requires defined physical security perimeters to protect sensitive areas and assets from unauthorised access |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.