Control Stack
Annex A 7.2 ISO/IEC 27001:2022

Physical access controls for secure areas

Ensure only authorised people can enter secure areas and prevent unauthorised access.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Preventative

🧱 ISO 27001 domain

Physical controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 Maturity levels

N/A

Official control statement
Secure areas shall be protected by appropriate entry controls and access points.

Source: ISO/IEC 27001:2022

Plain language

This control is about making sure only people who are allowed can enter secure areas of a business, like server rooms or archives. It matters because if unauthorised people can get in, they might steal or damage important information or equipment, putting the organisation at risk.

Why it matters

Unauthorised access to secure areas can enable theft or tampering with systems and media, leading to data breaches, outages and reputational damage.

Operational notes

Review access lists and entry logs for secure areas, test door and badge controls, and revoke access promptly when roles change or staff leave.

Implementation tips

  • The IT manager should ensure that access points such as doors to secure areas have appropriate locks or access control systems. This can be done by installing systems like key card readers or biometric scanners to ensure only those with permission can enter.
  • The HR department should maintain an updated list of staff members who have access to secure areas. They can do this by regularly reviewing and updating records, especially when people join, leave, or change roles within the organisation.
  • Security personnel or office managers should conduct physical checks and log visitor information. This means staffing reception areas to monitor entry, and requiring visitors to sign in and out, wearing visible identification at all times.
  • Facility managers should ensure that delivery and loading areas are isolated from main buildings. They can achieve this by having separate entrances and ensuring these areas are monitored to prevent unauthorised access to restricted zones.
  • The board or senior management should develop and regularly review a policy on granting and revoking access. They should ensure all changes are tracked, and any breaches or incidents are investigated and resolved promptly, in line with ISO 27002:2022 guidance and the Privacy Act 1988.

Audit / evidence tips

  • Ask for the access control policy for secure areas.

    Good: The policy is clear, up to date, and includes a process for regular reviews and updating access rights.

  • Ask for logs of access to secure areas.

    Good: Logs are comprehensive, securely maintained, and show consistent and authorised access patterns.

  • Ask to observe the entry process at a secure area.

    Good: Entry processes are strictly followed with no unauthorised individuals gaining access.

  • Ask about the visitor management system in place.

    Good: Visitor logs are accurate, complete, and show visitors are accompanied or supervised at all times.

  • Ask for records of reviews and updates of physical access rights.

    Good: Records show timely reviews and proper documentation of changes to access rights.
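The log review described in the operational notes and in the audit tips above (entry logs checked against the authorised access list, with access revoked when staff leave or change roles) can be automated. The following is an added example, not code from this Control Stack page; the badge-reader log format, the authorised-list structure and the sample data are all constructed assumptions.

```python
from datetime import datetime

# Constructed authorised access list (assumed format): badge -> holder, permitted
# secure areas, and the date access was revoked (None means still active).
AUTHORISED = {
    "B1001": {"name": "A. Lee",   "areas": {"server-room"},            "access_until": None},
    "B1002": {"name": "K. Singh", "areas": {"archive"},                "access_until": "2024-03-31"},
    "B1003": {"name": "M. Chen",  "areas": {"server-room", "archive"}, "access_until": None},
}

# Constructed badge-reader log lines (assumed format): timestamp badge area result.
ENTRY_LOG = """\
2024-04-02T08:55:12 B1001 server-room GRANTED
2024-04-02T09:10:44 B1002 archive GRANTED
2024-04-02T09:30:01 B1003 archive GRANTED
2024-04-02T22:15:37 B1003 server-room GRANTED
2024-04-03T07:40:09 B1001 archive GRANTED
2024-04-03T11:02:50 B9999 server-room GRANTED
2024-04-03T11:05:13 B1001 server-room DENIED
"""


def review_entry_log(log: str, authorised: dict, business_hours=(7, 19)):
    """Reconcile granted entries against the authorised list.

    Returns a list of (log line, reason) findings for the reviewer:
    badges not on the list, use after the revocation date, entry to an
    area the holder is not authorised for, and entry outside business hours.
    """
    findings = []
    for line in log.splitlines():
        ts, badge, area, result = line.split()
        when = datetime.fromisoformat(ts)
        if result != "GRANTED":
            continue  # a DENIED event means the reader did its job; not a finding here
        rec = authorised.get(badge)
        if rec is None:
            findings.append((line, "badge not on authorised list"))
            continue
        until = rec["access_until"]
        if until and when.date() > datetime.fromisoformat(until).date():
            findings.append((line, f"access used after revocation date {until}"))
        if area not in rec["areas"]:
            findings.append((line, f"not authorised for area '{area}'"))
        if not (business_hours[0] <= when.hour < business_hours[1]):
            findings.append((line, "entry outside business hours"))
    return findings
```

A stale leaver badge still working after its revocation date is exactly the gap the HR and revocation tips above are meant to close, and it only surfaces if someone joins the entry log to the access list.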

Cross-framework mappings

How Annex A 7.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Partially meets (4)

  • ISM-0225: ISM-0225 requires that unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas to reduce eavesdropping/exfiltrati...
  • ISM-0810: ISM-0810 requires classified systems to be hosted in facilities that meet the requirements for a security zone appropriate to their class...
  • ISM-1105: ISM-1105 requires that wall outlet boxes used for SECRET and TOP SECRET contain only cables of the same classification, preventing cross-...
  • ISM-2070: ISM-2070 requires organisations to prevent unauthorised photographic and video recording devices from being brought into SECRET and TOP S...

Partially overlaps (7)

  • ISM-0306: Annex A 7.2 requires secure areas to be protected by entry controls so only authorised people can enter
  • ISM-0813: Annex A 7.2 requires secure areas to be protected by appropriate entry controls and managed access points so only authorised people can e...
  • ISM-1053: Annex A 7.2 requires protecting secure areas through appropriate entry controls and access points
  • ISM-1074: Annex A 7.2 requires organisations to protect secure areas through controlled entry and access points
  • ISM-1296: ISM-1296 requires physical security to prevent unauthorised access to network devices in public areas and to reduce the likelihood of tam...
  • ISM-1327: ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an...
  • ISM-1975: ISM-1975 requires non-classified servers, network devices and cryptographic equipment to be secured in suitably secure security container...

Supports (6)

  • ISM-0161: ISM-0161 requires IT equipment and media to be secured when not in use to prevent unauthorised access
  • ISM-0345: ISM-0345 requires disabling DMA-capable external interfaces to mitigate direct memory access attacks that often require physical connecti...
  • ISM-0418: Annex A 7.2 requires controlling entry to secure areas so only authorised people can gain access
  • ISM-1957: ISM-1957 requires that Microsoft AD CS CA private keys are stored and protected in an HSM
  • ISM-1973: Annex A 7.2 requires secure areas to be protected by appropriate entry controls and controlled access points
  • ISM-2007: ISM-2007 requires organisations to control medical devices in SECRET and TOP SECRET areas by maintaining and verifying an authorised devi...

Depends on (1)

  • ISM-1974: ISM-1974 requires non-classified servers, network devices, and cryptographic equipment to be secured in suitably secure server rooms or c...

Related (1)

  • ISM-0164: ISM-0164 requires preventing unauthorised viewing of workstation displays and keyboards inside facilities
