Physical Security for Offices and Facilities
Ensure physical security to prevent unauthorized access to offices and facilities.
Plain language
This control is about keeping your office and facilities secure so only the right people can get in. It's important because if unauthorised people get in, they could steal information, cause damage, or disrupt your operations.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Physical controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Physical security for offices, rooms and facilities shall be designed and implemented.
Why it matters
Without strong physical security, intruders can bypass digital defences, access sensitive equipment, and compromise or steal critical data.
Operational notes
Regularly test and update locks, alarms and badge access; review visitor logs to prevent unauthorised entry.
Implementation tips
- Facilities management should work with the security function to site key areas (server and communications rooms, rooms where sensitive information is handled) where the public cannot easily reach or observe them. Review entry points and keep them few and well protected.
- Rooms in which confidential information is processed or discussed should be designed so that information does not leak outside them: soundproofing for meeting rooms, sight lines that keep screens and whiteboards out of view from windows and corridors, and electromagnetic shielding where the risk assessment justifies it. Check periodically that these measures remain in place and effective.
- Facilities managers should keep the building exterior unobtrusive. Avoid signage, logos or other visual or audible indicators that reveal the sensitive nature of the work done inside.
- HR and facilities should control the distribution of internal directories and floor plans that identify where sensitive information is processed. Make them available only to authorised personnel, for example on access-controlled internal systems rather than as paper copies.
- The security officer should install intruder alarms and video surveillance covering critical areas, and ensure they are correctly configured, regularly tested and monitored so that an attempted breach is detected and responded to.
Audit / evidence tips
- Ask: the building security plan or physical security risk assessment. Good: a documented plan with clearly defined access controls and designated secure zones.
- Ask: records of maintenance and periodic testing of locks, alarms, badge access and other security systems.
- Ask: to see the directories or floor plans that identify secure locations, and how access to them is restricted.
- Ask: about measures against information leaking out of secure rooms through sound, sight lines or electromagnetic emanations.
- Ask: to see video surveillance policies and logs.
Cross-framework mappings
How Annex A 7.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes |
|---|---|
| Partially meets (19) | |
| ISM-0194 | ISM-0194 requires using a visible smear of conduit glue to seal plastic conduit joints and TOP SECRET conduits connected by threaded lock... |
| ISM-0198 | ISM-0198 requires that when an organisation intends to penetrate (i.e |
| ISM-0216 | ISM-0216 mandates a specific physical protection measure for TOP SECRET communications infrastructure by requiring patch panels to be hou... |
| ISM-0225 | ISM-0225 mandates preventing unauthorised RF/IR devices from entering SECRET and TOP SECRET areas |
| ISM-0735 | ISM-0735 requires classified systems to be kept in secure locations appropriate to their classification level, focusing on facility-level... |
| ISM-0810 | Annex A 7.3 requires physical security for offices, rooms and facilities to be designed and implemented |
| ISM-0813 | Annex A 7.3 requires the design and implementation of physical security for offices, rooms and facilities to prevent unauthorised access |
| ISM-1036 | ISM-1036 requires organisations to position MFDs so their use is observable, providing physical oversight of printing, scanning and copyi... |
| ISM-1053 | Annex A 7.3 requires physical security for offices, rooms and facilities to be designed and implemented to control physical access |
| ISM-1107 | ISM-1107 mandates a facility visual-identification convention by prohibiting salmon pink or red colouring on certain wall outlet boxes to... |
| ISM-1116 | ISM-1116 requires a visible gap between TOP SECRET and non-TOP SECRET cabinets as a physical security and handling safeguard for classifi... |
| ISM-1130 | ISM-1130 addresses a specific physical security design requirement for cabling in shared facilities by mandating enclosed cable reticulat... |
| ISM-1164 | ISM-1164 mandates a specific physical design choice in shared facilities: using clear plastic covers/trays/fittings to ensure cable pathw... |
| ISM-1296 | ISM-1296 requires physical security to protect network devices located in public areas from physical damage or unauthorised access |
| ISM-1645 | ISM-1645 requires organisations to develop, maintain, and regularly verify floor plan diagrams to ensure they remain accurate and usable |
| ISM-1720 | ISM-1720 mandates a specific identification standard: SECRET wall outlet boxes are salmon pink to support correct handling within facilities |
| ISM-1973 | Annex A 7.3 requires physical security for offices, rooms and facilities to be designed and implemented to prevent unauthorised access |
| ISM-1974 | Annex A 7.3 requires an organisation-wide approach to designing and implementing physical security for offices, rooms and facilities |
| ISM-1975 | Annex A 7.3 requires physical security controls to protect offices, rooms and facilities from unauthorised access |
| Partially overlaps (1) | |
| ISM-1327 | ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an... |
| Supports (1) | |
| ISM-0161 | ISM-0161 requires physical protection of IT equipment and media when they are not actively being used |
| Related (1) | |
| ISM-0164 | ISM-0164 requires that unauthorised individuals cannot observe system displays and keyboards within facilities |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.