Protecting against physical and environmental threats
Plan and implement actions to prevent damage from natural and human threats to physical infrastructure.
Plain language
This control means setting up safeguards to protect your business’s physical infrastructure from potential hazards like natural disasters or intentional harm. Imagine a flood or fire hitting your office unexpectedly; without preparations, your important documents and systems could be destroyed, potentially halting operations and leading to significant losses.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Physical controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.
Why it matters
Without protections for fire, flood, power loss or unauthorised access, facilities and equipment may be damaged, causing outages, data loss and major financial/reputational harm.
Operational notes
Test and maintain controls for fire, flood and power events (alarms, UPS/generators, HVAC, leak detection), and review site risks and physical access arrangements after changes.
Implementation tips
- The Facilities Manager should assess the location and physical condition of your premises. This includes checking for risks of floods, fires, and other environmental threats and considering relocation or structural improvements if significant risks are identified. Use local risk assessments and expert advice as outlined in the ISO 27002:2022 guidance.
- The IT Manager should implement measures to protect data and equipment from physical damage. This can include installing fire alarms, water detection systems and surge protectors that comply with the ISO standards, and consulting Australian regulations such as the Privacy Act 1988 when handling sensitive data.
- An Operations Manager needs to develop and maintain an emergency response plan. This plan should cover evacuation procedures, contact lists, and business continuity actions, ensuring everyone knows their role and can access the plan easily.
- The Board should allocate budget and resources for necessary physical security upgrades. This might involve investing in secure storage solutions like safes or protective boundary features suggested by crime prevention through environmental design principles.
- Human Resources should conduct regular training for staff on recognising and responding to physical threats. Use practical drills to familiarise staff with emergency procedures, enhancing preparedness for dealing with incidents such as fire or civil unrest.
Audit / evidence tips
- Request the most recent risk assessment reports related to physical and environmental threats.
- Ask for documentation on emergency response plans and training schedules.
- Request maintenance records for physical security systems like fire alarms or water sensors.
- Ask for incident reports related to physical security breaches or threats.
- Request to see documentation of board-level discussions on physical security upgrades.
Cross-framework mappings
How Annex A 7.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes |
|---|---|
| Partially meets (2) | |
| ISM-1164 | ISM-1164 requires clear plastic cable containment in shared facilities to improve visibility and make concealed physical interference wit... |
| ISM-1645 | ISM-1645 requires organisations to develop, maintain, and regularly verify floor plan diagrams to ensure the diagrams accurately represen... |
| Partially overlaps (4) | |
| ISM-0734 | Annex A 7.5 requires organisations to design and implement protection against physical and environmental threats, including natural disas... |
| ISM-0735 | ISM-0735 addresses keeping classified systems in secure locations suitable for their classification, which includes ensuring the environm... |
| ISM-1119 | ISM-1119 requires cables in TOP SECRET areas to be fully inspectable for their entire length to reduce the risk of undetected physical co... |
| ISM-1296 | ISM-1296 requires protecting network devices in public areas from physical damage and unauthorised access. |
| Supports (2) | |
| ISM-0810 | Annex A 7.5 requires organisations to implement protections against physical and environmental threats to infrastructure. |
| ISM-1053 | Annex A 7.5 requires organisations to protect infrastructure from physical and environmental threats through appropriate design and imple... |
| Related (10) | |
| ISM-0164 | Annex A 7.5 requires organisations to implement protections against physical threats that could compromise information and infrastructure. |
| ISM-0194 | Annex A 7.5 requires protection against physical threats to infrastructure, including preventing unauthorised physical access or tampering. |
| ISM-0195 | Annex A 7.5 requires protections to prevent or reduce harm from intentional or unintentional physical threats to infrastructure. |
| ISM-0216 | Annex A 7.5 requires organisations to implement protections against physical threats to infrastructure, including preventing unauthorised... |
| ISM-0813 | Annex A 7.5 requires organisations to design and implement protections against physical and environmental threats to infrastructure. |
| ISM-0829 | Annex A 7.5 requires protections against intentional physical threats to infrastructure. |
| ISM-1074 | Annex A 7.5 requires safeguards that protect infrastructure from physical threats and environmental events. |
| ISM-1116 | Annex A 7.5 requires organisations to design and implement measures that protect physical infrastructure from threats, including preventi... |
| ISM-1973 | Annex A 7.5 requires organisations to implement protections against physical threats (e.g... |
| ISM-1975 | Annex A 7.5 requires design and implementation of protections against physical threats to infrastructure and equipment. |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.