Security Measures for Working in Secure Areas
Implement security measures to control and protect activities in secure areas.
🏛️ Framework
ISO/IEC 27001:2022
🧭 Control effect
Preventative
🧱 ISO 27001 domain
Physical controls
🔐 Classifications
N/A
🗓️ Official last update
24 Oct 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 Maturity levels
N/A
Security measures for working in secure areas shall be designed and implemented.
Source: ISO/IEC 27001:2022
Plain language
This control is about making sure that rooms or areas in your business that need to be secure (a server room or records store, for example) stay secure while people are working in them, not only when they are locked up. If work in these areas isn't controlled, sensitive information or valuable assets can be exposed, damaged or stolen, leading to financial loss or damage to your reputation.
Why it matters
Poor control of secure areas can lead to unauthorised access, device misuse, and data breaches, harming reputation and finances.
Operational notes
Audit secure-area work, supervise entry and visitors, restrict devices, and enforce clean-desk, screen-locking, and secure handling/disposal of sensitive media.
Implementation tips
- The facilities manager should limit access to secure areas by issuing access cards or keys only to authorised personnel. They can do this by maintaining a register of who currently holds access, reviewing it regularly and whenever someone changes role or leaves, so that only current employees who need access keep it, and revoking cards or keys promptly when they do not.
- The IT manager needs to ensure that any devices brought into secure areas are controlled. This can be done with a policy that requires personal and portable devices to be registered and checked for recording or exfiltration capabilities (cameras, microphones, removable storage, wireless interfaces) and that prohibits such devices unless specifically authorised.
- Supervisors should ensure that no one is working alone in secure areas without oversight. This can be done by implementing a buddy system or scheduling multiple employees to work together in these areas, reducing both safety risks and the opportunity for misconduct.
- Security personnel should inspect vacant secure areas regularly to ensure everything is intact and nothing has been tampered with. This involves setting up a regular inspection schedule and maintaining a checklist of what to look for during these inspections.
- The HR department needs to make sure all employees are aware of emergency procedures and restrictions in secure areas. This can be achieved by holding regular training sessions and displaying procedures prominently within these areas in line with the ISO 27002:2022 guidance.
Audit / evidence tips
- Ask: Request access logs for secure areas.
  Good: Logs should show that only authorised personnel have accessed the secure areas and that access is logged consistently.
- Ask: Ask to see the policy on carrying and using devices in secure areas.
  Good: The policy should have clear rules that are communicated to employees and provide guidance on how to comply with restrictions.
- Ask: Request the training schedule and materials for personnel working in secure areas.
  Good: There should be a well-documented training program with evidence of attendance by all relevant staff.
- Ask: Ask for records of inspections of vacant secure areas.
  Good: Records should confirm that regular inspections occur and note any issues found and resolved promptly.
- Ask: Inquire about the buddy system or supervision logs for personnel in secure areas.
  Good: The presence of regular supervision or a working buddy system is documented and consistently followed.
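Checking the evidence above mostly comes down to reconciling three records against each other: the badge-reader log, the access roster from the implementation tips, and the supervision or buddy-system records. The script below is an added example of that reconciliation, not part of the Annex A text or any badge-system product. The log line format, the area name, the roster and the badge-holder names are all constructed for illustration; a real export will differ, so only parse_log() would need adapting. It flags entries by people who are not on the roster, lone-working periods longer than a threshold, and rostered holders who never used their access during the period (candidates for revocation at the next review).

```python
"""Secure-area access-log review (added example, constructed data).
Reconciles a badge-reader log against the access roster, flags lone
working, and lists roster entries that were never used."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access roster: area -> badge holders currently authorised.
AUTHORISED = {"server-room": {"alice", "bob", "carol", "erin"}}

# Constructed badge-reader export: "<ISO timestamp> <area> <holder> <IN|OUT>".
# One deliberately malformed line is included to show it is skipped, not trusted.
SAMPLE_LOG = """\
2026-02-20T08:55:12 server-room alice IN
2026-02-20T09:01:40 server-room bob IN
2026-02-20T10:30:05 server-room alice OUT
2026-02-20T11:45:00 server-room bob OUT
2026-02-20T13:02:10 server-room dave IN
2026-02-20T13:20:33 server-room dave OUT
2026-02-20T22:10:00 server-room carol IN
reader 3 reported a checksum error on this record
2026-02-20T23:40:00 server-room carol OUT
"""


def parse_log(text):
    """Return (timestamp, area, holder, event) tuples, oldest first.
    Malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("IN", "OUT"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return sorted(events)


def unauthorised_entries(events, roster):
    """(area, holder) pairs where someone entered an area they are not rostered
    for. Any hit means the badge system and the roster disagree: investigate."""
    return sorted({(area, holder) for _, area, holder, ev in events
                   if ev == "IN" and holder not in roster.get(area, set())})


def lone_working(events, min_minutes=30):
    """Periods of at least min_minutes where exactly one person was inside an
    area, as (area, holder, start, end). Compare against supervision or
    buddy-system records; an unclosed period at the end of the log is not
    reported, so check the log period ends with the area empty."""
    by_area = defaultdict(list)
    for ev in events:
        by_area[ev[1]].append(ev)
    findings = []
    for area, evs in by_area.items():
        inside = set()
        solo_since = None            # (time, holder) when occupancy dropped to one
        for ts, _, holder, kind in evs:
            if kind == "IN":
                inside.add(holder)
            else:
                inside.discard(holder)   # OUT without a matching IN still clears them
            if len(inside) == 1:
                if solo_since is None:
                    solo_since = (ts, next(iter(inside)))
            elif solo_since is not None:
                start, alone = solo_since
                if ts - start >= timedelta(minutes=min_minutes):
                    findings.append((area, alone, start, ts))
                solo_since = None
    return findings


def unused_access(events, roster):
    """Rostered holders with no IN event in the log period: candidates for
    revocation at the periodic access review."""
    seen = {(area, holder) for _, area, holder, ev in events if ev == "IN"}
    return sorted((area, holder) for area, holders in roster.items()
                  for holder in holders if (area, holder) not in seen)


def review(log_text, roster):
    """Run all three checks and return one report dict."""
    events = parse_log(log_text)
    return {
        "unauthorised": unauthorised_entries(events, roster),
        "lone_working": lone_working(events),
        "unused_access": unused_access(events, roster),
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG, AUTHORISED).items():
        print(f"{check}: {hits}")
```

On the constructed data the report lists dave as an unauthorised entry, bob and carol as lone-working periods (about 75 and 90 minutes), and erin as a rostered holder who never used the access. Each of those is a question for the auditor rather than a finding in itself: dave may have been escorted, carol may have a logged supervisor, erin may be on leave; the point is that the three records are reconciled so that the exceptions are visible and have to be explained.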
Cross-framework mappings
How Annex A 7.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (10) | ||
| ISM-0218 | ISM-0218 mandates a physical protection and identification method for long TOP SECRET fibre-optic fly leads (protective, easily inspected... | |
| ISM-0236 | ISM-0236 requires organisations to implement off-hook audio protection on telephone systems in areas where background conversations may e... | |
| ISM-0559 | ISM-0559 requires that microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET ... | |
| ISM-0829 | ISM-0829 requires security measures to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas | |
| ISM-0931 | ISM-0931 requires that, in SECRET and TOP SECRET areas, push-to-talk handsets or headsets are used to meet off-hook audio protection requ... | |
| ISM-1013 | ISM-1013 requires RF shielding to limit the effective range of SECRET or TOP SECRET wireless networks outside the organisation’s area of ... | |
| ISM-1101 | ISM-1101 requires a specific security measure for TOP SECRET environments: terminating cable reticulation systems as close as possible to... | |
| ISM-1103 | ISM-1103 mandates a specific physical security measure for TOP SECRET secure areas: terminating cabling at the cabinet boundary when cabi... | |
| ISM-1450 | ISM-1450 requires that microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP... | |
| ISM-1720 | ISM-1720 requires SECRET wall outlet boxes to be coloured salmon pink so personnel can correctly and quickly identify the required securi... | |
| Partially overlaps (2) | ||
| ISM-0735 | ISM-0735 requires classified systems to be housed in secure locations commensurate with their classification, implying controlled environ... | |
| ISM-1137 | ISM-1137 requires system owners of SECRET or TOP SECRET systems to contact ASD for an emanation threat assessment | |
| Supports (3) | ||
| ISM-1721 | ISM-1721 requires TOP SECRET wall outlet boxes to be coloured red for clear identification in secure spaces | |
| ISM-1821 | ISM-1821 requires physical separation of TOP SECRET cabling by using dedicated bundles or conduits | |
| ISM-1885 | ISM-1885 requires system owners to implement TEMPEST requirement statements to reduce the risk of electromagnetic/emanations-based inform... | |
| Related (6) | ||
| ISM-0164 | Annex A 7.6 requires security measures to control and protect activities in secure areas, including preventing information exposure durin... | |
| ISM-0225 | Annex A 7.6 requires security measures to be designed and implemented for working in secure areas to protect activities and information | |
| ISM-1635 | ISM-1635 requires system owners to implement controls for systems and their operating environments | |
| ISM-2008 | Annex A 7.6 requires organisations to implement security measures governing work practices within secure areas | |
| ISM-2069 | Annex A 7.6 requires the design and implementation of security measures that control and protect work within secure areas | |
| ISM-2070 | Annex A 7.6 requires security measures to be designed and implemented for working in secure areas to protect activities occurring there | |