ISO/IEC 27001:2022 Annex A 7.6

Security Measures for Working in Secure Areas

Implement security measures to control and protect activities in secure areas.

Plain language

This control is about making sure that any rooms or areas in your business that need to be secure stay that way. It's important because if these areas aren't properly managed, sensitive information or valuable assets can be exposed to damage or theft, leading to financial loss or damage to your reputation.

Framework

ISO/IEC 27001:2022

Control effect

Preventative

ISO 27001 domain

Physical controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

Security measures for working in secure areas shall be designed and implemented.
ISO/IEC 27001:2022 Annex A 7.6

Why it matters

Poor control of secure areas can lead to unauthorised access, device misuse, and data breaches, harming reputation and finances.

Operational notes

Audit secure-area work, supervise entry and visitors, restrict devices, and enforce clean-desk, screen-locking, and secure handling/disposal of sensitive media.

Implementation tips

  • The facilities manager should limit access to secure areas by issuing access cards or keys only to authorised personnel. They can do this by maintaining a log of who has access and reviewing this regularly to ensure only current employees who need access have it.
  • The IT manager needs to ensure that any devices taken into secure areas are monitored and controlled. This can be done by setting up policies that require devices to be registered and checked for any unauthorised recording capabilities that might be used to breach security.
  • Supervisors should ensure that no one is working alone in secure areas without oversight. This can be done by implementing a buddy system or scheduling multiple employees to work together in these areas, reducing both safety risks and the opportunity for misconduct.
  • Security personnel should inspect vacant secure areas regularly to ensure everything is intact and nothing has been tampered with. This involves setting up a regular inspection schedule and maintaining a checklist of what to look for during these inspections.
  • The HR department needs to make sure all employees are aware of emergency procedures and restrictions in secure areas. This can be achieved by holding regular training sessions and displaying procedures prominently within these areas in line with the ISO 27002:2022 guidance.
Audit / evidence tips

  • Ask: Request access logs for secure areas. Good: Logs should show that only authorised personnel have accessed the secure areas and that access is logged consistently.
  • Ask: Ask to see the policy on carrying and using devices in secure areas. Good: The policy should have clear rules that are communicated to employees and provide guidance on how to comply with restrictions.
  • Ask: Request the training schedule and materials for personnel working in secure areas. Good: There should be a well-documented training program with evidence of attendance by all relevant staff.
  • Ask: Ask for records of inspections of vacant secure areas. Good: Records should confirm that regular inspections occur and note any issues found and resolved promptly.
  • Ask: Inquire about the buddy system or supervision logs for personnel in secure areas. Good: The presence of regular supervision or a working buddy system is documented and consistently followed.
Cross-framework mappings

How Annex A 7.6 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Control and notes

Partially meets (6)
  • ISM-0218: ISM-0218 mandates a physical protection and identification method for long TOP SECRET fibre-optic fly leads (protective, easily inspected...
  • ISM-0236: ISM-0236 requires organisations to implement off-hook audio protection on telephone systems in areas where background conversations may e...
  • ISM-0931: ISM-0931 requires that, in SECRET and TOP SECRET areas, push-to-talk handsets or headsets are used to meet off-hook audio protection requ...
  • ISM-1013: ISM-1013 requires RF shielding to limit the effective range of SECRET or TOP SECRET wireless networks outside the organisation’s area of ...
  • ISM-1101: ISM-1101 requires a specific security measure for TOP SECRET environments: terminating cable reticulation systems as close as possible to...
  • ISM-1720: ISM-1720 requires SECRET wall outlet boxes to be coloured salmon pink so personnel can correctly and quickly identify the required securi...

Partially overlaps (5)
  • ISM-0735: ISM-0735 requires classified systems to be housed in secure locations commensurate with their classification, implying controlled environ...
  • ISM-0810: Annex A 7.6 requires organisations to design and implement security measures for working in secure areas to protect sensitive activities ...
  • ISM-1137: ISM-1137 requires system owners of SECRET or TOP SECRET systems to contact ASD for an emanation threat assessment.
  • ISM-1296: Annex A 7.6 concerns security within secure areas, not public spaces.
  • ISM-1973: Annex A 7.6 requires organisations to implement security measures governing activities and behaviours when working in secure areas.

Supports (3)
  • ISM-1721: ISM-1721 requires TOP SECRET wall outlet boxes to be coloured red for clear identification in secure spaces.
  • ISM-1821: ISM-1821 requires physical separation of TOP SECRET cabling by using dedicated bundles or conduits.
  • ISM-1885: ISM-1885 requires system owners to implement TEMPEST requirement statements to reduce the risk of electromagnetic/emanations-based inform...

Related (10)
  • ISM-0164: Annex A 7.6 requires security measures to control and protect activities in secure areas, including preventing information exposure durin...
  • ISM-0225: Annex A 7.6 requires organisations to design and implement security measures to control and protect how people work within secure areas.
  • ISM-0559: Annex A 7.6 requires organisations to implement controls for working in secure areas that prevent compromise of sensitive information and...
  • ISM-0829: Annex A 7.6 requires security measures that protect activities conducted in secure areas, including controls to prevent, detect, and resp...
  • ISM-1103: Annex A 7.6 requires security measures to control and protect work conducted in secure areas, including protecting supporting infrastruct...
  • ISM-1450: Annex A 7.6 requires organisations to implement security measures governing what is permitted when working in secure areas.
  • ISM-1635: ISM-1635 requires system owners to implement controls for systems and their operating environments.
  • ISM-2008: Annex A 7.6 requires organisations to implement security measures governing work practices within secure areas.
  • ISM-2069: Annex A 7.6 requires the design and implementation of security measures that control and protect work within secure areas.
  • ISM-2070: Annex A 7.6 requires measures to control and protect activities and behaviours within secure areas.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Want to implement this control?

Mindset Cyber runs PECB-accredited ISO/IEC 27001 training that maps directly to the controls in this library.