Physical Controls in ISO 27001

The Essential Measures for Information Security


ISO 27001 is the international standard for information security management systems (ISMS). It defines requirements for the implementation and maintenance of an ISMS to protect the confidentiality, integrity, and availability of information.


To ensure that information in organisations is properly protected, a comprehensive information security management system (ISMS) should be implemented. An ISMS consists of a set of measures that help to ensure the security of information.


Physical controls are an essential part of an ISMS. This control set helps you to protect yourself from physical and environmental threats such as theft, natural disasters, and intentional destruction.


Control Categories from Annex A: Organizational, People, Physical, and Technological

Annex A of ISO 27001:2022 contains a list of 93 controls that organisations can implement to improve their information security. These controls are divided into four categories:

  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls


This article focuses on the physical controls from Annex A of ISO 27001:2022.


What are physical controls?

Physical controls cover areas such as security monitoring, equipment maintenance, facility security, and storage media. This set of controls contains measures that protect the physical security of information and information systems. They include measures to secure buildings, rooms, and facilities, to control access to these areas, and to prevent damage to information systems.


Physical measures ensure that the organisation's premises and storage media are maintained, monitored, and protected from unauthorised access and destruction.


Physical controls include, among others:

  • Protecting all physical premises and controlling access to prevent unauthorised access and damage.
  • Protecting premises and information from physical and environmental damage.
  • Providing secure workplaces to protect information in secure areas from damage.
  • Establishing guidelines for handling equipment and storage media to avoid damage, loss, or theft.

ISO 27001: New physical controls

ISO 27001:2022 includes a new physical measure that responds to the current information security challenges. That is:


7.4: Physical security monitoring: Organisations should constantly monitor their physical premises to prevent unauthorised access.


What physical controls are there?

Physical controls are a key part of a comprehensive information security strategy, which is particularly focused on the appropriate securing of premises, access, and storage of information. The area includes 14 measures that you can implement.


We have created a list with a comprehensive overview of all physical controls from Annex A of ISO 27001 (all fourteen belong to the "Physical Controls" category):

  • Annex A 7.1: Physical Security Perimeters
  • Annex A 7.2: Physical Entry
  • Annex A 7.3: Securing Offices, Rooms and Facilities
  • Annex A 7.4: Physical Security Monitoring
  • Annex A 7.5: Protecting Against Physical and Environmental Threats
  • Annex A 7.6: Working In Secure Areas
  • Annex A 7.7: Clear Desk and Clear Screen
  • Annex A 7.8: Equipment Siting and Protection
  • Annex A 7.9: Security of Assets Off-Premises
  • Annex A 7.10: Storage Media
  • Annex A 7.11: Supporting Utilities
  • Annex A 7.12: Cabling Security
  • Annex A 7.13: Equipment Maintenance
  • Annex A 7.14: Secure Disposal or Re-Use of Equipment


How are physical controls implemented?

The implementation of physical controls should be based on a risk assessment. The organisation should identify the potential threats to its information and information systems and then implement the appropriate controls to mitigate them.


The process of implementing physical controls can be divided into the following steps:


Risk assessment

The first phase identifies the potential threats to the organisation's information and information systems. The following factors can be considered:

  • External threats: theft, sabotage, natural disasters
  • Internal threats: employee errors, fraud, espionage

Control selection

After the risk assessment, the organisation can select the appropriate controls to mitigate the identified threats. It is important to weigh the costs and benefits of the controls.


Control design

In the third phase, the design of the controls is determined. This includes specifying the technical and organisational measures required to implement the controls.


Control implementation

In the fourth phase, the controls are implemented. This includes procuring and installing the necessary hardware and software, as well as training employees.


Control monitoring

The controls must be regularly monitored to ensure that they function properly and achieve the desired results. This includes regular audits and tests of the controls.


Physical controls to strengthen your information security

Physical controls play a vital role in ISMS by safeguarding information and information systems from physical threats such as theft, destruction, and damage.


The ISO 27001:2022 version considers the current challenges of information security and offers opportunities to establish an appropriate approach to current conditions.


To find the right controls for your organization, you can use our ISO 27001 checklist to learn about the measures you need to put in place to implement ISO 27001.
