Available at a fixed monthly cost

Get your quote today

What we offer at a glance

  • Get an external data protection officer
  • Audit of your data privacy status quo
  • GDPR support for small businesses and large corporations
  • Personal contact person & individual support
  • Easier communication with authorities
  • 100+ experts from the fields of law, economics & IT

Don't trust us, trust them:

Jedox  Logo Contact Demodesk Logo Contact Elevate Logo Contact Canon  Logo Contact CBTL Logo Contact Alasco  Logo Contact RightNow Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact

Learn more about our prices & services

or call us now: (020) 36956 452

ISO 27001 - Annex A.11 - Physical and Environmental Security

Physical and Environmental Security is a key factor in implementing and maintaining information security in an organisation. Annex a 11 of ISO 27001 guides organisations on how data breaches can occur in the physical environment and how precautions can be taken.

Even if you have the strongest firewalls, procedures and methodology, if there is a breach in physical security, issues may arise. This is why ISO 27001 covers more than only the application of technical controls. 

In this article, we take a look at the Annex that is designated for physical security, its objectives, controls, and how this Annex helps your organisation in your journey of information security.

What is Annex A 11?

Annex a 11 is the physical and environmental security of your organisation. Sometimes, organisations may be under the impression that data breaches, losses and cyber threats could only occur via technology. However, Annex a 11 of ISO 27001 brings light upon the physical landscape of the organisation that otherwise may be overlooked. 

Annex a 11 covers a range of controls that define and protect organisations from incidences that may occur in the physical landscape of an organisation such as:

  • Natural disasters
  • Theft
  • Intentional destruction
  • Unintentional destruction
  • hardware failures
  • Power failures

Instances such as theft and intentional destruction may occur due to unauthorised access, careless handling of records, improper disposal of records, etc.

These incidents can be prevented and avoided if adequate physical security measures are taken timely and the physical environment of the organisation is inspected frequently for its functionality.

There are two main controls under Annex a 11 that define the main reasons as to why it must be implemented in an organisation. 

What is the objective of Annex A 11?

Each of the two main controls under Annex a 11 have similar but different objectives. 

The two main controls are: A.11.1 Secure areas and A.11.2 Equipment.

Objective of  A.11.1 Secure areas

Physical and environmental security are at the core of Annex A.11.1. The objective of this  control is to prevent unauthorised physical access and damage to the organisation's stored data.

Objective of A.11.2 Equipment

Equipment is equally important as secure areas of Annex A.11.2. The objective of this control is to avoid asset loss, damage and or theft as well as disruption of business activities.

What is physical and environmental security?

Physical and environmental security refers to the precautions put in place to protect systems, buildings, and supporting equipment against physical threats. It refers to the protection of people's data, property data, and physical asset data against physical threats such natural disasters, theft, and intentional destruction.

Physical and environmental security, according to ISO 27001, are sometimes overlooked yet remain critical in safeguarding information.

There are three principles that organisations must follow when it comes to physical and environmental security. They are: physical deterrence, detection of intruders, and response to those risks. 

Let us go over these concepts in depth as they're included throughout Annex A 11's list of controls.

What are the Annex A 11 controls?

A.11.1.1 Physical Security Perimeter

Security perimeters as well as each parameter's location must be provided. Your organisation can use the risk assessment results, as well as the security needs of the assets within the perimeter, should be used to decide this. 

ISO 27001 defines a physical security perimeter as "any transition barrier between two locations with varying security protection demands." Therefore employees, persons who work from home, or an office may all have access to data that is designated as part of your physical security perimeter.

A.11.1.2 Physical Entry Controls

Once you have established physical security perimeters, you are required to install entry controls to manage who may move between secure areas of the premises.

Handheld metal detectors, walk-through metal detectors, swipe cards, and keycodes are all options for gaining access to different areas of your organisation. Different degrees of protection might be used in different sections of your organisation. The approach you take to build and administer security restrictions should align with the significance of the data you are storing.

A.11.1.3 Securing Offices, Rooms and Facilities

Annex A 11 focuses on an organisation's physical environment security (which means it does not just monitor the data it holds), but also focuses on safeguarding where that data is stored. 

Equipment containing sensitive information is kept in various rooms, offices, and facilities, and these locations may not be as secure as we believe. Even though the information contained on these devices is of lesser importance, any type of unauthorised access is harmful to the organisation.

Firstly, organisations must identify the equipment stored in these spaces and the types of data stored in them. Then they must grade the importance of each type of data set found on each device and implement security controls accordingly.

A.11.1.4 Protecting against External & Environmental Threats

This control is about how natural disasters such as fires, earthquakes, tsunamis, snowfall, and floods may damage an organisation's physical premises. This component is purely dependent on natural occurrences that might result in infrastructure damage and the loss of data storage devices like files, hard drives, and pen drives. 

The key to preventing your organisation from being damaged in such scenarios is to analyse the environment in which it operates and detect macro and micro external threats.

Following the analysis of these possibilities, it is recommended that your organisation take the required steps and measures to protect the physical premises of your organisation so that natural occurrences cause little to no harm on the premises.

A.11.1.5 Working in Secure Areas

Certain operations that must be completed inside an organisation may be restricted to senior employees alone. As a result, your company may need to isolate this type of work from the rest of the workforce and have it done in an undisclosed location. 

Any suspicious behaviour carried out by internal and external unauthorised access can be detected using surveillance cameras and screen monitors.

A.11.1.6 Delivery & Loading Areas

This control is not limited to businesses in the manufacturing industry. Even if you're a service provider, you may almost certainly have one or more delivery and loading areas on your premises. 

This area/areas might be utilised to unload new electronics gadgets, furniture, food, and other items that your company might purchase. Unauthorised persons can exploit this area/areas as a swift entry point into the premises, placing your organisation's physical and environmental safety at risk.

Your organisation must identify delivery and loading entry points and add security personnel, surveillance cameras, and a staff member to monitor the unloading and loading of items within the premises. 

If your company is housed in a shared workplace, such as a coworking space, you may be restricted to the security measures available at the point of entry. However, there should always be someone in the office who can immediately spot any suspicious conduct and take appropriate action before it occurs.

Why is physical and environmental security important for your organisation?

An organisation requires administrative, technological and physical control in order to carry out business operations smoothly. While it is important that an organisations digital assets and systems infrastructure are protected, organisations must also protect its physical environment that includes but is not limited to:

  • Offices, rooms and facilities
  • Delivery and loading areas
  • Entry and exit points of buildings
  • Physical data storage devices such as computers, hard drives and pen drives.

Paying attention to and protecting these physical components of the organisation will help improve overall information security implementation. This will help protect existing and new data sets of employees and customers that flow into the organisation.

Protecting your organisation's physical security's primary goal is to protect the company's most precious asset: its employees and customers.


Annex a 11 is one of the 114 controls in ISO 27001 that organisations can choose to adopt as part of their information security procedures. Physical security, on the other hand, is advised to be chosen as one of those controls, and should be prioritised since it protects your company from physical data breaches in the long run.

Annex a 11 and other controls are all important for your organisation's ISO 27001 implementation. ISO 27001 certification not only helps you showcase strong security procedures, it also gives you a competitive edge over your competitors.

If you are interested in setting up data privacy and information security procedures within your organisation and want to become ISO 27001 certified, schedule a no-obligation call with our Infosec specialists today.

Book an appointment



About the author