Navigating ISO 27001

Physical Controls in ISO 27001

The Essential Measures for Information Security

Get your free guide


Get your free guide

ISO 27001 is the international standard for information security management systems (ISMS). It defines requirements for the implementation and maintenance of an ISMS to protect the confidentiality, integrity, and availability of information.

To ensure that information in organisations is properly protected, a comprehensive information security management system (ISMS) should be implemented. An ISMS consists of a set of measures that help to ensure the security of information.

Physical controls are an essential part of an ISMS. This control set helps you to protect yourself from physical and environmental threats such as theft, natural disasters, and intentional destruction.

Control Categories from Annex A: Organizational, People, Physical, and Technological

Annex A of ISO 27001:2022 contains a list of 93 controls that organisations can implement to improve their information security. These controls are divided into four categories:

This article focuses on the physical controls from Annex A of ISO 27001:2022.

What are physical controls?

Physical controls include security monitoring, maintenance, facility security, and storage media. This set of controls contains measures that protect the physical security of information and information systems. They include measures to secure buildings, rooms, and facilities, to control access to these areas, and to prevent damage to information systems.

Physical measures ensure that the organisation's premises and storage media are maintained, monitored, and protected from unauthorised access and destruction.

Physical controls include, among others:

  • Protecting all physical premises and controlling access to prevent unauthorised access and damage.

  • Protecting premises and information from physical and environmental damage.

  • Providing secure workplaces to protect information in secure areas from damage.

  • Establishing guidelines for handling equipment and storage media to avoid damage, loss, or theft.

Get ready for the ISO 27001 audit with up to 75% less workload

100% first-try pass rate in external audits on ISO 27001 

Demo buchen
DG Seal ISO 27001

ISO 27001: New physical controls

ISO 27001:2022 includes a new physical measure that responds to the current information security challenges. That is:

7.4: Physical security monitoring: Organisations should constantly monitor their physical premises to prevent unauthorised access.

What physical controls are there?

Physical controls are a key part of a comprehensive information security strategy, which is particularly focused on the appropriate securing of premises, access, and storage of information. The area includes 14 measures that you can implement.

We have created a list with a comprehensive overview of all physical controls from Annex A of ISO 27001:

Physical Controls

Annex A 7.1

Physical Security Perimeters

Physical Controls

Annex A 7.2

Physical Entry

Physical Controls

Annex A 7.3

Securing Offices, Rooms and Facilities

Physical Controls

Annex A 7.4

Physical Security Monitoring

Physical Controls

Annex A 7.5

Protecting Against Physical and Environmental Threats

Physical Controls

Annex A 7.6

Working In Secure Areas

Physical Controls

Annex A 7.7

Clear Desk and Clear Screen

Physical Controls

Annex A 7.8

Equipment Siting and Protection

Physical Controls

Annex A 7.9

Security of Assets Off-Premises

Physical Controls

Annex A 7.10

Storage Media

Physical Controls

Annex A 7.11

Supporting Utilities

Physical Controls

Annex A 7.12

Cabling Security

Physical Controls

Annex A 7.13

Equipment Maintenance

Physical Controls

Annex A 7.14

Secure Disposal or Re-Use of Equipment

How are physical controls implemented?

The implementation of physical controls should be based on a risk assessment. The organisation should identify the potential threats to its information and information systems and then implement the appropriate controls to mitigate them.

The process of implementing physical controls can be divided into the following steps:

Risk assessment

The first phase identifies the potential threats to the organisation's information and information systems. The following factors can be considered:

  • External threats: theft, sabotage, natural disasters
  • Internal threats: employee errors, fraud, espionage

Control selection

After the risk assessment, the organisation can select the appropriate controls to mitigate the identified threats. It is important to weigh the costs and benefits of the controls.

Control design

In the third phase, the design of the controls is determined. This includes specifying the technical and organisational measures required to implement the controls.

Control implementation

In the fourth phase, the controls are implemented. This includes procuring and installing the necessary hardware and software, as well as training employees.

Control monitoring

The controls must be regularly monitored to ensure that they function properly and achieve the desired results. This includes regular audits and tests of the controls.

Physical controls to strengthen your information security

Physical controls play a vital role in ISMS by safeguarding information and information systems from physical threats such as theft, destruction, and damage.

The ISO 27001:2022 version considers the current challenges of information security and offers opportunities to establish an appropriate approach to current conditions.

To find the right controls for your organization, you can use our ISO 27001 checklist to learn about the measures you need to implement to implement ISO 27001.

Save Money with ISO 27001

up to 50%

Cheaper than external consultants


up to 300%

Increase your opt-in rate with Consent & Preference Management

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate


First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

Saves up to 100 hours

of manual work to get ISO 27001 certified or TISAX® labels

ISO 27001 Certification creates trust

Customers trust us

Book a demo




External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts



Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit



Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses

Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.