Your-ultimate-guide-to-ISO-27001-Certification-Background

Navigating ISO 27001

Physical Controls in ISO 27001

The Essential Measures for Information Security

Get your free guide

 

Get your free guide

ISO 27001 is the international standard for information security management systems (ISMS). It defines requirements for the implementation and maintenance of an ISMS to protect the confidentiality, integrity, and availability of information.

To ensure that information in organisations is properly protected, a comprehensive information security management system (ISMS) should be implemented. An ISMS consists of a set of measures that help to ensure the security of information.

Physical controls are an essential part of an ISMS. This control set helps you to protect yourself from physical and environmental threats such as theft, natural disasters, and intentional destruction.

Control Categories from Annex A: Organizational, People, Physical, and Technological

Annex A of ISO 27001:2022 contains a list of 93 controls that organisations can implement to improve their information security. These controls are divided into four categories:

  • Organizational controls

  • Personnel controls

  • Technological controls

  • Physical controls

This article focuses on the physical controls from Annex A of ISO 27001:2022.

What are physical controls?

Physical controls include security monitoring, maintenance, facility security, and storage media. This set of controls contains measures that protect the physical security of information and information systems. They include measures to secure buildings, rooms, and facilities, to control access to these areas, and to prevent damage to information systems.

Physical measures ensure that the organisation's premises and storage media are maintained, monitored, and protected from unauthorised access and destruction.

Physical controls include, among others:

  • Protecting all physical premises and controlling access to prevent unauthorised access and damage.

  • Protecting premises and information from physical and environmental damage.

  • Providing secure workplaces to protect information in secure areas from damage.

  • Establishing guidelines for handling equipment and storage media to avoid damage, loss, or theft.

Get ready for the ISO 27001 audit with up to 75% less workload

100% first-try pass rate in external audits on ISO 27001 

Demo buchen
DG Seal ISO 27001

ISO 27001: New physical controls

ISO 27001:2022 includes a new physical measure that responds to the current information security challenges. That is:

7.4: Physical security monitoring: Organisations should constantly monitor their physical premises to prevent unauthorised access.

What physical controls are there?

Physical controls are a key part of a comprehensive information security strategy, which is particularly focused on the appropriate securing of premises, access, and storage of information. The area includes 14 measures that you can implement.

We have created a list with a comprehensive overview of all physical controls from Annex A of ISO 27001:

Physical Controls

Annex A 7.1

Physical Security Perimeters

Physical Controls

Annex A 7.2

Physical Entry

Physical Controls

Annex A 7.3

Securing Offices, Rooms and Facilities

Physical Controls

Annex A 7.4

Physical Security Monitoring

Physical Controls

Annex A 7.5

Protecting Against Physical and Environmental Threats

Physical Controls

Annex A 7.6

Working In Secure Areas

Physical Controls

Annex A 7.7

Clear Desk and Clear Screen

Physical Controls

Annex A 7.8

Equipment Siting and Protection

Physical Controls

Annex A 7.9

Security of Assets Off-Premises

Physical Controls

Annex A 7.10

Storage Media

Physical Controls

Annex A 7.11

Supporting Utilities

Physical Controls

Annex A 7.12

Cabling Security

Physical Controls

Annex A 7.13

Equipment Maintenance

Physical Controls

Annex A 7.14

Secure Disposal or Re-Use of Equipment

How are physical controls implemented?

The implementation of physical controls should be based on a risk assessment. The organisation should identify the potential threats to its information and information systems and then implement the appropriate controls to mitigate them.

The process of implementing physical controls can be divided into the following steps:

Risk assessment

The first phase identifies the potential threats to the organisation's information and information systems. The following factors can be considered:

  • External threats: theft, sabotage, natural disasters
  • Internal threats: employee errors, fraud, espionage

Control selection

After the risk assessment, the organisation can select the appropriate controls to mitigate the identified threats. It is important to weigh the costs and benefits of the controls.

Control design

In the third phase, the design of the controls is determined. This includes specifying the technical and organisational measures required to implement the controls.

Control implementation

In the fourth phase, the controls are implemented. This includes procuring and installing the necessary hardware and software, as well as training employees.

Control monitoring

The controls must be regularly monitored to ensure that they function properly and achieve the desired results. This includes regular audits and tests of the controls.

Physical controls to strengthen your information security

Physical controls play a vital role in ISMS by safeguarding information and information systems from physical threats such as theft, destruction, and damage.

The ISO 27001:2022 version considers the current challenges of information security and offers opportunities to establish an appropriate approach to current conditions.

To find the right controls for your organization, you can use our ISO 27001 checklist to learn about the measures you need to implement to implement ISO 27001.

Save Money with ISO 27001

up to 50%

Cheaper than external consultants

Opt-in

up to 300%

Increase your opt-in rate with Consent & Preference Management

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate

100%

First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

Saves up to 100 hours

of manual work to get ISO 27001 certified or TISAX® labels

ISO 27001 Certification creates trust

Customers trust us

Book a demo

P I C

p

PRIVACY

External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts

i

INFOSEC

Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit

c

COMPLIANCE

Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses
Templates

ISO 27001:2022 requirements

4.1 Understanding the organisation and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the ISMS

4.4 Information security management system (ISMS)

5.1 Leadership and commitment

5.2 Information security policy

5.3 Organisational roles, responsibilities and authorities

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

10.1 Nonconformity and corrective action

10.2 Continual improvement

 

ISO 27001 Annex A

 

Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.

 

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Transparent consent collection
  • Comply with GDPR, CCPA, LGPD, ePrivacy, and more
  • Consolidate consents across multiple touchpoints
  • Support from privacy experts
  • Integrates with your marketing tools and CRM

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Let's talk