AuditFront

ISO 27001 A.7.1: Physical security perimeters

What This Control Requires

Security perimeters shall be defined and used to protect areas that contain information and other associated assets.

In Plain Language

If someone can walk straight up to your server rack without passing through a single locked door, you have a problem. Physical security perimeters are the boundaries - walls, doors, fences, locked rooms - that separate sensitive areas from the rest of the world.

The idea is layered defence. Your building entrance is the first perimeter. Inside, the general office is the next layer. Then the server room, comms closet, or archive room sits behind yet another controlled boundary. Each layer should be harder to get through than the last.

How strong each perimeter needs to be depends on what it is protecting. A data centre housing production systems needs solid walls, electronic access control, and monitoring. A general office with laptops and a few filing cabinets needs less, but still needs something.

Auditors will look for a documented zoning plan that shows you have thought this through and that there are no obvious gaps someone could walk around.

How to Implement

Start with a physical security assessment. Walk the site and identify every area that holds sensitive information or processing equipment. Draw up a zoning map with clear categories: public areas (reception, lobbies), controlled areas (general office space), restricted areas (server rooms, network closets), and high-security areas (data centres, archive rooms).

For each zone, put appropriate barriers in place. External perimeters need solid construction, locked doors and windows, security fencing where applicable, and vehicle barriers for high-risk sites. Internal perimeters need walls that run from the structural floor to the structural ceiling - not partition walls that stop at a false ceiling and can be climbed over - plus controlled-access doors with proper locking mechanisms.

Fit access control at every entry point. Electronic badges or cards work for most zones. Add biometric readers for high-security areas. Use PIN keypads as a second factor where needed. For data centres, consider mantrap or airlock configurations. Staff the reception desk at the main entrance so that visitors are signed in and managed rather than simply let through.

Layer in detection and monitoring. Install intruder detection - door contacts, motion sensors, glass-break sensors, vibration sensors as appropriate. Put CCTV at entry points and along perimeters. Add security lighting around external boundaries. For high-value facilities, consider on-site security guards.

Sort out emergency access. Fire exits must meet safety regulations, so they cannot be locked against exit, but they should alarm when opened so security knows the perimeter has been breached. Define how you re-secure the perimeter after an emergency evacuation.

Inspect everything regularly. Check walls, doors, windows, and locks for damage. Verify that access control systems are working and that every entry point is still on the inventory. Test alarms and detection systems. Review CCTV coverage for blind spots. Fix deficiencies quickly - an auditor who spots a broken lock on a server room door will not be impressed.

Evidence Your Auditor Will Request

  • Physical security zoning plan or perimeter map
  • Access control system configuration and access point inventory
  • Intrusion detection system specifications and testing records
  • CCTV coverage maps and retention configuration
  • Physical security inspection reports and remediation records

Common Mistakes

  • Security perimeters are not defined or documented for the facility
  • Partition walls or false ceilings allow bypass of access-controlled doors
  • Emergency exits compromise perimeter security without compensating controls
  • Access control systems are not maintained and some entry points are uncontrolled
  • CCTV coverage has blind spots around critical perimeter areas

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC6.4           Equivalent
NIS2        Art.21(2)(a)    Partial overlap

Frequently Asked Questions

Do we need physical security perimeters for cloud-hosted environments?
If everything is in AWS or Azure, the cloud provider handles the data centre perimeters, and their SOC 2 report or ISO 27001 certificate is your evidence for that part. But you still need perimeters around your own offices, especially wherever network equipment, backup media, or sensitive documents live. Auditors will check both sides: the provider's physical controls (via their reports and certifications) and your own office security.
What about shared office spaces or co-working environments?
Co-working spaces make this trickier, but it is still doable. Lock down your specific area - use a private office or at minimum a locked cage for equipment. Enforce clean desk policies strictly. Store sensitive materials in locked cabinets. Use privacy screens on monitors. And make sure the building's own access controls meet a reasonable baseline. If they do not, document compensating controls like encrypted drives, VPN-only access, and stricter logical controls.
