AuditFront

ISO 27001 A.7.2: Physical entry

What This Control Requires

Secure areas shall be protected by appropriate entry controls and access points.

In Plain Language

Knowing who is in your building right now - and who was there last Tuesday at 2am - is fundamental to physical security. Entry controls make sure only the right people get into the right areas, and that you have a record of it. The level of control should match the sensitivity of the area. Badge access for the general office is fine. The server room needs a second factor - a PIN or biometric on top of the badge. A data centre might warrant a mantrap entry that physically prevents tailgating. This applies to everyone: employees, contractors, visitors, delivery drivers. Each group needs different rules. Auditors will want to see that you have thought through normal access, visitor handling, after-hours entry, and emergency situations - and that you are logging all of it.

How to Implement

Map entry controls to your security zones. General office areas get electronic badge readers at main entry points. Restricted areas like server rooms and network closets get two-factor physical authentication (badge plus PIN or badge plus biometric). High-security areas should have mantrap doors, anti-tailgating controls, and multi-factor authentication.

Set up a proper visitor management process. Register all visitors at reception before they enter controlled areas. Check government-issued ID. Issue temporary visitor badges that look obviously different from employee badges. Require escorts in restricted areas. Log entry and exit times. Collect badges when visitors leave.

Handle contractor and maintenance access with care. Pre-authorise visits through a formal request process. Verify identity on arrival. Issue temporary badges restricted to the relevant zones. Decide whether each contractor type needs an escort or can work unescorted, and document the rationale. Revoke temporary access the moment work is finished.

Set up delivery management. Designate a loading dock or reception area that is separated from secure zones. Inspect incoming deliveries before moving them into restricted areas. Log everything. Never let delivery personnel wander into restricted areas unescorted.

Keep access logs for every entry point. Electronic systems should log every badge swipe with a timestamp automatically. For manually controlled doors, maintain a sign-in sheet. Review logs regularly for red flags - unusual access times, repeated failed attempts, access by people who should not be in that zone. Define a retention period and stick to it.

Review physical access rights on a regular cycle. Confirm that each person's access matches their current role. Remove access for leavers and role-changers promptly. Audit active badges to make sure none belong to people who left six months ago. Test the entry controls periodically, including anti-tailgating measures.
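As an added illustration of the log review described above (example code, not part of AuditFront's guidance), the Python below applies the three red flags named in the text, plus the anti-passback rule discussed in the FAQ, to a constructed badge-reader export. The CSV layout, zone names, badge IDs, business hours and failure threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample badge-reader log (timestamp,badge,zone,event); not real data.
SAMPLE_LOG = """\
2024-03-05T08:55:10,B1001,office,granted
2024-03-05T09:03:01,B1002,server_room,granted
2024-03-05T09:03:40,B1002,server_room,granted
2024-03-05T12:10:05,B1003,server_room,denied
2024-03-05T12:10:12,B1003,server_room,denied
2024-03-05T12:10:20,B1003,server_room,denied
2024-03-05T17:30:00,B1001,office,exit
2024-03-06T02:14:33,B1001,server_room,granted
"""

# Constructed access-rights records: the zones each badge is authorised to enter.
AUTHORISED_ZONES = {
    "B1001": {"office"},
    "B1002": {"office", "server_room"},
    "B1003": {"office"},
}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 counts as a normal working hour (assumed)
FAILED_THRESHOLD = 3           # denials per badge and zone that raise a flag (assumed)


def parse_log(text):
    """Parse CSV lines into (timestamp, badge, zone, event) tuples, oldest first."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(ts), badge, zone, ev) for ts, badge, zone, ev in rows)


def review_access_log(text, authorised, hours=BUSINESS_HOURS, threshold=FAILED_THRESHOLD):
    """Return red flags as (rule, badge, zone, timestamp) tuples for a human reviewer."""
    findings = []
    denials = defaultdict(int)  # (badge, zone) -> number of refused swipes
    inside = defaultdict(set)   # badge -> zones entered without a logged exit
    for ts, badge, zone, event in parse_log(text):
        if event == "denied":
            denials[(badge, zone)] += 1
            if denials[(badge, zone)] == threshold:
                findings.append(("repeated_failed_attempts", badge, zone, ts))
        elif event == "exit":
            inside[badge].discard(zone)
        elif event == "granted":
            if ts.hour not in hours:
                findings.append(("after_hours_access", badge, zone, ts))
            if zone not in authorised.get(badge, set()):
                findings.append(("unauthorised_zone", badge, zone, ts))
            if zone in inside[badge]:  # re-entry with no exit swipe: anti-passback
                findings.append(("anti_passback_violation", badge, zone, ts))
            inside[badge].add(zone)
    return findings
```

Each finding keeps the badge, zone and timestamp so the reviewer can tie it back to the access-rights record for that person before deciding whether it is an incident or a logging gap.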

Evidence Your Auditor Will Request

  • Physical access control system configuration and entry point inventory
  • Visitor management procedures and sample visitor logs
  • Physical access rights records showing authorized personnel by zone
  • Access log reports showing entry and exit records
  • Physical access review records showing periodic verification of access rights

Common Mistakes

  • Tailgating is common and anti-tailgating controls are not implemented
  • Visitor management is informal with no logging or badge issuance
  • Physical access rights are not reviewed when personnel change roles or leave
  • Access logs are not monitored for anomalies or retained for a sufficient period
  • After-hours access to sensitive areas is not controlled or monitored

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC6.4          Equivalent
NIS2        Art.21(2)(a)   Partial overlap

Frequently Asked Questions

How do we prevent tailgating at access-controlled doors?
It depends on the risk level. For general office doors, awareness training and "do not hold the door" signage go a long way. Add anti-passback features in your access control system so a badge cannot be used twice in a row without exiting first. For higher-security zones, look at turnstiles, security revolving doors, or mantrap entries. Video analytics that flag tailgating attempts are getting more affordable too. Match the investment to the sensitivity of the area.
Should we use biometric access controls?
For server rooms and data centres, biometrics make a lot of sense - they are hard to share or lose, unlike badges. But there are trade-offs. Under GDPR, biometric data is special category personal data, so you need a proper legal basis and a DPIA. You also need to think about reliability (fingerprint readers struggle with dirty or wet hands), fallback procedures for when the system goes down, and cost. For most organisations, biometrics at two or three high-value entry points is the sweet spot rather than rolling them out everywhere.
