AuditFront

ISO 27001 A.7.3: Securing offices, rooms and facilities

What This Control Requires

Physical security for offices, rooms and facilities shall be designed and implemented.

In Plain Language

Perimeters and entry controls get you part of the way, but the rooms themselves need to be set up properly too. A server room with no fire suppression, a meeting room where confidential conversations can be overheard through thin walls, an office where screens face the window - these are all gaps that auditors will pick up on. The security measures inside each space should match what happens there. A server room needs environmental monitoring, gas-based fire suppression, and controlled cooling. A meeting room used for board discussions needs soundproofing. A general office needs clean desk enforcement and screen positioning that stops passers-by from reading what is on screen. This control also covers thoughtful design. Where you place windows, how you position printers, whether you put signage on your data centre door - all of these choices either help or hurt your physical security posture.

How to Implement

Walk through every office, room, and facility and assess what information and assets each one contains. Classify each space by sensitivity, then match security measures to the classification.

For general office areas:

  • Enforce clean desk requirements
  • Provide lockable storage for sensitive documents
  • Position screens so they cannot be read from public corridors or windows
  • Set up secure print release so documents are not sitting in printer trays
  • Put locks on individual offices or zones that hold sensitive information

For meeting rooms used for confidential discussions:

  • Add soundproofing or sound masking to prevent eavesdropping
  • Remove or disable voice assistants and smart speakers
  • Establish a procedure for wiping whiteboards after sensitive meetings
  • Check that no documents are left behind after each session
  • Use booking systems that restrict access to authorised groups where needed

For server rooms and technical areas:

  • Install gas-based fire suppression (FM-200, Novec 1230, or inert gas - never water sprinklers around servers)
  • Set up environmental monitoring for temperature, humidity, and water leaks
  • Provide UPS and backup power
  • Use raised floors for cable management and water protection
  • Block or obscure windows to prevent observation
  • Install separate HVAC where necessary

For archive and storage rooms:

  • Use fire-resistant construction and appropriate suppression
  • Control the climate to prevent document degradation
  • Restrict access to authorised personnel only
  • Log who goes in and what they take out
  • Arrange pest control for physical document stores

Look at external risks too. Assess flood risk and put critical facilities above potential flood levels. Consider earthquake, storm, or other natural disaster exposure. Check what is next door - a chemical warehouse sharing a wall with your server room is a problem. Avoid putting signs on the building that say "Data Centre" - keep a low profile for sensitive facilities.

Evidence Your Auditor Will Request

  • Physical security assessment and classification of offices, rooms, and facilities
  • Security measures implemented for each classified space
  • Environmental monitoring records for server rooms and data centers
  • Fire suppression system specifications and testing records
  • Clean desk policy and compliance audit results

Common Mistakes

  • Server rooms lack appropriate environmental controls such as fire suppression and cooling
  • Meeting rooms are not soundproofed and confidential discussions can be overheard
  • Clean desk policies are not enforced in areas containing sensitive information
  • Windows allow visibility into areas where sensitive information is displayed
  • No assessment of external risks to the facility from its location or neighboring properties

Related Controls Across Frameworks

Framework   Control ID   Relationship
SOC 2       CC6.4        Related
SOC 2       A1.1         Partial overlap

Frequently Asked Questions

Do we need environmental monitoring in server rooms?
Absolutely. At a minimum, monitor temperature (keep it between 18-27 °C), humidity (40-60% RH), water leaks, smoke, and power status. Set up alerts so someone gets notified the moment conditions go out of range - not the next morning. Environmental failures cause a surprising amount of unplanned downtime and can permanently destroy equipment and data. This is one of those controls where the cost of monitoring is trivial compared to the cost of a failure.
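The threshold-and-alert logic the answer above calls for, as an added example that is not part of this page: it uses the page's ranges (18-27 °C, 40-60% RH), raises one alert when a sensor crosses out of range and one when it clears rather than repeating every reading, and treats a sensor that has stopped reporting as a fault. Sensor names, the flag encodings for leak/smoke/power, the sample feed and the 5-minute stale timeout are assumptions.

```python
from dataclasses import dataclass

# Ranges as stated on the page (18-27 C, 40-60% RH); flag encodings are assumptions.
RANGES = {"temp_c": (18.0, 27.0), "humidity_pct": (40.0, 60.0)}
OK_FLAG = {"water_leak": 0.0, "smoke": 0.0, "power_ok": 1.0}  # value when all is well
STALE_AFTER_S = 300  # assumption: a sensor silent for 5 minutes is itself a fault

@dataclass(frozen=True)
class Reading:
    ts: int       # unix seconds
    sensor: str   # hypothetical sensor name, e.g. "rack-a/temp"
    metric: str   # key of RANGES or OK_FLAG
    value: float

def out_of_range(metric: str, value: float) -> bool:
    """True when a single reading should be alarming."""
    if metric in RANGES:
        lo, hi = RANGES[metric]
        return not lo <= value <= hi
    if metric in OK_FLAG:
        return value != OK_FLAG[metric]
    raise ValueError(f"unknown metric {metric!r}")

def evaluate(readings, now: int) -> list[str]:
    """Alert once on entering/leaving range (no repeats while a fault persists)
    and flag sensors that have stopped reporting, which is a fault in itself."""
    alerts, alarming, last_seen = [], {}, {}
    for r in sorted(readings, key=lambda r: r.ts):
        bad = out_of_range(r.metric, r.value)
        if bad and not alarming.get(r.sensor, False):
            alerts.append(f"{r.ts} ALERT {r.sensor} {r.metric}={r.value}")
        elif not bad and alarming.get(r.sensor, False):
            alerts.append(f"{r.ts} CLEAR {r.sensor} {r.metric}={r.value}")
        alarming[r.sensor] = bad
        last_seen[r.sensor] = r.ts
    for sensor, ts in sorted(last_seen.items()):
        if now - ts > STALE_AFTER_S:
            alerts.append(f"{now} STALE {sensor} last seen {ts}")
    return alerts

# Constructed sample feed, not real telemetry.
SAMPLE = [
    Reading(1000, "rack-a/temp", "temp_c", 22.5),
    Reading(1120, "rack-a/temp", "temp_c", 28.4),          # above 27 C -> ALERT
    Reading(1180, "rack-a/temp", "temp_c", 29.1),          # still high, no repeat
    Reading(1240, "rack-a/temp", "temp_c", 25.0),          # back in range -> CLEAR
    Reading(1060, "room/humidity", "humidity_pct", 38.0),  # below 40% -> ALERT
    Reading(1250, "floor/leak", "water_leak", 0.0),
    Reading(1300, "ups/power", "power_ok", 0.0),           # mains lost -> ALERT
]
```

Running `evaluate(SAMPLE, now=1500)` yields four transition alerts plus a STALE line for the humidity sensor, which last reported at 1060.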
What fire suppression is appropriate for data centers?
Gas-based systems like FM-200, Novec 1230, or inert gas systems. They put out fires without soaking your servers in water, which would cause as much damage as the fire itself. Pair the suppression system with Very Early Smoke Detection Apparatus (VESDA) for early warning before a fire fully develops. And test it regularly - a suppression system that has not been tested in three years is not something you want to rely on.
