ISO 27001 A.7.5: Protecting against physical and environmental threats
What This Control Requires
Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.
In Plain Language
Floods, fires, earthquakes, storms, even a burst pipe in the room above your server rack: physical and environmental threats can take down your infrastructure faster than any cyber attack. This control is about identifying what could physically harm your facilities and putting protections in place before it happens.

The starting point is a risk assessment specific to each location. A facility in a flood plain faces different threats than one on a hilltop. A building next to a chemical plant has risks that a suburban office park does not. You need to understand the threat profile for your specific geography, climate, and neighbourhood.

Protection measures range from building design and construction standards to fire suppression, environmental monitoring, and emergency response procedures. The goal is to prevent damage where you can and minimise impact and recovery time when something does happen.
How to Implement
Run a physical and environmental threat assessment for each facility. Go through the list: flood risk (check local flood maps and proximity to water), fire risk (building construction, neighbouring facilities, electrical systems), earthquake risk (seismic zone), severe weather (storms, tornadoes, lightning), and man-made threats (nearby industrial sites, civil unrest potential, terrorism risk). Use publicly available hazard data to back up your assessment, and record the source and date of that data so the assessment can be re-run when it changes.

Put structural and design protections in place. For flood protection: keep critical facilities above potential flood levels, install water detection sensors, waterproof basement areas, and maintain drainage systems. For fire protection: install detection and suppression systems matched to what each area contains (a water-based sprinkler that saves the building can still destroy the equipment in a server room; equipment rooms usually need clean-agent or pre-action systems instead), maintain fire-resistant construction, keep fire exits clear, and run regular fire drills. For earthquake zones: make sure structural engineering meets seismic requirements, bolt down equipment racks and heavy items, and set up automatic power shutdown for severe events.

Install environmental monitoring. Temperature and humidity monitoring with alerts for critical facilities is non-negotiable, and the alert thresholds should come from the equipment vendors' operating ranges rather than guesswork. Add water leak detection in any area above or next to equipment rooms, including under raised floors. Fit lightning protection: surge arrestors at the power entry and UPS for the equipment it feeds, since a UPS on its own does not protect against a lightning surge. Put fire detection with automatic suppression in equipment rooms. Test sensors on a schedule, and treat a sensor that stops reporting as an alert in its own right, not as silence.

Write emergency response procedures for each identified threat. Cover evacuation routes, assembly points, and communication chains. Build relationships with local emergency services before you need them. Keep emergency supplies and equipment on hand. Run drills regularly and capture lessons learned.

For critical facilities, think about geographic redundancy. If losing one site would be catastrophic, your backup or disaster recovery site should be far enough away that the same flood, earthquake, or storm cannot take out both locations simultaneously. Check that the two sites do not share the same flood plain, seismic fault, or utility feeds, rather than relying on distance alone.
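The monitoring step above calls for alerts, but a plain high/low threshold on its own misses two things a practitioner cares about: a temperature that is climbing fast (an HVAC failure shows up as a steep rise long before the absolute limit is crossed) and a sensor that has gone quiet. The following is an added example, not code from the original page or from any vendor's monitoring product; the sensor names, the threshold bands, and the readings are all constructed for illustration, and real bands must come from the equipment vendor and the site assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Band:
    low: float
    high: float
    max_rate_per_hour: float   # absolute change per hour that trips a rapid-change alert


# Constructed example bands (assumption); real values come from vendor operating ranges.
BANDS = {
    "temperature_c": Band(low=18.0, high=27.0, max_rate_per_hour=10.0),
    "humidity_pct": Band(low=20.0, high=60.0, max_rate_per_hour=10.0),
}

# A sensor that has not reported within this window raises a "stale" alert.
STALE_AFTER = timedelta(minutes=20)


def evaluate(readings, now):
    """Return alerts as (kind, sensor, metric, timestamp) tuples.

    readings: iterable of (timestamp, sensor_id, metric, value).
    kinds: out_of_range, rapid_change, water_leak, stale.
    """
    alerts = []
    last = {}  # (sensor, metric) -> (timestamp, value) of the most recent reading
    for ts, sensor, metric, value in sorted(readings, key=lambda r: r[0]):
        key = (sensor, metric)
        if metric == "water_leak":
            # Leak sensors are boolean: any True reading is an alert on its own.
            if value:
                alerts.append(("water_leak", sensor, metric, ts))
        else:
            band = BANDS[metric]
            if not band.low <= value <= band.high:
                alerts.append(("out_of_range", sensor, metric, ts))
            if key in last:
                prev_ts, prev_value = last[key]
                hours = (ts - prev_ts).total_seconds() / 3600
                # Rate-of-change check: catches a climbing temperature while it
                # is still inside the absolute band.
                if hours > 0 and abs(value - prev_value) / hours > band.max_rate_per_hour:
                    alerts.append(("rapid_change", sensor, metric, ts))
        last[key] = (ts, value)

    # Silence is a failure mode too: a dead sensor must not look like "all clear".
    for (sensor, metric), (ts, _) in last.items():
        if now - ts > STALE_AFTER:
            alerts.append(("stale", sensor, metric, ts))
    return alerts


T0 = datetime(2024, 3, 1, 2, 0, 0)


def sample_readings():
    """Constructed readings (assumption): rack-a warms up over 15 minutes,
    floor-1 detects water, and rack-b stops reporting after its first reading."""
    m = lambda minutes: T0 + timedelta(minutes=minutes)
    return [
        (m(0), "rack-a", "temperature_c", 22.0),
        (m(0), "rack-a", "humidity_pct", 45.0),
        (m(0), "rack-b", "temperature_c", 21.0),
        (m(0), "floor-1", "water_leak", False),
        (m(5), "rack-a", "temperature_c", 22.2),   # +2.4 C/h: within band, no alert
        (m(10), "rack-a", "temperature_c", 24.0),  # +21.6 C/h: rapid change, still in band
        (m(12), "floor-1", "water_leak", True),
        (m(15), "rack-a", "temperature_c", 27.5),  # above 27.0 and still climbing fast
        (m(15), "rack-a", "humidity_pct", 44.0),
    ]


def demo():
    return evaluate(sample_readings(), now=T0 + timedelta(minutes=30))


if __name__ == "__main__":
    for kind, sensor, metric, ts in demo():
        print(f"{ts.isoformat()} {kind:13} {sensor}/{metric}")
```

Run against the constructed readings, the rack-a temperature trips the rapid-change alert at 02:10 while still inside the 18 to 27 degree band, five minutes before it crosses the absolute limit; the leak alert fires at 02:12; and rack-b, which last reported at 02:00, is flagged stale at 02:30. Whatever tool is actually deployed, the evidence an auditor will want is that all three conditions (out of range, rapid change, and sensor silence) generate a recorded alert.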
Evidence Your Auditor Will Request
- Physical and environmental threat assessment for each facility
- Fire detection and suppression system specifications and testing records
- Environmental monitoring system configuration and alert records
- Emergency response procedures for identified threats
- Emergency drill records and lessons learned
Common Mistakes
- No formal assessment of physical and environmental threats to the facility
- Fire detection or suppression systems are not appropriate for the area they protect
- Environmental monitoring does not cover all critical areas
- Emergency response procedures are not tested through regular drills
- Critical facilities are located in areas vulnerable to known threats without mitigation
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | A1.2 | Related (A1.2 covers environmental protections, backups, and recovery infrastructure together) |
| NIS2 | Art.21(2)(c) | Related |
Frequently Asked Questions
How do we assess environmental threats for our specific location?
What environmental controls are needed for a server room?