
ISO 27001 A.7.5: Protecting against physical and environmental threats

What This Control Requires

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.

In Plain Language

Floods, fires, earthquakes, storms, even a burst pipe in the room above your server rack - physical and environmental threats can take down your infrastructure faster than any cyber attack. This control is about identifying what could physically harm your facilities and putting protections in place before it happens.

The starting point is a risk assessment specific to each location. A facility in a flood plain faces different threats than one on a hilltop. A building next to a chemical plant has risks that a suburban office park does not. You need to understand the threat profile for your specific geography, climate, and neighbourhood.

Protection measures range from building design and construction standards to fire suppression, environmental monitoring, and emergency response procedures. The goal is to prevent damage where you can and minimise impact and recovery time when something does happen.

How to Implement

Run a physical and environmental threat assessment for each facility. Go through the list: flood risk (check local flood maps and proximity to water), fire risk (building construction, neighbouring facilities, electrical systems), earthquake risk (seismic zone), severe weather (storms, tornadoes, lightning), and man-made threats (nearby industrial sites, civil unrest potential, terrorism risk). Use publicly available hazard data to back up your assessment.

Put structural and design protections in place. For flood protection: keep critical facilities above potential flood levels, install water detection sensors, waterproof basement areas, and maintain drainage systems. For fire protection: install detection and suppression systems matched to what each area contains, maintain fire-resistant construction, keep fire exits clear, and run regular fire drills. For earthquake zones: make sure structural engineering meets seismic requirements, bolt down equipment racks and heavy items, and set up automatic power shutdown for severe events.

Install environmental monitoring. Temperature and humidity monitoring with alerts for critical facilities is non-negotiable. Add water leak detection in any area above or next to equipment rooms. Fit lightning protection including surge arrestors and UPS. Put fire detection with automatic suppression in equipment rooms.

Write emergency response procedures for each identified threat. Cover evacuation routes, assembly points, and communication chains. Build relationships with local emergency services before you need them. Keep emergency supplies and equipment on hand. Run drills regularly and capture lessons learned.

For critical facilities, think about geographic redundancy. If losing one site would be catastrophic, your backup or disaster recovery site should be far enough away that the same flood, earthquake, or storm cannot take out both locations simultaneously.
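The environmental monitoring and geographic redundancy steps above, as an added worked example (not AuditFront's code and not part of the standard): it evaluates a snapshot of sensor readings against alert thresholds, treats a sensor that has stopped reporting as a fault rather than a silent success, flags critical zones that have no temperature, humidity or water leak sensor at all (the coverage gap listed under Common Mistakes), and checks whether a disaster recovery site is far enough from the primary. Zone names, thresholds, readings, coordinates and the 100 km minimum separation are constructed assumptions for illustration.

```python
"""Environmental monitoring evaluation for facilities under ISO 27001 A.7.5.

Added example, not AuditFront's or ISO's code. Zone names, thresholds,
readings and site coordinates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed alert thresholds (tune per room); (low, high) inclusive.
THRESHOLDS = {
    "temperature_c": (18.0, 27.0),
    "humidity_pct": (20.0, 60.0),
}
# Every critical zone is expected to report all of these sensor types.
REQUIRED_SENSORS = {"temperature_c", "humidity_pct", "water_leak"}
# A sensor that has not reported within this window is treated as a fault.
STALE_AFTER = timedelta(minutes=10)


@dataclass
class Reading:
    zone: str
    sensor: str      # "temperature_c", "humidity_pct" or "water_leak"
    value: float     # water_leak: 1.0 means water detected
    ts: datetime


def evaluate(readings, critical_zones, now):
    """Return sorted alert strings for out-of-range, water, stale and uncovered zones."""
    alerts = []
    seen = {}  # zone -> set of sensor types that reported at all
    for r in readings:
        seen.setdefault(r.zone, set()).add(r.sensor)
        age = now - r.ts
        if age > STALE_AFTER:
            # Silence is a failure mode: do not trust a reading this old.
            alerts.append(f"{r.zone}: {r.sensor} stale ({int(age.total_seconds() // 60)} min)")
            continue
        if r.sensor == "water_leak":
            if r.value >= 1.0:
                alerts.append(f"{r.zone}: water detected")
        elif r.sensor in THRESHOLDS:
            lo, hi = THRESHOLDS[r.sensor]
            if not lo <= r.value <= hi:
                alerts.append(f"{r.zone}: {r.sensor}={r.value} outside {lo}-{hi}")
    # Coverage check: a critical zone with no sensors never raises a reading
    # alert, which is exactly why it has to be reported here.
    for zone in critical_zones:
        missing = REQUIRED_SENSORS - seen.get(zone, set())
        if missing:
            alerts.append(f"{zone}: missing sensors: {', '.join(sorted(missing))}")
    return sorted(alerts)


def separation_km(site_a, site_b):
    """Great-circle distance (haversine) between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, site_a)
    lat2, lon2 = map(radians, site_b)
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def sufficiently_separated(site_a, site_b, min_km=100.0):
    """True if the DR site is far enough that one regional event is unlikely to hit both.
    The 100 km default is an assumed policy value, not a figure from the standard."""
    return separation_km(site_a, site_b) >= min_km


# Constructed sample telemetry snapshot.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_READINGS = [
    Reading("server-room-1", "temperature_c", 31.5, NOW - timedelta(minutes=1)),
    Reading("server-room-1", "humidity_pct", 45.0, NOW - timedelta(minutes=1)),
    Reading("server-room-1", "water_leak", 0.0, NOW - timedelta(minutes=1)),
    Reading("comms-closet-2", "temperature_c", 22.0, NOW - timedelta(minutes=25)),
    Reading("comms-closet-2", "water_leak", 1.0, NOW - timedelta(minutes=1)),
]
CRITICAL_ZONES = ["server-room-1", "comms-closet-2", "ups-room"]
PRIMARY_SITE = (51.5074, -0.1278)   # constructed: central London
DR_SITE = (53.4808, -2.2426)        # constructed: Manchester

if __name__ == "__main__":
    for line in evaluate(SAMPLE_READINGS, CRITICAL_ZONES, NOW):
        print("ALERT", line)
    print(f"DR separation: {separation_km(PRIMARY_SITE, DR_SITE):.0f} km,",
          "ok" if sufficiently_separated(PRIMARY_SITE, DR_SITE) else "too close")
```

Run against the sample data, the script raises five alerts: an over-temperature in server-room-1, a stale temperature sensor and a water detection in comms-closet-2, a missing humidity sensor in that closet, and a UPS room with no monitoring at all. The stale and missing-sensor cases are the ones a naive threshold check would miss, and they map directly to the "monitoring does not cover all critical areas" finding an auditor looks for.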

Evidence Your Auditor Will Request

  • Physical and environmental threat assessment for each facility
  • Fire detection and suppression system specifications and testing records
  • Environmental monitoring system configuration and alert records
  • Emergency response procedures for identified threats
  • Emergency drill records and lessons learned

Common Mistakes

  • No formal assessment of physical and environmental threats to the facility
  • Fire detection or suppression systems are not appropriate for the area they protect
  • Environmental monitoring does not cover all critical areas
  • Emergency response procedures are not tested through regular drills
  • Critical facilities are located in areas vulnerable to known threats without mitigation

Related Controls Across Frameworks

Framework | Control ID   | Relationship
SOC 2     | A1.1         | Equivalent
NIS2      | Art.21(2)(c) | Related

Frequently Asked Questions

How do we assess environmental threats for our specific location?

Start with publicly available data - flood maps, seismic zone maps, storm frequency records. Check local authority emergency planning documents. Look at historical incident data for your area. Walk around the immediate neighbourhood and note any hazards like industrial facilities or construction sites. For high-value facilities, bring in a physical security consultant. Your insurance company's risk assessment, if available, can also be a useful input.

What environmental controls are needed for a server room?

At a minimum: fire detection (ideally VESDA or similar early warning), gas-based fire suppression (FM-200 or Novec 1230 - not water), temperature and humidity monitoring with alerting, water leak detection, UPS and backup power, redundant cooling, and structural protection appropriate to local threats. The exact spec depends on the size and criticality of what you are hosting. A two-rack comms closet does not need the same setup as a 50-rack data centre, but even small rooms need the basics covered.
