ISO 27001 A.7.6: Working in secure areas
What This Control Requires
Security measures for working in secure areas shall be designed and implemented.
In Plain Language
Getting into the server room is one thing. What people do once they are inside is another matter entirely. A contractor left alone in a data centre with a smartphone can photograph configurations, plug in a USB device, or accidentally trip over a power cable. This control addresses the rules and behaviours that apply inside secure areas. Secure area working rules tackle risks such as unauthorised observation or recording, deliberate or accidental damage to equipment, introduction of rogue devices, and removal of assets. These are risks that access control alone cannot prevent: you need specific rules about what people can and cannot do once they are through the door. The rules need to cover who can work there, what activities are allowed, what can be brought in and out, whether supervision is required, and how people are expected to behave. Everyone who accesses a secure area needs to know the rules, and auditors will check whether you actually enforce them.
How to Implement
Define working rules for each category of secure area, and make them proportionate to sensitivity.

For server rooms and data centres:
- Restrict access to authorised personnel only, and maintain a current list of who is authorised for each specific area.
- Require sign-in and sign-out.
- Enforce a dual-person rule for critical maintenance activities.
- Restrict photography and recording devices.
- Monitor all activity via CCTV.
- Require change management approval before any modifications.

For secure processing areas:
- Implement clean room policies: no personal items, mobile phones, or removable media.
- Use supervised entry and exit, with bag checks where appropriate.
- Control what materials go in and come out.
- Monitor via CCTV and access logging.
- Consider personnel rotation to reduce collusion risk.

General rules for all secure areas:
- Lock vacant secure areas and check them periodically.
- Supervise third-party support personnel unless they hold appropriate clearances.
- Restrict or prohibit photography and audio/video recording.
- Ban food and drink near equipment.
- Define emergency procedures specific to each secure area.

Back up the rules with technical controls. Access control systems should restrict entry to authorised people. CCTV should cover the interior of secure areas, not just the doors. For the highest-security zones, consider mobile device detection systems.

Train everyone who accesses secure areas on the rules and why they exist. Run periodic compliance checks and audits. Handle violations through the disciplinary process. Review and update the rules as threats and operations change.
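The periodic compliance check above can be run directly over sign-in/sign-out records. The following is an added example, not part of the ISO 27001 control text or of any product; the area names, badge IDs, log fields and the "purpose"/"escort" columns are constructed assumptions, and it checks four of the rules listed: authorised list per area, sign-out enforcement, supervision of uncleared third parties, and the dual-person rule for critical maintenance.

```python
from collections import defaultdict

# Constructed authorisation records: area -> badges authorised for that area.
AUTHORISED = {"DC1": {"b101", "b102", "b103"}, "SPA": {"b102"}}
# Constructed: third-party badges (governed by the escort rule) and which of
# them hold a clearance permitting unsupervised work.
THIRD_PARTY = {"v900", "v901"}
CLEARED = {"v901"}

# Constructed sign-in log. out=None means no sign-out was recorded;
# escort is the badge of the supervising staff member, or None.
LOG = [
    {"badge": "b101", "area": "DC1", "in": "09:00", "out": "09:45", "purpose": "routine", "escort": None},
    {"badge": "b104", "area": "DC1", "in": "10:00", "out": "10:20", "purpose": "routine", "escort": None},
    {"badge": "v900", "area": "DC1", "in": "11:00", "out": "12:00", "purpose": "maintenance", "escort": None},
    {"badge": "v901", "area": "DC1", "in": "11:00", "out": "12:00", "purpose": "maintenance", "escort": None},
    {"badge": "b102", "area": "SPA", "in": "13:00", "out": None, "purpose": "routine", "escort": None},
    {"badge": "b103", "area": "DC1", "in": "14:00", "out": "15:00", "purpose": "critical_maintenance", "escort": None},
]


def audit(log, authorised, third_party, cleared):
    """Return (badge, area, finding) tuples, one per rule violation."""
    findings = []
    critical = defaultdict(list)  # area -> critical maintenance entries
    for e in log:
        badge, area = e["badge"], e["area"]
        # Staff must be on the area's authorised list; third parties are
        # covered by the escort/clearance rule instead.
        if badge not in third_party and badge not in authorised.get(area, set()):
            findings.append((badge, area, "not on authorised list"))
        if e["out"] is None:
            findings.append((badge, area, "no sign-out recorded"))
        if badge in third_party and badge not in cleared and e["escort"] is None:
            findings.append((badge, area, "third party unsupervised"))
        if e["purpose"] == "critical_maintenance":
            critical[area].append(e)
    # Dual-person rule: every critical maintenance visit needs another
    # critical maintenance entry in the same area overlapping in time.
    # HH:MM strings compare correctly lexicographically; an open visit
    # (no sign-out) is treated as still ongoing.
    for area, entries in critical.items():
        for e in entries:
            end = e["out"] or "99:99"
            second = [o for o in entries if o is not e
                      and o["in"] <= end and (o["out"] or "99:99") >= e["in"]]
            if not second:
                findings.append((e["badge"], area, "critical maintenance without second person"))
    return findings
```

Run it on the constructed log and it reports four findings: an unlisted badge, an unescorted uncleared contractor, a missing sign-out, and a solo critical maintenance visit.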
Evidence Your Auditor Will Request
- Documented rules for working in each category of secure area
- Access authorisation records for secure area personnel
- Sign-in and sign-out logs for secure areas
- CCTV monitoring records for secure areas
- Compliance audit records for secure area rules
Common Mistakes
- No specific rules defined for working in secure areas beyond access control
- Mobile phones and recording devices are not restricted in data centres
- Third-party maintenance personnel work unsupervised in secure areas
- Sign-in logs are not maintained or enforced for secure area access
- Secure areas are not locked when unoccupied
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.4 | Partial overlap |
Frequently Asked Questions
Should we prohibit mobile phones in all secure areas?
Is the dual-person rule required for all secure area access?