Annex A 7.1: Physical Security Perimeters
The Annex A 7.1 (physical security perimeters) requirement means you must define, implement, and maintain physical boundaries around facilities and areas that process or store information, and then prove those boundaries work in day-to-day operations. Operationalize it by mapping “secure areas” to real-world perimeters, setting entry rules, deploying barriers and access controls, and retaining repeatable evidence for audits.
Key takeaways:
- Define “secure areas” first, then design layered perimeters (site, building, floor, room, rack) to match risk.
- Control and monitor entry points with documented rules for employees, visitors, and third parties.
- Treat evidence as part of the control: diagrams, access lists, visitor logs, exceptions, and periodic checks.
An ISO 27001 auditor will not accept “we have locks and badges” as proof of the Annex A 7.1 (physical security perimeters) requirement. They will look for a clear perimeter model (what is protected, where the boundary is, and how entry is controlled), plus evidence that the model runs consistently: access rights are approved, visitors are handled, doors and mantraps work, and exceptions are tracked.
This control is also where many service organizations get tripped up by hybrid operations. Your “facility” may be a leased office, a co-lo cage, a shared data hall with a third-party operator, a warehouse, or a small network closet in a coworking space. Annex A 7.1 still applies; you just need to define the perimeter you control, the perimeter a third party controls, and the controls that bridge the gap (contracts, site rules, attestations, and monitoring).
Below is requirement-level implementation guidance designed for a Compliance Officer, CCO, or GRC lead to turn the control into a working practice quickly: scope, design, procedures, evidence, common audit traps, and an execution plan.
Regulatory text
Framework reference (excerpt): “ISO/IEC 27001:2022 Annex A control 7.1 implementation expectation (Physical Security Perimeters).” 1
What the operator must do:
You must establish physical security perimeters that protect information and information processing facilities. In practical terms, this means you identify which locations and areas are “secure,” define where the physical boundary is, implement barriers and controlled entry at the boundary, and operate the perimeter with consistent procedures and monitoring that you can evidence during an audit. 1
Plain-English interpretation of the requirement
The Annex A 7.1 (physical security perimeters) requirement asks one basic question: where does “authorized space” end and “unauthorized space” begin, and how do you enforce that boundary every day?
A perimeter can be:
- A site boundary (fence, gate, staffed reception)
- A building boundary (badge-controlled doors)
- An internal boundary (floor access, office suite doors)
- A high-security boundary (server room door, cage, cabinet, or rack)
Auditors expect “defense in depth” thinking: more sensitive assets get tighter perimeters and fewer entry paths.
Who it applies to
Entity scope: Service organizations implementing ISO/IEC 27001. 2
Operational contexts where this control is examined hard:
- Corporate offices with network closets or small server rooms
- Data centers (owned, leased, colocation cages)
- Warehouses and operations floors where devices or records exist
- Mixed-use buildings where your space is inside a shared perimeter controlled by a landlord
- Locations with frequent visitors, contractors, or third parties (cleaning, security guards, MSP field techs)
People/process scope: Facilities, IT, Security, HR (badging lifecycle), and any third party providing physical security or building management.
What you actually need to do (step-by-step)
1) Define your “secure areas” and perimeter levels
Create a short list of area types and map them to the information assets inside. Example perimeter levels you can run:
- Level 1: General office space (low sensitivity)
- Level 2: Network closets / telecom rooms
- Level 3: Server rooms / labs
- Level 4: Colocation cages / locked cabinets holding production systems
For each level, define:
- Boundary description (door, wall, cage, cabinet)
- Allowed entrants (roles or named groups)
- Entry method (badge, key, biometrics, escort)
- Monitoring (CCTV coverage, door alarms, guard logs)
- Fail-secure expectations (what happens on power loss, door forced open)
Deliverable: a “Physical Security Perimeter Register” that ties spaces to controls.
2) Document entry and visitor rules that match reality
Write procedures that operators can follow without interpretation:
- Employee access: request, approval, provisioning, periodic review, and removal on termination or role change.
- Visitor handling: sign-in, identity check (as appropriate), badge issuance, escort requirements, and sign-out.
- Third party access: pre-approval, time-bound access, escort rules, and confirmation of work completion.
Make sure your procedures cover edge cases auditors probe:
- Deliveries after hours
- Fire doors and emergency exits
- Temporary badges and lost badges
- Shared spaces (landlord reception, shared loading docks)
3) Implement physical barriers and controlled entry points
Confirm each secure area has:
- A clearly identifiable boundary (walls/doors/cage)
- Controlled entry (badge readers, keys in a controlled key cabinet, or staffed reception)
- Reduced entry paths (avoid “side doors” propped open)
- Signage for restricted areas (where appropriate)
If you rely on a third-party-controlled perimeter (building security or data center operator), document what they control and collect their evidence (site rules, visitor process, access control description, or attestations).
4) Align access rights with HR and IT joiner/mover/leaver
Physical access should follow the same governance you expect for logical access:
- Access request includes business justification and area(s) requested
- Approver is accountable (area owner, Facilities/Security)
- Provisioning is traceable (ticket ID, badge ID, access group)
- Removal is prompt and evidenced (termination checklist, badge deactivation)
This is where many ISO programs fail: badge access lives in a separate system with weak approvals and no periodic review.
5) Operational monitoring and recurring checks
Run lightweight recurring checks and retain evidence:
- Review access lists for secure areas against current roles
- Check for “always-open” doors, broken locks, or bypassed readers
- Validate visitor logs exist and are complete for sampled days
- Confirm CCTV retention exists where you claim it does
If you need a practical way to stay audit-ready, Daydream can track control tasks and evidence requests on a schedule, so perimeter checks and access reviews do not depend on one person remembering.
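The access review in steps 4 and 5 (badge grants checked against current roles, with leavers removed and every grant traceable to an approval) is easy to script once you have a badge-system extract and an HR roster. The example below is added here and is not Daydream's or ISO's code; the CSV extracts, area names, role sets and ticket IDs are constructed sample values, and the allowed-roles map stands in for the perimeter register.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample extracts (not real data): a badge-system export and an HR roster.
BADGE_EXPORT = """badge_id,person,area,ticket
B-1001,alice,L3-server-room,REQ-41
B-1002,bob,L2-net-closet,REQ-52
B-1003,carol,L3-server-room,
B-1004,dave,L4-colo-cage,REQ-60
"""
HR_ROSTER = """person,role,status
alice,sysadmin,active
bob,contractor,terminated
carol,sysadmin,active
dave,sales,active
"""
# Allowed roles per secure area, mirroring the perimeter register (assumed values).
AREA_ROLES = {
    "L2-net-closet": {"sysadmin", "netops", "contractor"},
    "L3-server-room": {"sysadmin"},
    "L4-colo-cage": {"sysadmin"},
}


@dataclass(frozen=True)
class Finding:
    badge_id: str
    person: str
    area: str
    issue: str  # one of: leaver-or-unknown, role-not-permitted, no-approval-ticket


def review_access(badge_csv: str, hr_csv: str, area_roles: dict) -> list:
    """Return one Finding per badge grant that fails the leaver, role-fit or approval check."""
    roster = {r["person"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(badge_csv)):
        hr = roster.get(row["person"])
        # Leaver check: terminated or unknown people must not hold any active grant.
        if hr is None or hr["status"] != "active":
            findings.append(Finding(row["badge_id"], row["person"], row["area"], "leaver-or-unknown"))
            continue  # removal comes first; the remaining checks are moot for this grant
        # Role-fit check: the grant must match the area's allowed roles from the register.
        if hr["role"] not in area_roles.get(row["area"], set()):
            findings.append(Finding(row["badge_id"], row["person"], row["area"], "role-not-permitted"))
        # Traceability check: every grant needs an approval ticket reference.
        if not row["ticket"].strip():
            findings.append(Finding(row["badge_id"], row["person"], row["area"], "no-approval-ticket"))
    return findings


if __name__ == "__main__":
    for f in review_access(BADGE_EXPORT, HR_ROSTER, AREA_ROLES):
        print(f"{f.badge_id} {f.person} {f.area}: {f.issue}")
```

Retain the script's output alongside the remediation tickets; together they are the "periodic access review and findings" evidence listed below.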
6) Manage exceptions without breaking the control
You will have exceptions: construction, emergency repairs, executive requests, or temporary projects. Handle them with an exception workflow:
- Scope and reason
- Compensating controls (escort, temporary camera, sign-in log)
- Time limit
- Approval and closure evidence
Auditors accept exceptions when they are controlled, time-bound, and documented.
Required evidence and artifacts to retain
Use this as an audit evidence checklist:
Design / scope evidence
- Secure area inventory (perimeter register) with owners and classifications
- Floor plans or simple diagrams marking boundaries and entry points
- Data center/colocation scope statement (what you control vs the provider)
Operating evidence
- Access control system extracts (who has access to which areas)
- Access request/approval tickets
- Joiner/mover/leaver termination checklists with badge deactivation
- Visitor logs (sign-in/out), visitor badge process, escort records where required
- Periodic access reviews and findings (including remediation)
- Physical inspection checklists (doors, locks, readers, alarms)
- Incident records for tailgating, forced doors, lost badges, or unauthorized entry attempts
- Third party evidence: building/security provider procedures, SOC reports if available, or contractual clauses describing physical controls
Keep evidence organized by secure area and by time period so sampling is painless.
Common exam/audit questions and hangups
Auditors and customers tend to ask:
- “Show me your secure areas and the boundaries. Where are they documented?”
- “Who approves access to the server room, and how do you remove it after termination?”
- “How do you control visitors and contractors? Show logs for a sample period.”
- “Do you have any doors that bypass the badge reader (loading dock, emergency exit)?”
- “For colocation, what controls does the provider operate, and what proof do you have?”
- “How do you detect tailgating or propped doors?”
Hangups that delay audits:
- No single “source of truth” for secure areas
- Badge access not reviewed, or reviews happen but aren’t evidenced
- Visitor logs exist but are incomplete or not retained
- Overstated controls (“CCTV everywhere”) without coverage maps or retention proof
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails | Fix |
|---|---|---|
| Treating the whole office as the only perimeter | Sensitive assets need tighter internal boundaries | Add layered perimeters for closets, server rooms, records storage |
| Access granted by email or hallway conversations | No traceability, weak approvals | Require tickets with approver and area scope |
| No clear ownership of secure areas | Findings linger, nobody remediates | Assign an area owner per secure zone |
| Relying on a landlord or data center without evidence | You can’t show operation | Collect provider procedures/attestations; document shared responsibility |
| Visitor logs are informal or not retained | Sampling fails | Standardize sign-in/out and retention; spot-check completeness |
| Exceptions become permanent | Perimeter weakens over time | Time-box exceptions and require closure evidence |
Enforcement context and risk implications
ISO 27001 is a certifiable standard rather than a regulator with published penalties, and no public enforcement cases were provided in the source catalog for this requirement. 1
The risk is still concrete: weak perimeters enable device theft, unauthorized network access via exposed ports, tampering with systems, and loss of sensitive paper records. From an assurance perspective, physical security gaps often cascade into customer security reviews, failed certification audits, and contractual noncompliance where physical safeguards are promised.
Practical 30/60/90-day execution plan
First 30 days (stabilize and define)
- Name owners for each location and each secure area.
- Build the secure area inventory and perimeter register (start with the highest-risk areas).
- Collect current access lists and visitor process artifacts from Facilities/Security.
- Document third party dependencies (landlord security, co-lo operator) and request their physical security procedures.
Days 31–60 (implement control mechanics and evidence)
- Standardize the access request/approval workflow and tie it to badge provisioning.
- Launch a visitor management procedure that matches actual reception flow.
- Create inspection checklists for doors, locks, and badge readers for secure areas.
- Start an exception log with approvals and closure requirements.
Days 61–90 (prove operation and close audit gaps)
- Run the first formal access review for each secure area and remediate findings.
- Perform a perimeter walk-through and document issues, tickets, and fixes.
- Validate you can produce evidence quickly: diagrams, logs, approvals, reviews.
- Put recurring evidence capture on a schedule (Daydream can automate reminders and evidence collection so the control stays “always on”).
Frequently Asked Questions
We’re fully cloud-hosted. Do we still need Annex A 7.1?
Yes, if you have offices, network closets, laptops stored onsite, or paper records. If your only “facility” risk is end-user devices, scope the control to those locations and document reliance on cloud provider physical security separately.
Does a locked door count as a “physical security perimeter”?
A locked door can be part of a perimeter, but auditors look for controlled entry rules, approval governance, and operational evidence. A lock without access governance and logs is usually weak for higher-risk areas.
Our building has shared reception and elevators. How do we handle the perimeter?
Treat the building perimeter as third-party controlled and define your perimeter at your suite entrance and internal secure areas. Keep landlord/building security evidence and document the shared responsibility boundary.
What evidence is most likely to be sampled in an ISO 27001 audit?
Auditors commonly sample access approvals for secure areas, current access lists, visitor logs for specific dates, and proof of periodic access review with remediation. They also ask for diagrams showing boundaries and entry points.
How do we operationalize this for a colocation cage?
Define the cage as a secure area with an owner, list the entry method and authorized persons, and retain provider access/visitor procedures plus your own approvals and access reviews. Document who escorts whom, and when.
Can we meet the requirement without CCTV?
Sometimes, depending on risk and context, but you must still show a controlled perimeter and detection/response for unauthorized entry. If you claim monitoring, be ready to show where it exists and how long logs/footage are retained.