Annex A 7.2: Physical Entry

9 min readLast verified: February 2026By

Annex a 7.2: physical entry requirement means you must control, authorize, and record physical access to sites and rooms where information and supporting systems are processed or stored, and prevent unauthorized entry. Operationalize it by defining “secure areas,” enforcing identity/access rules (badges, keys, escorts), logging access and visitors, and retaining evidence that controls run consistently.

Key takeaways:

  • Define and maintain a clear list of secure areas, owners, and entry rules tied to your ISMS scope 1.
  • Implement controlled entry (authorization, identity proofing, escort rules) plus logging and periodic review to prove operation 2.
  • Evidence wins audits: access lists, visitor logs, exception approvals, and review records mapped to the control 2.

Physical access failures regularly become information security failures: an unlocked server closet, a propped door, a shared badge, or an unlogged contractor visit can bypass strong logical controls. Annex a 7.2: physical entry requirement focuses on preventing that bypass by establishing controlled entry to facilities and defined secure areas that support the confidentiality, integrity, and availability of information. 1

For a CCO, GRC lead, or security compliance owner, the fastest path to operationalizing Annex A 7.2 is to treat it as a repeatable control with clear scope, decision points, and proof. Your auditor will not only ask whether doors lock; they will test whether your organization consistently authorizes access, manages exceptions, and can produce records that show who entered secure areas and why. 2

This page gives requirement-level implementation guidance you can hand to Facilities, IT, and Security Operations without rewriting it into theory. It is written to help you define “what good looks like,” execute quickly, and capture evidence as you go. 1

What Annex A 7.2 requires (plain-English)

Annex a 7.2: physical entry requirement expects you to restrict and control physical entry to areas where information is processed, stored, or supported (for example, offices with sensitive records, network closets, data rooms, and other secure zones). You need rules for who may enter, how entry is granted and revoked, how visitors are handled, and how you detect and investigate unauthorized access attempts. 2

A practical interpretation for operators:

  • If an area contains in-scope systems, infrastructure, or sensitive information, it must have defined entry controls.
  • Entry must be intentional (authorized), attributable (tied to a person), and reviewable (logged or otherwise provable).
  • Exceptions must be controlled the same way you control logical access exceptions: documented, time-bounded, and approved.

Regulatory text

Provided excerpt: “ISO/IEC 27001:2022 Annex A control 7.2 implementation expectation (Physical Entry).” 1

Operator meaning: You must implement physical entry controls that match your risk and scope, and you must be able to demonstrate those controls are in place and operating. Treat this like an auditable control: define secure areas, define entry mechanisms and rules (employees, contractors, visitors), and retain access/visitor records plus periodic reviews. 2

Who it applies to (entity + operational context)

This control applies to any organization implementing an ISO/IEC 27001 ISMS, including service organizations, where physical locations support in-scope information processing. 1

Operational contexts that commonly fall into scope:

  • Corporate offices where customer or regulated data is handled.
  • Data rooms, network closets, telecom rooms, wiring cabinets.
  • Records storage (paper archives) containing sensitive information.
  • Shared offices or coworking spaces, where “secure areas” may need to be defined inside a larger shared facility.
  • Third-party operated sites where your in-scope assets reside (colocation cages, managed service provider floors). Your control still needs coverage, even if the mechanism is contract/SOC evidence.

What you actually need to do (step-by-step)

Step 1: Define “secure areas” and control objectives

  1. Inventory physical locations in ISMS scope (sites, floors, rooms, cages, closets).
  2. Classify areas by sensitivity (example tiers: public, office, restricted, high-security).
  3. Assign an area owner (Facilities, IT, Data Center Ops) and a control operator (who runs access provisioning and reviews).
  4. Write entry rules per tier: who can enter, escort requirements, allowed hours, prohibited behaviors (tailgating, door propping), and required logging. 2

Deliverable: a “Secure Areas Register” that auditors can trace to systems and data.

Step 2: Implement controlled entry mechanisms

Pick mechanisms that fit the site and risk. Auditors care less about brand names and more about control effectiveness and evidence. Common patterns:

  • Badge access for restricted areas, with unique IDs.
  • Keys/codes only where badges are impractical; avoid shared codes where possible, or treat them as high-risk exceptions with extra monitoring.
  • Mantraps, turnstiles, reception checkpoints for high-security areas.
  • Locks and alarms for closets and records rooms.

Control requirements you should enforce:

  • No anonymous entry to restricted/high-security areas.
  • Access is approved before it is granted, with a clear approver role (area owner or delegated manager).
  • Access is removed promptly upon role change/termination through your offboarding workflow.
  • Temporary access is time-bounded and expires automatically or is reviewed. 2

Step 3: Establish visitor and contractor handling

Minimum operational rules:

  • Visitors sign in (digital or paper) with name, organization, host, purpose, time in/out.
  • Identity verification at reception for restricted areas (check ID where feasible).
  • Visitor badges visually distinct from employee badges.
  • Escort rules defined per area tier (for example, always escorted in restricted/high-security zones unless specifically authorized).
  • Contractor access treated like a privileged access pattern: limited to required areas and times, documented scope of work, and sponsor/host responsibility.

If you use third parties for cleaning, maintenance, or cabling, document how you prevent uncontrolled after-hours access and how you log entry. 2

Step 4: Logging, monitoring, and periodic review

Auditors commonly test whether logs exist and whether you review them, not just whether the door locks.

Implement:

  • Physical access logs from badge system (or manual logs where electronic is unavailable).
  • Visitor logs retained and reviewable.
  • Review cadence appropriate to risk: review access lists for restricted/high-security areas, confirm approvals, and investigate anomalies (for example, access outside expected hours, repeated denied attempts).
  • Exception tracking: door malfunctions, lost badges/keys, emergency access, propped doors. Each exception should have a ticket, owner, remediation action, and closure evidence. 2

Step 5: Document the control and map evidence (audit-ready)

Write a short control procedure that answers:

  • What areas are controlled, and how?
  • Who approves and who provisions?
  • How are visitors handled?
  • What gets logged and reviewed?
  • How do you manage exceptions and emergencies?

Then map each requirement to recurring evidence capture so you are never “reconstructing” months of activity right before an audit. This “control-to-evidence mapping” is explicitly aligned with the recommended best practice to document operation and recurring evidence capture. 2

Practical note: Daydream is useful here as a control operations hub to map Annex A 7.2 to tasks, owners, and an evidence calendar, so reviews and log exports land in the same place each cycle instead of living in inboxes.

Required evidence and artifacts to retain

Keep artifacts that prove both design (what you intended) and operation (what actually happened).

Design evidence (static, updated as needed):

  • Secure Areas Register (areas, tier, owner, entry method).
  • Physical access control policy/procedure covering employees, visitors, contractors.
  • Role/approval matrix for granting access (who can approve what).
  • Onboarding/offboarding workflow showing physical access steps.

Operating evidence (recurring):

  • Current access list for each restricted/high-security area (who has access, why).
  • Access provisioning tickets/requests with approvals.
  • Visitor logs (sign-in/out) and host assignment.
  • Badge system access logs exports or reports.
  • Periodic access reviews (attestations, review notes, remediation tickets).
  • Incident/exception tickets (lost badge, forced door, lock failures) and closure proof. 2

Common exam/audit questions and hangups

Auditors and certification bodies tend to probe predictable weak points:

  1. “Show me your secure areas.” Do you have a definitive list, or is it tribal knowledge?
  2. “Who approved this person’s access?” Can you trace each entry permission to an approver and a business need?
  3. “How do you handle visitors?” Are visitor logs complete, and do they match escort rules in practice?
  4. “How do you remove access?” Offboarding failures are a classic hangup: badges remain active after termination or transfer.
  5. “Do you review physical access?” If you can only produce raw logs but no evidence of review, expect a finding. 2

Frequent implementation mistakes (and how to avoid them)

Mistake Why it fails Fix
Treating “building badge access” as sufficient Secure areas inside the building stay uncontrolled (closets, records rooms) Define secure area tiers and control each tier explicitly 2
Shared door codes for restricted rooms No attribution; codes spread and persist Use named badges/keys; if codes exist, document compensating controls and rotation process
Visitor log exists but is incomplete Auditors sample entries; gaps undermine trust Train reception/hosts; add required fields and periodic checks
No documented approvals Access appears ad hoc Route all access through a ticketing/approval workflow with retention
No periodic access review Access creep accumulates Schedule recurring reviews and track removals to closure evidence 2

Enforcement context and risk implications

Public enforcement cases specific to ISO Annex A 7.2 are not provided in the source catalog, so this page does not cite any. Practically, physical entry weaknesses increase the chance of data theft, system tampering, service disruption, and safety incidents. Treat physical entry as a control that supports broader risk outcomes and customer trust, especially for service organizations with shared infrastructure or high-availability commitments. 1

Practical execution plan (30/60/90-day)

No public sources in the provided catalog define a required day-count implementation timeline. The plan below is an execution pattern you can adapt to your environment.

First 30 days (Immediate stabilization)

  • Confirm ISMS scope sites and identify candidate secure areas (start with network closets, server rooms, records storage).
  • Stand up the Secure Areas Register with owners and entry methods.
  • Freeze ad hoc access grants: require tickets/approvals for new access to restricted/high-security areas.
  • Implement/standardize visitor sign-in, visitor badges, and host responsibility at primary sites.

Days 31–60 (Control operation and evidence rhythm)

  • Implement a standard access request + approval workflow for physical access (ticketing or GRC workflow).
  • Export baseline access lists for each secure area and remediate obvious over-permissioning.
  • Define and run the first periodic access review; record results and removals.
  • Define exception handling: lost badge, lock failure, emergency entry, and after-hours work.

Days 61–90 (Hardening + audit readiness)

  • Expand coverage to remaining sites and “hidden” areas (IDF closets, file rooms, lab spaces).
  • Add monitoring/reporting: denied entry patterns, off-hours access, stale visitor badges.
  • Run a tabletop test for a physical intrusion scenario (tailgating, forced door) and document corrective actions.
  • Centralize evidence and map it directly to Annex A 7.2 so audits become retrieval, not reconstruction. 2

Frequently Asked Questions

Do we need electronic badge readers to meet annex a 7.2: physical entry requirement?

No specific technology is mandated in the provided ISO summary, but you must control and be able to demonstrate authorized entry to secure areas. If you use keys or manual logs, tighten attribution, approvals, and retention to offset weaker automation. 2

How do we handle coworking spaces or shared offices?

Define secure areas within the shared facility (locked cabinets, restricted rooms) and apply your entry rules there. For base-building controls you don’t own, document reliance on the landlord/coworking provider and retain supporting evidence where available. 1

What’s the minimum evidence an auditor will expect?

Expect to show a list of secure areas, current authorized access lists, proof of approvals, visitor logs, and at least one completed access review cycle with remediation actions. Make evidence collection recurring, not ad hoc. 2

Are visitor logs required for all areas?

Apply visitor logging based on your secure area tiers. Public lobby traffic may not need formal logs, but restricted/high-security areas generally do because you need traceability of who entered and why. 2

How do we treat third-party technicians (HVAC, cabling, cleaning crews)?

Treat them as visitors or time-bounded authorized personnel with a sponsor, defined areas, and documented work orders. Maintain sign-in/out records and control after-hours access paths through escort rules or monitored entry. 2

What if our badge system logs are messy or hard to export?

Don’t wait for perfect tooling. Define a repeatable export/report process, store outputs with each review cycle, and document any limitations plus compensating checks until you improve logging. 2

Footnotes

  1. ISO/IEC 27001 overview

  2. ISMS.online Annex A control index

Frequently Asked Questions

Do we need electronic badge readers to meet annex a 7.2: physical entry requirement?

No specific technology is mandated in the provided ISO summary, but you must control and be able to demonstrate authorized entry to secure areas. If you use keys or manual logs, tighten attribution, approvals, and retention to offset weaker automation. (Source: ISMS.online Annex A control index)

How do we handle coworking spaces or shared offices?

Define secure areas within the shared facility (locked cabinets, restricted rooms) and apply your entry rules there. For base-building controls you don’t own, document reliance on the landlord/coworking provider and retain supporting evidence where available. (Source: ISO/IEC 27001 overview)

What’s the minimum evidence an auditor will expect?

Expect to show a list of secure areas, current authorized access lists, proof of approvals, visitor logs, and at least one completed access review cycle with remediation actions. Make evidence collection recurring, not ad hoc. (Source: ISMS.online Annex A control index)

Are visitor logs required for all areas?

Apply visitor logging based on your secure area tiers. Public lobby traffic may not need formal logs, but restricted/high-security areas generally do because you need traceability of who entered and why. (Source: ISMS.online Annex A control index)

How do we treat third-party technicians (HVAC, cabling, cleaning crews)?

Treat them as visitors or time-bounded authorized personnel with a sponsor, defined areas, and documented work orders. Maintain sign-in/out records and control after-hours access paths through escort rules or monitored entry. (Source: ISMS.online Annex A control index)

What if our badge system logs are messy or hard to export?

Don’t wait for perfect tooling. Define a repeatable export/report process, store outputs with each review cycle, and document any limitations plus compensating checks until you improve logging. (Source: ISMS.online Annex A control index)

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream