ISO 27001 7.2: Physical Entry Controls Explained

A contractor tailgates through a badge-secured door, plugs a rogue device into a network port inside the server room, and walks out fifteen minutes later. No log entry, no alert, no escort. Every firewall rule and encryption key in your stack just became irrelevant. ISO 27001 Control 7.2 exists to prevent exactly this — and most organizations get it wrong.

What 7.2 Requires

ISO/IEC 27001:2022 Annex A 7.2 requires organizations to implement secure entry controls and authentication mechanisms at all access points to ensure that only authorized personnel can enter secure areas, maintaining audit trails of physical access where appropriate. In practical terms, this means every door that leads to a server room, network closet, records archive, or any space housing sensitive assets needs a documented, enforceable access control mechanism — not just a lock someone propped open last Tuesday.

The control demands three things working together. First, authentication: the organization must verify identity before granting access, using mechanisms appropriate to the sensitivity of the area — badge readers, biometric scanners, PINs, or combinations of these. Second, authorization: a defined process must determine who is permitted to enter which areas, tied to role, need, and approval workflows. Third, accountability: audit trails must record who entered, when, and — where feasible — why, creating a reviewable log that supports both incident investigation and compliance evidence.

7.2 takes a risk-based approach. A general office may need only badge access, while a data center hosting production systems warrants multi-factor physical authentication and mantraps. The controls must be proportional to the value of what they protect and the consequences of unauthorized access. This proportionality principle is central to ISO 27001 certification — auditors expect to see documented rationale for the controls you chose.

Why 7.2 Matters

Picture this: a vendor technician arrives for a scheduled HVAC maintenance visit. Reception waves them through without verifying the appointment or issuing a visitor badge. The technician — who is actually a social engineer — detours into the server room, photographs rack labels and network diagrams, and installs a cellular-enabled drop box behind a switch. That device now provides persistent remote access to the internal network, bypassing every digital control the security team has spent years building.

Physical access is the master key. Once someone stands in front of a server, a workstation, or a network port, software-based protections become obstacles to slow them down, not barriers to stop them. They can install hardware keyloggers, clone hard drives, reset BIOS passwords, or simply walk out with a device under their jacket. Research from Market.us and Pro-Vigil found that over the past five years, 60% of companies experienced breaches in their physical security measures — and the estimated average cost of addressing a physical security breach is approximately $100,000, before accounting for downstream data breach consequences. When physical compromise leads to a full data breach, the financial impact escalates dramatically — IBM’s 2024 Cost of a Data Breach Report puts the global average at $4.88 million per incident.

The consequence chain is predictable: unauthorized entry leads to device theft or tampering, which enables data exfiltration, which triggers regulatory penalties and reputational damage. Control 7.2 breaks this chain at the first link.

What attackers exploit

Physical penetration testers and real-world attackers repeatedly exploit the same failure modes:

  • Tailgating — following an authorized employee through a secured door before it closes
  • Uncollected visitor badges — reusing a temporary badge to return after hours
  • No access logs or unreviewed logs — entering without any record, or entering knowing no one checks the records
  • Shared access codes — PINs posted on sticky notes or distributed to entire teams and never rotated
  • Unsecured loading docks — delivery entrances that bypass reception and lead directly to internal areas
  • Emergency exit abuse — propping open fire exits for convenience, creating unmonitored entry points
  • Orphaned credentials — active access cards belonging to former employees or contractors whose access was never revoked

How to Implement 7.2

For your organization (first-party)

Implementing 7.2 starts with knowing what you are protecting and works outward to the controls that protect it.

1. Identify and classify secure areas. Map every space that houses sensitive assets — server rooms, network closets, records archives, executive offices, backup storage, and communications rooms. Classify each by sensitivity level (e.g., restricted, confidential, general) so you can apply proportional controls. Document the classification in your physical access policy and review it whenever the facility layout changes or new assets are deployed.

2. Deploy layered access controls. Match the mechanism to the risk. General offices may need badge readers; server rooms warrant badge-plus-PIN or biometric verification; the most sensitive areas may require mantraps (interlocking doors that prevent tailgating by design). Consider technologies like proximity card systems (HID, ASSA ABLOY), biometric scanners (fingerprint, iris), or mobile credential platforms depending on your environment and budget. Never rely on a single mechanism alone — defense in depth applies to physical security just as it does to network security.

3. Establish visitor management procedures. Require pre-registration for all visitors. Verify identity on arrival against a government-issued ID. Issue temporary, visually distinct badges. Mandate escort for all visitors in restricted areas. Maintain sign-in/sign-out logs that record name, host, purpose, arrival time, departure time, and badge return confirmation.

4. Deploy monitoring at entry points. Install CCTV covering all access-controlled doors and integrate intrusion detection on emergency exits. Monitoring serves as both a deterrent and an evidence source when access events need investigation. Ensure camera angles capture faces clearly enough for identification, and define a retention policy that meets both your compliance requirements and local privacy regulations.

5. Manage physical keys and credentials rigorously. Maintain a register of all physical keys, access cards, and PINs with assigned holders. Store spare keys securely. Conduct annual audits of the key inventory. Revoke credentials immediately — not next week, not after the offboarding ticket is processed — on the day of termination.

6. Secure delivery and loading areas. Physically separate delivery zones from IT facilities and secure areas. Restrict access to authorized delivery personnel only. Inspect inbound deliveries before moving them into the building. Never allow delivery staff unsupervised access to interior areas.

7. Train staff on physical security awareness. Employees are your first line of defense against tailgating. Train them to challenge unfamiliar faces, refuse to hold doors, and report unescorted visitors immediately. Make it culturally acceptable — even expected — to ask “Can I see your badge?”

8. Review and revoke access regularly. Conduct quarterly reviews of physical access rights. Cross-reference against HR records to catch role changes, transfers, and departures. Revoke access immediately when someone leaves or changes to a role that no longer requires it. Automate this where possible — integrating your access control system with HR and identity management platforms reduces the window between a personnel change and the corresponding access adjustment from days to minutes.

Common mistakes to avoid:

  • Relying on a single access control mechanism with no backup
  • Not revoking physical access on the day of termination
  • Treating visitor logs as a compliance checkbox instead of a security tool
  • Ignoring loading docks and emergency exits as entry vectors
  • Never reviewing access logs for anomalies or unauthorized patterns

For your vendors (third-party assessment)

When your data lives in a vendor’s facility, their physical entry controls become your risk. A thorough third-party risk assessment should include these questions:

  • “Describe your physical access control mechanisms for facilities hosting our data.”
  • “How do you manage visitor and contractor access to areas where our data is processed or stored?”
  • “What is your process for revoking physical access upon termination or contract end?”

Evidence to request: facility photos showing access control mechanisms, documented physical access policy, sample visitor logs (redacted), and the physical security section of their SOC 2 Type II report.

Red flags during assessment:

  • Vendor operates from shared office space with no description of compensating controls
  • No documented visitor management policy
  • Access logs are paper-based or nonexistent
  • Physical access review cycle exceeds 12 months
  • Inability to demonstrate immediate revocation capability

Verification methods: Negotiate a right-to-audit clause in the contract. Review SOC 2 Type II findings specifically for physical security exceptions. Confirm data center certifications (ISO 27001, SOC 2) and request the most recent certificate of compliance. For critical vendors, consider scheduling an on-site visit to physically inspect entry controls, visitor procedures, and monitoring systems — documentation alone does not guarantee operational effectiveness. A mature vendor risk management program tracks these assessments continuously, not just at onboarding.

Audit Evidence for 7.2

Auditors assess 7.2 by reviewing documentation and testing operational effectiveness. Preparing for an ISO 27001 audit starts with assembling the evidence artifacts listed below.

| Evidence Type | Example Artifact |
|---|---|
| Physical Access Policy | Documented policy defining secure areas, access levels, approval workflows, and review cadence |
| Access Control Logs | Electronic logs from badge/biometric systems showing entry/exit timestamps per individual |
| Visitor Register | Sign-in/sign-out records with visitor name, host, purpose, arrival/departure times, and badge return confirmation |
| Access Review Records | Quarterly review documentation showing access rights validated, changes made, and approvals |
| Key/Credential Inventory | Register of all physical keys, access cards, and PINs with assigned holders and last audit date |
| Termination Checklist | HR/IT checklist confirming physical access revocation (badge deactivation, key return) on employee departure |
| CCTV Retention Policy | Policy defining camera placement, recording retention period, and access restrictions to footage |
| Incident Reports | Records of physical security incidents (tailgating, forced entry attempts) and corrective actions taken |

Prepare both policy-level evidence (what you say you do) and operational evidence (proof that you do it). Auditors will sample access logs, test badge deactivation timelines, and walk the facility to verify controls match documentation. A common audit finding is a gap between the documented policy (e.g., “access is revoked within 24 hours of termination”) and the operational reality (e.g., badges remaining active for weeks). Close this gap before the audit, not during it.
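Step 8 above (cross-reference access rights against HR records) and the audit test described here (badge deactivation timelines versus termination records) are the same reconciliation. The script below is an added example, not UpGuard's code or any vendor's tooling, showing how that review can be automated over two exports. The column layouts, the 24-hour revocation window, and the CSV rows are all constructed assumptions; a real run would read the exports from the HR system and the access control system.

```python
"""Reconcile a badge-system credential export against HR records.

Added example (not UpGuard's code). It implements the quarterly access review
from step 8 and the audit test of badge-deactivation timelines against
termination records. Column names and the 24-hour revocation window are
assumptions; the CSV text below is constructed sample data.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed HR export: one row per person; status is "active" or "terminated".
HR_CSV = """person_id,name,status,terminated_at
E100,Alice Example,active,
E101,Bob Example,terminated,2024-03-01T17:00:00Z
E102,Carol Example,terminated,2024-03-04T12:00:00Z
E103,Dan Example,active,
"""

# Constructed badge-system export: one row per credential.
# B2 is still active for a terminated employee, B5 belongs to nobody HR knows.
BADGE_CSV = """badge_id,person_id,active,deactivated_at,last_used_at
B1,E100,true,,2024-03-05T08:55:00Z
B2,E101,true,,2024-03-06T19:20:00Z
B3,E102,false,2024-03-04T13:30:00Z,2024-03-04T11:10:00Z
B4,E103,true,,2024-02-20T09:00:00Z
B5,E999,true,,2024-03-05T22:41:00Z
"""

REVOCATION_WINDOW = timedelta(hours=24)  # assumed policy: revoke within 24 hours


@dataclass(frozen=True)
class Finding:
    badge_id: str
    person_id: str
    issue: str


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means 'not set'."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_csv, badge_csv, window=REVOCATION_WINDOW):
    """Return the findings a reviewer must act on, sorted by badge id."""
    people = {row["person_id"]: row for row in load_rows(hr_csv)}
    findings = []
    for cred in load_rows(badge_csv):
        badge, pid = cred["badge_id"], cred["person_id"]
        active = cred["active"].lower() == "true"
        person = people.get(pid)
        if person is None:
            # Holder unknown to HR: an orphaned credential if it still works.
            if active:
                findings.append(Finding(badge, pid, "orphaned: holder unknown to HR"))
            continue
        if person["status"] != "terminated":
            continue
        term = parse_ts(person["terminated_at"])
        if active:
            findings.append(Finding(badge, pid, "active after termination"))
        else:
            deactivated = parse_ts(cred["deactivated_at"])
            # Deactivated, but later than the policy window allows.
            if deactivated is not None and deactivated - term > window:
                findings.append(Finding(badge, pid, "revocation exceeded policy window"))
        last_used = parse_ts(cred["last_used_at"])
        # Any use after the termination timestamp is an incident, not a paperwork gap.
        if last_used is not None and last_used > term:
            findings.append(Finding(badge, pid, "used after termination"))
    return sorted(findings, key=lambda f: (f.badge_id, f.issue))


if __name__ == "__main__":
    for f in review_access(HR_CSV, BADGE_CSV):
        print(f"{f.badge_id} ({f.person_id}): {f.issue}")
```

The review distinguishes a late revocation (a process gap to fix) from a credential actually used after termination (an incident to investigate), because an auditor will ask about both. Running this on every HR change, rather than quarterly, is what closes the gap the paragraph above describes.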

Cross-Framework Mapping

Organizations managing multiple compliance frameworks can map 7.2 to equivalent controls elsewhere. This reduces duplicate effort and demonstrates mature governance.

| Framework | Equivalent Control(s) | Coverage |
|---|---|---|
| NIST 800-53 | PE-02 (Physical Access Authorizations) | Full |
| NIST 800-53 | PE-03 (Physical Access Control) | Full |
| NIST 800-53 | PE-04 (Access Control for Transmission) | Partial |
| NIST 800-53 | PE-05 (Access Control for Output Devices) | Partial |
| NIST 800-53 | PE-16 (Delivery and Removal) | Full |
| NIST 800-53 | PM-13 (Security and Privacy Workforce) | Partial |
| SOC 2 | CC6.4 (Physical Access Controls) | Full |
| CIS Controls v8.1 | Control 6.1-6.2 (Access Control Management) | Partial |
| NIST CSF 2.0 | PR.AC-2 (Physical access to assets is managed) | Full |
| DORA (EU) | Article 11 (ICT-related incident management — physical) | Partial |
| CPS 230 (APRA) | Operational risk management — physical security of critical operations | Partial |

Practitioners managing multi-framework environments consistently need this mapping. If your organization is already compliant with NIST 800-53 PE controls, much of 7.2’s evidence can be reused with minimal adaptation. Conversely, implementing 7.2 thoroughly gives you a strong foundation for satisfying the PE-02, PE-03, and PE-16 requirements if NIST compliance is on your roadmap. Use the NIST OLIR crosswalk as the authoritative reference for PE-series mappings.

7.2 does not operate in isolation. It sits within a broader physical security ecosystem where each control addresses a different layer of protection. Understanding these relationships helps you implement 7.2 more effectively and avoid gaps between adjacent controls.

| Control ID | Control Name | Relationship |
|---|---|---|
| 7.1 | Physical Security Perimeters | 7.1 defines the boundary; 7.2 controls who crosses it |
| 7.3 | Securing Offices, Rooms, and Facilities | Extends 7.2 protections to interior spaces once entry is granted |
| 7.4 | Physical Security Monitoring | Provides the detection layer (CCTV, sensors) that supports 7.2 access decisions |
| 7.5 | Protecting Against Physical and Environmental Threats | Covers environmental risks that 7.2’s access controls alone cannot prevent |
| 7.6 | Working in Secure Areas | Governs behavior inside secure areas after 7.2 grants entry |
| 5.15 | Access Control | Logical access policy mirrors 7.2’s physical access principles |
| 5.18 | Access Rights | Defines the authorization lifecycle that feeds 7.2 physical access provisioning |
| 6.1 | Screening | Pre-employment checks inform who should receive 7.2 physical access |
| 6.5 | Responsibilities After Termination | Triggers 7.2 access revocation when employment ends |
| 7.14 | Secure Disposal or Re-use of Equipment | Prevents unauthorized removal of assets that 7.2 entry controls protect |

Frequently Asked Questions

What is ISO 27001 7.2?

ISO 27001 7.2 is a physical security control in Annex A of ISO/IEC 27001:2022 — detailed further in ISO 27002 — that requires organizations to implement entry controls and authentication at all access points to secure areas. It ensures only authorized personnel can enter spaces like server rooms, network closets, and records archives — and that audit trails record who accessed them and when. The control applies to all organizations seeking ISO 27001 certification regardless of size or industry.

What happens if 7.2 is not implemented?

Without 7.2 controls, unauthorized individuals can physically access servers, network infrastructure, and sensitive records — bypassing every digital security control in place. The consequences cascade: unauthorized entry enables device theft or tampering, which leads to data breaches, which trigger regulatory penalties, contractual liability, and reputational damage. Physical access is the one vulnerability that makes all other controls optional.

How do you audit 7.2?

Auditors verify 7.2 by reviewing the physical access policy, inspecting entry control mechanisms at facility access points, sampling electronic access logs for anomalies, testing badge deactivation timelines against termination records, and evaluating visitor management procedures. Common audit tests include verifying that terminated employees’ credentials are deactivated within the policy-defined window and confirming that visitor logs match actual badge issuance records.
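The log sampling an auditor performs (and that the "never reviewing access logs for anomalies" mistake above leaves undone) can be run as a routine check. The following is an added example, not UpGuard's code, that applies four checks to a badge-reader event log: use of a deactivated credential, a repeated entry on one badge at the same door with no intervening exit (a badge passed back through the door or an exit through an unmonitored door such as a propped fire exit), after-hours entry to a restricted zone, and visitor-badge use that does not match the visitor register. The event fields, zone names, business-hours window, and all sample records are constructed assumptions.

```python
"""Review badge-reader access logs for the anomalies an auditor samples for.

Added example (not UpGuard's code). Field layout, zone names, the 07:00-19:00
business-hours window, and every record below are constructed assumptions.
"""
from datetime import datetime, time

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local business hours

# Constructed badge-reader events: (timestamp, badge, door, zone, direction).
EVENTS = [
    ("2024-03-05T08:55:00", "B1", "SRV-01", "restricted", "in"),
    ("2024-03-05T09:40:00", "B1", "SRV-01", "restricted", "out"),
    ("2024-03-05T10:02:00", "B7", "SRV-01", "restricted", "in"),
    ("2024-03-05T10:03:00", "B7", "SRV-01", "restricted", "in"),   # no "out" in between
    ("2024-03-05T22:41:00", "B4", "SRV-01", "restricted", "in"),   # after hours
    ("2024-03-06T14:00:00", "V12", "LOBBY", "general", "in"),      # visitor arrives
    ("2024-03-06T16:00:00", "V12", "LOBBY", "general", "out"),
    ("2024-03-06T17:30:00", "V12", "LOBBY", "general", "in"),      # after recorded departure
    ("2024-03-06T19:20:00", "B2", "LOBBY", "general", "in"),       # deactivated credential
]

# Constructed state from the access control system and the visitor register.
DEACTIVATED = {"B2"}
VISITOR_REGISTER = {
    "V12": {"host": "E100", "departed_at": "2024-03-06T16:05:00", "badge_returned": True},
}


def review_events(events, deactivated, visitor_register):
    """Return (timestamp, badge, issue) tuples for every anomalous event."""
    findings = []
    # Track the last direction per (badge, door) so nested zones (lobby, then
    # server room) do not look like a repeated entry.
    last_direction = {}
    for ts_text, badge, door, zone, direction in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        if badge in deactivated:
            # A reader accepting a deactivated credential is a control failure
            # whichever direction the event records.
            findings.append((ts_text, badge, "entry with deactivated credential"))
        if direction == "in":
            if last_direction.get((badge, door)) == "in":
                findings.append((ts_text, badge,
                                 "repeated entry without exit (passback or unmonitored exit)"))
            in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
            if zone == "restricted" and not in_hours:
                findings.append((ts_text, badge, "after-hours entry to restricted zone"))
            visit = visitor_register.get(badge)
            if visit is not None:
                # The register says the visitor left; the badge still opens doors.
                if ts > datetime.fromisoformat(visit["departed_at"]):
                    findings.append((ts_text, badge, "visitor badge used after recorded departure"))
            elif badge.startswith("V"):
                findings.append((ts_text, badge, "visitor badge with no register entry"))
        last_direction[(badge, door)] = direction
    return findings


if __name__ == "__main__":
    for ts_text, badge, issue in review_events(EVENTS, DEACTIVATED, VISITOR_REGISTER):
        print(f"{ts_text} {badge}: {issue}")
```

Each finding maps to one of the failure modes listed earlier: the deactivated-credential hit is an orphaned credential, the repeated entry is the signature tailgating or a propped exit leaves in the log, and the visitor-badge hit is an uncollected badge the register claims was returned. None of these are visible if the logs are collected but never read.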

How UpGuard Helps

Connect physical access control to your broader risk posture

UpGuard’s User Risk product helps organizations monitor and manage user-level risk factors — including physical access control gaps — across their workforce. Map physical security compliance to your overall risk posture and identify where access control weaknesses create exposure.
