When someone bypasses your firewalls by walking through an unlocked door, every digital control you’ve invested in becomes irrelevant. Physical security failures lead to data theft, hardware tampering, and compliance breakdowns that no software patch can fix. ISO 27001 Control 7.3 exists to close this gap — requiring organizations to secure offices, rooms, and facilities with physical measures proportional to the assets inside.
What 7.3 Requires
ISO/IEC 27001:2022 Annex A Control 7.3 requires organizations to design and implement physical security measures for offices, rooms, and facilities where information is processed or stored. The objective is straightforward: prevent unauthorized physical access to spaces containing sensitive assets.
The control mandates that physical barriers must be proportional to the value of the assets they protect. A general office area doesn’t need the same protections as a data center or a room housing financial records. Organizations must assess what’s inside each space and match their security measures accordingly.
This means you can’t claim to protect data if anyone — employee, visitor, or intruder — can walk into the room where it lives. Control 7.3 demands deliberate, documented decisions about who can access what, and physical mechanisms that enforce those decisions.
The scope extends beyond server rooms. Any office where sensitive information is discussed, any facility where critical equipment operates, and any room where confidential documents are stored falls under 7.3’s requirements. As part of a broader information security management system, these physical controls form a critical layer that supports every other security domain in the ISO 27001 standard.
Why 7.3 Matters
Consider a scenario that plays out more often than most organizations admit: a visitor signs in at reception, receives a generic badge, and walks unescorted through an office. They pass an open door to a comms room, glance at a whiteboard listing network credentials, and photograph it. No alarm sounds. No log is generated. The breach won’t be discovered until the damage is done.
Physical breaches bypass every digital control in your stack. Encryption doesn’t help when someone is standing at the keyboard. Network segmentation is meaningless when an attacker has physical access to the switch. Multi-factor authentication, endpoint detection, and zero-trust architectures all assume the attacker is remote — none of them account for someone who can simply unplug a drive or insert a rogue device directly into the network. According to research from Market.us, over the past five years, 60% of companies have encountered breaches in their physical security measures — a figure that underscores how common these failures are.
The risk classes are clear: unauthorized access to restricted areas, theft of hardware or data, tampering with equipment, and eavesdropping on confidential discussions. Each one can trigger regulatory penalties, contractual breaches, and loss of customer trust.
What makes physical security failures particularly damaging is their cascading effect. A single unauthorized entry can compromise multiple systems simultaneously — a stolen laptop contains credentials, a tampered switch redirects traffic, a photographed whiteboard exposes an entire project. Unlike a phishing email that targets one account, physical access often grants broad, unmonitored reach across systems that were never designed to resist an attacker already inside the building.
What Attackers Exploit
- Unlocked or propped-open doors to restricted areas
- Absent or unenforced visitor management procedures
- Tailgating through access-controlled entry points
- Visible signage advertising sensitive areas (e.g., “Server Room”)
- Ground-floor windows without privacy controls near sensitive work areas
- Lack of CCTV or monitoring in critical zones
How to Implement 7.3
Implementing 7.3 requires a structured approach that balances security with operational practicality. Over-securing low-risk areas wastes resources, while under-protecting critical spaces creates the exact vulnerabilities attackers look for. The key is proportionality — matching controls to the actual value and sensitivity of what each space contains.
For Your Organization (First-Party)
Implementation starts with understanding what you’re protecting and where it lives. An ISO 27001 implementation checklist can help structure the process, but for 7.3 specifically, focus on these steps.
1. Conduct a physical risk assessment. Identify every room and area containing sensitive data, critical equipment, or information processing systems. Document the asset value and threat exposure for each location.
2. Define security zones. Establish a tiered zoning model — public areas, staff-only areas, and restricted zones — with protections proportional to the assets in each zone. A reception area needs different controls than a server room. Most organizations benefit from three to four tiers: public (lobby, meeting rooms), general staff (open offices), sensitive (finance, HR records), and restricted (server rooms, network closets). Document each zone’s classification and the rationale behind it.
3. Deploy access controls at zone boundaries. Install badge readers, keypads, or biometric systems at transitions between zones. Every entry point to a restricted area should authenticate and log access. The choice of mechanism should match the zone’s sensitivity — a keypad may suffice for staff-only areas, while restricted zones may warrant two-factor authentication combining a badge and biometric scan.
4. Implement environmental protections. Install fire suppression systems, water leak detection, and climate control in areas housing critical equipment. Environmental threats destroy assets just as effectively as unauthorized access. Server rooms require specific attention — temperature and humidity monitoring with automated alerts, gas-based fire suppression that won’t damage electronics, and raised flooring to mitigate water damage. These controls should be tested regularly, not just installed.
5. Enforce visitor management. Require sign-in, escort requirements, and temporary badges for all visitors. Define which zones visitors may enter and ensure they are accompanied at all times in restricted areas. Visitor badges should be visually distinct from employee badges so that unescorted visitors are immediately identifiable. Establish a process for collecting badges at sign-out and investigating unreturned badges promptly.
6. Apply visual and acoustic privacy measures. Use frosted glass, privacy screens, and soundproofing in areas where sensitive information is discussed or displayed. Screens visible from corridors or windows are a control failure. Consider the layout of open-plan offices carefully — positioning monitors away from high-traffic walkways and external windows reduces the risk of shoulder surfing. For meeting rooms where sensitive discussions take place regularly, invest in sound masking systems in addition to standard soundproofing.
7. Keep sensitive areas low-profile. Use neutral signage — don’t label doors “Server Room” or “Security Operations Center.” Restrict distribution of floor plans showing sensitive areas.
8. Conduct regular access reviews and physical walk-throughs. Quarterly reviews should verify that access lists match current staff roles and that physical controls are functioning as intended. Walk-throughs should check for degradation — propped doors, disabled cameras, expired visitor badges left at desks, and access cards that should have been revoked. Document findings and track corrective actions to closure.
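As an added example for step 8 (not code from the original article or from any PACS vendor), the Python script below reconciles a PACS badge export against an HR roster using the zoning model from step 2, then scans access-log lines for granted entries that the documented entitlements do not justify. The roster, grants, log lines, badge ids, roles and zone names are all constructed assumptions.

```python
import csv
from io import StringIO

# Constructed HR roster: badge -> (status, role); any badge not listed is unknown
HR_ROSTER = {"B100": ("active", "sysadmin"), "B101": ("active", "finance"),
             "B102": ("terminated", "contractor")}
# Zoning model (step 2): which roles are entitled to which zones
ROLE_ZONES = {"sysadmin": {"public", "general", "sensitive", "restricted"},
              "finance": {"public", "general", "sensitive"},
              "contractor": {"public", "general"}}
# Constructed PACS export: zones each badge currently opens
PACS_GRANTS = {"B100": {"public", "general", "sensitive", "restricted"},
               "B101": {"public", "general", "sensitive", "restricted"},  # finance badge opens restricted
               "B102": {"public", "general"},                             # leaver still has access
               "B999": {"general"}}                                       # badge not on HR roster
# Constructed PACS event log: timestamp,badge,zone,result
ACCESS_LOG = """\
2024-03-04T08:02:11,B100,restricted,granted
2024-03-04T08:15:40,B101,restricted,granted
2024-03-05T19:22:03,B102,general,granted
2024-03-05T19:25:17,B999,general,granted
"""

def allowed_zones(badge):
    """Zones the roster and zoning model entitle this badge to (empty if not active)."""
    status, role = HR_ROSTER.get(badge, ("unknown", None))
    return ROLE_ZONES.get(role, set()) if status == "active" else set()

def review_grants(grants):
    """Compare PACS grants to entitlements; returns (badge, issue, detail) findings."""
    findings = []
    for badge, zones in sorted(grants.items()):
        status = HR_ROSTER.get(badge, ("unknown", None))[0]
        if status != "active":  # leaver or unknown badge: access should have been revoked
            findings.append((badge, "revoke", f"badge {status} but still has {sorted(zones)}"))
            continue
        excess = zones - allowed_zones(badge)  # zones granted beyond the role's entitlement
        if excess:
            findings.append((badge, "excess", f"not entitled to {sorted(excess)}"))
    return findings

def review_log(log_text):
    """Flag granted events into zones the badge holder is not entitled to."""
    flagged = []
    for ts, badge, zone, result in csv.reader(StringIO(log_text)):
        if result == "granted" and zone not in allowed_zones(badge):
            flagged.append((ts, badge, zone))
    return flagged
```

Each finding is a concrete corrective action to track to closure; in a real review the roster and grants would come from the HR system and the PACS export rather than inline constants.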
Common mistakes to avoid:
- Treating all areas with the same level of protection instead of risk-based zoning
- No process for revoking physical access when staff leave or change roles
- Propping open access-controlled doors for convenience
- Relying on locks alone without logging or monitoring
- Ignoring visual exposure — screens visible from corridors or external windows
Tooling categories: Physical access control systems (PACS), CCTV platforms, visitor management systems, environmental monitoring sensors. When selecting tooling, prioritize systems that generate auditable logs — auditors will need evidence that controls are operating as documented, not just that they exist.
For Your Vendors (Third-Party Assessment)
When assessing vendor compliance with 7.3, go beyond self-attestation. A structured vendor risk assessment should include physical security as a dedicated evaluation category, and a physical security questionnaire template can standardize your approach.
Security questionnaire items to include:
- What is your physical security zoning strategy?
- What access control mechanisms protect restricted areas?
- What are your visitor management procedures?
- What environmental protections are in place for data processing facilities?
Evidence to request: Physical security policy, electronic access logs, CCTV retention policy, and visitor register samples. Ask for evidence covering at least the past 90 days to verify that controls are actively maintained, not just documented. Where possible, request evidence from different time periods rather than a single snapshot — consistent records over multiple months demonstrate operational maturity rather than one-time compliance preparation.
Red flags during assessment:
- No documented physical security policy
- Single-factor access (key only) to areas housing sensitive data
- No visitor logs or escort requirements
- Reliance on “building management handles it” without oversight or audit trail
- Inability to describe their security zoning model or produce a current floor plan showing restricted areas
Verification beyond self-attestation: Request photographs of access control hardware, ask for third-party audit results, and confirm whether the vendor’s ISO 27001 certification scope explicitly includes physical premises. Understanding a vendor’s full ISO 27001 third-party risk requirements helps you evaluate whether their physical controls meet your standards.
Audit Evidence for 7.3
Auditors will expect documented evidence that your physical security controls are designed, implemented, and maintained. Thorough ISO 27001 audit preparation requires assembling specific artifacts well before the assessor arrives. The following table outlines what to prepare.
| Evidence Type | Example Artifact |
|---|---|
| Policy | Physical and Environmental Security Policy defining zoning strategy, access rules, and review cadence |
| Risk Assessment | Physical security risk assessment documenting asset locations, threat classes, and controls selected per zone |
| Access Logs | Electronic access control logs showing entry/exit events for restricted areas over the past 90 days |
| Visitor Records | Visitor register with sign-in/sign-out times, host names, and areas visited |
| Maintenance Records | Service logs for CCTV systems, fire suppression, and access control hardware |
| Floor Plan | Annotated site plan showing security zones, access control points, and camera placement |
| Review Records | Minutes from quarterly physical security walk-through reviews with corrective actions noted |
| Training Records | Evidence of staff training on physical security procedures and visitor management |
Cross-Framework Mapping
Control 7.3 maps to equivalent requirements across major compliance frameworks. This mapping helps organizations managing multiple certifications identify overlap and reduce duplicate effort. The full NIST SP 800-53 Rev. 5 catalog provides detailed control statements for each mapping below.
| Framework | Equivalent Control(s) | Coverage |
|---|---|---|
| NIST 800-53 | AT-02 (Literacy Training and Awareness) | Full |
| NIST 800-53 | PE-03 (Physical Access Control) | Full |
| NIST 800-53 | PE-05 (Access Control for Output Devices) | Full |
| NIST 800-53 | PS-08 (Personnel Sanctions) | Full |
| SOC 2 TSC | CC6.4 (Restricting Physical Access) | Full |
| CIS Controls v8.1 | Control 3 (Data Protection) | Partial |
| NIST CSF 2.0 | PR.AC (Access Control) | Partial |
| DORA (EU) | Article 11 (Physical and environmental security) | Full |
Organizations already compliant with NIST 800-53 PE-03 (Physical Access Control) will find significant overlap with 7.3’s requirements for physical access control. The SOC 2 CC6.4 mapping is particularly relevant for SaaS vendors undergoing both ISO 27001 and SOC 2 audits.
Note that “Partial” coverage means the framework addresses some but not all aspects of 7.3. CIS Controls v8.1 Control 3, for example, focuses on data protection broadly but doesn’t prescribe specific physical barrier requirements. Where coverage is partial, you’ll need to supplement with additional controls from the target framework to achieve equivalent protection.
Related ISO 27001 Controls
Control 7.3 doesn’t operate in isolation. Physical security for offices, rooms, and facilities connects directly to perimeter security, entry controls, monitoring, and the rules governing behavior inside secured spaces. The following controls, detailed in ISO/IEC 27002:2022, form a functional chain around physical security. When planning your 7.3 implementation, review these related controls to ensure your physical security program doesn’t have gaps at the boundaries between controls.
| Control ID | Control Name | Relationship |
|---|---|---|
| 7.1 | Physical Security Perimeters | Defines the outer boundary that 7.3 protects within |
| 7.2 | Physical Entry Controls | Governs how access is granted at entry points defined by 7.3 |
| 7.4 | Physical Security Monitoring | Monitors the zones established under 7.3 |
| 7.5 | Protecting Against Physical and Environmental Threats | Addresses the environmental protections referenced in 7.3 implementation |
| 7.6 | Working in Secure Areas | Rules for behavior inside the secure areas 7.3 establishes |
| 7.8 | Equipment Siting and Protection | Governs placement of equipment within the secured facilities |
| 5.15 | Access Control | Logical access control policy that parallels 7.3’s physical access requirements |
| 5.10 | Acceptable Use of Information and Other Associated Assets | Defines acceptable use rules within secured areas |
| 6.1 | Screening | HR screening of personnel who access secured areas |
Frequently Asked Questions
What is ISO 27001 7.3?
ISO 27001 Annex A Control 7.3 requires organizations to design and implement physical security for offices, rooms, and facilities where information is processed or stored. It mandates that physical barriers be proportional to the value of the assets protected, preventing unauthorized access to sensitive spaces. The control applies to any location where information assets are processed, stored, or discussed — not just data centers or server rooms.
What happens if 7.3 is not implemented?
Without 7.3 controls, unauthorized individuals can physically access sensitive areas, leading to data theft, equipment tampering, or destruction of critical assets. The operational impact extends beyond the immediate incident — forensic investigation, incident response, and remediation can take weeks. From a compliance perspective, failure to implement 7.3 results in audit non-conformity and can jeopardize ISO 27001 certification.
How do you audit 7.3?
Auditors conduct physical walk-throughs of facilities, review electronic access logs, inspect visitor registers, and verify that the actual zoning and controls match documented policy. They’ll check that access reviews happen on schedule and that corrective actions from previous reviews have been addressed. See the audit evidence table above for specific artifacts to prepare.
How UpGuard Helps
Connect physical security compliance to your broader risk posture
Assessing whether your vendors meet physical security requirements like 7.3 is one piece of a larger risk picture. UpGuard User Risk lets you evaluate vendor security posture — including physical controls — alongside cyber risk, so you can manage compliance across your entire third-party ecosystem from a single vendor risk management platform.