7.5: Protecting against physical and environmental threats | ISO 27001

A flooded basement server room doesn’t send a calendar invite before it ruins your quarter. When physical protections fail, the damage isn’t hypothetical — it’s corrupted drives, lost uptime, regulatory scrutiny, and a recovery timeline measured in weeks. ISO 27001 7.5 exists because the threats that bypass your firewalls entirely are often the ones that do the most lasting harm.

What 7.5 requires

ISO 27001 Annex A 7.5 requires organizations to design and implement physical protection measures that safeguard critical infrastructure, information systems, and personnel against natural disasters, environmental hazards, and deliberate physical attacks. The control goes beyond locking doors and installing cameras. It demands a structured approach to identifying site-specific risks and deploying countermeasures that match the severity and likelihood of each threat.

Your organization must assess every facility where information assets are processed, stored, or transmitted. That assessment needs to account for natural threats (flooding, earthquakes, storms), environmental hazards (fire, HVAC failure, water ingress), and intentional interference (vandalism, sabotage, unauthorized physical access to equipment). The control expects you to treat each site individually because a coastal data center faces different risks than a landlocked office.

Once threats are identified, you need documented countermeasures in place. Fire suppression systems, uninterruptible power supplies, flood detection, environmental monitoring, and structural reinforcements all fall within scope. The control also requires that these protections are maintained and tested, not just installed and forgotten. Protecting against physical and environmental threats under ISO 27001 7.5 means building resilience into the physical layer of your Information Security Management System (ISMS), not treating it as a facilities afterthought.

Why 7.5 matters

A mid-sized financial services firm operates its primary systems from a co-located data center. During a summer heatwave, an aging HVAC unit in the server hall fails silently overnight. By morning, rack temperatures have exceeded safe operating thresholds for six hours. Three storage arrays suffer thermal damage, corrupting transaction records that take eleven days to reconstruct from backups. The firm’s clients experience service degradation, the regulator asks pointed questions, and the total cost of the incident reaches well into six figures.

This scenario plays out more often than most security teams expect. Uptime Institute found that power-related failures remain the leading cause of significant data center outages, accounting for roughly two in five serious incidents. Environmental and physical failures don’t discriminate by industry or organization size. They exploit gaps in monitoring, maintenance, and contingency planning.

Without 7.5, physical and environmental protections tend to drift. Fire suppression systems go untested. Backup generators aren’t load-tested under realistic conditions. Leak detectors are installed during construction and never inspected again. The control forces a discipline of ongoing assessment and verification that keeps these protections functional, not decorative.

What attackers and hazards exploit

  • Server rooms in flood-prone basements with no water detection. Building planners often place server infrastructure in lower levels for convenience, ignoring that basements are the first areas to flood during heavy rain or plumbing failures.
  • Untested or unmaintained fire suppression systems. Gas suppression systems that haven’t been serviced in years may fail to discharge, or discharge incorrectly, when an actual fire occurs.
  • Single points of failure in power delivery. Facilities that rely on a single utility feed with no Uninterruptible Power Supply (UPS) or backup generator leave their entire infrastructure vulnerable to a single grid event.
  • Undetected HVAC failures causing equipment overheating. Without temperature and humidity monitoring tied to alerting systems, thermal events can damage hardware for hours before anyone notices.
  • Flammable materials stored near server rooms. Cardboard, cleaning supplies, and surplus equipment stored adjacent to racks increase fire risk and violate most building codes.
  • No site-specific environmental risk assessment. Organizations that apply a generic template rather than evaluating each facility’s unique geography, construction, and utility infrastructure miss threats specific to that location.
  • Cable runs exposed to accidental damage during building works. Construction or renovation projects near data rooms can sever network or power cabling when routes aren’t clearly documented and protected.

How to implement 7.5

For your organization (first-party)

Step 1: Conduct a site-level physical and environmental risk assessment for each facility. Walk every location where information assets reside. Document the building’s construction type, surrounding geography, flood zone status, seismic classification, proximity to industrial hazards, and utility infrastructure. Each site gets its own assessment because the threat profile at a coastal office differs fundamentally from an inland data center.

Step 2: Map identified threats to specific countermeasures. For each risk category (fire, flood, power, HVAC, seismic, intentional attack), define the controls that reduce likelihood and impact to an acceptable level. This mapping becomes the core of your 7.5 compliance documentation.

Step 3: Implement fire protection controls. Install smoke and heat detectors appropriate to the environment. Deploy gas-based suppression systems (such as FM-200 or Novec 1230) in enclosed server rooms where water-based sprinklers would damage equipment. Place appropriate fire extinguishers at accessible locations. Ensure fire doors are rated, labeled, and tested on schedule.

Step 4: Implement water and flood protection. Install leak detection sensors under raised floors, near pipe penetrations, and at any point where water could enter the server environment. Use drip trays beneath cooling units. Seal cable and pipe penetrations through walls and floors to prevent water ingress from adjacent spaces.

Step 5: Implement power protection. Install surge protection devices at the facility’s electrical entry point and at the rack level. Deploy UPS systems sized to carry the critical load long enough for generators to start. Install and maintain backup generators, and conduct load testing at least annually under conditions that simulate a real outage. Research from the Ponemon Institute found that the average cost of a single data center outage exceeds $100,000, with prolonged incidents reaching into the millions, making the investment in redundant power infrastructure a clear financial decision.

Step 6: Deploy environmental monitoring. Install temperature and humidity sensors throughout server environments. Connect them to a centralized alerting platform that notifies operations staff when thresholds are breached. Set alerts well below the point of equipment damage to allow time for intervention.

Step 7: Align with health and safety requirements. Fire doors must fail open (unlocked) during emergencies to allow safe evacuation. Suppression agents must be safe for occupied spaces. Emergency lighting and exit signage need regular testing. Physical security controls should never create conditions that endanger personnel.

Step 8: Document everything. Maintain current records of risk assessments, countermeasure designs, installation certificates, maintenance logs, and test results. Auditors will expect to see evidence that controls are not just designed but actively maintained and verified.
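As an added illustration of the alerting logic behind Step 6 (this is example code, not from the original page or UpGuard), the evaluator below checks constructed sensor readings against hypothetical thresholds set below the hardware damage point. It also raises an alert when a sensor goes silent, which is how the overnight HVAC failure described earlier would otherwise go unnoticed, and when temperature is climbing fast even though no limit has been crossed yet.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical thresholds (assumed, not taken from the standard): alerts fire well
# below the point at which hardware is damaged so staff have time to intervene.
WARN_C = 27.0          # early warning
CRIT_C = 32.0          # critical, still under an assumed ~35 C damage point
STALE_AFTER_S = 900    # a sensor silent for 15 minutes is itself an alert
RISE_C_PER_HOUR = 3.0  # sustained rise hints at HVAC failure before limits are hit


@dataclass(frozen=True)
class Reading:
    sensor: str
    ts: int          # unix seconds
    temp_c: float


def evaluate(readings, now):
    """Return {sensor: [alert, ...]} describing the latest state of each sensor."""
    by_sensor = defaultdict(list)
    for r in readings:
        by_sensor[r.sensor].append(r)
    alerts = {}
    for sensor, series in by_sensor.items():
        series.sort(key=lambda r: r.ts)
        latest, found = series[-1], []
        # A silent sensor is exactly the "fails silently overnight" failure mode.
        if now - latest.ts > STALE_AFTER_S:
            found.append("STALE")
        if latest.temp_c >= CRIT_C:
            found.append("CRITICAL")
        elif latest.temp_c >= WARN_C:
            found.append("WARNING")
        hours = (latest.ts - series[0].ts) / 3600
        if hours >= 0.5 and (latest.temp_c - series[0].temp_c) / hours >= RISE_C_PER_HOUR:
            found.append("RISING")
        alerts[sensor] = found
    return alerts


# Constructed sample readings; NOW is an arbitrary reference timestamp.
NOW = 1_700_000_000
SAMPLE = [
    Reading("rack-a", NOW - 3600, 22.0), Reading("rack-a", NOW - 60, 22.5),    # healthy
    Reading("rack-b", NOW - 7200, 23.0), Reading("rack-b", NOW - 3900, 23.4),  # went silent
    Reading("rack-c", NOW - 3600, 23.0), Reading("rack-c", NOW - 60, 29.0),    # warming fast
    Reading("rack-d", NOW - 3600, 31.0), Reading("rack-d", NOW - 60, 33.0),    # over critical
]

if __name__ == "__main__":
    for sensor, found in sorted(evaluate(SAMPLE, NOW).items()):
        print(sensor, found or ["ok"])
```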

Common mistakes:

  • Treating physical security as a facilities-only concern. When physical controls aren’t integrated into the ISMS, gaps between security policy and building operations go unnoticed.
  • Conducting a one-time risk assessment that’s never updated. Building renovations, tenant changes, new equipment installations, and shifting climate patterns all alter the threat profile.
  • Using cloud hosting as an excuse to skip local office protections. Workstations, network equipment, and backup media in offices still need environmental protection, even if production servers are offsite.
  • Storing flammable materials in or near server rooms. Surplus packaging, paper records, and cleaning chemicals are common culprits that increase fire load unnecessarily.
  • Not testing backup power under realistic load. A generator that starts successfully under no-load conditions may fail when asked to carry the actual critical infrastructure during an outage.

For your vendors (third-party assessment)

When assessing vendors against ISO 27001 7.5 requirements, your due diligence needs to go beyond accepting a certificate at face value. Ask specific questions and request specific evidence.

Questions to ask:

  • What natural disaster and environmental risks have you identified for each facility where our data is processed or stored?
  • What fire suppression technology is deployed in your server environments, and when was it last tested?
  • What is your backup power architecture (UPS capacity, generator fuel autonomy, time to failover)?
  • How do you monitor environmental conditions (temperature, humidity, water ingress) in real time?
  • When was your most recent physical/environmental risk assessment conducted, and what changed as a result?

Evidence to request:

  • Current physical/environmental risk assessment reports for relevant facilities
  • Fire suppression system inspection and test certificates
  • UPS and generator load test records from the past 12 months
  • Environmental monitoring dashboards or alert configuration documentation
  • Business continuity and disaster recovery plans covering physical incidents
  • ISO 27001 Statement of Applicability (SoA) showing 7.5 as in scope

Red flags:

  • The vendor cannot provide facility-specific risk assessments and instead offers only a generic corporate security policy.
  • Fire suppression or power backup test records are more than 12 months old.
  • Environmental monitoring exists but isn’t connected to real-time alerting.
  • The vendor claims ISO 27001 certification but excludes physical controls from the SoA scope.
  • No evidence of periodic review or update to physical protection measures.

Verification beyond self-attestation: Request permission to conduct a physical site visit, or engage a qualified third party to perform one on your behalf. Review the vendor’s most recent external audit report (SOC 2 Type II or ISO 27001 surveillance audit) for findings related to physical and environmental controls. Cross-reference their stated controls against the actual facility conditions observed during the visit.

Audit evidence for 7.5

| Evidence type | Example artifact |
| --- | --- |
| Risk assessment | Site-specific physical and environmental risk assessment report, dated and signed, covering each in-scope facility |
| Fire protection records | Gas suppression system inspection certificate from a qualified fire protection contractor, dated within the past 12 months |
| Power protection records | UPS battery test report and generator load test results, including test duration and load percentage |
| Environmental monitoring | Screenshot or export from the environmental monitoring platform showing sensor placement, threshold configuration, and alert history |
| Maintenance logs | Scheduled maintenance records for HVAC, fire suppression, UPS, and generator systems with technician sign-off |
| Flood/water protection | Leak detection system test records and installation diagrams showing sensor placement relative to water sources |
| Health and safety alignment | Fire door inspection log, emergency lighting test certificates, and suppression agent safety data sheets |
| Change management | Records showing physical/environmental risk assessments were updated following facility modifications or building works |

Cross-framework mapping

| Framework | Equivalent control(s) | Coverage |
| --- | --- | --- |
| NIST 800-53 | CP-06 (Alternate Storage Site) | Full |
| NIST 800-53 | CP-07 (Alternate Processing Site) | Full |
| NIST 800-53 | PE-09 (Power Equipment and Cabling) | Full |
| NIST 800-53 | PE-13 (Fire Protection) | Full |
| NIST 800-53 | PE-14 (Environmental Controls) | Full |
| NIST 800-53 | PE-15 (Water Damage Protection) | Full |
| NIST 800-53 | PE-18 (Location of System Components) | Full |
| NIST 800-53 | PE-19 (Information Leakage) | Partial |
| NIST 800-53 | PE-23 (Facility Location) | Full |
| SOC 2 | CC6.4 | Partial |
| CIS Controls v8.1 | Control 11 | Partial |
| NIST CSF 2.0 | PR.IP-5 | Full |
| DORA | Article 11 | Partial |

| Control ID | Control name | Relationship |
| --- | --- | --- |
| 7.1 | Physical security perimeters | Defines the boundaries that 7.5 protections operate within |
| 7.2 | Physical entry controls | Controls who can access the areas 7.5 is designed to protect |
| 7.3 | Securing offices, rooms, and facilities | Addresses the structural security of the spaces containing protected assets |
| 7.4 | Physical security monitoring | Provides the surveillance layer that detects threats 7.5 countermeasures address |
| 7.6 | Working in secure areas | Governs personnel behavior in the areas protected by 7.5 controls |
| 7.7 | Clear desk and clear screen | Reduces exposure of information assets within physically protected areas |
| 7.8 | Equipment siting and protection | Complements 7.5 by addressing how equipment is positioned to minimize environmental risk |
| 7.9 | Security of assets off-premises | Extends physical protection considerations to assets outside the facilities 7.5 covers |
| 7.10 | Storage media | Covers protection of media that may be affected by the environmental threats 7.5 addresses |
| 7.11 | Supporting utilities | Directly relates to the power, HVAC, and utility infrastructure that 7.5 protections depend on |

Frequently asked questions

What is ISO 27001 7.5?

ISO 27001 Annex A 7.5 is the control that requires organizations to implement physical protections against natural disasters, environmental hazards, and intentional physical attacks on their information infrastructure. It covers fire protection, flood prevention, power resilience, environmental monitoring, and structural safeguards for every facility where information assets are processed or stored. The control applies within an ISO 27001-certified ISMS and requires ongoing maintenance and testing of all protective measures.

What happens if 7.5 is not implemented?

Without the protections 7.5 mandates, organizations face unmitigated risk from events like fires, floods, power failures, and HVAC breakdowns that can destroy hardware, corrupt data, and cause extended outages. These incidents carry direct financial costs through equipment replacement and lost revenue, regulatory consequences if data loss triggers breach notification obligations, and reputational damage that erodes client trust. During an ISO 27001 audit, a gap in 7.5 implementation would result in a nonconformity finding.

How do you audit 7.5?

Auditing ISO 27001 7.5 involves reviewing documented risk assessments for each facility, inspecting physical countermeasures on-site, and verifying that maintenance and test records are current. Auditors look for evidence that fire suppression, power backup, environmental monitoring, and flood protection systems are not only installed but regularly tested and maintained. They also confirm that risk assessments have been updated to reflect changes in the facility, its surroundings, or its use.

How UpGuard helps you monitor physical and environmental risk

Physical threats don’t stay contained. A flood that takes down a vendor data center or a fire at a critical supplier facility becomes your problem the moment it affects your data or your operations.

  • Breach Risk: Continuous visibility into your external attack surface, surfacing exposed infrastructure and environmental vulnerabilities across your organization and your vendor ecosystem before they become incidents.
