ISO 27001: 2022 A.7.2 Physical entry

This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.7.2, Physical entry.

ISO 27001: 2022 Control Description

Secure areas shall be protected by appropriate entry controls and access points.

Purpose

To ensure that only authorised physical access to the organisation’s information and other associated assets occurs.

Guidance on implementation

Access points such as delivery and loading areas, and other points where unauthorised persons could enter the premises, should be controlled and, if possible, isolated from information processing facilities to prevent unauthorised access.

The following guidelines should be considered:

a) Restricting access to sites and buildings to authorised personnel only. The process for managing access rights to physical areas should include the provision, periodic review, updating, and revocation of authorisations.

b) Securely maintaining and monitoring a physical logbook or electronic audit trail of all access, and protecting all logs and sensitive authentication information.

c) Establishing and implementing a process and technical mechanisms for managing access to areas where information is processed or stored. Authentication mechanisms could include the use of access cards, biometrics, or two-factor authentication, such as an access card and secret PIN.

d) Setting up a reception area monitored by personnel or other means to control physical access to the site or building.

e) Inspecting and examining the personal belongings of personnel and interested parties upon entry and exit.

Note: Local legislation and regulations may exist regarding the inspection of personal belongings.

f) Requiring all personnel and interested parties to wear visible identification and to immediately notify security personnel if they encounter unescorted visitors or anyone not wearing visible identification. Easily distinguishable badges should be considered to better identify permanent employees, suppliers, and visitors.

g) Granting supplier personnel restricted access to secure areas or information processing facilities only when required. This access should be authorised and monitored.

h) Paying special attention to physical access security in buildings housing assets for multiple organisations.

i) Designing physical security measures so that they can be strengthened when the likelihood of physical incidents increases.

j) Securing other entry points, such as emergency exits, against unauthorised access.

k) Setting up a key management process to control physical keys and authentication information (e.g. lock codes, and combination locks for offices, rooms, and facilities such as key cabinets), including a logbook or an annual key audit and controlled access to those physical keys and authentication information.

Visitors

The following guidelines should be considered:

a) Authenticating the identity of visitors by an appropriate means;

b) Recording the date and time of entry and departure of visitors;

c) Only granting access to visitors for specific, authorised purposes and providing instructions on the security requirements of the area and on emergency procedures;

d) Supervising all visitors, unless an explicit exception is granted.

Delivery and Loading Areas and Incoming Material

The following guidelines should be considered:

a) Restricting access to delivery and loading areas from outside of the building to identified and authorised personnel;

b) Designing delivery and loading areas so that deliveries can be loaded and unloaded without delivery personnel gaining unauthorised access to other parts of the building;

c) Securing the external doors of delivery and loading areas when doors to restricted areas are opened;

d) Inspecting and examining incoming deliveries for explosives, chemicals, or other hazardous materials before they are moved from delivery and loading areas;

e) Registering incoming deliveries in accordance with asset management procedures upon entry to the site;

f) Physically segregating incoming and outgoing shipments, where possible;

g) Inspecting incoming deliveries for evidence of tampering en route. If tampering is discovered, it should be immediately reported to security personnel.