ISO 27001 Annex A Control 7.2

ISO 27001 control 7.2 Physical entry

The basics

ISO 27001 control A.7.2 Physical entry requires companies to use entry controls to protect secure areas, in order to protect sensitive information in those secure areas.

Documentation

ISO 27001 control A.7.2 Physical entry can be documented:

  • for smaller companies by defining in the Statement of Applicability (SoA) how access to the company’s areas is controlled (i.e., no separate document is needed)
  • for mid-sized and larger companies by writing a Policy for Managing Physical Security

Implementation

In order to comply with control A.7.2 Physical entry, you might implement the following:

  • Technology — the technology used to control physical entry may range from access cards and PINs to physical or electronic access logs that provide an audit trail. Companies of all sizes need to plan how to control physical entry to their areas based on a risk assessment and on the sensitivity of the information stored and/or processed in each area.
  • Organization/processes — you should set up criteria for selecting the applicable physical entry controls, and define how they are selected according to the sensitivity of the information stored and/or processed in the area concerned. You can document those processes in a Policy for Managing Physical Security.
  • People — make employees aware of the defined physical entry controls, and train the relevant employees on how to define them.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.7.2 Physical entry: whether entry controls are in place and in use to protect secure areas.