Gary Hibberd

ISO27001:2022 - A7.6 – Working in secure areas

ISO27001 Annex A control A7.1 speaks of perimeter defences, and Annex A control A7.3 speaks of securing offices, rooms and facilities. But there is still this control, which looks specifically at working in secure areas. The purpose is to protect information and other associated assets in secure areas from damage and unauthorised interference by personnel working in these areas.

What does the standard require?

The standard states that “Security measures for working in secure areas shall be designed and implemented.” (A7.6 – Working in secure areas).

Notice that the control requires security measures for working in secure areas. This tells us that this control is looking for a range of controls to be in place, which can include both technical and organisational measures.

Why is this required?

Authorised personnel can still pose a risk to your organisation, even if they don’t mean to. For example, what controls do you have around people storing items in secure rooms that could pose a danger to you or the equipment?

A small business we worked with decided to decorate their main office space, but when the work was done they had some paint left over. Can you guess where they stored it? You guessed it: in the server room. After all, it’s out of the way, right? True. But it’s also highly flammable.

Another client we worked with had suffered a catastrophic data outage that took their business days to recover from. What was the cause? An engineer had taken a cup of coffee into the comms room while he fixed an issue. Sadly, one cup of coffee accidentally poured over the server caused more than a few comms issues.

Without having a range of security measures in place, secure areas can quickly become ‘unsecure’ and lead to damage and data loss.

What the auditor is looking for

The auditor will look for evidence that a range of security measures have been designed and implemented. These measures typically include:

  • Access Control Policies

  • Segregation of Duties

  • Visitor logs

  • Directions and instructions for operating in secure areas (e.g. restriction on the use of mobile phones)

  • Emergency evacuation procedures

  • Training and education

Keep in mind that this is about evidencing how people work in secure areas, and what measures are in place to ensure security is maintained.

What do you need to do?

Look closely at the areas in your business which require additional security measures, such as those you identified when you worked through ISO27001 Annex A Control A7.3 (Securing offices, rooms and facilities). Consider what security measures you should implement to protect information security while operating in these areas.

For example, you might look to include a visitor log, so that you have a list of people who have entered that area. You might also create a set of rules that people must adhere to, such as:

  1. No smoking.

  2. No food or drink.

  3. No video, photographic or recording devices.

For training and education, you might look to educate those who have access to that area about what they can and can’t do there. For example, you might stipulate that visitors and guests are to be escorted at all times. If your business is in manufacturing, some of these measures will not be unfamiliar to you, because Health & Safety requirements may already stipulate them.

Q & A

What can we do if secure areas are not under our direct control?

Sometimes you find that secure rooms and offices are not under your direct control, but this doesn’t mean you can’t outline what you expect from your personnel while working in those areas.


Record on your risk register that these areas are not under your control, and where possible implement additional controls, such as more regular audits of access logs, CCTV etc.

Difficulty rating

We rate this a 2 out of 5 difficulty rating. This ISO27001 control isn’t difficult, as it simply requires the development of processes and policies to establish rules for working in these secure areas. As with all controls, it is important that you audit these security measures to ensure they are being complied with. This is especially important if your secure areas are not completely under your control.

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.
