ISO 27001:2022 A 7.6 Working in Secure Areas

 Secure areas are areas within buildings or facilities where personnel work with sensitive information or assets (e.g. classified material). Secure areas are sites where sensitive information is handled or housed. This means that anywhere IT equipment or personnel are sheltered qualifies as a secure area. Buildings, rooms and offices. These can all be secure areas. The purpose of physical security processes is to ensure that your information is protected from physical threats. And this includes both physical and digital assets. Organisations must put in place appropriate security measures that apply to all personnel working in secure areas so that they cannot access, use, modify, destruct, damage, or interfere with information assets or information facilities without authorization. Housing sensitive information assets in secure areas such as secure server rooms and implementing strict access controls is not sufficient to maintain the security of these assets. Employees with access to secure rooms may, deliberately or negligently, cause damage to the hardware equipment and digital assets stored in secure areas or access, use, destruct these information assets and facilities without permission.


Security measures for working in secure areas should be designed and implemented.


To protect information and other associated assets in secure areas from damage and unauthorized interference by personnel working in these areas.

ISO 27002 Implementation Guidance

The security measures for working in secure areas should apply to all personnel and cover all activities taking place in the secure area. The following guidelines should be considered:

  1. making personnel aware only of the existence of, or activities within, a secure area on a need-to- know basis;
  2. avoiding unsupervised work in secure areas both for safety reasons and to reduce chances for malicious activities;
  3. physically locking and periodically inspecting vacant secure areas;
  4. not allowing photographic, video, audio or other recording equipment, such as cameras in user endpoint devices, unless authorized;
  5. appropriately controlling the carrying and use of user endpoint devices in secure areas;
  6. posting emergency procedures in a readily visible or accessible manner.

The security measures should cover all personnel working in secure areas and should apply to all activities carried out in these areas. While the type and degree of security measures implemented may vary depending on the level of risk to specific information assets, organisations should adhere to:

  • Organisations should inform their personnel about the existence of secure areas and about the specific operations conducted in these areas on a need-to-know basis.
  • No personnel should be allowed to carry out any unsupervised activity in the designated secure areas.
  • Unoccupied secure areas should be locked and should be subject to periodic inspections.
  • Use of recording equipment, including those used to record audio, video, and photos, should be subject to strict authorisation procedures.
  • Carriage and use of end-point user devices such as laptops and smartphones in secure areas should be subject to strict controls.
  • Emergency procedures should be displayed in a place easily accessible to all personnel working in secure areas
  • writing an operational requirement
  • the principle of locating them in spaces where the vulnerabilities are at their lowest (e.g. away from public areas, being overlooked etc)
  • the concept of multiple layers, following the principles of deter, detect, delay etc
  • the following three central pillars of barriers, access control and detection
  • the physical measures being built using appropriate and proven materials, equipment and methods that are relevant to the threats
  • the physical security measures being commensurate and compatible with personnel, information and technical security measures. Threats to secure working areas are likely to be persistent, and security will only be as strong as the weakest link
  • the successful implementation of procedural controls to ensure security integrity.
  • A physical security perimeter – such as walls, card controlled entry gates or manned reception security desks
  • Physical entry controls – adequate and appropriate entry controls to ensure only authorised personnel are allowed access
  • Secure offices, rooms and facilities – physical corporate security solutions designed and applied
  • Protection against external and environmental threats – physical protection against fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disasters
  • Secure area protection – physical corporate security solutions designed and applied for secure areas
  • Physical security for public access, delivery and loading areas – access points where unauthorised persons may enter controlled and, if possible, isolated from information processing facilities to avoid unauthorised access

To ensure compliance, here are some physical security tips:

  • The walls, ceilings and floor of any secure area should be of the same strength. If someone can access a secure area via, say, a false ceiling you will be non-compliant.
  • The most sensitive assets should be stored in the most secure areas. Using the “onion technique”, each perimeter “layer” should house progressively more sensitive assets.
  • Ban mobile phone and camera use in secure areas.
  • Prohibit lone working in secure areas.
  • Don’t co-store other assets (such as paper, non-IT equipment or anything else) in secure areas.
  • Ensure delivery and loading areas don’t give direct access to secure areas.
  • Install a welcome desk where at where all visitors are required to report first.
  • Have security guards challenge unknown persons.
  • Monitor spaces around the perimeter with CCTV or security patrols.

Leave a Reply