Control Definition
The organization must define security perimeters and use them to protect areas containing information and other associated assets. The siting and strength of each perimeter must be proportionate to the security requirements of what sits inside it, and the barriers themselves — walls, doors, windows, ceilings — must be physically sound, with no gaps an intruder could exploit.
Control Objective
To stop unauthorized people from physically reaching, damaging, or interfering with the organization's information and the assets that support it.
What This Really Means
Think of how an airport works: anyone can walk into the terminal, only ticketed passengers pass security, only passengers on a specific flight reach the gate, and only crew enter the cockpit. Each ring is harder to cross than the last, and the strength of each barrier matches what it protects. A.7.1 asks you to design your facilities the same way — concentric zones such as street, reception, general office, server or records room, locked rack — each with a defined boundary and a deliberate level of protection.
"Proportionate" is the operative word. The standard does not demand turnstiles and bollards for a 20-person SaaS office. It demands that you consciously decide what each area contains and what barrier that justifies. A visitor lounge needs almost nothing; the room holding your network core, HR files, or signed contracts needs walls that reach the structural slab, a door that locks and closes itself, and a short list of people who can open it. Soundness matters as much as design: a perimeter drawn on a floor plan fails in reality if the wall stops at the false ceiling, the fire exit is propped open for smokers, or a ground-floor window latch has been broken since the last fit-out.
Modern operating models reshape this control without voiding it. A cloud-first company's perimeter might be one office plus a caged rack in a colocation facility — the office zones still matter for laptops, people, and network gear, while the colo cage is a perimeter you inherit through contract and verify through supplier assurance. In a coworking space you cannot rebuild the landlord's walls, so your perimeter shrinks to what you actually control: a lockable private office, a locked cabinet, encrypted devices — with the residual risk acknowledged in the risk assessment rather than wished away.
What auditors treat as the heart of A.7.1 is the match between paper and building. They want a documented zone definition that traces to asset value — your classification scheme should be visible in your floor plan — and then they will walk the route from the street to your most sensitive room, counting barriers and testing whether each one actually holds.
Why It Matters
Physical access defeats most logical controls. An attacker who reaches your equipment can boot from external media, lift disks, plant a rogue device on an open network port, or simply carry hardware out the door — bypassing years of investment in identity, encryption, and monitoring in a few unsupervised minutes. Perimeters are the control that decides whether anyone ever gets that chance.
Weak perimeters are also a quiet certification problem. Your ISO 27001 scope names physical locations, and the Stage 2 audit starts at the front door: the site tour is where zone definitions meet reality, and mismatches become findings before a single document is opened.
When security perimeters are undefined or unsound, organizations face:
- Logical controls bypassed at the rack – Console access, stolen disks, and rogue devices turn a physical gap into a full technical compromise
- Theft of devices and media – Laptops, backup drives, and paper records walk out of spaces that were never deliberately protected
- Unobserved third-party access – Cleaning crews, maintenance contractors, and after-hours visitors move freely when zones exist only on paper
- Audit findings at the site tour – A propped server-room door or a wall that stops at the suspended ceiling contradicts the documented perimeter in front of the auditor
- Flat physical space, total exposure – With a single undifferentiated zone, one breach of the front door reaches everything the organization owns
Regional Compliance Context
For BFSI organizations in India, physical perimeters extend to outsourced infrastructure: RBI master directions expect regulated entities to retain responsibility for the security of facilities run by their service providers, so a caged rack in a Mumbai or Chennai colocation facility belongs in your zone definition, with the provider's guards, mantraps, and biometric controls verified through supplier assurance rather than assumed. SEBI's CSCRF sets similar expectations for market intermediaries.
In the Gulf, data-residency expectations under the Saudi PDPL and sector rules push workloads into in-country colocation facilities — the same principle applies: the cage is your perimeter, evidenced through the provider's certifications and your own periodic site visits.
Implementation Guidance
Map What Needs Protecting and Where It Lives
Start from the asset register (A.5.9), not the building plan. List where information and supporting assets physically sit: server and comms rooms, records storage, finance and HR areas, development floors, colocation cages. The perimeter exercise only makes sense once you know what each space contains and how it is classified.
Define Concentric Security Zones
Divide each facility into zones of increasing protection — typically public/reception, general work area, restricted rooms, and equipment cabinets or racks. Mark the zones on a floor plan and give each a short definition: what it contains, who may enter, and what barrier separates it from the zone outside. Three zones are enough for most small offices.
Set Protection Requirements Proportionate to Each Zone
For every zone boundary, decide the barrier standard the contents justify: self-closing locked doors, badge readers, reinforced walls, window protection, cabinet locks. Tie the decision to your classification scheme and risk assessment so the rationale is traceable — auditors probe why the server room got a badge reader and the stationery store did not.
Verify Physical Soundness of Every Boundary
Walk each perimeter and test it like an intruder: do walls run slab-to-slab or stop at the false ceiling, do doors close and latch unaided, are ground-floor windows secured, are fire exits alarmed rather than propped? Record findings and fix the gaps — a documented walk-through with remediation is strong evidence the control operates.
Address Perimeters You Do Not Control
For coworking spaces, multi-tenant buildings, and colocation facilities, document the split: which barriers the landlord or provider owns, which are yours. Collect assurance for the inherited part — contract clauses, the provider's ISO 27001 certificate or SOC 2 report, and a site visit for critical facilities — and compensate inside your own demise with lockable rooms and cabinets.
Document the Perimeter Definition
Capture zones, boundaries, and protection requirements in your physical security policy or procedure, supported by marked-up floor plans and a named owner per site (typically the facilities or office manager). Keep the plans access-controlled — a detailed map of your secure areas is itself sensitive information.
Review on Change and at Planned Intervals
Re-examine perimeters whenever the facility changes — office moves, renovations, new equipment rooms, a new floor — and on a planned cycle, typically an annual walk-through. Feed defects into the risk register and corrective action tracking so reviews leave a trail.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.1:
Documentation
- Physical security policy or procedure defining security zones and the protection required for each
- Marked-up floor plans or zone maps showing perimeters and what sits behind each barrier
- Risk assessment entries linking facility zones to the assets and classifications they protect
- Perimeter inspection or walk-through records with findings and remediation actions
- For colocation, coworking, or multi-tenant sites: contracts and assurance reports (provider ISO 27001 certificate, SOC 2 report) covering inherited physical controls
Interviews
- Facilities or office manager about how zones were defined, who owns each barrier, and how changes to the building are security-reviewed
- CISO or security lead about how perimeter strength traces back to asset classification and the risk assessment
- Employees about which areas they can access and what they would do on finding a secure door propped open
Observations
- The site walk-through itself — the auditor traces the path from public entrance to the most sensitive room, counting and testing barriers
- Condition of boundaries: doors that self-close and latch, walls without gaps above false ceilings, secured ground-floor windows
- Fire exits and secondary doors — alarmed, closed, and free of props, wedges, or disabled alarms
Practitioner Insights

A pattern I see across audits: the zone map says restricted, but the building says otherwise — the server room door is wedged open for cooling, the wall stops at the suspended ceiling, the fire exit alarm was disabled after one too many false activations. I walk the perimeter before I read the policy, because the building never lies. Map your zones to your classification scheme, then test each boundary the way an intruder would — after hours, from the outside, through the loading dock. If your own walk-through finds nothing, repeat it with someone who did not design the perimeter.

Startups in coworking spaces often freeze on this control because they cannot modify the building. You do not need to — define honestly what you control: a lockable office or cabinet, encrypted laptops, a clean-desk habit, with the rest documented as the provider's responsibility and backed by whatever assurance the agreement gives you. What fails audits is not the small perimeter; it is the missing definition. A one-page zone description with a marked-up floor plan takes twenty minutes and turns "we rent desks" into a defensible control.
Common Challenges & Solutions
Challenge
The organization sits in a coworking or serviced office and cannot control the building perimeter at all.
Solution
Shrink the perimeter to what you control: a lockable private office or dedicated room, locked storage for documents and spare equipment, and device-level controls (full-disk encryption, cable locks, screen privacy). Document the provider's responsibilities and house rules as inherited controls, and record the residual risk formally rather than ignoring it.
Challenge
Perimeters look solid on the floor plan but have physical gaps — walls ending at false ceilings, unalarmed fire doors, accessible service hatches.
Solution
Run a "walk the walls" inspection for every restricted room: check above the suspended ceiling and below raised floors, test that doors self-close and latch, verify fire exits alarm when opened. Log defects with photos, fix them through facilities, and re-inspect annually — the inspection record itself becomes audit evidence.
Challenge
Cloud-first teams argue the control is not applicable because production runs in AWS or Azure.
Solution
The cloud provider's data centers are out of your physical scope, but your office is not — it still holds the laptops, people, network equipment, and often paper that an attacker would target. Keep A.7.1 applicable, scope it to your premises and any colocation cage, and cover the hyperscaler's share through supplier assurance under your cloud-services controls.
Challenge
In multi-tenant buildings the lobby, lifts, and shared corridors are controlled by the landlord, not the tenant.
Solution
Treat the landlord's controls as an outer ring you verify but do not own: get the building access arrangements in writing and assess their reliability realistically. Then place your own enforceable boundary at your suite door — badge or coded entry, self-closing door, reception sightline — so a failure in the shared layers does not reach your space unimpeded.
Challenge
Zones exist but are not proportionate — the same key opens everything, or the server room is no better protected than the kitchen.
Solution
Re-derive barrier requirements from classification: list each zone, what it contains, and the strongest protection its contents justify, then fix the gaps in priority order. Separate key or badge groups per zone, fit a self-closing lock on the highest-value room first, and add a quarterly spot-check that doors are closed and access lists current.