Control Definition
Secure areas must be protected by appropriate entry controls and managed access points, so that only authorized people get in. The control covers the whole machinery of physical entry: authenticating and recording who enters, managing visitors from arrival to departure, controlling keys and access cards through their lifecycle, and securing delivery and loading areas so goods can move in and out without people slipping through.
Control Objective
To ensure every person inside a secure area is there with authorization, having entered through a controlled point that verified them, recorded them, and can account for them afterwards.
What This Really Means
A perimeter is only as strong as its busiest door. A.7.1 builds the walls; A.7.2 governs the holes deliberately cut in them — because every secure area needs entrances, and every entrance is a controlled point of failure. This control asks a simple question with a demanding answer: for each way into each secure area, how do you know that only authorized people pass, and could you prove who did?
In practice that means three working systems. First, entry mechanisms proportionate to the zone: a badge reader with logging for the office, badge plus PIN or biometric for the server room, and — perfectly acceptably for small offices — physical keys, provided custody is tracked and recoverable. Second, visitor management as a process rather than a courtesy: pre-registration where possible, identity verification at reception, a visitor badge that expires, a named host, escort rules for anything beyond public areas, and recorded entry and exit times. Third, credential lifecycle: badges and keys issued on documented approval, returned at exit, deactivated immediately when lost, and reconciled against the current staff list on a schedule.
Two gaps recur everywhere. Delivery and loading areas are designed for goods, not security — couriers and movers end up in internal corridors because the dock door opens into the building. The control expects deliveries isolated from the rest of the facility: a holding area, a locked internal door, incoming material inspected and registered before it travels further. The second gap is tailgating: the polite held door defeats the badge reader every time. Countermeasures scale with risk, from awareness and a culture where challenging strangers is normal, up to anti-passback rules, turnstiles, or interlocking doors for genuinely high-value rooms.
What auditors treat as the heart of A.7.2 is accountability: can you say who was in the server room last Tuesday, and would your records survive cross-checking? Entry logs that exist and get reviewed, visitor records that are complete, and a badge register that reconciles cleanly with the leaver list — that is the control working. It fails quietly, by accumulation: a drawer of unreturned badges, a visitor book half-filled, a back door everyone uses because the reader is slow.
Why It Matters
Entry control is where physical security meets identity. Without it, the perimeter is decorative: the strongest wall means nothing if the door beside it opens for anyone with confidence and a clipboard. Most physical intrusion techniques — tailgating, impersonating a courier, walking in during the lunch rush — attack the entry process, not the barrier.
The threat is rarely cinematic. Unauthorized presence usually looks mundane: an ex-employee whose badge still works, a contractor wandering unescorted, a visitor who never signed out and was never missed. Each is invisible without entry discipline, and each turns into an unanswerable question the day equipment goes missing or data leaks from a room with no record of who was inside.
When physical entry is uncontrolled, organizations face:
- Unaccountable presence – With no reliable entry records, investigations stall the moment they ask who was near the asset when it happened
- Residual access after exit – Unreturned badges and keys are standing backdoors held by people with no current relationship to the organization
- Tailgating as culture – One habitually held door silently defeats the entire access control investment behind it
- Delivery areas as bypass routes – Couriers, movers, and service technicians reach internal space without verification, escort, or record
- Easy, deniable theft – Devices and documents leave through the same uncontrolled doors people enter by, with nothing to reconstruct afterwards
Regional Compliance Context
Visitor logs, badge records, and reception ID checks all collect personal data, which pulls this control into data protection law. Under India's DPDP Act 2023 (full obligations land 13 May 2027, with Rules notified in 2025), visitor data needs notice at collection, a clear purpose, and disciplined retention — and the classic open visitor book, where each guest reads the names and numbers of everyone before them, is both a confidentiality leak and a privacy problem. Avoid photocopying government IDs unless a genuine requirement exists; sighting an ID is usually enough.
The same logic applies in the Gulf: the Saudi PDPL and UAE federal PDPL treat visitor and entry records as personal data, so reception processes that collect or copy Emirates ID or Iqama details deserve a deliberate decision on necessity and retention, not a default habit.
Implementation Guidance
Inventory Every Entry Point
List all ways into each secure area: main entrances, side and fire exits, loading docks, basement and parking access, roof hatches, and internal doors between zones. Map each against your zone plan from A.7.1 and identify which entries are controlled, which merely lock, and which stand open in practice. Most surprises in this control are found at this step.
Match Entry Mechanisms to Each Zone
Choose mechanisms proportionate to what each door protects: badge or card access with logging for general office space, badge plus PIN or biometric for server and records rooms, and managed key custody where electronic control is not justified. Ensure higher zones never depend on a weaker mechanism than the zone outside them.
Run Badge and Key Lifecycle Management
Issue credentials only on documented approval, tie return to the joiner-mover-leaver checklist shared with HR and IT, deactivate lost cards the day they are reported, and reconcile the active badge list against current staff quarterly. Keep a register covering issue date, holder, zones granted, and return or deactivation date — this register is the artifact auditors ask for first.
Build the Visitor Management Process
Define the path every visitor follows: pre-registration by the host where possible, identity verification at reception, a visitor badge that is visibly different from staff badges and expires same-day, escort requirements beyond public areas, and recorded entry and exit times. Replace open sign-in books with per-visitor slips or a digital check-in so guests cannot read each other's details.
Secure Delivery and Loading Areas
Separate goods movement from people movement: restrict dock and delivery-door access from outside, keep the internal door locked while the external one is open, hold incoming material in a defined area until inspected and registered, and require delivery personnel to stay within the delivery zone. For offices without a dock, apply the same logic to reception — couriers hand over at the desk and go no further unescorted.
Counter Tailgating Deliberately
Set the expectation that every person badges every entry — no group entries on one card — and make polite challenge normal through awareness training and visible management example. Where the risk justifies it, add anti-passback rules in the access system, turnstiles, or interlocking doors on the highest-value rooms. Test the culture occasionally: an unfamiliar face following staff through a controlled door should get stopped.
Review Logs and Access Rights on a Schedule
Review physical access rights with the same discipline as logical access: quarterly recertification of who holds access to restricted zones, sample reviews of entry logs for anomalies (out-of-hours entries, terminated staff, doors forced or held open), and defined retention for entry and visitor records. Document each review — an unreviewed log is half a control.
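As an added example (not code from this guide or from any access control vendor), the badge register reconciliation from the lifecycle step and the entry log sampling from this review step, run over constructed data: the record fields, event names, restricted zone and business-hours window are assumptions about what a badge system export and HR status list might look like.

```python
from datetime import datetime, time
# Constructed sample data, not records from any real HR or badge system.
STAFF_STATUS = {"E100": "active", "E101": "active", "E102": "left"}
BADGE_REGISTER = [  # fields the guidance names: holder, zones granted, deactivation date
    {"badge": "B1", "holder": "E100", "zones": {"office", "server"}, "deactivated": None},
    {"badge": "B2", "holder": "E102", "zones": {"office"}, "deactivated": None},  # leaver, still live
    {"badge": "B3", "holder": "E999", "zones": {"office"}, "deactivated": None},  # holder unknown to HR
    {"badge": "B4", "holder": "E101", "zones": {"office"}, "deactivated": "2025-01-10"},
]
ENTRY_LOG = [  # (timestamp, badge, zone, event) as an access system might export them
    ("2025-02-03 08:55", "B1", "server", "entry"),
    ("2025-02-03 09:01", "B1", "server", "entry"),  # re-entry with no exit: card passed back
    ("2025-02-03 12:30", "B1", "server", "exit"),
    ("2025-02-03 23:40", "B1", "server", "entry"),  # out of hours for a restricted zone
    ("2025-02-04 10:15", "B2", "office", "entry"),  # leaver's badge accepted
    ("2025-02-04 10:20", "B4", "office", "entry"),  # deactivated badge accepted
]

def reconcile_register(register, staff):
    """Quarterly reconciliation: live badges whose holder is not current, active staff."""
    findings = []
    for b in register:
        if b["deactivated"]:
            continue
        status = staff.get(b["holder"])
        if status != "active":
            findings.append((b["badge"], "holder not on staff list" if status is None else f"holder status {status}"))
    return findings

def review_entry_log(log, register, staff, hours=(time(7), time(20)), restricted=("server",)):
    """Sample review: flag entries by dead or non-active badges, out-of-hours entry, and passback."""
    by_badge = {b["badge"]: b for b in register}
    inside = set()  # (badge, zone) pairs that entered and have not exited yet
    findings = []
    for ts, badge, zone, event in log:
        if event == "exit":
            inside.discard((badge, zone))
            continue
        b = by_badge.get(badge)
        if b is None or b["deactivated"]:
            findings.append((ts, badge, zone, "deactivated or unregistered badge accepted"))
        elif staff.get(b["holder"]) != "active":
            findings.append((ts, badge, zone, "entry by non-active holder"))
        if zone in restricted and not hours[0] <= datetime.strptime(ts, "%Y-%m-%d %H:%M").time() < hours[1]:
            findings.append((ts, badge, zone, "out-of-hours entry"))
        if (badge, zone) in inside:
            findings.append((ts, badge, zone, "re-entry without exit (passback)"))
        inside.add((badge, zone))
    return findings
```

Each finding is a row for the review record; the list the functions return, with a date and a reviewer's name, is the artifact that distinguishes a reviewed log from a stored one.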
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.2:
Documentation
- Physical entry or access control procedure covering staff entry, visitors, keys and badges, and deliveries
- Badge and key register with issuance approvals, holders, zones granted, and return or deactivation records
- Visitor records sample showing identity verification, host, escort, and entry and exit times
- Entry logs from the access control system for restricted zones, with evidence of periodic review
- Quarterly or periodic physical access rights review records reconciled against the current staff list
Interviews
- Receptionist or front-desk staff about the visitor process, ID verification, and what they do when someone refuses or bypasses it
- Facilities or security manager about badge lifecycle, lost-card handling, and how leavers' access is revoked and verified
- Employees about tailgating norms — whether badging in individually is expected and whether challenging an unbadged stranger is realistic
Observations
- Live entry behavior: whether reception intercepts unknown people, visitor badges are actually issued, and tailgating happens at controlled doors
- A test of revocation — the auditor asks for proof that a recent leaver's badge no longer works or picks a card from the register to verify
- Delivery and loading areas: external door controls, segregation from internal corridors, and where couriers actually stand during handover
Practitioner Insights

The open visitor book is the most common own-goal I see at smaller organizations: a register at reception where every guest reads the names, companies, and phone numbers of everyone who visited before them — a confidentiality leak and a privacy problem bound into one artifact. Per-visitor slips or a basic digital check-in fix it for almost nothing. And invest in the receptionist: they are the most consequential security control in the building, yet they are rarely trained on verification, escort rules, or the authority to say no to someone insistent.

Badge systems generate logs; almost nobody reads them. When I ask for the last review of physical access rights, I am usually handed the system manual instead of a review record. The gap that worries me most is the leaver loop — HR offboards, IT disables the account, and the badge stays live because facilities was never in the workflow. Put physical access on the same joiner-mover-leaver checklist as logical access, reconcile the badge list against payroll quarterly, and sample the entry logs for out-of-hours anomalies. Those three habits answer nearly every question a certification auditor will ask of this control.
Common Challenges & Solutions
Challenge
Tailgating is routine — staff hold doors out of courtesy and the badge system records a fraction of actual entries.
Solution
Attack the norm before the hardware: communicate that badging individually is expected, have managers model it, and make polite challenge socially safe with a standard line ("happy to walk you to reception"). Reserve turnstiles, anti-passback, or interlocking doors for the rooms whose contents justify the cost. Measure progress by comparing badge counts against headcount on sample days.
Challenge
Visitor management is informal — a half-filled paper book, no badges, and guests wandering to meeting rooms alone.
Solution
Stand up a minimal but complete process: host pre-registers, reception verifies identity and issues a dated visitor badge, the host collects the guest and escorts them throughout, and exit time is recorded when the badge comes back. A simple digital check-in tool or even structured slips works; what matters is that every visitor has a record, a badge, and a responsible host.
Challenge
Lost, unreturned, and orphaned badges and keys accumulate until nobody knows what still opens the building.
Solution
Run a one-time amnesty and reconciliation: pull the active credential list, match it against current staff, and deactivate everything unmatched. Then keep it clean — badge return on the leaver checklist with sign-off, same-day deactivation for reported losses, and a quarterly reconciliation. For physical keys, keep a custody register and re-core locks on the rooms that matter when keys go missing.
Challenge
The delivery door effectively bypasses reception — couriers and movers reach internal corridors unchallenged.
Solution
Create a hard boundary at the delivery area: external door controlled and never open simultaneously with the internal one, a holding zone where goods wait for inspection and registration, and a rule that delivery personnel go no further without an escort. In dock-less offices, the reception desk is the delivery boundary — packages are handed over there, not carried to desks by the courier.
Challenge
Entry logs exist but are never reviewed, and nobody can say how long they are kept or who checks anomalies.
Solution
Define the review in writing: who samples which logs, how often (monthly for restricted zones is a reasonable default), what counts as an anomaly (out-of-hours entry, deleted staff, door-held-open alerts), and where findings go. Set a retention period that balances investigation needs against privacy law, configure the system to honor it, and keep the review notes — they are the difference between having logs and having a control.