Control Definition
The organization must design and implement physical security for its offices, rooms, and facilities: deciding where sensitive spaces sit, how they are configured, and how visible their purpose and contents are, so that the information and activity inside are protected from unauthorized access, observation, and identification.
Control Objective
To keep the specific rooms where sensitive information lives and sensitive work happens from being located, entered, observed, or overheard by people with no business there.
What This Really Means
Banks do not put neon signs on the vault. A.7.3 is the control that asks whether your building quietly advertises its own soft spots — because inside the perimeter (A.7.1) and behind the entry controls (A.7.2), individual rooms carry individual risk. The server room, the HR records cabinet, the finance office, and the boardroom each deserve a deliberate design decision, not whatever the floor plan happened to inherit.
The control reduces to three design questions per room. Where is it? Sensitive rooms belong away from public paths: not beside reception, not on the visitor route to the meeting rooms, not against ground-floor windows or next to the loading corridor. What does it announce? Minimal indication of purpose is the rule — an unlabeled door beats one stenciled SERVER ROOM at eye height, and internal directories, wall-mounted floor plans, and online maps should not hand a stranger the location of your most sensitive spaces. What escapes it? Consider what can be seen — screens and whiteboards through glass walls, documents through windows — and what can be heard through partitions that were specified for cost, not confidentiality.
Meeting rooms deserve specific attention because they are where sensitive information becomes temporarily visible: last week's architecture diagram still on the whiteboard, a deal negotiation audible in the next room, a video call running with the door open to the corridor. Most fixes are cheap and unglamorous — frosted film at eye height, a wipe-the-whiteboard norm, sound-insulated rooms reserved for sensitive discussions, booking rules that put HR conversations somewhere other than the glass box by the kitchen.
What auditors treat as the heart of A.7.3 is deliberateness. The site tour starts at the lobby, before the opening meeting: they notice the labeled server room beside the visitor toilets, the screens readable from the sofa, the directory that maps the building for anyone who walks in. What converts those observations into confidence is evidence that placement and configuration were decided — a record of which rooms are sensitive, what protection each carries, and a checkpoint that pulls security into every fit-out, renovation, and office move.
Why It Matters
Most physical information leakage is observational, not forced. Nobody breaks a door: they read a whiteboard from the corridor, overhear half a negotiation through a thin wall, photograph a screen from the visitor sofa, or follow the helpful signage straight to the room that matters. These are free attacks, requiring no tools, triggering no alarms, and leaving no trace, and no technical control detects them; deliberate room design is what stops them at source.
Poor room-level security also concentrates and advertises value simultaneously. A clearly labeled, badly sited equipment room tells an intruder exactly where thirty seconds of access does the most damage, while exposed screens and conversations quietly erode client trust long before any reportable incident: the prospect who walked past your support floor and read another customer's data has already drawn conclusions.
When offices, rooms, and facilities are not deliberately secured, organizations face:
- Free reconnaissance – Labeled doors, lobby directories, and wall-mounted plans give an intruder the map they would otherwise have to work for
- Shoulder-surfed and overheard information – Screens, whiteboards, and meeting-room audio leak deals, credentials, and personal data without a single control being breached
- Targeted, fast theft – A thief who knows exactly which room holds the equipment or records needs half a minute inside, not half an hour
- Eroded client and auditor confidence – Site tours form judgments before any document is opened, and visible sloppiness around sensitive areas reads as systemic
Implementation Guidance
Identify the Rooms That Need More Than Office-Default Security
List the spaces whose contents or conversations are sensitive: server and comms rooms, records and archive storage, HR and finance areas, executive offices, boardrooms, labs, and any room where client data is visible at scale (support floors, operations bridges). Give each an owner and record what makes it sensitive — this register drives every later decision.
Site Sensitive Rooms Away from Public Paths
During fit-out, relocation, or redesign, place sensitive rooms in the interior of your space: away from reception sightlines, visitor routes, ground-floor windows, shared corridors, and delivery paths. Where an existing room cannot move, compensate — stronger entry control, opaque glazing, repositioned equipment — and record the decision so the constraint is visibly managed rather than ignored.
Minimize Indications of Purpose
Remove or genericize signage on sensitive rooms — a room number serves staff as well as SERVER ROOM serves an intruder. Review what lobby directories, wall-mounted floor plans, intranet maps, and even external job postings reveal about where sensitive functions sit. Keep detailed floor plans access-controlled and out of shared drives.
Control What Can Be Seen
Walk visitor paths and look sideways: apply frosted film at eye height on glass-walled rooms used for sensitive work, orient monitors away from windows and corridors, fit privacy filters where reorientation is impossible, and position printers and whiteboards out of casual view. Re-check after every desk move — sightlines change faster than policies.
Control What Can Be Heard
Identify rooms where confidential conversations happen — HR, legal, deal rooms, executive offices — and verify their acoustic separation honestly: stand outside mid-meeting and listen. Designate properly insulated rooms for sensitive discussions, add door seals or sound masking where justified, and set booking guidance so a termination conversation never lands in the glass box beside the open floor.
Set Usage Rules for Meeting Rooms and Shared Spaces
Adopt simple norms with teeth: whiteboards wiped before leaving, no sensitive documents left behind, video-call screens angled away from doors, and guests never left alone in rooms with live equipment or papers. Build the reminders into booking confirmations and room signage facing inward — the rules belong to the occupants, not the visitors.
Put Security into Facilities Changes and Verify Periodically
Add a security checkpoint to every office move, renovation, expansion, and desk reshuffle — a short checklist covering siting, signage, sightlines, and acoustics, signed off before work completes. Inspect sensitive rooms against the register on a planned cycle, typically annually, and feed findings into corrective actions so the evidence trail stays alive.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.3:
Documentation
- Register of sensitive rooms and facilities with owners, what makes each sensitive, and the protection applied
- Fit-out, relocation, or facilities-change checklist showing security review of siting, signage, and sightlines
- Physical security policy or procedure section covering room design, signage minimization, and meeting-room rules
- Access-controlled floor plans, with evidence that detailed plans are not openly published
- Periodic room inspection records with findings and remediation
Interviews
- Facilities or office manager about how security enters fit-out and renovation decisions, and who signs off room placements
- CISO or security lead about how sensitive rooms were identified and how protections were matched to each
- Staff who run sensitive meetings — HR, legal, sales leadership — about room choice, whiteboard habits, and handling guests
Observations
- The tour itself: signage on sensitive rooms, what the lobby directory reveals, and whether the server room announces itself
- Sightlines from visitor paths — readable screens, whiteboards through glass, documents visible through windows
- Meeting rooms after use: whiteboards wiped or covered in last week's diagrams, papers left behind, doors open mid-call
Practitioner Insights
The site tour begins in the parking lot, not at the opening meeting. Before anyone shows me a policy, I have seen whether the server room is labeled, what I could read from the visitor sofa, and what the lobby directory tells a stranger. The pattern that fails this control is inheritance: the room was the server room when the company moved in, and nobody ever re-decided. Make the placement decision explicit and recorded, even when the conclusion is to stay put with compensating measures — that record converts a tour observation into evidence of a working control.

Organizations overspend on doors and underspend on glass. I keep seeing hardened server rooms ten meters from a meeting room where the entire product roadmap is readable from the corridor through a clear wall. The fixes are mostly cheap: frosted film at eye height, a wipe-the-board-before-leaving norm enforced through the booking confirmation, monitors rotated away from windows, and the server-room sign simply taken down. Spend an afternoon walking your own visitor route looking sideways — it finds more issues than most formal assessments.
Common Challenges & Solutions
Challenge
The server room is labeled, sits on a visitor corridor, and cannot be moved.
Solution
Compensate in place: remove the signage, upgrade the door to self-closing with badge or coded entry restricted to a named list, ensure walls run slab-to-slab, and add monitoring on the door. Record the siting constraint and the compensating measures in your risk register — auditors accept a constrained room that is visibly managed far more readily than an unacknowledged one.
Challenge
Glass-walled meeting rooms make every whiteboard and screen visible from the open floor and visitor paths.
Solution
Apply frosted or gradient film at seated-eye height — it preserves light while killing sightlines — and angle displays away from the glass. Pair it with a wiped-whiteboard rule built into booking confirmations, and designate at least one opaque, acoustically decent room for genuinely sensitive sessions so people have somewhere compliant to go.
Challenge
Open-plan offices leave nowhere to physically separate sensitive functions like HR and finance.
Solution
Zone within the floor: cluster sensitive teams away from visitor routes, give them lockable storage for papers, dedicated printers out of common paths, and privacy filters on screens. Reserve a lockable room for their confidential meetings and records. Full walls are ideal but not required — the control asks for designed protection proportionate to the work, not a rebuild.
Challenge
Facilities makes layout changes — moves, renovations, new desks — without security ever hearing about them.
Solution
Insert a lightweight checkpoint into the facilities change process: a one-page checklist (siting, signage, sightlines, acoustics, storage) that security signs before changes complete. Agree the trigger list with the facilities owner — anything that moves walls, doors, desks near sensitive rooms, or glazing. The cost is minutes per change; retrofitting after a bad move costs weeks.
Challenge
Building directories, wayfinding signage, and online maps reveal exactly where sensitive functions sit.
Solution
Audit every channel that describes your space: lobby directories, wall plans, intranet maps, address details in job postings and event invites. Replace functional labels with neutral room numbers or names, keep detailed plans on a restricted drive, and brief the landlord where shared building signage is involved. Reception and emergency plans can hold the full mapping — public surfaces should not.