Control Definition
The organization must design and implement protection against physical and environmental threats to its infrastructure — natural events such as fire, flood, earthquake, and storm, as well as deliberate or accidental threats originating from people. The control expects each site to be assessed for the threats that could realistically affect it, with protective measures proportionate to that assessment.
Control Objective
To prevent or reduce the consequences of natural disasters, accidents, and deliberate physical attacks on the organization's facilities and the information assets they contain.
What This Really Means
Firewalls do not stop floods. This control treats your buildings as part of your attack surface and asks a blunt question: what could physically destroy or interrupt this facility — fire, flooding, earthquake, storm, lightning, power events, civil unrest, a hazardous neighbor — and what did you do about it before it happened, not after?
In practice, A.7.5 starts with a threat assessment per site, built on real local data rather than generic checklists: flood-plain and drainage history, seismic zone classification, the building's fire systems and inspection record, what the occupants next door do, and patterns of unrest or crime in the area. Protections then follow from that assessment — fire detection and suppression appropriate to the room, water and leak detection near equipment, server rooms placed above flood-prone ground floors and away from roof leaks, and design-stage choices like elevation and fire-rated construction. The cheapest time to implement this control is during site selection and fit-out; everything after that is a retrofit.
A common dismissal is "our servers are in AWS, so this is the cloud provider's problem." For their data centers, it largely is — you verify that through supplier assurance. But your offices still hold laptops, network equipment, paper records, and people. A flooded or burned-out office interrupts operations even when production workloads are untouched. Cloud adoption shrinks the scope of this control; it does not eliminate it.
What auditors treat as the heart of A.7.5 is the link between assessment and reality: a documented, site-specific threat assessment, and evidence that the resulting protections are actually maintained — suppression systems serviced on schedule, sensors that alert a named owner, drills that happened. An assessment that reads identically for two offices in different cities is a red flag, because real threat profiles never match that neatly.
Why It Matters
Environmental events are low-frequency but high-severity, which is exactly the risk profile organizations are worst at preparing for. A fire or flood does not degrade gracefully the way a software failure does — it takes out equipment, records, and workspace simultaneously, and recovery is measured in weeks, not hours.
When physical and environmental threats are left unassessed, organizations face:
- Extended operational downtime – A single site event can halt operations entirely, and improvised recovery without pre-positioned protections takes far longer than planned recovery
- Irreversible loss – Burned or waterlogged equipment and paper records often cannot be restored at any price, unlike most cyber incidents
- Life-safety and legal liability – Inadequate fire protection exposes the organization to building-code violations and personal liability for directors, not just security findings
- Insurance shortfalls – Insurers can reduce or deny claims when protections declared in the policy were not actually maintained, turning a disaster into a double loss
- Concentration risk – When one facility hosts critical equipment, people, and records together, a single local event becomes an existential one
The control exists because these scenarios are predictable. Flood maps, seismic zones, and fire-load assessments are public knowledge — an auditor, an insurer, or a regulator will not accept "we didn't think it would happen here" for a threat that was documented in publicly available data.
Regional Compliance Context
India concentrates several of this control's threat categories at once. National seismic zoning places cities in zones II through V — Delhi NCR sits in Zone IV and the Himalayan belt in Zone V — so equipment-room placement and anchoring deserve real attention in northern offices. Monsoon flooding is the more frequent failure pattern: basement and ground-floor server rooms in low-lying commercial districts are a known weak point, and drainage history should directly influence which floor your equipment lives on. Summer grid stress adds frequent power events, which makes the overlap with supporting-utilities planning (A.7.11) tighter than in most regions.
In the Gulf, the dominant environmental threats are sustained extreme heat, fine dust from sandstorms, and dependency on district cooling in high-rise commercial towers — a cooling interruption in summer can force equipment shutdowns within hours, so cooling failure deserves its own line in the site threat assessment.
Implementation Guidance
Inventory Sites and What Each One Protects
List every facility in scope — offices, server and comms rooms, labs, storage, warehouses — and map which information assets, equipment, and records sit in each. Tie this to your asset register so the threat assessment covers real assets, not abstract buildings. Assign a named owner per site, typically the facilities or office manager.
Assess Threats Per Site Using Local Data
For each site, document the realistic threat profile: fire, flood, earthquake, storm and lightning, power events, dust and heat, civil unrest, and hazards from neighboring occupants. Use external sources — municipal flood and drainage records, seismic zone maps, the building's fire inspection history — rather than a generic checklist. Record the results in your risk register with the site owner's input.
Build Protection in at Site Selection and Fit-Out
When choosing or redesigning space, apply the assessment before signing: avoid basements and ground floors for equipment rooms in flood-prone areas, avoid top floors directly under roofs, prefer fire-rated construction around equipment rooms, and check proximity to water risers and kitchens. Design-stage decisions cost a fraction of retrofits and become permanent evidence of the control working.
Implement Fire Detection and Suppression
Install smoke detection in all equipment areas and suppression appropriate to the room — clean-agent or gas-based systems for server rooms where water would destroy what it saves, sprinklers or extinguishers elsewhere. Put maintenance on service contracts with scheduled inspections, keep the test certificates, and run evacuation drills at a defined frequency, typically annually.
Deploy Water and Environmental Detection
Place leak sensors under raised floors, near AC units, and along known pipe runs adjacent to equipment. Add temperature and humidity monitoring in server and comms rooms with alert thresholds routed to a named responder, not a shared inbox nobody reads. Inspect roofing, plumbing, and drainage near equipment areas at least annually and before each monsoon or storm season where relevant.
Align Insurance and Continuity Planning with the Assessment
Share the site threat assessment with your insurer and confirm coverage matches the actual perils and the protections you claim to maintain — discrepancies surface at claim time, which is the worst possible moment. Feed the same scenarios into business continuity and disaster recovery plans so the events you assessed are the events you rehearse.
Review After Changes and After Events
Re-run the assessment at a planned interval, typically annually, and on triggers: a site move or fit-out, a near-miss, or a significant regional event such as a flood or earthquake even if your site was spared. Record what changed, what actions followed, and who approved them — this review trail is what distinguishes a living control from a one-time document.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.5:
Documentation
- Site-specific physical and environmental threat assessments, with visible differences between sites
- Fire detection and suppression maintenance contracts, inspection records, and in-date test certificates
- Environmental monitoring records — temperature, humidity, and leak alerts with response notes
- Business continuity or disaster recovery plans referencing the assessed physical threat scenarios
- Insurance schedules or fit-out specifications showing protections aligned to the assessment
Interviews
- Facilities or administration manager about maintenance regimes, service contracts, and inspection schedules
- Risk owner or CISO about how site threats were assessed and entered into the risk register
- Local office or site manager about evacuation drills, alert response, and the last test they remember
Observations
- Fire detection and suppression present in server and comms rooms, with in-date service tags
- Leak and environmental sensors in place, with a demonstration of where alerts are delivered
- Equipment positioned away from water sources, combustible storage, and obvious environmental hazards
Practitioner Insights

A pattern I see repeatedly: the organization shows me a well-equipped server room — gas suppression, sensors, the works — but nobody can produce the threat assessment that justified any of it, or explain why the branch office got none of the same treatment. Certification auditors probe the chain from assessment to risk register to installed measure. Hardware without the assessment behind it reads as decoration, and the first things we physically check are the service tags — an extinguisher or suppression system with a lapsed inspection date undermines every other claim about this control.

Most SMBs are tenants in multi-tenant buildings, and they freeze on this control because they cannot modify the building. You do not need to. You choose which floor and which room your equipment occupies, you put the landlord's fire-system maintenance evidence on your annual collection list, and you document compensating measures where retrofit is impossible. A one-page-per-site assessment that honestly says "shared building, landlord-operated suppression, our mitigations are X and Y" passes audits; pretending the building is yours to control does not.
Common Challenges & Solutions
Challenge
The organization leases space in a multi-tenant building and cannot modify building-level fire, drainage, or structural protections.
Solution
Control what you control: room and floor selection within the lease, lockable equipment rooms, local detection sensors. Write landlord obligations into the lease or service agreement, request the building's fire-system maintenance certificates annually, and document the shared-responsibility split with compensating measures where gaps remain.
Challenge
Teams dismiss the control with "everything is in the cloud" and want it marked not applicable.
Solution
Rescope rather than remove. Assess what the loss of each office would actually interrupt — endpoints, network gear, paper records, and the people who work there — and reflect the genuinely reduced scope in the Statement of Applicability with an honest justification. A smaller, real assessment is defensible; a blanket exclusion of every physical threat rarely is.
Challenge
The threat assessment is a generic template copied identically across all sites.
Solution
Rebuild it per site with local inputs: flood and drainage history, seismic zone, building age and fire record, neighboring occupants. Involve the local office manager, who knows where water entered last year. If two sites in different cities produce identical assessments, treat that as a defect — real threat profiles differ visibly.
Challenge
Fire and water protection systems were installed at fit-out but have never been serviced or tested since.
Solution
Put every protective system on a maintenance contract with defined inspection frequencies, and mirror the schedule in a facilities calendar with a named owner and backup. File certificates centrally where the ISMS can reach them. An untested suppression system is audit evidence against you, not for you.
Challenge
Near-misses and regional events never trigger a review, so the assessment ages quietly until it is fiction.
Solution
Define explicit review triggers in the procedure — site changes, near-misses, and significant regional events — alongside the annual cycle. After any trigger, record a short post-event note feeding the risk register, and make physical-threat review a standing line in management review so staleness becomes visible to leadership.
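The four failure patterns above (a template copied verbatim across sites, systems never serviced since fit-out, and an assessment that ages without its review triggers firing) can be checked mechanically once assessments are kept as structured records. The script below is an added example, not part of the original page, and the site names, threat ratings, dates and the regional event are constructed sample data; the record layout it assumes is likewise hypothetical.

```python
"""Self-audit of per-site physical/environmental threat assessment records.

Added example, not code from the original page. Checks implemented:
  template-copy        identical assessment at two sites in different cities
  stale-review         last review older than the planned interval
  untriggered-review   regional event after the last review, no review since
  lapsed-certificate   a protective-system service certificate past expiry
All sample data below is constructed.
"""
from datetime import date


def fingerprint(threats: dict) -> tuple:
    """Order-independent identity of an assessment (threat -> rating)."""
    return tuple(sorted(threats.items()))


def audit_sites(sites, events, today, review_interval_days=365) -> list[dict]:
    findings = []
    first_seen = {}  # fingerprint -> first site that produced it
    for s in sites:
        fp = fingerprint(s["threats"])
        other = first_seen.setdefault(fp, s)
        if other is not s and other["city"] != s["city"]:
            findings.append({"site": s["name"], "check": "template-copy",
                             "detail": f"identical assessment to {other['name']} ({other['city']})"})
        age = (today - s["last_review"]).days
        if age > review_interval_days:
            findings.append({"site": s["name"], "check": "stale-review",
                             "detail": f"last reviewed {age} days ago, interval is {review_interval_days}"})
        for e in events:
            if e["region"] == s["region"] and e["date"] > s["last_review"]:
                findings.append({"site": s["name"], "check": "untriggered-review",
                                 "detail": f"{e['description']} on {e['date']} not followed by a review"})
        for c in s["certificates"]:
            if c["expires"] < today:
                findings.append({"site": s["name"], "check": "lapsed-certificate",
                                 "detail": f"{c['system']} certificate expired {c['expires']}"})
    return findings


def sample_sites() -> list[dict]:
    """Constructed records: the Mumbai assessment is a verbatim copy of Delhi's."""
    north_threats = {"fire": "high", "flood": "medium", "earthquake": "high", "power": "high"}
    return [
        {"name": "Delhi NCR HQ", "city": "Delhi", "region": "North India",
         "threats": north_threats, "last_review": date(2024, 1, 15),
         "certificates": [{"system": "clean-agent suppression", "expires": date(2024, 12, 31)},
                          {"system": "leak sensors", "expires": date(2025, 6, 30)}]},
        {"name": "Mumbai office", "city": "Mumbai", "region": "West India",
         "threats": dict(north_threats), "last_review": date(2024, 5, 1),
         "certificates": [{"system": "sprinklers", "expires": date(2025, 9, 30)}]},
        {"name": "Dubai office", "city": "Dubai", "region": "Gulf",
         "threats": {"fire": "medium", "heat": "high", "dust": "high", "cooling failure": "high"},
         "last_review": date(2024, 11, 10), "certificates": []},
    ]


def sample_events() -> list[dict]:
    return [{"region": "West India", "date": date(2024, 7, 20),
             "description": "monsoon flooding in the commercial district"}]


def run_demo() -> list[dict]:
    return audit_sites(sample_sites(), sample_events(), today=date(2025, 3, 1))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['check']}] {f['site']}: {f['detail']}")
```

Passing `today` in explicitly keeps the run reproducible for an audit trail; wiring the event list to whatever feed records regional floods, storms or earthquakes is what turns the "untriggered-review" check from a reminder into evidence that the trigger procedure actually fires.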