Control Definition
The organization must design and apply security measures governing how people behave while working inside secure areas. This covers everyone present — employees, contractors, and visitors — and addresses awareness of the area's rules, supervision of activities, restrictions on photography and recording equipment, and keeping the work performed there confidential.
Control Objective
To protect information and assets located in secure areas from damage and unauthorized interference by the very people working inside them.
What This Really Means
Badge readers decide who gets through the door; this control decides what they may do once they are inside. A.7.2 is the bouncer; A.7.6 is the house rules. Without it, the technician who legitimately entered your server room is unsupervised, unobserved, and effectively unaccountable for the next hour.
In practice the control asks for a short set of conduct rules for each secure area: people know about the area and what happens in it only on a need-to-know basis; unsupervised work — especially by third parties — is limited or logged; maintenance and cleaning crews are escorted or otherwise supervised; photography and recording devices are restricted unless explicitly authorized; vacant secure areas stay locked and get checked periodically. The rules must be written down, briefed to everyone who works there, and acknowledged.
"Secure area" scales with your organization. It might be a data hall, a comms room, a records archive, a security operations floor, an offshore delivery center bound by client contract — or a single locked cabinet room in a 20-person office. The standard does not prescribe the size or the ceremony; it prescribes that rules of conduct exist and match the sensitivity of what the area protects.
What auditors treat as the heart of A.7.6 is enforcement for non-employees. Staff behave impeccably while an auditor walks the floor; the question being probed is what happened when the air-conditioning vendor came on a Saturday. Escort and supervision logs, briefing records, and device rules that survive contact with reality are the evidence that matters — far more than the elegance of the procedure document.
Why It Matters
Most physical-security investment goes into keeping the wrong people out. This control addresses the harder residual risk: authorized people doing unauthorized things. The population inside your secure areas — staff, vendors, cleaners, inspectors — has already passed every perimeter you built, so conduct rules and supervision are the only controls still standing.
Without working rules for secure areas, organizations face:
- Unsupervised third parties – Maintenance and cleaning crews alone with your infrastructure can copy, photograph, plug in, or break things with no witness and no record
- Covert recording – One phone photo of a rack layout, a whiteboard, or an unlocked console leaks more operational detail than most network intrusions
- Knowledge leakage – Casual talk about what is processed where gives social engineers their target map for free
- Contractual breach – Client-mandated secure delivery zones carry audit rights; a rule violation found by a client auditor can put the contract itself at risk
- Untraceable incidents – When something in a secure area is damaged or goes missing, the absence of supervision records turns an investigation into guesswork
The pattern across real incidents is consistent: the perimeter held, the entry control worked, and the loss still happened — because once inside, nothing governed behavior.
Regional Compliance Context
India's IT services, BPO, and global capability center sector lives with this control daily. Client contracts routinely mandate secure delivery floors or offshore development centers (ODCs) with rules far stricter than the ISO baseline — no mobile phones on the floor, no paper in or out, segregated badge access, and client audit rights over all of it. A.7.6 is where those contractual obligations should land in the ISMS: write the client-mandated conduct rules into your secure-area procedure once, and both your certification auditor and your client auditor are reviewing the same artifact. In the Gulf, strict no-photography norms around government and critical-infrastructure facilities make recording-device rules a legal exposure as well as a contractual one.
Implementation Guidance
Identify and Classify Your Secure Areas
List every area that qualifies — server and comms rooms, records storage, security operations floors, client-mandated delivery zones, executive areas where sensitive matters are discussed. Record them in a secure-area inventory tied to the perimeter definitions from A.7.1, each with an owner and a sensitivity level that determines how strict its rules need to be.
Write Rules of Conduct Per Area Type
Keep it to a short procedure per area type: who may work there, what requires supervision, device restrictions, and behavioral basics — doors closed, no piggybacking guests, no sensitive material left out. Proportionality is the goal; a one-rack comms room needs five rules, not a data-center operations manual.
Apply Need-to-Know to the Area Itself
Limit who knows what is processed in each secure area, not just who can enter. Use neutral room names rather than signage that advertises sensitive functions, and brief teams not to discuss secure-area work in open spaces, on calls from open-plan desks, or with visitors. Confidentiality of activities is an explicit expectation of this control, and the one most often skipped.
Control Photography and Recording Devices
State explicitly whether phones, cameras, and other recording devices are banned, restricted, or permitted in each area, and provide lockers at entry where a ban applies. Run authorizations through a documented exception process — for example, a vendor photographing a fault for support purposes — with a record of who approved what. Consider wearables and smart glasses where the sensitivity warrants it.
Set Supervision Rules for Third Parties and Sensitive Work
Require escorts or active supervision for maintenance, cleaning, and inspection visits, with a named host accountable for each visit. Log who supervised whom, when, and for what purpose — a simple register or ticket reference is enough. Reserve two-person rules for genuinely high-sensitivity work such as key ceremonies or HSM handling rather than applying them everywhere.
Lock and Periodically Inspect Vacant Secure Areas
Vacant secure areas must be locked, and someone must verify that they are. Fold checks into existing guard patrols or a monthly facilities walkthrough, record the result, and review badge logs for rarely used rooms quarterly to spot access that should no longer exist.
Brief, Acknowledge, and Refresh
Brief everyone before granting secure-area access — employees at induction, contractors at first visit — and collect a signed or digital acknowledgment of the rules. Refresh annually and whenever an area's purpose or sensitivity changes. Keep the acknowledgment records; they are the evidence that the rules were communicated, not just written.
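As an added example (not from the original page), the following Python spot-check covers two of the steps above: it cross-references constructed badge-reader events against an escort register with the lightweight fields the supervision step asks for, flagging third-party entries with no logged supervisor, and it reviews the same badge log for rooms with no entry in 90 days whose access lists still name people. The event, register and access-list layouts are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: badge-reader events as (timestamp, room, holder, holder type)
BADGE_EVENTS = [
    ("2024-05-04 09:12", "COMMS-2", "UPS Vendor Tech", "contractor"),
    ("2024-05-10 14:30", "COMMS-2", "A. Rahman", "employee"),
    ("2024-05-18 08:05", "COMMS-2", "Cleaning Crew", "contractor"),
    ("2024-01-03 10:00", "ARCHIVE-B", "J. Patel", "employee"),
]
# Constructed escort register: (date, room, vendor, purpose, supervisor), the
# minimal fields the supervision step above calls for
ESCORT_REGISTER = [
    ("2024-05-04", "COMMS-2", "UPS Vendor Tech", "Battery replacement", "A. Rahman"),
]
# Constructed access lists per secure area (who currently holds badge rights)
ACCESS_LISTS = {
    "COMMS-2": ["A. Rahman", "B. Kumar"],
    "ARCHIVE-B": ["J. Patel", "M. Ali"],
}

def unsupervised_visits(events, register):
    """Third-party badge entries with no escort-register line for that day, room and visitor."""
    covered = {(day, room, visitor) for day, room, visitor, _purpose, _host in register}
    return [
        (ts, room, holder)
        for ts, room, holder, kind in events
        if kind != "employee" and (ts[:10], room, holder) not in covered
    ]

def dormant_rooms(events, access_lists, as_of, days=90):
    """Rooms with no badge entry in the last `days` whose access list still names people."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=days)
    last_seen = {}
    for ts, room, _holder, _kind in events:
        day = date.fromisoformat(ts[:10])
        if room not in last_seen or day > last_seen[room]:
            last_seen[room] = day
    return {
        room: names
        for room, names in access_lists.items()
        if names and (room not in last_seen or last_seen[room] < cutoff)
    }

if __name__ == "__main__":
    for finding in unsupervised_visits(BADGE_EVENTS, ESCORT_REGISTER):
        print("UNSUPERVISED:", *finding)
    for room, names in dormant_rooms(BADGE_EVENTS, ACCESS_LISTS, "2024-06-01").items():
        print("DORMANT ACCESS:", room, names)
```

Each flagged visit is a question for the named host, and each dormant room is a candidate for trimming its access list before the next quarterly review.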
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.6:
Documentation
- Secure-area working procedure with conduct rules per area type
- Escort and supervision logs for maintenance, cleaning, and other third-party visits
- Briefing and acknowledgment records for personnel granted secure-area access
- Recording-device exception register showing who authorized what and why
- Inspection or patrol records confirming vacant secure areas are locked and checked
Interviews
- Physical security or facilities owner about how conduct rules are set, communicated, and enforced
- Employees who work in a secure area, probed on whether they actually know its rules
- A host or escort about how vendor visits are supervised and what gets recorded
Observations
- Entry arrangements in practice — device lockers, signage, and whether rules are visible where they apply
- An escorted visit or live entry to a secure area, watching whether stated practice matches behavior
- A vacant secure room found locked, with its access list current and its last inspection on record
Practitioner Insights

The probe I rely on for this control is always the maintenance vendor path. Organizations present polished procedures, and then I ask the facilities coordinator a simple question: who escorted the UPS technician on their last visit, and where is that recorded? When the answer is a blank look, the control exists on paper only. Treat third-party supervision logs as the primary evidence of A.7.6 — the procedure document is just the promise; the log is the proof. And check your own assumptions quarterly, because escort discipline decays fastest of all physical controls.

Smaller organizations sabotage themselves on this control by copying data-center theatre — twenty pages of rules for what is, in reality, one comms cabinet and a records cupboard. Write the rules you can actually follow: locked room, three named keyholders, vendors supervised by whoever booked them, no photos without asking. One page. Then make sure you can show two or three recorded instances of it working — a logged vendor visit, a signed briefing. Auditors trust a thin rule that demonstrably operates far more than a thick one that obviously does not.
Common Challenges & Solutions
Challenge
A blanket phone ban is written into the procedure but collapses immediately because staff need phones for MFA and daily work.
Solution
Scope the ban to where it earns its cost — the highest-sensitivity zones — and explicitly permit authenticated use cases like MFA elsewhere. Provide lockers where bans apply so compliance is physically possible. A narrow rule that is enforced beats a broad rule that everyone, including management, visibly ignores.
Challenge
Contractors end up working unsupervised because escorting is an unassigned duty nobody owns.
Solution
Make the person who books a vendor visit the accountable host by default, and say so in the procedure. Keep the log lightweight — visit date, vendor, purpose, supervisor — so the duty costs minutes. Spot-check a handful of recent visits each quarter against the log to keep the habit alive.
Challenge
Staff cannot say which areas count as secure areas, so the rules apply nowhere in practice.
Solution
Maintain a short, honest inventory of secure areas and brief it during induction and annual awareness training. Mark the areas discreetly — a colored door tag works better than a sign reading "Server Room." If the list has grown past what anyone can remember, it is over-classified; trim it to the areas that genuinely matter.
Challenge
Vacant-area inspections are in the procedure but never actually happen.
Solution
Attach the checks to a process that already runs — guard patrol routes or the monthly facilities walkthrough — rather than inventing a new one. Give the check a one-line entry on an existing checklist and review completion quarterly. Separately, pull badge logs for dormant rooms to confirm nobody retains access they no longer need.
Challenge
Keeping secure-area activities confidential conflicts with the daily need to coordinate work openly.
Solution
Protect the specifics, not the existence: teams can say a room is restricted without describing what runs in it. Use neutral naming, brief staff on what details stay inside the area, and avoid over-classification — when routine coordination requires constant exceptions, people will route around the rule entirely.