The server room sits behind a reinforced door with a card reader. The door next to it — leading to the same hallway — has a standard lock and is propped open with a wedge because “it gets hot in there.” An auditor walks through that door unchallenged and stands in front of the rack. A.7.1 requires that security perimeters are physically continuous. One gap invalidates the entire zone.
The control requires organizations to define physical security perimeters around areas that contain sensitive information and information-processing facilities. The strength of the perimeter must match the classification of the assets inside.
What does the standard require?
The core requirements can be grouped into five areas:
- Define perimeters. The organization must identify areas that contain sensitive information or information-processing facilities and define clear physical boundaries around them.
- Proportional strength. The strength of the perimeter (wall construction, door type, lock mechanism) must be proportional to the classification of the assets within. A server room needs reinforced walls; a general office may need only a locked door.
- Continuous barriers. Perimeters must be physically continuous — solid walls from floor to ceiling, secured windows, no uncontrolled gaps. Fire doors, ventilation ducts and cable trays that penetrate the perimeter must be secured.
- Intrusion detection. Perimeters should be equipped with detection mechanisms — alarms, sensors, surveillance cameras — to identify attempted or actual breaches.
- Regular assessment. The adequacy of physical perimeters must be reviewed periodically and whenever the threat landscape or asset classification changes.
In practice
Create a zone map. Draw a floor plan showing each security zone, its perimeter and the entry/exit points. Mark the control mechanism at each entry point (card reader, lock, receptionist, mantrap). This map is the primary audit artifact.
Assess perimeter integrity. Walk each perimeter and check: Are walls solid floor-to-ceiling? Are windows secured (locks, break detection, bars where necessary)? Are fire doors alarmed? Are ventilation ducts too small for entry or fitted with grilles? Are cable trays sealed at perimeter crossings?
Match perimeters to asset classification. The server room containing your production systems needs stronger perimeters than a storage closet with office supplies. Use your information classification scheme to determine the required level.
Test detection mechanisms. Alarms, door contacts, motion sensors — test them on a regular schedule (e.g. quarterly). Document test results and remediate failures promptly.
Typical audit evidence
Auditors typically expect the following evidence for A.7.1:
- Zone map / floor plan — showing security zones and perimeters (link to Physical Security Policy in the Starter Kit)
- Perimeter specification — document describing wall construction, door types, window security
- Risk assessment — justification for the perimeter strength chosen for each zone
- Alarm test records — documentation of periodic testing of intrusion-detection systems
- Maintenance records — evidence that perimeters (doors, locks, barriers) are maintained
- Inspection logs — records of periodic perimeter walk-throughs
KPI
% of secure areas with defined and documented physical security perimeters
Measured as a percentage: how many of your designated secure areas have a documented perimeter specification, a zone map and verified detection mechanisms? Target: 100%. Organizations typically start at 50–70%, most often because secondary locations (branch offices, co-location cages) have never been documented as secure areas.
Supplementary KPIs:
- Number of perimeter breaches detected per quarter
- % of fire doors with functioning alarms and no unauthorized propping
- Time to remediate a perimeter deficiency after identification
BSI IT-Grundschutz
A.7.1 maps extensively to BSI infrastructure modules:
- INF.1 (General building) — the core module. Covers perimeter definition (A6), security zones (A22, A23), intrusion detection (A26, A27), fire protection at perimeter crossings (A34, A35).
- INF.2 (Data center) — adds specific perimeter requirements for data centers: reinforced construction (A1), access control at the perimeter (A7), physical separation of server zones (A12), monitoring (A24, A28).
Related controls
A.7.1 forms the foundation of the physical security chain:
- A.7.2 — Physical entry: Once the perimeter is defined, you need mechanisms to control who passes through it.
- A.7.3 — Securing offices, rooms and facilities: Security within the perimeter — protecting individual rooms and assets.
Additional connections: A.7.4 (Physical security monitoring), A.7.5 (Protecting against physical and environmental threats) and A.5.15 (Access control — the organizational layer above physical entry).
Sources
- ISO/IEC 27001:2022 Annex A, Control A.7.1 — Physical security perimeters
- ISO/IEC 27002:2022 Section 7.1 — Implementation guidance for physical security perimeters
- BSI IT-Grundschutz, INF.1 — General building