
A.7.2 — Physical Entry

Reviewed by: Cenedril Editorial
Tags: A.7.2 · ISO 27001 · ISO 27002 · BSI INF.1 · BSI INF.2 · BSI ORP.4

A delivery driver rings the bell at the loading dock. An employee opens the door and waves the driver through — no badge scan, no ID check, no visitor log entry. The driver walks through the warehouse, past the server room and into the hallway where the finance department sits. Nobody questions why a person in a courier uniform is wandering through the building. A.7.2 requires that every entry into a secure area is controlled, logged and authorized.

The control requires organizations to implement physical entry controls that ensure only authorized personnel gain access to secure areas. Entry must be logged, visitors must be identified and supervised, and delivery areas must be separated from secure zones.

What does the standard require?

The core requirements address the following aspects:

  • Access control mechanisms. Secure areas must be protected by entry controls — badge readers, locks, biometric scanners or manned reception — appropriate to the security zone.
  • Access logging. All entries and exits must be recorded. Logs should capture identity, timestamp and the area accessed.
  • Visitor management. Visitors must be identified, registered, issued with a visible badge and supervised. Their access should be limited to the areas necessary for their visit.
  • Delivery and loading areas. These must be separated from secure areas. Incoming deliveries should be inspected for tampering before being moved into the building.
  • Access-right reviews. Physical access rights must be reviewed regularly and revoked when no longer needed (e.g. after a role change or departure).

In practice

Deploy zone-appropriate controls. Reception area: manned desk or video intercom. General office: badge reader. Restricted zone: badge + PIN. High-security zone: badge + biometric + escort policy. Match the mechanism to the zone classification defined in A.7.1.

Implement a visitor management process. Pre-registration by the host, ID verification at reception, visitor badge issued (visibly different from employee badges), sign-in/sign-out log, escort to and from the meeting room, badge return upon departure.

Separate delivery areas. Deliveries should be received in a loading dock or mailroom that does not provide uncontrolled access to the rest of the building. Inspect incoming packages before distributing them.

Review access rights regularly. At least quarterly, review who has physical access to restricted and high-security zones. Compare badge assignments against the current personnel list and revoke badges for departed employees promptly.

Test the system. Periodically attempt to enter a secure area without authorization (a controlled test) to verify that controls are working and staff challenge unauthorized entry.

Typical audit evidence

Auditors typically expect the following evidence for A.7.2:

  • Physical access policy — documented rules per zone (link to Physical Security Policy in the Starter Kit)
  • Access control system logs — badge-reader logs showing entries and exits
  • Visitor log — register with name, company, host, check-in/check-out times
  • Badge assignment register — list of all issued badges with assigned zones and holders
  • Access-right review records — evidence of periodic reviews and revocations
  • Delivery inspection records — documentation that incoming packages were checked

KPI

% of secure areas with functioning access control systems

Measured as a percentage: how many of your defined secure areas have a working access control system with active logging? Target: 100%. Common gaps include secondary entrances, fire exits used as regular doors and branch offices without badge systems.

Supplementary KPIs:

  • % of visitor log entries that are complete (name, company, host, check-in, check-out)
  • Average time between employee departure and badge deactivation (target: same day)
  • Number of tailgating incidents reported or detected per quarter
  • % of access-right reviews completed on schedule
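As an added example (not from the page or from Cenedril), a Python script that reconciles the badge register against the personnel list, as the quarterly access-right review above describes, and computes three of the KPIs from constructed sample data; all record layouts and field names are assumptions.

```python
from datetime import date

# Constructed sample data: personnel list, badge register, visitor log, area inventory.
PERSONNEL = {
    "E100": {"status": "active", "left": None},
    "E101": {"status": "departed", "left": date(2024, 3, 1)},
    "E102": {"status": "departed", "left": date(2024, 3, 10)},
}
BADGES = [
    {"badge": "B1", "holder": "E100", "zones": {"office"}, "deactivated": None},
    {"badge": "B2", "holder": "E101", "zones": {"office", "restricted"}, "deactivated": date(2024, 3, 1)},
    {"badge": "B3", "holder": "E102", "zones": {"restricted"}, "deactivated": None},  # never revoked
]
VISITORS = [
    {"name": "A. Visitor", "company": "Acme", "host": "E100", "check_in": "09:00", "check_out": "11:30"},
    {"name": "B. Courier", "company": "", "host": "E100", "check_in": "14:00", "check_out": ""},
]
AREAS = [
    {"area": "server room", "reader": True, "logging": True},
    {"area": "loading dock", "reader": True, "logging": False},  # reader present, no log
    {"area": "finance", "reader": False, "logging": False},
]

def stale_badges(badges, personnel):
    """Badges still active although the holder has departed: the review finding to revoke."""
    return sorted(b["badge"] for b in badges
                  if b["deactivated"] is None and personnel[b["holder"]]["status"] == "departed")

def avg_deactivation_delay_days(badges, personnel, as_of):
    """Mean days from departure to deactivation; still-active badges count up to as_of."""
    delays = []
    for b in badges:
        p = personnel[b["holder"]]
        if p["status"] != "departed":
            continue
        end = b["deactivated"] or as_of
        delays.append((end - p["left"]).days)
    return sum(delays) / len(delays) if delays else 0.0

def visitor_log_completeness(entries):
    """Percent of visitor entries with all five required fields filled in."""
    required = ("name", "company", "host", "check_in", "check_out")
    complete = sum(all(e.get(f) for f in required) for e in entries)
    return 100.0 * complete / len(entries) if entries else 0.0

def secure_area_coverage(areas):
    """Headline KPI: percent of secure areas with a reader AND active logging."""
    ok = sum(a["reader"] and a["logging"] for a in areas)
    return 100.0 * ok / len(areas) if areas else 0.0
```

Run quarterly against a fresh HR export; a non-empty `stale_badges` result is a revocation task, and the loading-dock row shows why "reader installed" alone does not satisfy the KPI.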

BSI IT-Grundschutz

A.7.2 maps to multiple BSI modules:

  • INF.1.A7 (Access regulation and control) — the core requirement for general buildings: badge systems, visitor management, logging.
  • INF.1.A12 (Key management) — management of physical keys, including issuance, tracking and revocation.
  • INF.1.A13 (Regulations for security areas) — rules for working in and accessing security zones.
  • INF.2.A6 (Access control to data centers) — specific access control requirements for data centers, including multi-factor authentication.
  • INF.2.A7 (Access logging for data centers) — mandatory access logging with defined retention periods.
  • ORP.4.A5 (Assigning physical access authorizations) — requires that physical access rights are formally assigned and documented.

A.7.2 builds on the perimeter and connects to monitoring.

Additional connections: A.5.15 (Access control — the organizational policy layer), A.6.1 (Screening — verifying who gets a badge) and A.6.5 (Responsibilities after termination — revoking badges).

Frequently asked questions

What authentication methods are acceptable for physical entry?

The standard does not prescribe specific technologies. Common options include badge/card readers, PIN pads, biometric scanners (fingerprint, iris) and key locks. For higher-security zones, multi-factor authentication (badge + PIN, badge + biometric) is expected.

Do visitors need to be escorted at all times?

In restricted and high-security zones, yes. In general office areas, visitor policies vary — some organizations require escort, others allow pre-authorized visitors to move freely within defined areas. Your policy should define the rules per zone.

How long should access logs be retained?

The standard does not specify a retention period. Common practice is 90 days to one year, depending on the zone classification and local regulations (e.g. GDPR considerations for visitor logs with personal data).