Annex A · Physical Control

A.7.3 — Securing Offices, Rooms and Facilities

4 min read · Reviewed by: Cenedril Editorial
Tags: A.7.3 · ISO 27001 · ISO 27002 · BSI INF.7 · BSI INF.1 · BSI INF.5

The HR department processes salary data, disciplinary records and medical certificates. Their office has glass walls facing the main corridor, no blinds, and the door is always open. A visitor waiting in the corridor can see the screens, read whiteboards and hear phone conversations. A.7.3 requires that the physical design of rooms matches the sensitivity of the work conducted inside.

The control requires organizations to design and implement physical security measures for offices, rooms and facilities to prevent unauthorized physical access, damage and interference with the information and assets they contain.

What does the standard require?

The core requirements focus on four principles:

  • Location of sensitive facilities. Critical areas (server rooms, archives, executive offices) should be located away from public areas and ground-floor windows where possible.
  • Discretion in signage. Buildings and rooms should not display signs that identify the nature of sensitive activities inside. A plain room number is better than a label reading “Data Center.”
  • Visual and acoustic shielding. Offices handling confidential information should prevent both visual observation (blinds, frosted glass, privacy screens) and eavesdropping (soundproofing, white-noise generators).
  • Additional hardening. Sensitive equipment may need electromagnetic shielding. Directories and maps showing the location of critical facilities should have restricted distribution.

In practice

Classify rooms by sensitivity. Use your zone model (A.7.1) and add a room-level classification: which rooms handle confidential data, which house critical infrastructure, which are used for sensitive discussions? The classification drives the measures.

Apply proportional controls. General office: lockable drawers, clean-desk policy, badge access. Meeting room for confidential discussions: soundproofing, no glass walls facing public areas. Server room: reinforced door, no windows, environmental monitoring. Executive suite: visual shielding, acoustic insulation, secure document storage.

Remove revealing signage. Audit your building for signs, nameplates and directory entries that reveal the function of sensitive rooms. Replace them with neutral identifiers.

Inspect regularly. Add room-level security to your periodic inspection checklist. Check that blinds are functional, locks are working, sensitive documents are stored properly and no unauthorized equipment has been installed.

Typical audit evidence

Auditors typically expect the following evidence for A.7.3:

  • Room classification register — list of rooms with their security classification and applied measures (link to Physical Security Policy in the Starter Kit)
  • Floor plans — showing room layout, visual-exposure analysis and shielding measures
  • Inspection logs — records of periodic room-security checks
  • Signage audit — evidence that sensitive rooms do not have revealing labels
  • Photographs — documented state of security measures (blinds, locks, shielding)

KPI

% of offices and facilities with implemented physical security measures

Measured as a percentage: how many of your classified rooms have all required security measures in place and verified? Target: 100%. Typical starting points are 60–80%, with gaps concentrated in meeting rooms (missing soundproofing) and network closets (missing locks).

Supplementary KPIs:

  • Number of rooms with outdated or missing security classification
  • % of inspection findings remediated within 30 days
  • Number of visual-exposure risks identified and mitigated
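The KPI above, computed from a room classification register, as an added example that is not Cenedril's own tooling. The room classes, required-measure lists and register entries are constructed assumptions based on the "proportional controls" paragraph of this article.

```python
# Added example (not Cenedril's own tooling): computes the A.7.3 KPI from a
# room classification register. The classes and required-measure lists are
# assumptions derived from the "proportional controls" paragraph above.
from collections import Counter

REQUIRED = {  # required measures per classification (assumed)
    "general_office": {"lockable_drawers", "clean_desk", "badge_access"},
    "confidential_meeting": {"soundproofing", "no_public_glass"},
    "server_room": {"reinforced_door", "no_windows", "environmental_monitoring"},
    "executive_suite": {"visual_shielding", "acoustic_insulation", "secure_storage"},
}

# Constructed register: 'verified' holds the measures an inspection confirmed;
# class None marks a room that has not been classified yet.
REGISTER = [
    {"room": "1.01", "class": "general_office", "verified": {"lockable_drawers", "clean_desk", "badge_access"}},
    {"room": "1.02", "class": "general_office", "verified": {"lockable_drawers", "badge_access"}},
    {"room": "2.10", "class": "confidential_meeting", "verified": {"no_public_glass"}},
    {"room": "2.11", "class": "confidential_meeting", "verified": {"soundproofing", "no_public_glass"}},
    {"room": "B.01", "class": "server_room", "verified": {"reinforced_door", "no_windows", "environmental_monitoring"}},
    {"room": "3.01", "class": "executive_suite", "verified": {"visual_shielding", "acoustic_insulation"}},
    {"room": "B.02", "class": None, "verified": set()},
]


def missing_measures(entry):
    """Required measures that are not yet verified for one classified room."""
    return REQUIRED[entry["class"]] - entry["verified"]


def kpi(register):
    """Primary KPI (% of classified rooms with every required measure verified),
    the supplementary list of unclassified rooms, and a gap breakdown by class."""
    classified = [r for r in register if r["class"] in REQUIRED]
    compliant = [r for r in classified if not missing_measures(r)]
    gaps = Counter()
    for r in classified:
        for m in missing_measures(r):
            gaps[(r["class"], m)] += 1
    pct = round(100 * len(compliant) / len(classified), 1) if classified else 0.0
    return {
        "pct_compliant": pct,
        "unclassified_rooms": [r["room"] for r in register if r["class"] not in REQUIRED],
        "gaps_by_class_and_measure": dict(gaps),
    }


if __name__ == "__main__":
    for key, value in kpi(REGISTER).items():
        print(key, value)
```

The gap breakdown is what makes the number actionable: it shows which room class and which measure (here a missing soundproofing in a meeting room) account for the shortfall.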

BSI IT-Grundschutz

A.7.3 maps to BSI infrastructure modules covering offices, server rooms and technical rooms:

  • INF.7 (Office workspace) — the primary module for office security: lockable furniture (A1), clean-desk measures, visual and acoustic privacy.
  • INF.1.A9 (Use of escape and rescue routes) — ensures that security measures do not compromise safety routes.
  • INF.1.A16 (Selection and use of appropriate locking systems) — covers lock types and key management for rooms.
  • INF.5 (Technical room) — security requirements for technical infrastructure rooms: access control (A1), environmental protection (A2), layout separation (A4).
  • INF.2.A1 (General data center requirements) — structural and access requirements for data centers.

A.7.3 complements the perimeter and entry controls.

Frequently asked questions

Does every office need physical security measures?

Every office needs measures proportional to the information it contains. A general open-plan office may need lockable drawers and a clean-desk policy. A room where board meetings are held needs soundproofing and visual shielding. A server room needs reinforced doors and environmental controls.

Should building directories list sensitive rooms?

Ideally not. Publicly visible directories or signs saying 'Server Room' or 'Finance Archive' make it easier for an intruder to find high-value targets. Use neutral labels or room numbers without functional descriptions for sensitive areas.

How do I handle open-plan offices?

Open-plan offices make visual and acoustic privacy harder. Compensate with privacy screens on monitors, lockable pedestals, soundproof meeting pods for confidential discussions and a strong clean-desk policy.