Annex A · Physical Control

A.7.5 — Protecting Against Physical and Environmental Threats

Updated on · 5 min read · Reviewed by: Cenedril Editorial
A.7.5 · ISO 27001 · ISO 27002 · BSI INF.1 · BSI INF.2

A pipe in the ceiling above the server room starts leaking on Friday evening. By Monday morning, water has pooled on the raised floor and reached two rack cabinets. Three servers are destroyed, the backup NAS is damaged and the production database is offline. The pipe had been repaired twice before, but nobody assessed the risk of placing a water-carrying pipe directly above critical infrastructure. A.7.5 requires organizations to identify environmental threats and implement proportional protection — before the damage occurs.

The control requires organizations to assess physical and environmental threats to their premises and implement measures to prevent or reduce their impact. This includes natural events (fire, flood, earthquake, storms) and human-caused threats (vandalism, sabotage, civil unrest).

What does the standard require?

The core requirements address four areas:

  • Threat identification. Conduct regular risk assessments to identify physical and environmental threats relevant to your premises — considering location, building characteristics and the criticality of assets housed.
  • Protective measures. Implement controls proportional to the identified risks: fire detection and suppression, water-leak sensors, surge protection, lightning protection, climate control and structural reinforcement where necessary.
  • Site selection. When choosing locations for new premises, consider the local threat landscape: flood zones, seismic activity, industrial hazards, crime rates.
  • Secure storage. Critical information and media should be stored in fire-resistant safes or off-site to survive a local disaster.

In practice

Conduct an environmental risk assessment. Walk through each facility and identify: water pipes above or near critical equipment, fire hazards (combustible materials near server racks, blocked ventilation), single points of failure in power supply, and exposure to external environmental risks (flood plain, proximity to industrial sites).

Implement layered fire protection. Combine early detection (aspirating smoke detection systems such as VESDA), gas-based suppression in server rooms, portable extinguishers (CO2 for electrical equipment) in all areas, fire-resistant construction for critical rooms, and regular fire drills.

Install water detection. Place leak sensors under raised floors, near water pipes and in cable trays. Connect them to your alarm system so that leaks are detected immediately.

Protect the power supply. Provide uninterruptible power supplies (UPS) for critical systems, surge protection on all electrical feeds, lightning protection for the building and, for high-availability environments, a backup generator with automatic switchover.

Climate control. Server rooms and network closets need controlled temperature and humidity. Monitor both continuously with alerting thresholds.

Typical audit evidence

Auditors typically expect the following evidence for A.7.5:

  • Environmental risk assessment — documented analysis of physical and environmental threats (link to Physical Security Policy in the Starter Kit)
  • Fire-protection documentation — system specifications, inspection certificates, fire-drill records
  • Water-detection system records — sensor locations, test results, alarm logs
  • UPS and generator test logs — evidence of regular testing and maintenance
  • Climate-monitoring records — temperature and humidity logs for server rooms
  • Insurance documentation — evidence of appropriate property and business-interruption coverage

KPI

% of facilities with documented physical and environmental threat protection

Measured as a percentage: how many of your information-processing facilities have a documented environmental risk assessment and verified protective measures? Target: 100%. Gaps typically exist in secondary locations, co-working spaces and co-location facilities where the organization relies on the landlord’s protection.

Supplementary KPIs:

  • % of fire-detection and suppression systems tested within schedule
  • Number of environmental alarms (water, temperature) triggered per quarter
  • Time to restore operations after an environmental incident
  • % of critical systems covered by UPS and backup power

BSI IT-Grundschutz

A.7.5 maps to an extensive list of BSI infrastructure requirements:

  • INF.1 (General building) — covers fire protection (A3, A4, A5), lightning protection (A8), power supply (A10), climate control (A14, A15), water damage prevention (A17, A20) and structural integrity (A24, A25, A32).
  • INF.2 (Data center) — adds stricter requirements for data centers: redundant infrastructure (A2), environmental monitoring (A5), fire detection and suppression (A8, A9), water protection (A15, A16), structural resilience (A21, A22) and emergency power (A30).

A.7.5 protects the physical environment that other controls rely on:

Additional connections: A.7.11 (Supporting utilities) for power and climate infrastructure, A.5.29 (Information security during disruption) and A.5.30 (ICT readiness for business continuity).

Frequently asked questions

What environmental threats should we consider?

Common threats include fire, water damage (flooding, pipe leaks, roof leaks), extreme temperatures, lightning strikes, power surges, earthquakes, storms and deliberate physical damage (vandalism, sabotage). The relevant threats depend on your location and building characteristics.

Do I need fire suppression in the server room?

The standard does not prescribe specific technologies, but a server room without fire detection and suppression is a significant risk. Gas-based suppression (e.g. inert gas, FM-200) is the standard choice because it does not damage electronics. At minimum, you need early-detection systems (smoke sensors, VESDA) and fire extinguishers rated for electrical equipment.

How often should environmental protection be tested?

Fire detection and suppression systems should be tested at least annually by a qualified service provider. Water sensors, temperature alarms and UPS systems should be tested quarterly. Manufacturer maintenance schedules take precedence where they specify shorter intervals.