Annex A · Physical Control

A.7.6 — Working in Secure Areas

5 min read · Reviewed by: Cenedril Editorial
Tags: A.7.6 · ISO 27001 · ISO 27002 · BSI INF.1 · BSI INF.2

A contractor is granted temporary access to the server room to replace a failed disk. They enter alone, take a photo of the rack layout “for documentation,” plug in a personal USB drive to run a firmware update and leave the door propped open while they fetch a tool from the van. In twenty minutes, they have violated four secure-area rules — and nobody noticed. A.7.6 ensures that working rules for secure areas are defined, communicated and enforced.

The control requires organizations to establish security procedures for personnel working in secure areas. These procedures must protect the information and assets within those areas from damage and unauthorized interference — including by authorized personnel.

What does the standard require?

The core requirements center on five areas:

  • Need-to-know about the area. Only personnel who need to know about the existence and location of a secure area should be informed. Internal directories should not reveal the function of the area.
  • Supervision. Work in high-security areas should be supervised. Unsupervised work should be avoided or, where necessary, compensated with monitoring controls.
  • Vacant-area checks. Secure areas should be inspected when vacated to ensure that no unauthorized materials, devices or people remain.
  • Recording devices. Personal devices with cameras, microphones or recording capabilities should be controlled or prohibited in secure areas unless explicitly authorized.
  • Emergency procedures. Emergency instructions — evacuation routes, assembly points, emergency contacts — must be prominently displayed and known to everyone with access.

In practice

Write secure-area rules. A one-page document per secure area (or per zone class): who may enter, what they may bring, whether lone working is permitted, what to do before leaving (lock cabinets, check for forgotten items, close and lock the door). Post a summary at the entrance.

Control recording devices. Enforce a “no personal devices” rule in high-security areas. If smartphones must be carried (for on-call purposes), require them to be stored in a locker at the entrance. For maintenance work requiring photos, define an authorization and supervision process.

Inspect after vacating. When the last person leaves a secure area, they should perform a quick check: all cabinets locked, no foreign objects, no devices left plugged in, door secured. For unmanned areas, schedule periodic inspections.

Log all work. Maintain a log of who worked in the secure area, when and what they did. For external contractors, the log should include the escort’s name and the work performed.

Typical audit evidence

Auditors typically expect the following evidence for A.7.6:

  • Secure-area working rules — documented procedures per area or zone class (link to Physical Security Policy in the Starter Kit)
  • Access acknowledgements — signed forms showing personnel understood the rules
  • Work logs — records of who worked in secure areas and when
  • Inspection records — evidence that vacant-area checks are performed
  • Device-control records — documentation of the personal-device policy and any exceptions granted
  • Emergency procedure displays — photographs showing posted emergency instructions

KPI

% of secure areas with enforced and documented working rules

Measured as a percentage: how many of your defined secure areas have documented working rules that are communicated to all authorized personnel? Target: 100%. Gaps often exist for secondary secure areas (archive rooms, network closets) that receive less management attention.

Supplementary KPIs:

  • % of personnel with secure-area access who have completed the induction
  • Number of secure-area rule violations reported per quarter
  • % of vacant-area inspections completed on schedule
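The KPI definitions above are easy to state but are usually computed by hand from scattered spreadsheets. The following script is an added example, not part of the original page: it models a small secure-area register, an induction list, an inspection schedule and a violation log (all values constructed for illustration, including the area names and personnel) and computes the primary KPI plus the three supplementary ones. It also lists which areas drag the primary KPI down, which is where the "secondary secure areas" gap mentioned above shows up.

```python
"""Added example (not from the page): computing the A.7.6 KPIs from a
constructed secure-area register, induction list, inspection schedule and
violation log. Every record below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SecureArea:
    name: str
    zone_class: str
    rules_documented: bool
    rules_communicated: bool  # posted at the entrance and acknowledged by all authorized staff
    authorized_personnel: list[str] = field(default_factory=list)


# Constructed register. The two "restricted" rooms are the typical secondary
# areas (network closet, archive) that receive less management attention.
AREAS = [
    SecureArea("Server room DC1", "high-security", True, True, ["alice", "bob", "carol"]),
    SecureArea("Network closet 3F", "restricted", True, False, ["bob", "dave"]),
    SecureArea("Archive room B1", "restricted", False, False, ["carol", "erin"]),
    SecureArea("Backup vault", "high-security", True, True, ["alice"]),
]

# Constructed induction records: who has completed the secure-area induction.
INDUCTION_COMPLETED = {"alice", "bob", "carol"}

# Constructed vacant-area inspection schedule: (area, due date, completed date or None).
INSPECTIONS = [
    ("Server room DC1", date(2024, 1, 31), date(2024, 1, 30)),
    ("Server room DC1", date(2024, 2, 29), date(2024, 3, 4)),   # completed late
    ("Network closet 3F", date(2024, 1, 31), None),            # never performed
    ("Archive room B1", date(2024, 1, 31), date(2024, 1, 31)),
]

# Constructed violation log: (date, area, description).
VIOLATIONS = [
    (date(2024, 1, 12), "Server room DC1", "door propped open"),
    (date(2024, 2, 3), "Server room DC1", "personal USB drive used"),
    (date(2024, 4, 18), "Archive room B1", "unsupervised contractor"),
]


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def kpi_rules_coverage(areas: list[SecureArea]) -> float:
    """Primary KPI: % of secure areas with documented AND communicated working rules."""
    ok = sum(1 for a in areas if a.rules_documented and a.rules_communicated)
    return pct(ok, len(areas))


def areas_missing_rules(areas: list[SecureArea]) -> list[str]:
    """Areas that keep the primary KPI below 100% (the remediation list)."""
    return [a.name for a in areas if not (a.rules_documented and a.rules_communicated)]


def kpi_induction_coverage(areas: list[SecureArea], completed: set[str]) -> float:
    """% of personnel holding secure-area access who completed the induction."""
    personnel = {p for a in areas for p in a.authorized_personnel}
    return pct(len(personnel & completed), len(personnel))


def quarter(d: date) -> str:
    """Calendar quarter label such as '2024-Q1'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def violations_per_quarter(violations) -> dict[str, int]:
    """Number of reported secure-area rule violations per quarter."""
    counts: dict[str, int] = {}
    for d, _area, _desc in violations:
        counts[quarter(d)] = counts.get(quarter(d), 0) + 1
    return counts


def kpi_inspections_on_schedule(inspections) -> float:
    """% of vacant-area inspections completed on or before their due date."""
    on_time = sum(1 for _a, due, done in inspections if done is not None and done <= due)
    return pct(on_time, len(inspections))


if __name__ == "__main__":
    print("Rules coverage:", kpi_rules_coverage(AREAS), "% (target 100)")
    print("Areas missing rules:", areas_missing_rules(AREAS))
    print("Induction coverage:", kpi_induction_coverage(AREAS, INDUCTION_COMPLETED), "%")
    print("Violations per quarter:", violations_per_quarter(VIOLATIONS))
    print("Inspections on schedule:", kpi_inspections_on_schedule(INSPECTIONS), "%")
```

The primary KPI deliberately requires both "documented" and "communicated": a rule sheet that exists only in the ISMS repository but is not posted or acknowledged does not count, which matches the evidence auditors ask for (signed acknowledgements, not just the document).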

BSI IT-Grundschutz

A.7.6 maps to BSI modules covering secure working environments:

  • INF.1.A9 (Use of escape and rescue routes) — emergency procedures for all areas, including secure ones.
  • INF.1.A23 (Formation of security zones) — defines working rules per zone, including escort policies and device restrictions.
  • INF.2.A1 (General data center requirements) — includes specific working rules for data centers: escort policy, access logging, device control.
  • SYS.3.3.A15 (Secure use of mobile storage devices) — controls for USB and other portable storage in secure areas.

A.7.6 governs behavior inside the controlled perimeter.

Frequently asked questions

Can people work alone in a secure area?

The standard recommends against unsupervised work in high-security areas. For restricted areas, the risk assessment should determine whether lone working is acceptable. If it is allowed, compensating controls (CCTV, buddy-check procedures, dead-man switches) should be in place.

Are personal devices allowed in secure areas?

The standard recommends controlling or prohibiting recording devices (cameras, smartphones) in secure areas. Your policy should define what is permitted, under what conditions and with whose authorization.

How should emergency procedures be displayed?

Emergency exit routes, assembly points and emergency contacts should be clearly posted inside secure areas. Personnel working in these areas must be familiar with the procedures — include them in the induction for anyone granted secure-area access.