ISO 27001: How to Protect “Secure Areas”

ISO/IEC 27001:2013 (ISO 27001) is a corporate security standard published by the International Organization for Standardization (ISO) in 2013. The standard sets out best practice for an information security management system (ISMS). This includes defining and protecting so-called “secure areas”. So what is a secure area? And what physical security processes can you put in place to protect them?

ISO 27001 accreditation demonstrates that an organisation operates a coherent, consistent and cost-effective ISMS. Encompassing people, processes and technology, ISO 27001 is a comprehensive corporate solution for information security – and recognises that technology alone can never completely secure your data.

Your information and IT assets aren’t floating around in abstract cyberspace. Just like any other asset, they are housed by walls, a roof, doors and windows. If the building has any weaknesses, your data assets are at risk.

Annex A of ISO 27001 provides a list of essential security controls that can be used to improve the security of information assets. A.11 Physical and Environmental Security controls the defining of secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk, clear screen policy and more.

Since physical security plays an important role in cyber security, the definition of a “secure area” is incredibly important. Secure areas are sites where sensitive information is handled or housed. This means that anywhere IT equipment or personnel are sheltered qualifies as a secure area.

Buildings, rooms and offices. These can all be secure areas. The purpose of physical security processes is to ensure that your information is protected from physical threats. And this includes both physical and digital assets.


To be ISO 27001 compliant, companies need to have:

• A physical security perimeter – such as walls, card controlled entry gates or manned reception security desks

• Physical entry controls – adequate and appropriate entry controls to ensure only authorised personnel are allowed access

• Secure offices, rooms and facilities – physical corporate security solutions designed and applied

• Protection against external and environmental threats – physical protection against fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disasters

• Secure area protection – physical corporate security solutions designed and applied for secure areas

• Physical security for public access, delivery and loading areas – access points where unauthorised persons may enter controlled and, if possible, isolated from information processing facilities to avoid unauthorised access


To ensure compliance, here are some of our ISO 27001 physical security tips:

• The walls, ceilings and floor of any secure area should be of the same strength. If someone can access a secure area via, say, a false ceiling you will be non-compliant.

• The most sensitive assets should be stored in the most secure areas. Using the “onion technique”, each perimeter “layer” should house progressively more sensitive assets.

• Ban mobile phone and camera use in secure areas.

• Prohibit lone working in secure areas.

• Don’t co-store other assets (such as paper, non-IT equipment or anything else) in secure areas.

• Ensure delivery and loading areas don’t give direct access to secure areas.

• Install a welcome desk where at where all visitors are required to report first.

• Have security guards challenge unknown persons.

• Monitor spaces around the perimeter with CCTV or security patrols.


The importance of securing your physical environment should never be underestimated. Whether you’re seeking ISO 27001 accreditation or not, your company should always abide by physical security best practice.

Data breaches are becoming more common. And when they occur, they cause huge problems and cost an awful lot of money to rectify. Make sure your physical security processes are up-to-scratch today.

Churchill Support Services has provided corporate security solutions to businesses since 1996. We can provide reception and concierge security guards, CCTV installation and monitoring, access control, risk assessment, security planning and more. Get in touch to find out how our corporate security officers can help you.

John Melling

Group Chief Executive Officer

John has a proven track record for motivating and leading high performance teams and has helped mentor and develop many people at Churchill who now hold key or senior positions within the business. John is committed to delivering only the finest services, exercising compelling leadership, maintaining good internal morale and striving to resolve any challenges efficiently and effectively.