ISO 27001 Physical Controls - Still Important in a Cyber World?
- Lou Quinton

- 5 days ago

Let’s be honest - when most people think about information security these days, their minds jump straight to the cyber side of things. Firewalls, MFA, phishing, ransomware and so on: the digital world tends to dominate the conversation.
But here’s the thing: even the best cyber security in the world won’t help if someone can simply walk into your office and plug a USB stick into something, or reach over the counter and grab some sensitive paperwork.
ISO 27001 Physical Controls are the often-overlooked pillar
When we talk about ISO 27001 or Information Security in general, people often focus heavily on Annex A controls that deal with technology - access management, encryption, backups, and so on. But the physical side of security is equally critical.
Physical security is about protecting your people, premises, and assets from physical threats. That might sound old-fashioned, but think of it this way: all your data, devices, and systems live somewhere. If someone gains access to those locations, the rest of your controls can quickly unravel.
So, what does “good” physical security look like?
The good news is, it doesn’t have to be complicated or expensive. You’re not expected to turn your office into the Bank of England's vault, complete with lasers (although that would actually be really cool).
What matters is appropriate protection based on your context and risk. Lasers might not count as appropriate, unfortunately... but then again, they might! It depends on what you're protecting and how much money you've got to spend.
(If you do have enough money to afford lasers, please definitely email me, as I want to see these in action.)
Here are a few simple, practical tips that make a big difference during ISO 27001 audits - and in real life too:
Control entry and exit points
Know who can enter your building or server room. This could be through keycards, coloured lanyards, PIN codes, or a visitor sign-in book. Auditors love to see a clear process for visitor management.
Keep sensitive areas secure
Server rooms, comms cabinets, or any area with critical equipment should be locked when not in use. If you share office space, make sure your zone is clearly defined and access-controlled.
Use clear desk and clear screen policies
It might sound trivial, but unattended laptops, passwords on sticky notes, and printed documents left lying around are classic findings in audits. Encourage your team to tidy up and lock screens before leaving their desks.
Be aware of tailgating
One of the simplest physical threats is someone following an employee into a restricted area. Regular reminders and signage can help maintain awareness. As British people we tend to be polite and not want to confront someone. Be brave though: say to the person, "Sorry, you can't follow me; you must use your own code or card. We all need to stick to the rules to keep everyone safe, I'm sure you understand," and soon the culture will set in and no one will expect doors to be held open.
Have a plan for emergencies
Fire safety, power outages, or environmental risks - auditors look for evidence that you’ve considered these and have procedures in place to protect people and information. Do you have documentation which includes fire alarm and suppression maintenance reports? Have you documented the flood risk? You can use websites like https://www.gov.uk/check-long-term-flood-risk
The physical audit: what they’re really looking for
Here’s a little insider secret - ISO auditors are not there to trip you up. They’re just looking for evidence of control and awareness, so make their life easier and the audit will be completed quicker.
That means they might:
Ask how access to your office or data centre is controlled.
Check if visitors are logged and escorted.
Observe if equipment is left unsecured.
Review your risk assessment to see how physical risks are managed.
If you can show that you’ve thought about these things, documented them, and put proportionate controls in place, you’re in great shape.
Why it still matters
Physical and cyber security are two sides of the same coin. A strong physical environment supports your technical measures - and auditors see it as a sign of a mature, well-rounded ISMS.
At the end of the day, ISO 27001 and ISO 27001 Physical Controls aren’t about ticking boxes. They’re about building confidence that your organisation protects information wherever it lives - on a server, in the cloud, or behind a locked door.
Final thought:
If you’re preparing for an ISO 27001 audit, don’t overlook the basics. A quick physical security walkthrough before your assessment can help you catch small issues early - and show auditors that your security culture runs deeper than just passwords and policies.
Also, you don't need to be preparing for ISO 27001 to put these practices in place. If you’d like general consultation, or a friendly chat about how to strengthen this side of your ISMS (without the jargon or the panic), we’re always happy to help.
Jeff Pullen, CISSP, CCSP