ISO 27001 and Physical Access Control: An IT Manager's Checklist
ISO 27001 is unambiguous about physical security. Annex A controls A.7.1 through A.7.6 require organizations to define secure perimeters, control physical entry, protect against external threats, and monitor physical access. If you are preparing for certification or maintaining compliance, your physical access control system is not a peripheral concern — it sits at the core of your audit evidence package.
This checklist walks through what auditors actually look for, where most organizations fall short, and how to close the gaps without doubling your administrative workload.
1. Define and Document Your Secure Perimeters
Before any technical control matters, you need a written definition of your physical security zones. ISO 27001 requires you to identify which areas contain information assets, classify them by sensitivity, and document the boundaries.
Checklist items:
- Perimeter map showing server rooms, network closets, executive areas, and general office space
- Classification of each zone (public, restricted, high-security)
- Written policy stating who is authorized in each zone
- Record of the last review date for that policy
Most organizations have informal rules here. Auditors want documented, version-controlled policies — not tribal knowledge.
2. Control and Log Every Entry Point
This is where most compliance gaps live. ISO 27001 requires that access to secure areas be controlled by "appropriate entry controls" and that access events are logged. The standard does not dictate technology, but it does require evidence.
Checklist items:
- Access control hardware on all restricted doors (RFID, NFC, biometric, or mobile credential)
- Tamper-evident audit logs for every door event (entry, exit, denied attempt)
- Logs retained for the period specified in your retention policy (commonly 12 months)
- Process to review logs and investigate anomalies
The practical problem: many organizations run their physical access system and their HR or attendance system as completely separate silos. The result is duplicate administration, inconsistent data, and audit logs that do not tie back to verified employee identities.
A unified approach eliminates this. TimeClock 365 is built on exactly this principle — when an employee badges in using biometrics, RFID, NFC, or a mobile wallet credential like Apple or Google Wallet, the door opens and attendance is recorded in the same event. There is no separate time clock, no second system to reconcile, and no gap between the access log and the HR record. Organizations using this approach report a 90% reduction in unauthorized access events and 99% time tracking accuracy, because the two datasets are structurally identical rather than loosely correlated.
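One concrete reading of "tamper-evident" for a door-event log is a hash chain: each stored entry carries the hash of the entry before it, so editing or deleting an old record breaks every link after it. The example below is added here to illustrate that idea; it is not TimeClock 365's code, and the event field names, door names and sample events are constructed for the demonstration. It also shows the caveat that matters in an audit: truncating the newest entries is invisible to the chain itself, so the head hash has to be anchored somewhere outside the log (forwarded to the SIEM, or signed) at regular checkpoints.

```python
import hashlib
import json

# Constructed sample door events (not real data); the field names are assumptions,
# not any vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:11Z", "door": "SRV-01", "employee_id": "E1001", "cred": "rfid", "result": "granted"},
    {"ts": "2024-03-01T08:05:40Z", "door": "SRV-01", "employee_id": "E1002", "cred": "mobile", "result": "granted"},
    {"ts": "2024-03-01T22:14:03Z", "door": "SRV-01", "employee_id": "E1003", "cred": "rfid", "result": "denied"},
]

GENESIS = "0" * 64  # "previous hash" value used for the first entry


def canonical(event):
    """Deterministic serialization so an identical event always hashes identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def entry_hash(prev_hash, event):
    """Hash of an entry = SHA-256(previous entry's hash || canonical event)."""
    return hashlib.sha256((prev_hash + "|" + canonical(event)).encode("utf-8")).hexdigest()


def append_event(chain, event):
    """Append one door event to the chain, linking it to the current head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"event": dict(event), "prev": prev, "hash": entry_hash(prev, event)}
    chain.append(entry)
    return entry


def build_chain(events):
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def head_hash(chain):
    """The value to anchor outside the log (SIEM, signed checkpoint) so truncation is detectable."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain, expected_head=None):
    """Return -1 if the chain is intact, otherwise the index of the first entry that fails.

    An edited or deleted entry breaks the link from that position onwards.
    Dropping the newest entries keeps the chain internally consistent, so that
    case is only caught when expected_head (an externally anchored value) is given;
    a mismatch there is reported as index len(chain)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(log) == -1)
    log[1]["event"]["result"] = "denied"  # simulate an after-the-fact edit of a stored record
    print("first bad entry after edit:", verify_chain(log))
```

In practice the chain lives in the access control system's database and the head hash is exported with each log batch; the reviewer who samples logs for the evidence package can then re-run the verification rather than taking the system's word that nothing was altered.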
3. Manage the Full Credential Lifecycle
Access control is only as strong as your provisioning and deprovisioning processes. ISO 27001 requires that access rights be granted based on business need and revoked promptly when that need ends.
Checklist items:
- Formal onboarding process that provisions physical access credentials tied to role
- Offboarding SLA — how quickly are credentials deactivated after termination? (Best practice: same business day)
- Periodic access reviews (at minimum annually, quarterly for high-security zones)
- Process for handling lost or stolen credentials
- Visitor management procedure including escort requirements and temporary credential issuance
Pay particular attention to role changes. An employee promoted from analyst to manager may legitimately need new access — but their old access to restricted areas should be reviewed, not silently accumulated.
4. Monitor, Alert, and Respond
Logging access events is necessary but not sufficient. ISO 27001 expects a monitoring process that can detect anomalies and trigger a response.
Checklist items:
- Defined alert thresholds (e.g., three failed badge attempts within a short window trigger a security notification)
- After-hours access monitoring for high-security zones
- Documented incident response procedure for physical security events
- Integration between physical access logs and your SIEM or security operations process
If your access logs live in a standalone system with no alerting capability and no integration to your broader security monitoring, you have a control gap that an auditor will flag.
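The monitoring rules in this section are simple enough to run directly over a door-event export, which is also the quickest way to show an auditor that the thresholds in your policy are actually enforced. The script below is an added example, not code from TimeClock 365 or any other product: it reads a constructed, pipe-delimited sample log (format, door names, zone map, business hours and the ten-minute sliding window are all assumptions) and emits the three alert types a checklist like this one implies: repeated denied attempts by one credential holder, after-hours entry to a high-security zone, and an event from a door that the perimeter map does not know about.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Door-to-zone map taken from the perimeter classification (door names are assumptions).
DOOR_ZONES = {"LOBBY-01": "public", "OFFICE-02": "restricted", "SRV-01": "high-security"}

# Constructed sample log (not real data) in an assumed pipe-delimited format:
# timestamp|door|employee_id|credential_type|result
SAMPLE_LOG = """\
2024-03-04T08:01:10Z|LOBBY-01|E1001|rfid|granted
2024-03-04T08:02:30Z|SRV-01|E1007|rfid|denied
2024-03-04T08:02:45Z|SRV-01|E1007|rfid|denied
2024-03-04T08:03:05Z|SRV-01|E1007|rfid|denied
2024-03-04T09:30:00Z|NEW-09|E1005|nfc|granted
2024-03-04T12:15:00Z|OFFICE-02|E1003|mobile|granted
2024-03-04T23:41:12Z|SRV-01|E1002|biometric|granted
2024-03-04T23:50:00Z|OFFICE-02|E1003|mobile|granted
"""

FAILED_THRESHOLD = 3                        # the policy example: three failed badge attempts
FAILED_WINDOW = timedelta(minutes=10)       # assumed sliding window for counting failures
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed; timestamps are treated as site-local


def parse_line(line):
    ts, door, employee_id, cred, result = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "door": door,
        "employee_id": employee_id,
        "cred": cred,
        "result": result,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_alerts(events):
    """Apply the monitoring rules to door events in time order; return a list of alerts."""
    alerts = []
    recent_failures = defaultdict(deque)  # employee_id -> timestamps of recent denials
    for ev in sorted(events, key=lambda e: e["ts"]):
        zone = DOOR_ZONES.get(ev["door"])
        if zone is None:
            # A door missing from the perimeter map means the map or the ACS configuration is stale.
            alerts.append({"type": "unmapped_door", "door": ev["door"],
                           "employee_id": ev["employee_id"], "ts": ev["ts"]})
            continue
        if ev["result"] == "denied":
            q = recent_failures[ev["employee_id"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAILED_WINDOW:  # drop denials outside the window
                q.popleft()
            if len(q) >= FAILED_THRESHOLD:
                alerts.append({"type": "repeated_denied", "door": ev["door"],
                               "employee_id": ev["employee_id"], "count": len(q), "ts": ev["ts"]})
                q.clear()  # one notification per burst, not one per extra attempt
        elif zone == "high-security" and not (BUSINESS_HOURS[0] <= ev["ts"].time() < BUSINESS_HOURS[1]):
            alerts.append({"type": "after_hours_high_security", "door": ev["door"],
                           "employee_id": ev["employee_id"], "cred": ev["cred"], "ts": ev["ts"]})
    return alerts


def to_siem_lines(alerts):
    """Serialize alerts as JSON lines, the usual shape for forwarding to a SIEM."""
    return [json.dumps({**a, "ts": a["ts"].isoformat() + "Z"}, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(detect_alerts(parse_log(SAMPLE_LOG))):
        print(line)
```

Running it on the sample produces three alerts: the burst of denials by E1007 at the server room door, the badge event at the unmapped door NEW-09, and the late-night biometric entry to SRV-01. The 23:50 entry to OFFICE-02 generates nothing because that door is classified as restricted, not high-security, which is exactly why the zone map from section 1 has to be correct before the monitoring rules mean anything.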
5. Align Physical and Logical Access
ISO 27001 auditors increasingly look at whether physical and logical access controls are coherent. If someone's network account is disabled but their door badge still works, that is a finding.
Checklist items:
- Process to synchronize physical access deactivation with Active Directory or IdP offboarding
- Evidence that physical access reviews align with logical access reviews
- Single source of truth for employee status (typically HR system) that drives both
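The checks in sections 3 and 5 can be expressed as one reconciliation between the HR roster (the single source of truth), the IdP account state and the badge export. The example below is added here and is not TimeClock 365's or any IdP's code: the records are constructed, the field names are assumptions, and the "same business day" SLA is modelled with a weekday count that ignores public holidays. It produces one finding per discrepancy: a badge that still works for a terminated employee, a badge deactivated later than the offboarding SLA allows, an active badge whose network account is disabled (the finding the paragraph above describes), and a credential with no HR record at all.

```python
from datetime import date, timedelta

# Constructed sample records (not real data); field names are assumptions, not any vendor's schema.
HR_ROSTER = [  # the single source of truth for employee status
    {"employee_id": "E1001", "status": "active", "terminated_on": None},
    {"employee_id": "E1002", "status": "terminated", "terminated_on": "2024-03-01"},
    {"employee_id": "E1003", "status": "terminated", "terminated_on": "2024-03-01"},
    {"employee_id": "E1004", "status": "active", "terminated_on": None},
]
IDP_ACCOUNTS = {"E1001": True, "E1002": False, "E1003": False, "E1004": False}  # employee_id -> enabled?
BADGES = [  # physical credentials as exported from the access control system
    {"credential_id": "C-1", "employee_id": "E1001", "active": True, "deactivated_on": None},
    {"credential_id": "C-2", "employee_id": "E1002", "active": True, "deactivated_on": None},
    {"credential_id": "C-3", "employee_id": "E1003", "active": False, "deactivated_on": "2024-03-04"},
    {"credential_id": "C-4", "employee_id": "E1004", "active": True, "deactivated_on": None},
    {"credential_id": "C-9", "employee_id": "E1099", "active": True, "deactivated_on": None},
]


def business_days_between(start, end):
    """Weekdays strictly after start, up to and including end (weekends skipped, holidays not modelled)."""
    days = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def reconcile(hr_roster, idp_accounts, badges, sla_business_days=0):
    """Compare badge state with HR and IdP state; return one finding per discrepancy."""
    findings = []
    hr_by_id = {r["employee_id"]: r for r in hr_roster}
    for b in badges:
        cid, eid = b["credential_id"], b["employee_id"]
        emp = hr_by_id.get(eid)
        if emp is None:
            findings.append({"credential_id": cid, "employee_id": eid,
                             "type": "orphan_credential", "detail": "no HR record"})
            continue
        if emp["status"] == "terminated":
            term = date.fromisoformat(emp["terminated_on"])
            if b["active"]:
                findings.append({"credential_id": cid, "employee_id": eid,
                                 "type": "active_badge_for_terminated", "detail": f"terminated {term}"})
            elif b["deactivated_on"] is None:
                findings.append({"credential_id": cid, "employee_id": eid,
                                 "type": "missing_deactivation_record", "detail": "no deactivation date"})
            else:
                lag = business_days_between(term, date.fromisoformat(b["deactivated_on"]))
                if lag > sla_business_days:
                    findings.append({"credential_id": cid, "employee_id": eid,
                                     "type": "offboarding_sla_missed",
                                     "detail": f"{lag} business day(s) after termination"})
        elif b["active"] and not idp_accounts.get(eid, False):
            # Employee is still on the roster, but the network account is off and the door badge is not.
            findings.append({"credential_id": cid, "employee_id": eid,
                             "type": "badge_active_account_disabled", "detail": "IdP account disabled"})
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IDP_ACCOUNTS, BADGES):
        print(f"{f['credential_id']:>4} {f['employee_id']:>6} {f['type']:<32} {f['detail']}")
```

On the sample data the terminated employee E1003's badge was switched off on the Monday after a Friday termination, which is one business day late against a same-day SLA; the same termination date with a Monday deactivation would pass if the SLA were relaxed to one business day. Run on a schedule, the findings list doubles as the evidence of periodic access review that section 6 asks for.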
6. Prepare Your Evidence Package
Certification requires evidence, not assertions. For physical access controls, auditors typically request:
- Current access control policy (signed, dated)
- Access logs for a sample period
- Evidence of periodic access reviews with sign-off
- Deprovisioning records showing timely revocation
- Incident log for any physical security events
If your access and attendance data live in the same system, producing this evidence is straightforward. TimeClock 365 stores every badge event with timestamp, credential type, employee ID, and door location — exactly the structured log format that satisfies ISO 27001 evidence requirements without manual extraction or data cleanup.
The Compounding Benefit
Physical access compliance tends to be treated as a box-ticking exercise. The organizations that get the most value from it recognize that a well-implemented access control system does more than satisfy auditors — it eliminates ghost employees, reduces shrinkage, and, as a side effect, automates attendance data that would otherwise require manual timesheets. That last point alone accounts for the 70% faster expense approval cycles that come from having verified, timestamped attendance records feeding directly into payroll and project cost systems.
If you are running separate systems for door access and time tracking, consolidating them is the single highest-leverage change you can make for both your ISO 27001 posture and your operational efficiency.
Start with a free trial and see the unified access-attendance log in action: https://live.timeclock365.com/en/reg