People think of ISO 27001 as a cyber standard, and most of it is: policies, access management, cryptography, logging. But Annex A of ISO 27001:2022 also carries a set of physical and environmental controls, and those you cannot audit from a desk. You audit them by walking the building with a competent assessor and gathering evidence. This guide covers that walk-through half honestly, and where a WhatsApp workflow fits it.
Guide · IT
ISO 27001 physical security audit.
The physical and environmental controls in ISO 27001:2022 Annex A, the ones you audit by walking the building. Secure areas, physical entry, equipment siting, cabling security. Honest about the walk-through part, not the whole standard.
14-day free trial. No card required.
The point
Half of Annex A you audit on your feet.
ISO 27001 is largely about logical and management controls. But a real block of Annex A is physical: are the secure areas actually secure, does the door log work, is the kit sited away from the flood risk, is the cabling protected. That part is a building walk-through, and it needs evidence, not assertions.
The physical controls
The Annex A clauses you walk.
Perimeters and entry
Physical security perimeters and secure entry to controlled spaces. Check the barriers, the access control, the visitor logs and the sign-in that Annex A expects.
EquipmentSiting and protection
Equipment sited and protected against environmental threats, power failure and unauthorised access. Walk the racks, the UPS, the cooling and the fire cover.
Cabling and mediaPhysical protection
Power and data cabling protected from interception and damage, and secure disposal or reuse of equipment and media. All observable on the floor.
Evidence, not assertion
An auditor wants to see it, photographed.
Annex A physical controls are audited by walking the building and gathering evidence: a photo of the locked comms room, the door-access report, the temperature log, the clear-desk state. Capture each as you go, tied to the control it covers, so the evidence pack writes itself instead of being assembled from memory after the visit.
Gather physical evidence on WhatsApp
No app install. No training.
The assessor uses the phone they already carry round the site. Setup to first live workflow usually takes under a week.
The short version
- ISO 27001:2022 Annex A includes physical controls under the theme of physical and environmental security.
- Those controls cover secure areas, physical entry, equipment siting and protection, and cabling security.
- You audit them by walking the building and gathering photographic and documentary evidence.
- Quickler suits the physical evidence-gathering walk, not the logical or management-system clauses.
- The certification decision rests with a qualified auditor and a UKAS-accredited body, never a tool.
- Physical evidence tied to each control makes the auditor's job faster and the gap clearer.
Context
Where physical controls sit in ISO 27001:2022
The 2022 revision reorganised Annex A into four themes: organisational, people, physical, and technological. The physical theme groups the controls you can literally see and touch on a site walk. They include physical security perimeters, physical entry, securing offices and rooms, protecting against physical and environmental threats, equipment siting and protection, security of supporting utilities, cabling security, equipment maintenance, and secure disposal or reuse of equipment.
These are not paperwork controls. An auditor confirms them by looking: is the perimeter real, does the door reader actually restrict entry, is the server room protected from flood and fire, is the cabling secured. That is why this half of the audit is a building walk-through with evidence, not a document review.
Secure areas
Perimeters, entry and secure rooms
Start at the boundary. Annex A expects defined physical security perimeters and controlled physical entry to secure areas. On the walk you check the barriers, the access control on doors to sensitive spaces, the visitor sign-in and escort arrangements, and whether the access list matches who can actually get in. A comms room whose door does not lock, or whose access list is a year out of date, is a finding.
Photograph the door and reader, pull the access-control report, and record the visitor-log arrangement. Each of those is evidence against a specific control, and each is far more convincing than a line in a spreadsheet saying the control is in place.
Equipment and cabling
Siting, utilities and cabling security
Equipment must be sited and protected to reduce risks from environmental threats and unauthorised access. On the walk that means checking the server and comms rooms: is the kit away from windows and water risk, is there resilient power and appropriate cooling, is fire detection and suppression present and in service. Supporting utilities, the power and cooling the equipment depends on, are a control in their own right.
Cabling security asks that power and data cabling is protected from interception, interference and damage. You look for cabling that is contained, labelled and not exposed to casual access. Secure disposal covers equipment and media leaving the estate: is there evidence that drives are wiped or destroyed. All of this is observable, and all of it photographs cleanly.
Honest fit
The walk-through half, not the whole standard
Be plain about the boundary. Quickler helps with the physical evidence-gathering walk: capturing photos, access reports, readings and findings against each physical control, and producing a tidy evidence pack with a timestamp on every item. That is genuinely useful preparation for an internal audit or a certification visit.
It does not cover the logical and management-system clauses: the ISMS scope, risk assessment, statement of applicability, access management, cryptography, or the management review. Those are the larger part of ISO 27001 and they need a qualified assessor and the right tooling. Quickler handles the part you do on your feet.
Honest note: certification comes from a competent auditor and a UKAS-accredited certification body, working to the standard, not from any tool. Quickler makes the physical evidence easy to gather and hard to lose. It does not certify anything. Ask us if the boundary matters for your scope.
Questions, answered
What physical controls does ISO 27001 Annex A cover?
ISO 27001:2022 Annex A physical and environmental controls cover physical security perimeters, physical entry, securing offices and rooms, protection against physical and environmental threats, equipment siting and protection, security of supporting utilities, cabling security, equipment maintenance, and secure disposal or reuse of equipment. They are audited by walking the site and gathering evidence.
Can Quickler certify us to ISO 27001?
No. No tool can. ISO 27001 certification is granted by a qualified auditor working through a UKAS-accredited certification body against the full standard. Quickler helps you gather the physical evidence for the Annex A physical controls before that audit. It is preparation, not certification.
How do you audit ISO 27001 physical security?
You audit ISO 27001 physical security by walking the building with a competent assessor and gathering evidence against each physical control: photographing secure areas and door controls, pulling access-control and visitor logs, checking equipment siting and cabling, and confirming utilities, fire cover and secure disposal. The evidence is tied to the specific Annex A control it supports.
Does the 2022 version change the physical controls?
ISO 27001:2022 reorganised Annex A into four themes, including a physical theme, and merged some previous controls. The substance of the physical requirements, secure areas, equipment protection and cabling security, remains, but the numbering and grouping changed from the 2013 version. Check your statement of applicability against the 2022 control set.