Physical Security Perimeter (ISO 27001)

    Overview

    Define and document physical security perimeters and physical entry controls for ISO 27001:2022 Annex A 7.1 and 7.2. The skill structures the “Defense in Depth” narrative for offices, data centers, and secure areas: boundaries and access points (7.1), entry controls, visitor management, anti-tailgating, delivery/loading zones, and entry/exit logging (7.2). A built-in validation tool checks that the procedure explicitly covers anti-passback and visual badge identification so the document is auditor-ready.

    Example

    You: We need a Physical Security Perimeter Procedure for our HQ and the server room. We use badge readers at the building and at the server room door, and we have a visitor log at reception. Our auditor asked for evidence on tailgating prevention.

    Agent: I’ll draft the procedure with a Defense in Depth narrative (building perimeter → lobby → badge-only floors → server room) and align each layer to 7.1 and 7.2. (Drafts the procedure, then runs the validation tool.) The tailgating prevention check reported two required elements: I’ve added a clear anti-passback clause (one person per badge; turnstiles at main entry) and a visual badge identification requirement (badge must be visible; staff must challenge persons without a visible badge). I’ve also referenced your visitor management and entry logging so the procedure links to existing evidence. Re-running the check: no errors.

    Excerpt of a generated procedure

    Below is a condensed example of the Physical Entry (Control 7.2) section from a generated procedure:

    ## 4. Physical entry (Annex A 7.2)
    
    ### 4.1 Entry controls
    
    - Access to the building and to secure areas (server room, [Restricted Zone Name]) shall be by badge only. One person per credential; no tailgating.
    - Turnstiles at the main lobby enforce anti-passback. Revolving doors and mantrap at [Server Room] ensure only one person enters per badge read.
    - Badges must be visible at all times within the building. Staff must challenge any person without a visible badge and escort them to reception.
    
    ### 4.2 Visitor management
    
    - Visitors must register at reception, present ID, and be issued a temporary badge. They must be escorted by an authorized employee for the duration of the visit. Visitor log is retained for [Retention Period].
    
    ### 4.3 Entry and exit logging
    
    - Access system records entry/exit events. Logs are reviewed [e.g. monthly] for anomalies. Delivery and loading areas are separate from the server room; access is restricted and logged.

    Validation tool

    The skill includes one extension tool that automates Control 7.2–focused checks:

    • Tailgating prevention check — Validates the procedure document against ISO 27001:2022 Control 7.2.
      - Required (reported as errors if missing): (1) Anti-passback — the procedure must mention anti-passback or an equivalent (e.g. one person per credential, turnstile, mantrap, or preventing unauthorized following of authorized personnel); (2) Visual badge identification — the procedure must require visual badge identification or an equivalent (e.g. badge visible, challenge unknown persons, verify badge).
      - Recommended (reported as warnings if missing): visitor management, entry/exit logging, and delivery/loading zones.
      - Unfilled placeholders (e.g. [ ... ]) are also flagged so the document can be completed before use.
      Run the check after drafting or revising the procedure; fix errors and re-run until the report shows no critical findings.
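As an added illustration of how a check like this can be implemented (this is example code, not the skill's own validation tool), the Python below scans a procedure draft for the required and recommended elements described above and flags unfilled placeholders; the keyword lists, the function names and the sample draft are assumptions constructed for the example.

```python
import re

# Keyword families approximating the required/recommended elements of the check;
# these lists and the function names are this example's assumptions, not the skill's rules.
REQUIRED = {
    "anti-passback": [r"anti[- ]?passback", r"one person per (credential|badge)",
                      r"turnstile", r"mantrap", r"(no|prevent\w*) tailgating"],
    "visual badge identification": [r"badges? (must|shall) be (visible|worn)",
                                    r"visible badge", r"challenge", r"verify (the )?badge"],
}
RECOMMENDED = {
    "visitor management": [r"visitor"],
    "entry/exit logging": [r"(entry|exit|access)[^.\n]{0,60}(log|record)"],
    "delivery/loading zones": [r"delivery", r"loading"],
}
# Unfilled placeholders look like [Retention Period]; markdown link text "[x](url)" is skipped.
PLACEHOLDER = re.compile(r"\[[^\[\]\n]+\](?!\()")

def _covered(text, patterns):
    return any(re.search(p, text) for p in patterns)

def check_tailgating_prevention(doc):
    """Errors = required elements missing, warnings = recommended elements missing,
    placeholders = bracketed fields still to be filled in before the document is used."""
    low = doc.lower()  # matching is case-insensitive
    return {
        "errors": [f"missing required element: {n}" for n, p in REQUIRED.items() if not _covered(low, p)],
        "warnings": [f"missing recommended element: {n}" for n, p in RECOMMENDED.items() if not _covered(low, p)],
        "placeholders": sorted(set(PLACEHOLDER.findall(doc))),
    }

def auditor_ready(report):
    """Auditor-ready: no errors and every placeholder filled in (warnings are advisory)."""
    return not report["errors"] and not report["placeholders"]

# Constructed sample draft: covers the required elements but still contains placeholders.
DRAFT = """## 4.1 Entry controls
- Access to the server room ([Restricted Zone Name]) shall be by badge only. One person per credential; no tailgating.
- Turnstiles at the main lobby enforce anti-passback; a mantrap at [Server Room] admits one person per badge read.
- Badges must be visible at all times. Staff must challenge any person without a visible badge.
## 4.2 Visitor management
- Visitors register at reception and are escorted. The visitor log is retained for [Retention Period].
## 4.3 Entry and exit logging
- The access system records entry/exit events; delivery and loading areas are separate and logged.
"""

if __name__ == "__main__":
    report = check_tailgating_prevention(DRAFT)
    print(report, "auditor-ready:", auditor_ready(report))
```

On the sample draft the report has no errors or warnings but lists three placeholders, so `auditor_ready` stays false until they are filled in.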

    Getting Started

    Add your source materials (e.g. site layout, current access controls, visitor process) to the project workspace, then activate the Physical Security Perimeter (ISO 27001) skill. The agent will guide you through scoping perimeters, drafting the procedure with a Defense in Depth narrative, and validating it with the tailgating prevention check.
