Tags: Physical, Preventive, Protect

A.7.1 Physical Security Perimeters

M365 Admin Path: Microsoft Entra admin center (entra.microsoft.com) > Protection > Conditional Access > Named locations

Evidence Source: Microsoft Graph - Conditional Access, Named Locations

What is this control?

ISO 27001:2022 Annex A 7.1 requires organisations to define and maintain security perimeters to protect areas containing information and information processing facilities. For cloud-native Managed Service Providers, this extends beyond traditional physical walls to include ‘virtual perimeters’ established through Microsoft Entra Named Locations and enforced via Conditional Access policies. The control addresses three security zones: Cloud Facilities (delegated to Microsoft with attestation verification), Core Facilities (on-premises server rooms with physical access controls), and Virtual Perimeter (location-aware access controls creating logical boundaries for remote workforce access).

This control focuses on perimeter DEFINITION; entry authentication is addressed in A.7.2.

How to implement in Microsoft 365

Implementing ISO 27001:2022 A.7.1 involves establishing a three-zone security model. For Cloud Facilities, rely on Microsoft's independent assurance (SOC 2 Type II attestation reports and ISO 27001 certification), downloading and reviewing the current reports from the Service Trust Portal at least annually and recording management sign-off. For Core Facilities, ensure server rooms and network equipment are housed in lockable spaces with access restricted to authorised personnel via keys, cards, or PINs.

For the Virtual Perimeter, define Named Locations in Microsoft Entra from the organisation's actual egress IP ranges (CIDR blocks), not country-based definitions alone, mark them as trusted, and configure Conditional Access policies that reference these locations to enforce differentiated access decisions based on trust level. A Named Location matches the source IP address that Entra sees at sign-in, so VPN split tunnelling, cloud proxies and changes to office egress addresses all change who falls inside the perimeter; review the ranges whenever network egress changes. Roll out location-based policies in report-only mode first and exclude emergency-access accounts so that a mis-scoped perimeter cannot lock administrators out. Implement compensatory controls including endpoint encryption (A.8.24) and Global Secure Access (A.8.20) to protect data regardless of physical location. Document perimeter definitions, maintain access registers, and conduct quarterly reviews.
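The Virtual Perimeter steps above, carried out with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page: it creates an IP-based, trusted Named Location and a Conditional Access policy that requires MFA for any sign-in originating outside it. The CIDR ranges (taken from the RFC 5737 documentation blocks), the display names and the emergency-access group placeholder are assumptions to replace with the organisation's own values.

```powershell
# Added example (not from the original page). Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and a Conditional Access
# administrator. Names, CIDR ranges and the group ID below are placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Named Location built from corporate egress IP ranges, not countries.
#    isTrusted = $true also makes it selectable through the 'AllTrusted' option.
$corpLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate egress (HQ + DR)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }   # placeholder range
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '198.51.100.0/25' }  # placeholder range
    )
}

# 2. Policy: all users, all cloud apps, any location EXCEPT the corporate
#    perimeter, must satisfy MFA. Emergency-access accounts are excluded so a
#    wrong IP range can never lock the tenant administrators out.
$breakGlassGroupId = '<object-id-of-emergency-access-group>'   # placeholder, replace before running
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'A.7.1 Virtual perimeter - MFA outside corporate egress'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($corpLocation.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

'Named Location {0} created; referenced by policy {1}' -f $corpLocation.Id, $policy.Id
```

Leave the policy in report-only mode until the sign-in logs show only expected users being flagged as outside the perimeter, then change `state` to `enabled`. Keep the Named Location ID from the output; it is what the audit evidence has to tie the policy back to.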

What an auditor looks for

Auditors will verify that Named Locations are defined in Microsoft Entra representing corporate network boundaries with IP-based precision, not just country-level definitions. They will check that Conditional Access policies actively reference these locations in their conditions, enforcing differentiated access decisions based on location trust status; a policy that references a location but remains in report-only mode records decisions without enforcing them and does not satisfy this check. Auditors will review physical security controls for on-premises Secure Zones including lockable server rooms, restricted access registers, and visitor escort procedures.

They will request evidence of annual Microsoft attestation reviews (SOC 2 Type II, ISO 27001) from the Service Trust Portal with management sign-off. Auditors will confirm that equipment is not visible from outside Secure Zones and that perimeter definitions align with the documented ISMS policy. They will verify cross-referenced compensatory controls (A.8.24 encryption, A.8.20 GSA) are operational.
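An evidence pull for the Named Location and Conditional Access checks described above, as an added example that is not part of the original page: it lists every Named Location in the tenant, flags country-only definitions, and shows which enabled Conditional Access policies reference each one, either by ID or through the built-in 'AllTrusted' selector. It assumes the Microsoft Graph PowerShell SDK; the report columns and finding wording are this example's own.

```powershell
# Added example (not from the original page). Requires the Microsoft Graph
# PowerShell SDK and a read-only Conditional Access scope.
Connect-MgGraph -Scopes 'Policy.Read.All'

$locations = Get-MgIdentityConditionalAccessNamedLocation -All
# Only enabled policies enforce anything; report-only ones are excluded on purpose.
$policies  = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'

$report = foreach ($loc in $locations) {
    $extra   = $loc.AdditionalProperties        # type-specific fields live here
    $isIp    = $extra['@odata.type'] -eq '#microsoft.graph.ipNamedLocation'
    $trusted = [bool]$extra['isTrusted']

    $definition = if ($isIp) {
        ($extra['ipRanges'] | ForEach-Object { $_['cidrAddress'] }) -join ', '
    } else {
        @($extra['countriesAndRegions']) -join ', '
    }

    # A policy references the location by ID, or, for trusted IP locations,
    # through the built-in 'AllTrusted' selector in include/exclude lists.
    $refs = @($policies | Where-Object {
        $used = @($_.Conditions.Locations.IncludeLocations) + @($_.Conditions.Locations.ExcludeLocations)
        ($used -contains $loc.Id) -or ($trusted -and ($used -contains 'AllTrusted'))
    })

    $finding = if (-not $isIp)          { 'Country-only definition; no IP precision' }
               elseif ($refs.Count -eq 0) { 'IP location defined but not used by any enabled policy' }
               else                      { 'OK' }

    [pscustomobject]@{
        NamedLocation = $loc.DisplayName
        Type          = if ($isIp) { 'IP' } else { 'Country' }
        Trusted       = $trusted
        Definition    = $definition
        ReferencedBy  = ($refs.DisplayName -join '; ')
        Finding       = $finding
    }
}

$report | Format-Table -AutoSize
# Retain the dated CSV with the reviewer's sign-off as the A.7.1 evidence artefact.
$report | Export-Csv -Path "A7.1-named-locations-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Any row whose Finding is not 'OK' is a gap against the checks above: a country-only location needs an IP-based companion, and an unreferenced location is a perimeter that exists on paper only. Run the same script after each quarterly review so the CSVs form a time series the auditor can compare.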

Related controls

  • [A.7.2 (Physical Entry)](/controls/a-7-2 (physical entry)/)
  • [A.7.3 (Securing offices)](/controls/a-7-3 (securing offices)/)
  • [A.7.4 (Physical security monitoring)](/controls/a-7-4 (physical security monitoring)/)
  • [A.8.20 (Networks security - GSA)](/controls/a-8-20 (networks security - gsa)/)
  • [A.8.24 (Use of cryptography - endpoint encryption)](/controls/a-8-24 (use of cryptography - endpoint encryption)/)

M365 capabilities that implement this control

Microsoft Physical Access Controls Foundation

Microsoft-managed physical access controls for datacentres including monitoring, intrusion detection, and access logging