physical Preventive Protect

A.7.2 Physical Entry

M365 Admin Path: Microsoft Entra admin center (entra.microsoft.com) > Protection > Conditional Access > Policies

Evidence Source: Microsoft Graph - Conditional Access (MFA policies), Manual verification logs

What is this control?

ISO 27001:2022 Annex A 7.2 requires organisations to implement entry controls that restrict access to secure areas, allowing only authorised personnel. For hybrid organisations operating cloud infrastructure alongside physical premises, ‘Physical Entry’ spans two distinct layers: cloud data centres (entry delegated to Microsoft with biometric scanners, two-factor authentication, and 24/7 security guards) and organisational premises (controlled via electronic access cards, reception protocols, visitor logging, and Secure Zone restrictions). Digital entry is enforced through Multifactor Authentication as the ‘digital badge’, aligning with CIS Microsoft 365 benchmarks.

The control extends to console protection for network equipment per CIS FortiGate benchmarks, ensuring logical resistance to tampering even if physical access is gained.

How to implement in Microsoft 365

Implementing ISO 27001:2022 A.7.2 involves establishing layered entry controls across physical and digital domains. For digital entry, configure Conditional Access policies requiring MFA for all users, treating this as the ‘digital badge’ equivalent of physical access credentials. For Head Office entry, implement perimeter access via electronic cards/fobs, maintain manned reception during business hours, require visitor sign-in with date/time/name/organisation/host, issue temporary visitor badges, and mandate escort for visitors within private offices.

For Secure Zones (server rooms, comms cabinets), restrict key/card access to CTO, Senior Engineers, and designated IT staff, review access lists quarterly, and revoke access immediately upon employment termination per the JML process. For delivery areas, isolate from information processing facilities, inspect inbound IT hardware for tampering before network connection, and secure deliveries promptly. Apply CIS FortiGate 7.4.x Section 2 recommendations for console password protection and USB firmware disablement.

Review Microsoft SOC 2/ISO 27001 attestations annually for cloud data centre entry controls.

What an auditor looks for

Auditors will verify MFA enforcement via enabled Conditional Access policies requiring multifactor authentication for user access. They will review visitor access logs for completeness (date, time, name, organisation, host) and evidence of badge issuance and escort procedures. Auditors will request Secure Zone key/card registers showing quarterly reviews and verify JML process compliance for access revocation upon termination.
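Because the evidence source for the 'digital badge' requirement is the Microsoft Graph Conditional Access API, the auditor's MFA check above can be scripted against the policy list. The following is an added example, not code from the original page or from Microsoft; it assumes the JSON body of `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` has been retrieved into a string, and the sample response and the break-glass placeholder in it are constructed.

```python
import json
# Constructed sample in the shape of GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
# (only the fields this check reads; not a capture from a real tenant).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-object-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA or compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]})

def requires_mfa(policy):
    """True only if every sign-in matched by the policy must satisfy MFA."""
    grant = policy.get("grantControls") or {}
    if grant.get("authenticationStrength"):  # an authentication strength is an MFA-class requirement
        return True
    controls = grant.get("builtInControls") or []
    # "mfa" alone, or "mfa AND <other>", always demands MFA; "mfa OR compliantDevice" lets a device bypass it.
    return "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")

def covers_all_users_and_apps(policy):
    """True if the policy scopes to all users and all cloud apps (no role- or group-only scope)."""
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    return "All" in users and "All" in apps

def mfa_evidence(response_json):
    """Return (names of enforcing tenant-wide MFA policies, audit findings to follow up)."""
    enforcing, findings = [], []
    for p in json.loads(response_json)["value"]:
        name = p.get("displayName", "<unnamed>")
        if not (requires_mfa(p) and covers_all_users_and_apps(p)):
            continue  # not a tenant-wide MFA policy; irrelevant to this control's evidence
        if p.get("state") == "enabled":
            enforcing.append(name)
            excluded = ((p.get("conditions") or {}).get("users") or {}).get("excludeUsers") or []
            if excluded:  # exclusions (e.g. break-glass accounts) need a documented justification
                findings.append(f"{name}: {len(excluded)} excluded user(s)")
        else:  # report-only or disabled policies produce sign-in logs but enforce nothing
            findings.append(f"{name}: state {p.get('state')!r}, not enforcing MFA")
    if not enforcing:
        findings.append("no enabled policy requires MFA for all users and all apps")
    return enforcing, findings
```

Run `mfa_evidence` over the live response and attach the returned names and findings to the evidence record; an empty enforcing list is a non-conformity against this control.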

They will check Microsoft SOC 2 Type II and ISO 27001 attestation review records from the Service Trust Portal with management sign-off. Auditors will inspect delivery area isolation, hardware receipt logs with tamper inspection records, and secure storage procedures. They will review FortiGate configuration backups confirming console password protection and USB firmware installation disabled per CIS benchmarks.

Auditors will also verify the cross-references to A.7.1 perimeter controls and A.8.1 device compliance.

  • [A.7.1 (Physical security perimeters)](/controls/a-7-1 (physical security perimeters)/)
  • [A.7.3 (Securing offices, rooms and facilities)](/controls/a-7-3 (securing offices, rooms and facilities)/)
  • [A.7.4 (Physical security monitoring)](/controls/a-7-4 (physical security monitoring)/)
  • [A.8.1 (User endpoint devices)](/controls/a-8-1 (user endpoint devices)/)
  • [A.8.5 (Secure authentication)](/controls/a-8-5 (secure authentication)/)

M365 capabilities that implement this control

Microsoft Physical Access Controls Foundation

Microsoft-managed physical access controls for datacentres including monitoring, intrusion detection, and access logging