A.7.3 Securing Offices, Rooms and Facilities
What is this control?
ISO 27001:2022 Annex A 7.3 requires organisations to design and implement physical security for offices, rooms and facilities so as to prevent unauthorised access to, damage to, or interference with information and other associated assets. For cloud-native organisations with hybrid workforces, this control extends beyond traditional office security to encompass shared meeting facilities (“Hybrid Hubs”), remote working environments, and technical compensating controls. The control addresses three facility types: Core Facilities (Head Office and secure server rooms with alarm systems and secure storage), Shared Facilities (meeting rooms requiring physical and digital clearance procedures), and Remote Facilities (home offices with screen positioning and voice privacy requirements).
Technical controls including device auto-lock and MFA provide safety nets when physical security lapses occur.
How to implement in Microsoft 365
Implementing ISO 27001:2022 A.7.3 involves securing facilities across three domains.

For Core Facilities: fit intruder alarm systems and treat alarm codes as high-sensitivity credentials (individual codes where the panel supports them, rotated whenever a holder leaves, as part of the JML process); keep a master key register with master keys held in a secure safe; store spare IT assets in locked cabinets; and apply siting anonymity (neutral signage on server rooms, window obscuration on ground floors).

For Shared Facilities: enforce a physical clearance procedure (remove assets, wipe whiteboards) and a digital clearance procedure (end Teams sessions, disconnect casting) at the end of each booking, and lock rooms overnight for multi-day sensitive projects.

For Remote Facilities: require a designated work area with screens not visible from windows or to household members, and voice privacy for confidential calls. As a technical safety net, configure Intune device lock policies with an inactivity timeout of 15 minutes or less, and require sign-in on resume so that the timeout actually locks the session rather than only blanking the screen. Enforce MFA through Conditional Access so that physical access to a device or room does not by itself translate into access to M365 data. Neither control protects a session that is already unlocked and left unattended, which is why the clearance procedures above still matter.
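The Intune safety net above is only as good as the profiles actually assigned, so the check below audits an export of device configuration profiles against the 15-minute limit. It is an added example, not code from the page or from Microsoft. It assumes the input is the JSON returned by the Microsoft Graph deviceManagement/deviceConfigurations endpoint and that the per-platform property names are those of the Graph resource types (windows10GeneralConfiguration, iosGeneralDeviceConfiguration, macOSGeneralDeviceConfiguration, androidDeviceOwnerGeneralDeviceConfiguration); confirm them against the schema your tenant returns before relying on it. The sample export is constructed, not tenant data.

```python
"""Offline audit of exported Intune device configuration profiles: every
platform restriction profile must lock after at most 15 minutes of inactivity,
and Windows profiles must also require sign-in on resume.

Assumption (not from the page): the export is the JSON body of a Graph
deviceManagement/deviceConfigurations query, and the property names below are
those of the corresponding Graph resource types.
"""
import json

MAX_INACTIVITY_MINUTES = 15  # CIS benchmark value cited on the page

# Graph @odata.type -> property holding the inactivity limit in minutes (assumed names)
INACTIVITY_PROPERTY = {
    "#microsoft.graph.windows10GeneralConfiguration": "passwordMinutesOfInactivityBeforeScreenTimeout",
    "#microsoft.graph.iosGeneralDeviceConfiguration": "passcodeMinutesOfInactivityBeforeLock",
    "#microsoft.graph.macOSGeneralDeviceConfiguration": "passwordMinutesOfInactivityBeforeLock",
    "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration": "passwordMinutesOfInactivityBeforeScreenTimeout",
}


def check_profile(profile: dict) -> list[str]:
    """Return the findings for one profile; an empty list means compliant."""
    findings = []
    otype = profile.get("@odata.type")
    prop = INACTIVITY_PROPERTY.get(otype)
    if prop is None:
        return findings  # not a platform restriction profile; nothing to assess
    name = profile.get("displayName", profile.get("id", "<unnamed>"))
    minutes = profile.get(prop)
    if minutes is None:
        findings.append(f"{name}: {prop} not set (device default applies, no lock enforced)")
    elif minutes > MAX_INACTIVITY_MINUTES:
        findings.append(f"{name}: {prop}={minutes} exceeds {MAX_INACTIVITY_MINUTES} minutes")
    # A screen timeout without a sign-in requirement on resume is not a lock.
    if otype == "#microsoft.graph.windows10GeneralConfiguration" and not profile.get(
        "passwordRequireWhenResumeFromIdleState", False
    ):
        findings.append(f"{name}: passwordRequireWhenResumeFromIdleState is not true")
    return findings


def audit(export_json: str) -> dict[str, list[str]]:
    """Run check_profile over a whole export; returns {profile name: findings} for non-compliant profiles."""
    data = json.loads(export_json)
    results = {}
    for profile in data.get("value", []):
        findings = check_profile(profile)
        if findings:
            results[profile.get("displayName", profile.get("id"))] = findings
    return results


# Constructed sample export (not real tenant data): a compliant Windows profile,
# a Windows profile with a weak timeout and no lock on resume, an iOS profile
# with no limit set, and an unrelated update ring that must be ignored.
SAMPLE_EXPORT = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
     "id": "1", "displayName": "WIN - Corporate baseline",
     "passwordMinutesOfInactivityBeforeScreenTimeout": 15,
     "passwordRequireWhenResumeFromIdleState": True},
    {"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
     "id": "2", "displayName": "WIN - Kiosk legacy",
     "passwordMinutesOfInactivityBeforeScreenTimeout": 60,
     "passwordRequireWhenResumeFromIdleState": False},
    {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
     "id": "3", "displayName": "iOS - BYOD"},
    {"@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
     "id": "4", "displayName": "WIN - Update ring"},
]})

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        for finding in findings:
            print("FAIL", finding)
```

A profile that passes this check still has to be assigned to the right device groups; the export of deviceConfigurations does not show assignments, so pair it with the profile's assignment report when producing audit evidence.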
What an auditor looks for
Auditors will verify that Intune configuration profiles enforce device auto-lock within 15 minutes of inactivity, the value recommended by the CIS benchmarks. They will review physical site inspection logs confirming alarm code rotation, that window obscuration is in place and effective, and neutral signage on server rooms. They will check secure storage arrangements (keys in safes, IT assets in locked cabinets) and master key registers.

For shared facilities, they will verify documented clearance procedures and evidence of overnight locking for sensitive projects. For remote working, auditors may request policy acknowledgement records and spot-check compliance during site visits. Where Teams Rooms are deployed, the Entra ID sign-in logs for the room resource accounts will be reviewed for anomalous activity: interactive sign-ins outside business hours, or from locations where the organisation has no rooms.
Auditors will also verify that these measures are consistent with the A.7.1 perimeter controls and A.7.2 entry controls.
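The sign-in log review described above can be scripted so the same criteria are applied every time. The example below is added here and is not code from the page or from Microsoft. It assumes records carry the field names of the Graph auditLogs/signIns resource (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, isInteractive, status.errorCode), that Teams Rooms resource accounts follow an assumed naming prefix, and that business hours are 07:00 to 20:00 Monday to Friday in a fixed office UTC offset. The sample records are constructed, not real logs.

```python
"""Review exported Entra ID sign-in records for Teams Rooms resource accounts,
flagging interactive sign-ins outside business hours or from a country that is
not on the site allowlist.

Assumptions (not from the page): Graph auditLogs/signIns field names, a
"mtr-" naming prefix for room accounts, and a fixed office UTC offset used
instead of tzdata so the script runs on any host.
"""
from datetime import datetime, timedelta, timezone

ROOM_ACCOUNT_PREFIX = "mtr-"               # assumed naming convention for room accounts
ALLOWED_COUNTRIES = {"GB"}                 # assumed: countries where the organisation has rooms
BUSINESS_START, BUSINESS_END = 7, 20       # local hours, inclusive start / exclusive end
OFFICE_TZ = timezone(timedelta(hours=1))   # assumed office offset (UTC+1)


def is_room_account(upn: str) -> bool:
    return upn.lower().startswith(ROOM_ACCOUNT_PREFIX)


def review_sign_ins(records: list[dict]) -> list[dict]:
    """Return one finding per anomalous interactive sign-in to a room account."""
    findings = []
    for rec in records:
        if not is_room_account(rec.get("userPrincipalName", "")):
            continue
        # The room device refreshes its own tokens around the clock; those appear
        # as non-interactive sign-ins and are expected. Only interactive sign-ins
        # indicate a person at the console.
        if not rec.get("isInteractive", True):
            continue
        reasons = []
        when_utc = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        when_local = when_utc.astimezone(OFFICE_TZ)
        if when_local.weekday() >= 5 or not (BUSINESS_START <= when_local.hour < BUSINESS_END):
            reasons.append("outside business hours")
        country = (rec.get("location") or {}).get("countryOrRegion")
        if country not in ALLOWED_COUNTRIES:
            reasons.append(f"location {country!r} not in allowlist")
        if reasons:
            findings.append({
                "account": rec["userPrincipalName"],
                "time_local": when_local.isoformat(),
                "ip": rec.get("ipAddress"),
                # Failed attempts matter too: they show someone trying the console.
                "succeeded": (rec.get("status") or {}).get("errorCode", 0) == 0,
                "reasons": reasons,
            })
    return findings


# Constructed sample records (not real logs). 2024-06-04 is a Tuesday, 2024-06-08 a Saturday.
SAMPLE_SIGN_INS = [
    # Normal: console sign-in in the boardroom mid-morning on a weekday
    {"userPrincipalName": "mtr-boardroom@contoso.example", "createdDateTime": "2024-06-04T09:12:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "isInteractive": True,
     "status": {"errorCode": 0}},
    # Expected noise: device token refresh at night, non-interactive
    {"userPrincipalName": "mtr-boardroom@contoso.example", "createdDateTime": "2024-06-04T02:00:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "isInteractive": False,
     "status": {"errorCode": 0}},
    # Anomalous: interactive sign-in at 23:30 local on a Saturday
    {"userPrincipalName": "mtr-boardroom@contoso.example", "createdDateTime": "2024-06-08T22:30:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "isInteractive": True,
     "status": {"errorCode": 0}},
    # Anomalous: failed interactive sign-in from an unexpected country during the day
    {"userPrincipalName": "mtr-huddle2@contoso.example", "createdDateTime": "2024-06-05T13:05:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "isInteractive": True,
     "status": {"errorCode": 50126}},
    # Not a room account: out of scope for this review
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-06-08T22:30:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "isInteractive": True,
     "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for finding in review_sign_ins(SAMPLE_SIGN_INS):
        print(finding)
```

Keep the findings list as part of the audit evidence pack together with the allowlist and business-hours definition that produced it, so the reviewer can see what "unauthorised location" meant at the time of the review.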
Related controls
- [A.7.1 (Physical security perimeters)](</controls/a-7-1 (physical security perimeters)/>)
- [A.7.2 (Physical entry)](</controls/a-7-2 (physical entry)/>)
- [A.7.4 (Physical security monitoring)](</controls/a-7-4 (physical security monitoring)/>)
- [A.7.7 (Clear desk and clear screen)](</controls/a-7-7 (clear desk and clear screen)/>)
- [A.8.1 (User endpoint devices)](</controls/a-8-1 (user endpoint devices)/>)
M365 capabilities that implement this control
- Intune device configuration profiles enforcing the inactivity lock on managed endpoints
- Conditional Access policies requiring MFA, so physical access to a device or room does not by itself grant access to M365 data
- Entra ID sign-in logs for Teams Rooms resource accounts, reviewed for out-of-hours or out-of-location activity
- Microsoft-managed datacentre security, including perimeter protection, cabling, and equipment protection; this covers Microsoft's facilities on the cloud side of the shared-responsibility model, not the organisation's own offices, rooms and remote work areas