Control attributes: Physical | Preventive | Protect | High Priority

A.7.3 Securing Offices, Rooms and Facilities

M365 Admin Path: Microsoft Intune admin center (intune.microsoft.com) > Devices > Configuration profiles

Evidence Source: Microsoft Graph - Intune Device Configuration, Sign-in Logs, Manual verification

What is A.7.3 Securing Offices, Rooms and Facilities?

ISO 27001:2022 Annex A 7.3 requires organisations to design and secure physical facilities to prevent unauthorised access, damage, or interference to information and assets. For cloud-native organisations with hybrid workforces, this control extends beyond traditional office security to encompass shared meeting facilities (“Hybrid Hubs”), remote working environments, and technical compensatory controls. The control addresses three facility types: Core Facilities (Head Office and secure server rooms with alarm systems and secure storage), Shared Facilities (meeting rooms requiring physical and digital clearance procedures), and Remote Facilities (home offices with screen positioning and voice privacy requirements).

Technical controls including device auto-lock and MFA provide safety nets when physical security lapses occur.

How to implement A.7.3 in Microsoft 365

Implementing ISO 27001:2022 A.7.3 involves securing facilities across three domains. For Core Facilities, implement intruder alarm systems with codes treated as high-sensitivity credentials (rotated on staff departure per the JML process), establish master key management with keys held in secure safes, store spare IT assets in locked cabinets, and apply siting anonymity (neutral signage on server rooms, window obscuration on ground floors). For Shared Facilities, enforce physical clearance (remove assets, wipe whiteboards) and digital clearance (end Teams sessions, disconnect casting) procedures, and lock rooms overnight for multi-day sensitive projects. For Remote Facilities, require designated work areas with screens not visible from windows or to household members, and voice privacy for confidential calls.

Configure Intune device lock policies

Configure Intune device lock policies (≤15 minutes inactivity timeout) as a technical safety net, and enforce MFA to prevent digital access even if physical access is gained.
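The 15-minute auto-lock requirement is the one part of this control that can be evidenced from the Graph evidence source named above rather than by site inspection. The following is an added example (not code from the original page or from Microsoft) that evaluates a JSON response from `GET /deviceManagement/deviceConfigurations` and flags profiles whose inactivity timeout is missing or longer than 15 minutes; the sample response is constructed, and the per-profile-type property names are assumed to match the documented Graph deviceConfiguration types.

```python
"""Check Intune device configuration profiles for the A.7.3 auto-lock
requirement: screen lock within 15 minutes of inactivity."""
import json

MAX_INACTIVITY_MINUTES = 15

# Graph property carrying the inactivity timeout, keyed by profile @odata.type.
# Assumption: names as documented for these deviceConfiguration types.
TIMEOUT_PROPERTY = {
    "#microsoft.graph.windows10GeneralConfiguration": "passwordMinutesOfInactivityBeforeScreenTimeout",
    "#microsoft.graph.iosGeneralDeviceConfiguration": "passwordMinutesOfInactivityBeforeLock",
    "#microsoft.graph.androidGeneralDeviceConfiguration": "passwordMinutesOfInactivityBeforeScreenTimeout",
    "#microsoft.graph.macOSGeneralDeviceConfiguration": "passwordMinutesOfInactivityBeforeLock",
}


def evaluate_profile(profile):
    """Return (status, detail) for one deviceConfiguration object.
    status is 'pass', 'fail' or 'not-applicable'."""
    prop = TIMEOUT_PROPERTY.get(profile.get("@odata.type"))
    if prop is None:
        return ("not-applicable", "profile type carries no inactivity-lock setting")
    minutes = profile.get(prop)
    if minutes is None:
        # The profile exists but does not set the timeout, so it enforces nothing.
        return ("fail", f"{prop} not set in this profile")
    if minutes > MAX_INACTIVITY_MINUTES:
        return ("fail", f"{prop}={minutes} exceeds {MAX_INACTIVITY_MINUTES} minutes")
    return ("pass", f"{prop}={minutes}")


def evaluate_response(body):
    """Evaluate a JSON body from GET /deviceManagement/deviceConfigurations
    and return {displayName: (status, detail)}."""
    return {p["displayName"]: evaluate_profile(p) for p in json.loads(body)["value"]}


# Constructed sample in the shape of a Graph response; not real tenant data.
SAMPLE = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
     "displayName": "Win - Lock", "passwordMinutesOfInactivityBeforeScreenTimeout": 10},
    {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
     "displayName": "iOS - Lock", "passwordMinutesOfInactivityBeforeLock": 30},
    {"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
     "displayName": "Win - Baseline"},
    {"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
     "displayName": "Win - OMA-URI"},
]})

if __name__ == "__main__":
    for name, (status, detail) in evaluate_response(SAMPLE).items():
        print(f"{status:15} {name}: {detail}")
```

The check reads profile settings only; it does not confirm that a passing profile is assigned to every device group, and settings-catalog or custom OMA-URI profiles that set the same timeout are reported as not-applicable and need manual review.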

What an auditor checks for A.7.3

  • Auditors will verify Intune configuration profiles enforce device auto-lock within 15 minutes of inactivity per CIS benchmarks.
  • They will review physical site inspection logs confirming alarm code rotation, window obscuration functionality, and neutral signage on server rooms.
  • Auditors will check secure storage arrangements (keys in safes, IT assets in locked cabinets) and master key registers.
  • For shared facilities, they will verify documented clearance procedures and evidence of overnight locking for sensitive projects.
  • For remote working, auditors may request policy acknowledgement records and spot-check compliance during site visits.
  • Teams Rooms sign-in logs (where applicable) will be reviewed for anomalous activity outside business hours or from unauthorised locations.
  • Cross-reference with A.7.1 perimeter controls and A.7.2 entry controls will be verified.

What your auditor expects for A.7.3

  • Control: A.7.3 (Securing offices, rooms and facilities) - ISMS Sections 3, 6
  • Related Controls: A.7.1 (Physical security perimeters), A.7.2 (Physical entry), A.8.1 (User endpoint devices)
  • Shows: Intune device lock policies enforcing auto-lock timeout; Teams Rooms sign-in activity (where applicable); manual verification checklists for physical site inspections; secure storage audits; meeting room clearance procedures
  • Audit: Validates facility security through technical device lock enforcement and manual verification of physical controls including siting anonymity, alarm systems and secure storage
  • Related control pages:
    • [A.7.1 (Physical security perimeters)](/controls/a-7-1 (physical security perimeters)/)
    • [A.7.2 (Physical entry)](/controls/a-7-2 (physical entry)/)
    • [A.7.4 (Physical security monitoring)](/controls/a-7-4 (physical security monitoring)/)
    • [A.8.1 (User endpoint devices)](/controls/a-8-1 (user endpoint devices)/)
    • [A.7.7 (Clear desk and clear screen)](/controls/a-7-7 (clear desk and clear screen)/)

M365 capabilities that implement this control

Microsoft Datacentre Infrastructure Foundation

Microsoft-managed datacentre security, including perimeter protection, cabling, and equipment protection.