An ISO 27001 Gap

Managing physical and protective security risks

ISO/IEC 27001 was originally conceived as a standard for information security management. Over two decades, it has evolved into a global benchmark for cybersecurity and data protection, aligning with regulatory frameworks such as the EU GDPR, NIST Cybersecurity Framework, and ISO/IEC 27701 (Privacy Information Management).

The 2022 revision of ISO/IEC 27001 emphasizes digital risk management, privacy, and resilience. While it retains a small set of physical and environmental controls (Annex A.7), these are narrowly scoped, intended only to support the protection of information assets and IT infrastructure.

This evolution leaves a significant gap: the absence of a comprehensive, certifiable standard for physical security management that can align with but remain independent of cybersecurity and privacy frameworks.

Including physical security controls within ISO/IEC 27001 creates conceptual confusion, since contemporary Information Security Management Systems (ISMS) are designed to manage cybersecurity and data protection risks. Physical security, while important, is now a distinct discipline that requires its own management framework rather than being treated as a subsidiary element of the ISMS.

Companion statements

While ISO/IEC 27001:2022 does include some limited privacy-related references (mainly where personal data is part of the organization’s information assets), privacy management is not a core focus of 27001 itself. Instead, the ISO community created a companion standard, ISO/IEC 27701, to extend 27001 into privacy governance.

ISO 27001:2022 only partially addresses physical security. It treats physical security as a subset of information security (Annex A.7 “Physical and Environmental Security”), not as a fully realized discipline. Many organizations have argued that a dedicated physical security standard, structured like 27001 but modular enough to plug into other management systems, would fill a major gap. ISO 27001 has 93 controls, but only 11, or 12% of the total, are specific to physical security.

The need for physical security standards

Here is how a conceptual framework for a Physical Security standard (a companion or extension to ISO 27001) could look.

ISO 27X3 — Physical Security Management Systems (PSMS)

Purpose

To establish requirements and guidance for a Physical Security Management System (PSMS) that can:

  1. Integrate seamlessly with ISO 27001 (ISMS), ISO 22301 (BCMS), and ISO 28000 (SCMS)
  2. Be certifiable, similar to ISO 27001, with its own Annex A-equivalent control library, structured according to Annex L.
  3. Address both built environment and operational physical security holistically

Core Clauses

Mirroring the ISO management system format (Annex L, Clauses 4–10), so that each clause below corresponds to one of Clauses 4–10 of that structure.

  1. Context of the Organization – Identify facility-related threats, assets, stakeholders and regulatory requirements.
  2. Leadership – Assign senior physical security roles; define policy and objectives.
  3. Planning – Conduct threat, vulnerability, and environmental risk assessments.
  4. Support – Define competence, training, resources, and communication protocols.
  5. Operation – Implement security zoning, access control, surveillance, and patrol programs.
  6. Performance Evaluation – Monitor incident rates, perimeter integrity, and maintenance KPIs.
  7. Improvement – Continuous enhancement based on incident analysis and post-event reviews.

Annex A (Proposed Control Categories)

Interoperability with other standards

  • ISO 27001 → links through Annex A.7 (facility and equipment protection).
  • ISO 22301 → shares continuity and recovery measures.
  • ISO 31000 → provides the risk assessment framework.
  • ISO 28000 → aligns with logistics and supply chain protection.

Benefits

  • Enables modular certification (e.g., “ISO 27001 + ISO 27XXX” for unified cyber-physical resilience)
  • Creates a common language for physical risk assessment across industries
