A.7.5 Protecting Against Physical and Environmental Threats
What is A.7.5 Protecting Against Physical and Environmental Threats?
ISO 27001:2022 Annex A 7.5 requires organisations to design and implement protection against physical and environmental threats such as fire, flood, earthquake, explosion, and power failure. For cloud-native organisations, this control prioritises data availability through geo-redundancy while ensuring local infrastructure remains protected. The strategy spans three domains: Cloud Infrastructure (delegated to Microsoft with SOC 2/ISO 27001 attestation for fire suppression, climate control, and flood mitigation), On-Premises Facilities (UPS protection for critical equipment, facility provider environmental controls, hazard management), and Distributed Workforce (mandatory cloud storage via OneDrive/SharePoint ensuring data survives device destruction).
If the physical environment fails, technical controls ensure the data survives.
How to implement A.7.5 in Microsoft 365
Implementing ISO 27001:2022 A.7.5 involves a three-tier protection strategy. For Cloud Infrastructure, rely on Microsoft’s geo-redundant storage (GRS/ZRS) and verify environmental controls via the SOC 2 Type II attestation (cross-reference A.7.1-M4). For On-Premises Facilities, connect critical equipment (firewalls, core switches, ISP modems) to UPS units, verify the facility provider’s fire detection/suppression and flood monitoring during supplier onboarding, and prohibit flammable materials in Secure Zones. For the Distributed Workforce, enforce OneDrive Known Folder Move via Intune to redirect Desktop/Documents/Pictures to cloud storage, prohibit local-only data storage, and configure data retention policies.
Deploy third-party backup solutions (AvePoint/Acronis) for an additional data protection layer. Test UPS units quarterly and review backup success reports.
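To produce the Known Folder Move evidence an auditor asks for, here is an added read-only PowerShell check (example code, not part of the original page and not Microsoft's own tooling) that confirms on one endpoint both the OneDrive policy values Intune deploys and that the user's known folders actually resolve under the business OneDrive root. The tenant ID is a placeholder, and the two policy value names (KFMSilentOptIn, KFMBlockOptOut) are assumed to be the ones your Intune profile sets.

```powershell
# Added example: read-only KFM compliance check for one Windows endpoint.
# Assumptions: Intune deploys the ADMX-backed OneDrive values KFMSilentOptIn
# (tenant ID string) and KFMBlockOptOut (1); replace the placeholder tenant ID.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Entra tenant ID
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Get-OneDrivePolicyValue {
    param([string]$Name)
    try { (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: policy not applied to this device
}

# 1. Policy layer: KFM silently enabled for the expected tenant, opt-out blocked.
$silentOptIn = Get-OneDrivePolicyValue 'KFMSilentOptIn'
$blockOptOut = Get-OneDrivePolicyValue 'KFMBlockOptOut'
$policyOk = ($silentOptIn -eq $ExpectedTenantId) -and ($blockOptOut -eq 1)

# 2. Effect layer: the known folders must resolve beneath the business OneDrive
#    root. $env:OneDriveCommercial is set by the sync client once signed in.
$root = $env:OneDriveCommercial
$folders = @{
    Desktop   = [Environment]::GetFolderPath('Desktop')
    Documents = [Environment]::GetFolderPath('MyDocuments')
    Pictures  = [Environment]::GetFolderPath('MyPictures')
}
$results = foreach ($f in $folders.GetEnumerator()) {
    $redirected = $root -and $f.Value.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{ Folder = $f.Key; Path = $f.Value; RedirectedToOneDrive = [bool]$redirected }
}

# Evidence summary for the audit file; nothing on the device is modified.
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    KFMSilentOptIn       = $silentOptIn
    KFMBlockOptOut       = $blockOptOut
    PolicyCompliant      = $policyOk
    AllFoldersRedirected = -not ($results | Where-Object { -not $_.RedirectedToOneDrive })
} | Format-List
$results | Format-Table -AutoSize
```

Run it in the signed-in user's context (for example as an Intune remediation detection script) so the folder paths reflect that user's profile rather than SYSTEM's.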
What an auditor checks for A.7.5
- Auditors will verify Intune configuration profiles enforce OneDrive Known Folder Move (KFM) redirecting user folders to cloud storage.
- They will check SharePoint/OneDrive retention policies demonstrate data resiliency.
- Auditors will request UPS maintenance logs showing quarterly testing and vendor servicing.
- They will verify facility provider environmental controls during supplier review (fire detection, suppression, flood monitoring).
- Auditors will inspect Secure Zones for prohibited materials (flammables, chemicals, personal heaters).
- They will review backup solution success reports showing recovery capability.
- Cloud attestation for Microsoft environmental controls is cross-referenced from A.7.1-M4 to avoid duplication.
What your auditor expects for A.7.5
- Control: A.7.5 (Protecting against physical and environmental threats) - ISMS Sections 3-5
- Related Controls: A.7.1 (Physical security perimeters), A.8.13 (Information backup), A.8.14 (Redundancy)
- Shows: OneDrive Known Folder Move configuration enforcing cloud storage; SharePoint/OneDrive data retention policies; UPS maintenance records; facility environmental controls verification; hazard management in Secure Zones
- Audit: Validates data resilience through cloud storage enforcement and manual verification of power protection and environmental controls
Related controls
- [A.7.1 (Physical security perimeters)](/controls/a-7-1 (physical security perimeters)/)
- [A.7.3 (Securing offices)](/controls/a-7-3 (securing offices)/)
- [A.8.13 (Information backup)](/controls/a-8-13 (information backup)/)
- [A.8.14 (Redundancy of information processing facilities)](/controls/a-8-14 (redundancy of information processing facilities)/)
M365 capabilities that implement this control
Microsoft-managed fire protection, water damage protection, emergency power, and environmental controls