ISO 27001 Access Control & BSI Basic Protection | Astrum IT
Companies that want to demonstrate to the outside world that their data is processed and protected securely rely on a certified information security management system (ISMS). The international standard ISO/IEC 27001 defines the requirements for such a system. The latest version is ISO 27001:2022, published in Germany as DIN EN ISO/IEC 27001:2024-01. In addition, ISO 27002 provides practical recommendations for measures.
A key topic of ISO 27001 is the physical security of information—in particular through effective access controls. These are designed to prevent unauthorized persons from gaining access to sensitive data or IT systems.

ISO 27001 requirements for access controls
The relevant regulations can be found in Annex A.11.1 of ISO 27001.
- Section A.11.1.2 deals with physical access controls. Companies must ensure that only authorized persons have access to buildings or areas where confidential information is processed.
- Section A.11.1.6 deals with the security of delivery and loading zones. Here too, clear control mechanisms must be implemented to prevent unauthorized access.
Our visitor management software VISIT supports companies in systematically implementing these requirements—from issuing and approving visitor badges to safety instructions for external companies to complete documentation of all accesses. This enables companies not only to meet ISO 27001 requirements, but also to precisely track who was in the building and when in the event of a security incident.
Security for sensitive areas – data centers, server rooms, and external companies
Special attention must be paid to areas with increased security requirements, such as data centers, server rooms, or production areas with confidential data. Access controls must be regulated even more precisely in these areas. VISIT, as a yard management system, makes it possible to set up individual security zones to which only specially authorized persons have access. External companies commissioned for maintenance or repair work, for example, can also be integrated temporarily and in a controlled manner – including documentation of all their activities.
Two-factor authentication: Multi-step identity verification for maximum security
An essential component of modern access controls within the meaning of ISO 27001 is two-factor authentication (2FA).
In addition to the classic visitor badge or access code, a second, independent factor may be required—for example, by scanning an ID card or passport. This biometrically verifiable identification provides an additional level of security and helps to effectively prevent identity fraud.
Two-factor authentication is becoming increasingly important, particularly in connection with the implementation of the NIS2 Directive and the requirements of the KRITIS umbrella law. Both sets of regulations stipulate a higher level of protection for operators of critical infrastructures and digital services. VISIT supports companies in meeting these requirements in a practical and audit-proof manner.
Connection to NIS2 and KRITIS – thinking about information security holistically
While ISO 27001 as an international standard forms the basis for an information security management system, NIS2 (EU Directive on Network and Information Security) and the KRITIS umbrella law go one step further. They require affected companies to implement specific technical and organizational measures to ensure cyber and physical security.
Certification according to ISO 27001 is not mandatory, but it does make it much easier to meet the NIS2 requirements. This is because many measures – including access control – are identical in both sets of regulations. VISIT contributes to harmonization here: Companies that already operate in compliance with ISO 27001 can use VISIT to expand their processes in such a way that NIS2 and KRITIS requirements are also met.
Conclusion: On the safe side with VISIT – ISO 27001, NIS2 & KRITIS compliant
A well-designed access control system is a key component of any security strategy. With VISIT from ASTRUM IT, companies get a software solution that not only meets the requirements of ISO 27001, but also paves the way for NIS2 compliance and KRITIS conformity – from visitor registration and two-factor authentication to digital documentation.
Good to know:
ASTRUM IT is itself certified according to ISO 27001. You can find the current certificate here. Of course, we also provide support in complying with other standards—for example, with ISO 9001-compliant software development or in setting up a security concept that complies with BSI basic protection.
Do you want to digitize your visitor management and make it more efficient?
Contact us for advice and to receive a non-binding quote.