ISO 27001
Annex A.11 - Physical and Environmental Security
Get compliant with ISO 27001 – Annex A.11 and simplify compliance for your organisation.

Annex A.11 focuses on the physical and environmental security of the organisation. Organisations are sometimes under the impression that data breaches, losses and cyber threats can only occur through technology. This ISO 27001 control draws attention to the physical landscape of the organisation, which might otherwise be overlooked.
The purpose of this section is to prevent unauthorised physical access, damage and interference to the organisation’s property and information.
Security perimeters, such as walls or card-controlled entry gates, should be used to protect areas that contain information and information processing equipment.
Physical protection can be achieved by creating one or more physical barriers around the organisation's property and information processing facilities. The use of multiple barriers gives additional protection.
A secure area could be a lockable office, or several rooms surrounded by a continuous internal physical security barrier.
Special consideration should be given to physical access in buildings where different organisations operate.
Once a physical security perimeter is in place, entry controls must be installed to manage who may access the secure areas of the property.
Physical security for offices, rooms, and facilities should be designed and applied.
Guidelines should be in place to secure offices, rooms, and facilities:
Protection against any natural or man-made disaster should be designed and applied.
This can be addressed by identifying the risks around the business areas, understanding the surroundings and analysing any possible threats. The threat management steps to follow are:
This clause deals with the safety of the organisation and its people. It defines how procedures for working in secure areas shall be designed and applied.
Any access point where an unauthorised person could enter, such as a delivery or loading area, should be controlled and, as far as possible, kept separate from information processing facilities to avoid any breach of security.
We should consider the following:
The objective of this annex is to prevent loss, damage, theft or any compromising activity that could potentially affect the organisation's operations.
Equipment should be sited and protected to reduce the risk from environmental threats and hazards, and the opportunities for unauthorised access.
For the protection of the equipment, we should consider the following:
Equipment should be protected against any power failure and any threats relating to utility failure.
Guidelines for supporting utilities, such as electricity, water supply, sewage, heating, ventilation and air conditioning, should consider the following:
Cabling carrying data and supporting information facilities should be protected from damage or interception.
Cabling security should consider:
In some circumstances, spot checks should be performed to detect unauthorised removal of assets, unauthorised recording devices or even weapons. Legislation and regulations should be followed to carry out those checks.
Security should be in place for off-site equipment, taking into account the risks associated with working outside the primary business premises.
Controls should be in place to determine the security risks associated with the transport of assets between locations.
Any equipment containing sensitive information should be properly checked before disposal to be certain that all data and licensed software have been removed.
Devices holding sensitive information should be destroyed physically, or the information on them should be made non-retrievable.
A risk assessment should be in place to determine whether a damaged device should be destroyed, repaired or replaced.
All unattended equipment should be locked or encrypted to reduce risk.
Every user should be aware of their responsibilities to prevent any data breach caused by unattended equipment.
It is the organisation's responsibility to ensure that users receive the required training and are aware of the policies regarding unattended user equipment.
A clear desk policy should be in place to ensure that all files and electronic records containing personally identifiable information, or any confidential information, are properly secured when not in use and are not left visible on an unattended desk.
Working areas, such as desks or tables, should be cleared out when not in use or unattended for extended periods of time.
©Copyright Inverifi 2023, All rights reserved. Registered in England, No: 06959535, +44 20 4574 9908