ISO 27001

Annex A.11- Physical and Environmental Security

Get compliant with ISO 27001 – Annex A.11 and simplify compliance for your organisation.

Annex 11 focuses on the physical and environmental security of the organisation. In some cases, organisations may be under the impression that data breaches, losses and cyber threats could only occur via technology. This ISO 27001 control highlights the physical landscape of the organisation that otherwise may be overlooked.

A.11.1 – Secure areas

The purpose of this section is to prevent unauthorised physical access, damage and interference to the organisation’s property and information.

A.11.1.1 Physical security perimeter

Security perimeters such as walls or card controlled entry gates should be used to protect areas that contain information and information processing equipment.

Physical protection can be reached by creating one or more physical barriers around the organisation’s property and information processing facilities. The use of multiple barriers gives additional protection.

A secure area could be a lockable office, or several rooms surrounded by a continuous internal physical security barrier.

Special consideration on physical access should be given to buildings where different organisations operate.

A.11.1.2 Physical entry controls

One physical security parameter is in place, installing entry controls to manage who may access security areas of the property is required.

The building or facility perimeters should be physically secure. There should be no space where the break-in could take place.
The property exterior and interior, walls, and floors should be securely built. All external doors should be properly secured and must-have key entries.
Multi-floor buildings need extra surveillance and protection, the main entry should be managed by a receptionist.
Doors and windows should always be closed at all times.

A.11.1.3 Securing offices, rooms and facilities

Physical security for offices, rooms, and facilities should be designed and applied.

Guidelines should be in place to secure offices, rooms, and facilities:

Procedures should be in accordance with health and safety regulations and standards.
Key facilities should be located to keep away from the public.
When necessary, buildings should be unobtrusive and give minimum indication of their purpose, with no visible signs of information processing activities.
Any books or files with sensitive information should not be easily accessible by the public.

A.11.1.4 Protecting against external and environmental threats

Protection against any natural or man-made disaster should be designed and applied.

This could be addressed by identifying the risk around the business areas. Understanding our surroundings and analysing any possible threats. Threats management to follow are;

Hazardous or combustible materials should be stored at a safe distance from a secure area.
Fallback equipment and back-up media should be sited at a safe distance to avoid damage.
Appropriate fire fighting equipment should be provided and suitable places.

A.11.1.5 Working in secure areas

This clause deals with the safety of the organisation and its people. It defines how to establish the procedures for working in secure areas shall be designed and applied.

Workers should only be aware of the existence of activities within a secure area on a need to know basis.
Unsupervised working in secure areas should be avoided both for safety reasons and to prevent opportunities for malicious activities.
Vacant secure areas should be physically locked and periodically checked.
Pictures, video, audio or other recording equipment, should not be allowed, unless authorised.

A.11.1.6 Public access, delivery, and loading areas

Any access facilities where an unauthorised person could possibly enter such as delivery or loading areas should be controlled and, as far as possible from information processing facilities to avoid any breach of security.

We should consider the following:

Areas outside of the building with access to delivery and loading facilities should be restricted.
Loading and delivery areas should guarantee a secure process where the delivery employees have no need to access other parts of the building.
External doors of a delivery area should be closed and secured when the internal doors are opened.
Any delivered item or material should be inspected for potential threats before it is moved from the delivery area.
Management procedures should be followed when registering materials received.
Any incoming or outgoing shipments should be physically controlled if possible.

A.11.2 – Equipment Security

The objective of this annex is to prevent loss, damage, theft or any compromising activity that could potentially affect the organisation’s job.

A.11.2.1 Equipment siting and protection

Equipment should be sited and protected to reduce the risk from environmental threats and danger, and for unapproved entrance.

For the protection of the equipment we should consider the following;

Equipment should be sited to reduce the access in the work area.
Information processing facilities with classified information should be placed on a restricted view angle to minimise the possibility of being viewed by unauthorised persons during their use.
Methods should be in place to reduce the risk of potential physical threats, eg; fire, smoke, electrical interference.
Procedures of food and drinks being handled close to information processing facilities.
Any equipment such as a laptop, should be locked and safely stored after use to minimise the risk of information being leaked.

A.11.2.2 Supporting utilities

Equipment should be protected against any power failure and any threats relating to utility failure.

Supporting utilities, such as electricity, water supply, sewage, heating, ventilation and air conditioning guidelines should considered the following

Be adequate for the systems supported.
Regularly inspected and tested.
Power contingency plans should be in place.
Emergency lighting should be provided in case of main power failure.
Water supply should be solid and sufficient to supply air conditioning, humidification equipment and fire suppression system, if one is in use.
Telecommunication equipment should be connected to at least two different routes to prevent failure in one connection path restrinting voice service.
Voice service should meet local legal requirements for emergency communications.

A.11.2.3 Cabling security

Cabling carrying data and supporting information facilities should be protected from damage or interception.

Cabling security should consider;

Power and telecommunications lines should be underground or another acceptable alternative protection.
Network cabling should be protected from interception or damage.
Power cables should be isolated from communications cables.
Marking in cables should be used to reduce errors.
Documented list marking should be accessible to reduce possible errors.
Installation of locked rooms or boxes at inspection and termination points.
Access to be controlled to cable rooms and marking panels.

A.11.2.4 Equipment maintenance

Equipment should be correctly maintained in line with the supplier’s suggested service and specification.
Only authorised personnel should carry out repairs and maintenance.
Recording of faults and preventive and corrective action.
Process should be in place when equipment is scheduled for maintenance; sensitive information should be removed from the equipment when carried out by an external.
Insurance policies requirements followed by the users.

A.11.2.5 Removal of assets

Any equipment, information or software should not be taken out of premises without authorisation.
Personnel with authorization of removing assets from the primary business should be clearly identified.
There should be a time limit record where the asset removal and return will be recorded and checked for compliance.

In some circumstances, spot checks should be performed to detect unauthorised removal of assets, unauthorised recording devices or even weapons. Legislation and regulations should be followed to carry out those checks.

A.11.2.6 Security of equipment and assets off-premises

Security should be in place to off-site equipment having in count the risk associated with working outside the primary business.

Equipment should not be left unattended in public areas.
Remote working guidelines should be in place by a risk assessment.
Suitable insurance cover should be used for the protection of the equipment taken off-site.

Control should be in place to determinate security risk associated with the transport of assets between locations .

A.11.2.7 Secure disposal or re-use of equipment

Any equipment containing sensitive information should be properly checked and be certain of any data and licensed software being removed before disposal.

Devices with sensitive information should be destroyed either physically or making the information non-retrievable.

Risk assessment should be in place to determine if a damage device should be destroyed, repaired or replaced.

A.11.2.8 Unattended user equipment

All unattended equipment should be locked or encrypted to prevent risks.

Every user should be aware of their responsibilities to prevent any data breach caused by unattended equipment.

Is the organisation responsible to ensure the users received the required training and be aware of the policies regarding unattended user equipment.

A.11.2.9 Clear desk and screen policy

Clear desk policy should be in place to ensure all files and electronic records containing person identifiable information, or any confidential information, is properly secured when not in use and is not left visible on an unattended desk.

Working areas, such as desks or tables, should be cleared out when not in use or unattended for extended periods of time.

Want to learn more? Read our blog about maintaining physical security