Guide to ISO 27001 Physical and Environmental Security

Information security is often considered in terms of cyber threats, such as criminal hacking and fraud, but it’s just as much about physical and environmental risks.

This includes things such as the improper disposal of physical records, unauthorised personnel in the premises and property damage.

ISO 27001, the international standard for information security, contains a framework for addressing these risks.

The guidance can be found in Annex 11. In this blog we break down each of its six sections and help you understand the steps you must take to secure your organisation.

A.11.1.1 Physical Security Perimeter

Annex A.11 begins with organisations’ physical security perimeter requirements. It states that organisations must establish secure areas of the premises that prevent unauthorised people from accessing sensitive information and information assets.

The Standard defines a physical security perimeter in broad terms, referring to it as “any transition boundary between two areas of differing security protection requirements”.

In practice, this could be the border between the inside and outside of a building, between a corridor and an office or between the inside and outside of a storage cabinet.

The border could also be entirely external, separating the outer premises from the surrounding land.

Additionally, organisations must physical security perimeters for remote workers and other employees or third parties who access sensitive information outside the company’s premises.

A.11.1.2 Physical Entry Controls

Once you have identified physical security perimeters, you must implement entry controls to govern who can move between secure areas of the premises.

The most common example of this will be keycodes issues to employees so that they can enter the office, but physical entry controls can take many forms.

Organisations should select controls based on the nature and location of the area being protected.

As a rule, the strength of the control should reflect the sensitivity of the data being stored. For example, physical records related to day-to-day activities might be protected by a lock and key.

By contrast, highly classified data might require multiple security controls or ones that are less likely to be compromised, such as biometric and scanning solutions.

Additionally, organisations might have multiple levels of security within their premises. For example, they might build a barrier at the entrance of the premises to check the credentials of anyone entering the site, followed by separate entrances to the building that require individuals to present a key card.

A.11.1.3 Securing Offices, Rooms and Facilities

Information security is typically focused on data and assets, but as this section reminds us, it’s equally important to look at physical spaces too. This includes offices, meeting rooms, receptions and other spaces where people work.

Although those spaces may not contain sensitive information, they offer unauthorised personnel the ability to exploit weaknesses.

For example, a malicious actor might linger in the lobby, posing as an employee to conduct a social engineering attack. Alternatively, they might damage the company’s infrastructure or leave an infected USB device lying around in the hope that someone will plug it into a computer.

Annex 11.1.3 requires organisations to review who has access to these spaces and consider how someone might circumvent security controls.

A.11.1.4 Protecting Against External & Environmental Threats

This control relates primarily to natural disasters and infrastructural damage. Threats include weather events, such as floods, fires and heavy snowfall, as well as man-made incidents, including property damage and sabotage.

The external and environmental threats that an organisation is most likely to face will depend on its location – on a macro and micro level.

For example, an organisation based in a cold-weather city is more likely to consider the risk of rain and snow. Meanwhile, an organisation based in an older building might face greater risks related to infrastructural damage, such as leaky pipes.

The key to compliance is to identify the likelihood and probability of external and environmental risks occurring, and to treat them appropriately.

Some risks will be unavoidable or prohibitively expensive to eradicate, so organisations should focus on ways to mitigate the risk. Other times, there will be potentially devastating risks that can be addressed with simple fixes.

A.11.1.5 Working in Secure Areas

Annex A.11.1.5 instructs organisations to complement physical security controls with procedural measures related to risks that might occur inside the secure area.

This might include the need to limit who is aware of the location and function of a secure area, and restrictions on the use of recording equipment within that space.

Likewise, organisations might install monitoring devices within the secure area or prohibit unsupervised working within that space.

A.11.1.6 Delivery & Loading Areas

The final section of Annex A.11 focuses on delivery and loading areas. These parts of the premises play a pivotal role in your organisation’s physical security, as they are the most likely points at which at an unauthorised person could enter the premises undetected.

For some organisations, this may not be an issue or could be beyond their control. For example, Cloud-only or digital workplaces won’t need such a policy and can note its exclusion in their Statement of Applicability.

Meanwhile, organisations based in shared offices won’t have control over their delivery and loading areas and therefore cannot implement policies to govern their security.

But where organisations do have discrete delivery and loading areas, they must identify and implement appropriate controls. This includes employing guards to monitor the area, installing CCTV and requiring separate authentication to access internal and external parts of the premises.

How to address physical and environmental security risks

At the heart of physical and environmental security is the risk assessment. This is the process where organisations identify specific challenges and determine appropriate solutions.

This evaluation can be labour-intensive, but you can simplify the task with our risk assessment tool vsRisk.

With vsRisk, you’ll receive simple tools that are specifically designed to tackle each part of the risk assessment.

This software package is:

  • Easy to use. The process is as simple as selecting some options and clicking a few buttons.
  • Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
  • Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
  • Streamlined and accurate. Drastically reduces the chance of human error.

We’re currently offering a free 30-day trial of vsRisk. Simply add the number of licenses you require to your basket and proceed to the checkout.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.