The Noggin Blog

Understanding the ISO 27001 Information Security Standard

Posted by The Brain on Jul 19, 2019 2:19:29 AM

Focus on physical security controls in ISO 27001

Serious about securing your valuable assets, digital as well as physical? Well, international standards prescribe baselines for securing those assets. The ISO 27001 information security management systems standard, in particular, focuses on securing information assets.


So, where does physical security come in? Information assets exist in physical space, so they remain exposed to physical threats even under the most robust cyber security measures.

And that’s exactly why ISO 27001 dedicates discussion to physical and environmental security control objectives and controls. Indeed, the practices outlined in the physical and environmental security clauses follow the same logic and framework as those that deal with digital information, e.g. the higher the value and risk of an asset, the higher the level of protection it warrants.

More specifically, the ISO 27001 requirements in this section fall into two broad categories: secure areas and equipment security. Secure areas are sites where organizations handle sensitive information or shelter valuable IT equipment and personnel in support of important business objectives. The secure areas provisions deal with protecting the physical environment in which assets are housed, in other words: buildings, offices, etc.

Here, the standard instructs complying organizations to assess the risks relating to physical access to those assets. Organizations must then put controls in place, where appropriate, to manage (limit or simply control) physical access to those assets.

The ISO 27001 protocols for equipment security are similar. Essentially, they instruct organizations to consider where equipment is housed and whether it’s housed appropriately. That puts the onus on security managers to ask the following:

  • Is important IT equipment vulnerable to water damage?
  • Where are cables running?
  • Who’s responsible for maintaining equipment? Are they qualified?
  • What provisions are in place for equipment that leaves the premises?

Specific ISO 27001 physical security controls included here:


Finally, the controls detailed above are means to prevent unauthorized access to, damage to, and interference with an organization’s premises and information, as well as to prevent any loss, damage, theft, or compromise of an organization’s assets that would imperil the continuity of critical activities.

To be most effective, though, controls should be implemented in the context of an integrated safety and security program. That’s not all: integrated safety and security technology needs to be powering that program as well. For tips on what integrated security features you should consider, download our Buyer’s Guide to Physical Security Management.


Topics: Security Management
