Focus on physical security controls in ISO 27001
Serious about securing your valuable assets, digital as well as physical? International standards prescribe baselines for securing those assets. The ISO 27001 information security management systems standard, in particular, focuses on securing information assets.
So, where does physical security come in? Information assets exist in physical space, leaving them vulnerable despite the most robust cyber security measures.
And that’s exactly why ISO 27001 dedicates discussion to physical and environmental security control objectives and controls. Indeed, the practices outlined in the physical and environmental security clauses follow the same logic and framework as those that deal with digital information: the higher the value and risk of an asset, the higher the level of protection it warrants.
More specifically, ISO 27001 requirements in this section fall into two broad categories: secure areas and equipment security. Secure areas are sites where organizations handle sensitive information or shelter valuable IT equipment and personnel in pursuit of important business objectives. The secure areas provisions deal with protecting the physical environment in which those assets are housed, in other words: buildings, offices, and similar premises.
Here, the standard instructs complying organizations to look at risks relating to physical access to those assets. Organizations must then put controls in place, where appropriate, to manage (limit or simply control) physical access to those assets.
The ISO 27001 provisions for equipment security are similar. Essentially, they instruct organizations to consider where equipment is housed and whether it’s housed appropriately. That puts the onus on security managers to ask the following:
- Is important IT equipment vulnerable to water damage?
- Where are cables running?
- Who’s responsible for maintaining equipment? Are they qualified?
- What provisions are in place for equipment that leaves the premises?
Specific ISO 27001 physical security controls included here:
Finally, the controls described above are means to prevent unauthorized access, damage, and interference to an organization’s premises and information, as well as to prevent any loss, damage, theft, or compromise of an organization’s assets that would imperil the continuity of critical activities.
To be most effective, though, controls should be implemented in the context of an integrated safety and security program. That’s not all: integrated safety and security technology needs to be powering that program as well. For tips on what integrated security features you should consider, download our Buyer’s Guide to Physical Security Management.