Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

ISO 27001 Annex A.11: Physical and Environmental Security

Controls in this section aimed to restrict unauthorised access to physical boundaries and to protect equipment from the effects of human and environmental or natural occurrences.

A.11.1 Secure areas

The first control intends to protect all company data and equipment from unauthorised user access and resulting damage. This is about identifying secure areas that need to be protected and ensuring that the controls are adequately applied in these areas (includes data centres, offices and remote locations)

A.11.1.1: Physical security perimeter

Consider the perimeter by reviewing the plan of your building and review the security controls in place, identify gaps and implement improvements where necessary. Boundaries encompass physical boundaries and also equipment, computers, fax machines, etc. These areas may include data centres and help desks and office headquarters.

It will also have any data accessed by teleworkers, those who work from home, or a travel site will also be defined within the scope of your physical security perimeter.

A.11.1.2: Physical entry controls

Entry controls must be organised to guarantee that only authorised personnel have access to offices and sensitive business information within.

Any entry control can be as simple as the key for a locked door or digital passcode, but it must only be for designated employees who themselves have no right to pass on secure data.

High-risk organisations may implement more technical and strict entry codes like digital scanning or biometric controls. And will differ on a case-by-case basis, for example, low-risk access points will have less daunting security checks than those for facilities, housing critical data.

Your policy needs to highlight the criteria and procedures for gaining different levels of entry controls within the organisation. Anyone granted permission must have their access logged to manage the system. Visitors should be restricted in all areas containing essential company files, but particular emphasis must be placed on high-risk facilities. The auditor will be looking for all these details.

A.11.1.3: Securing offices, rooms and facilities

Your security team must maintain a constant watch on persons who have access to specific company files through keeping access logs.

Certain staff only need data for a restricted period and this needs to be enforced. This doesn’t refer solely to employees with direct data access as other people (i.e. strangers, maintenance staff) can slip through the system in a fast-paced environment. Users should be trained to keep an eye out to spot strangers and watch out for people listening in or reading material, including whiteboards, documents, and screens.

A.11.1.4: Protecting against external and environmental threats

Some threats are beyond the cyber realm with man-made and natural disasters are real issues faced by thousands of companies each year. Protests, poor plumbing, hurricanes, and tornadoes can all strike havoc on your organisation.

Your company can prepare for certain incidents, and it is a good idea to have an emergency weather plan to secure paper-based documentation and safeguard your equipment.

Natural acts like floods and earthquakes are more challenging to avoid some of the solutions should have been taken long before, like, during the construction of your physical building, e.g., foundations near low lying riverbanks are more susceptible to getting drowned out by floodwaters. But we don’t always get to choose where to build.

During your internal audit, the assessor will ask to see your risk evaluation records. You should seek expert advice on methods to mitigate certain manmade and natural threats with specialist solutions that might identify the risks effectively.

A.11.1.5: Working in secure areas

Now that you’ve designated the secure areas within your facility, it’s time to define the standards to regulate the activities permitted within these boundaries. Consider Including signs to indicate designated security areas, restricting the use of media devices like cameras and video recorders and prohibiting workers from using secure areas while unsupervised.

A.11.1.6: Delivery and loading areas

Physical delivery and loading areas are key points for unauthorised persons to enter your organisation unnoticed. These access points must be controlled at all times by access controls, guards, cameras or other security measures.

If you work for a digital workplace, then these areas may not exist for your company. This should be noted and excluded from your statement of applicability.

A.11.2 Equipment

This control area is based on protecting company equipment and preventing lasting damage, corruption, or company assets theft.

A.11.2.1: Equipment siting and protection

All equipment must be sited and secured against the risk of unauthorised tampering and environmental threats.

Machinery siting depends on its size, nature, use and environmental requirements with equipment being susceptible to damage and should be kept elevated in the event of a flood. Others could be radioactive to have electromagnetic issues and require isolation from other more frequently used apparatus.

Risk assessments must be done for all equipment with different risk levels.

  1. Data output equipment like desktop computers should always be positioned to restrict unauthorised onlookers from viewing sensitive data.
  2. Storage facilities should be secured with locks and managed by authorised key holders.
  3. Food and beverages should be restricted from facilities containing ICT equipment.
  4. Shared devices like wireless routers and printers should be set to reduce the need for users to leave their workspace unattended to tend to accessibility issues.
  5. Laptops should be properly sited, encrypted and stored after each use.
  6. Telecommuters should follow similar guidelines to protect their data from unauthorised users (i.e., friends, family or guests).

A.11.2.2: Supporting utilities

Your equipment needs to be safeguarded against threats relating to utility failures including power outages from fallen lines or blown transformers or loss of wireless connectivity.

These include power outages from fallen lines and blown transformers or loss of wireless connectivity. Most of these incidents will affect the temporary availability of your information systems. Although some threats are genuinely unforeseeable. Consider having a backup plan that involves a generator or dual routing access and power supplies.

A.11.2.3: Cabling security

Cabling security needs to be considered to reduce risks related to eavesdropping and data theft which is increased if your company uses a cable supplier. Attackers can tap into the cables, interfere with operations or steal data

Controls such as hiding the cables, protecting them in covers, monitoring for interference or using multiple lines for specific high-risk departments.

A.11.2.4: Equipment maintenance

Your new equipment might be great, but you should not neglect maintenance and the frequency of your servicing and updates depends solely on the nature and use of each piece of equipment., Heavily used and high-Risk equipment requires frequent maintenance to avoid unexpected problems in the system.

A well recorded maintenance schedule (including date of servicing, contacts of maintenance personnel, asset owner authorisation) is vital to present during the audit as evidence of effective upkeep.

A.11.2.5: Removal of assets

Any assets removed from the primary business site will remain under the responsibility of the employee using them and should be protected against theft or damage. These assets still require regular monitoring, maintenance and updating.

Your company should have teleworking regulations limiting how assets can be removed, how long they can stay off site with certain high-risk assets being prohibited from leaving the site.

A log also needs to be kept of all equipment and other items taken away from their offices or data centres Both departure and return dates must be documented and authorised where applicable.

A.11.2.6: Security of equipment and assets off-premises

Controls need to be implemented to secure data from assets held offsite from the company, perhaps by telecommuters with policies regarding access point controls, password management and data encryption applying.

These factors must be included in your risk assessment and treatment plan.

A.11.2.7: Secure Disposal or Re-use of Equipment.

This controls aims to prevent data being lost and potentially being seen by unauthorised parties through securely disposing of the device or in the case of reuse securely removing the data and software on the device.

All unwanted media devices and equipment containing company information must be adequately wiped before disposal or reuse within the organisation. Highlight the methods you intend to use to dispose of information (i.e., Secure wipe, destruction, shredding, etc.), and also how you plan on verifying the destruction of your data.

A.11.2.8: Unattended user equipment

All unattended user equipment needs to be secured with access controls, hard drive encryption and screens locked to protect breaches Devices could be stolen or accessed by authorised id this is not applied with data lost or tampered with.

Education and training extend to all company employees regardless of their roles related to these controls This is even more crucial for high-risk security information.

A.11.2.9 Clear desk and screen policy

Clear desk and clear screen policies should be implemented for any devices, especially those used by administrative staff or top management because both internal and external parties can use exposed data to their advantage.

Guidelines will vary based on the nature of the department and, of course, the data risk level. `The auditor will observe which risks you identified for clear desk and screen policy procedures and testing and request evidence on how you did this.