Physical and environmental security

Objective • Unauthorized physical access, loss, damage or interference to the organization's premises and infrastructure, or interruptions to its critical operations, should be prevented using physical and environmental controls appropriate to the identified risks and the value of the assets protected.

Physical security perimeter • Security perimeters should be used to protect sensitive areas that contain information and information processing facilities.  Physical security for other offices, rooms and facilities should also be designed and implemented, commensurate to the identified risks and the value of the assets at risk in each setting.  This could include:

  • clearly defined and marked perimeters, except in situations where hidden or disguised perimeters would enhance security; 
  • restrictions on information about facilities, including directory and location information, where this would enhance security;
  • use of perimeter walls, windows and doors, protected with bars, locks, alarms and other supplemental measures as appropriate;
  • controlled entry doors/gates, with manned reception desks or automated lock/ID systems, to control passage into the restricted area;
  • use of additional physical barriers, where appropriate to prevent unauthorized access or physical contamination;
  • provision of appropriate protection against fire, water or other reasonably anticipated environmental threats;
  • use of appropriate intrusion detection systems, such as motion and perimeter alarms, audio and video surveillance; and
  • measures designed with sufficient redundancy such that a single point of failure does not compromise security.

Physical entry control • Sensitive areas of information processing facilities should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.  Appropriate entry controls for other offices, rooms and facilities should also be designed and implemented, commensurate to the identified risks and the value of the assets at risk in each setting.  This could include:

  • password, “token” or biometric authentication mechanisms for entry points (e.g., keycard and/or PIN);
  • supplementing automated authentication methods with security personnel on site, where appropriate for highly sensitive assets;
  • recording of date/time of entry and exit, and/or video recording of activities in the entry/exit area, as appropriate;
  • requirement for authorized personnel to wear visible identification, and to report persons without such identification;
  • appropriate authorization and monitoring procedures for third-party personnel who must be given access to the restricted area;
  • regular review and, when indicated, revocation of access rights to secure areas (see also Human resources security);
  • use of highly visible controls, where appropriate as a deterrent; and
  • use of unobtrusive or hidden controls/facilities, where appropriate for highly sensitive assets.

Protection against external and environmental threats • Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk should be designed and implemented.  This could include:

  • consideration of probabilities of various categories of risks and value of assets to be protected against those risks;
  • consideration of security threats posed by neighboring facilities and structures;
  • appropriate equipment (e.g., fire-fighting devices) and other counter-measures provided and suitably located on site; and
  • appropriate off-site/remote location for backup facilities and data copies.

Working in sensitive areas • Protective measures and guidelines for working in sensitive areas should be designed and implemented.  This could include:

  • limiting personnel's awareness of, and activities within, a sensitive location on a need-to-know/need-to-do basis;
  • limiting or prohibiting unsupervised/unmonitored work in sensitive areas, both for safety reasons and to avoid opportunities for mis- or malfeasance;
  • keeping vacant sensitive areas locked, subject to periodic inspection, and/or monitored remotely as appropriate by video or other technologies; and
  • limiting video, audio or other recording equipment, including cameras in portable devices, in sensitive areas.

Public access, delivery and loading access • Access points such as delivery and loading areas, and other points where unauthorized persons may enter the premises, should be controlled.  This could include:

  • limits on access to the delivery and loading areas, and to other public access areas, to the degree consistent with required operations;
  • inspection of incoming and outgoing materials, and separation of incoming and outgoing shipments, where possible; and
  • isolation of these areas from information processing facilities and areas where information is stored, where possible.

Equipment siting and protection • Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and to reduce the opportunities for unauthorized access by human threats.  This could include siting:

  • to minimize unnecessary risks to the equipment, and to reduce the need for unauthorized access to sensitive areas;
  • to isolate items requiring special protection, to minimize the general level of protection required;
  • with particularized controls as appropriate to minimize physical threats -- e.g., theft or damage from vandalism, fire, water, dust, smoke, vibration, electrical supply variance, or electromagnetic radiation; and
  • guidelines for eating, drinking, smoking or other activities in the vicinity of equipment.

Supporting utilities • Equipment should be protected from power failures, telecommunications failures, and other disruptions caused by failures in supporting utilities such as HVAC, water supply and sewage.  This could include:

  • assuring that the supporting utilities are adequate to support the equipment under normal operating conditions; and
  • making reasonable provision for redundant equipment and backups (e.g., a UPS) in the event of supporting utility failure.

Cabling security • Power and telecommunications cabling carrying sensitive data or supporting information services should be protected from interception or damage.  This could include:

  • physical measures to prevent unauthorized interception or damage, including additional protections for sensitive or critical systems;
  • alternate/backup routings or transmission media where appropriate, particularly for critical systems;
  • clearly identified cable and equipment markings, except where security is enhanced by removing/hiding such markings; and
  • documentation of patches and other maintenance activities.

Equipment maintenance • Equipment should be correctly maintained to ensure its continued availability and integrity.  This could include:

  • appropriate preventive maintenance, as specified by the manufacturer or by regulatory or certification authorities;
  • documentation of all maintenance activities, including scheduled preventive maintenance;
  • documentation of all suspected or actual faults, and associated remediation, in accordance with an incident management policy;
  • maintenance only by authorized, certified employees or contracted third parties; and
  • appropriate security measures, such as clearing of information or supervision of maintenance processes, appropriate to the sensitivity of the information on or accessible by the devices being maintained.

Removal of property to off-premises locations • Equipment, information or software should not be taken off-premises without prior authorization and subject to appropriate restrictions.  This could include:

  • limitations on types or amounts of information, or types of equipment, that may be taken off-site;
  • recording of off-site authorizations and inventory of equipment and information taken off-site; and
  • for persons authorized to take equipment or information off-site, appropriate awareness of security risks associated with off-premises environments and training in appropriate controls and counter-measures.

Security of property off-premises • Appropriate security measures should be applied to off-site equipment, taking into account the different risks of working outside the organization’s premises.  This could include:

  • authorization of any off-site processing of organizational information, regardless of the ownership of the processing device(s);
  • security controls for equipment in transit and in off-site premises, appropriate to the setting and the sensitivity of the information on or accessible by the device;
  • adequate insurance coverage, where third-party insurance is cost-effective; and
  • employee and contractor awareness of their responsibilities for protecting information and the devices themselves, and of the particular risks of off-premises environments. 

Secure disposal or re-use of property • All equipment containing storage media, and independent storage media devices, should be checked to ensure that sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.  This could include:

  • use of generally accepted methods for secure information removal, appropriate to the sensitivity of the information known or believed to be on the media; and
  • secure information removal by appropriately trained personnel, or verification of secure information removal by appropriately trained personnel.

SOURCES: ISO-27001/27002:2005 sects. 9.1 – 9.2.