Control 9.1.3 of Annex A requires organizations to establish secure perimeters around offices and facilities in order to protect the information and physical assets that have been classified as critical or that fall within the scope of ISO 27001.
It is not just the protection of the computer room or telecom room: HR might need a secured cabinet area, and senior management may need their offices to be secured.
The physical security domain also provides guidance for protecting against external and environmental threats. Take these threats into consideration when designing secure rooms: fire, flood, explosion and other forms of man-made and natural disasters. For external threats, all risks posed by neighbouring premises should be considered, such as (but not limited to) leakage of water or gases into secure areas. A high-security document storage area should have a comprehensive BCP and disaster recovery plan.
The following are some of the controls which ISO 27002 recommends in the physical domain:
o Key storage areas and keyed entrance areas should be sited to avoid access by unauthorized personnel.
o Data processing centres should give as little indication as possible of their presence.
o Faxes and photocopiers should be sited in a separate secure zone.
o Doors and windows should be locked when buildings are unattended.
o The information processing facility should be a separate zone; if it is managed by a third party, it should be a separate cage or some other form of physical separation.
o Hazardous or combustible materials, particularly office stationery, should not be bulk stored within the secure area.
o Back-up equipment and media should not be stored with the equipment that they will back up.