@opexxx
Created September 11, 2024 20:29
Physical Security Policy
Document Type: Policy - Mandatory
Document ID:
Audience: All employees
Confidentiality: For internal use
Language: English
Applies to:
Version:
Owner:
Author:
1st Reviewer / Review Date:
2nd Reviewer / Review Date:
Approver (CEO) / Approval Date:
Release Date:
Next Review:

Executive Summary

Purpose of this document

This document defines the organization's policy regarding the controls used to ensure the physical security of its buildings, offices etc.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls
    • A.5.1 Policies for information security
  • A.7 Physical controls
    • A.7.1 Physical security perimeters
    • A.7.2 Physical entry
    • A.7.3 Securing offices, rooms and facilities
    • A.7.4 Physical security monitoring
    • A.7.5 Protecting against physical and environmental threats
    • A.7.6 Working in secure areas
    • A.7.8 Equipment siting and protection
    • A.7.9 Security of assets off-premises
    • A.7.10 Storage media
    • A.7.11 Supporting utilities
    • A.7.12 Cabling security
    • A.7.13 Equipment maintenance
    • A.7.14 Secure disposal or re-use of equipment
  • A.8 Technological controls
    • A.8.1 User endpoint devices

1. Introduction

The protection of the physical environment is one of the most obvious yet most important tasks within the area of information security. A lack of physical access control can undo the most careful technical precautions and potentially put lives at risk.

Company Name is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. This policy sets out the main precautions that must be taken and, together with the supporting documents listed, forms a significant part of our Information Security Management System (ISMS).

This control applies to all systems, people and processes that constitute the information systems, including board members, directors, employees, suppliers and other third parties who have access to the information systems.

2. Secure areas

In order to ensure the proper handling of sensitive information, it is imperative that all data be securely stored in accordance with its designated classification. To achieve this, a comprehensive risk assessment must be conducted to determine the appropriate level of protection required for each data set.

The implementation of a sound physical security strategy is paramount, and should commence with a thorough evaluation of the building itself. A rigorous assessment of perimeter vulnerability must be carried out to identify any potential threats, and appropriate control mechanisms must be put in place to safeguard both the information and equipment housed within.

These may include, but are not restricted to, the following:

  • Alarms fitted and activated outside working hours
  • Window and door locks
  • Window bars on lower floor levels
  • Access control mechanisms fitted to all accessible doors (where codes are utilized they should be regularly changed and known only to those people authorized to access the area/building)
  • CCTV cameras
  • Staffed reception area
  • Protection against damage - e.g., fire, flood, vandalism

Staff working in secure areas must challenge anyone not wearing a badge.

Means of identification and entry, such as passes, keys, entry codes, and the like, must only be possessed by individuals authorized to access the corresponding locations, and must not be loaned or provided to any other person.

Individuals visiting secure areas must register their entry and exit times, and display identification badges throughout their stay.

A staff member of the organization must be present at all times to supervise visitors accessing secure areas.

Keys to all secure areas containing IT equipment and to lockable IT cabinets are held by the appointed personnel, as appropriate.

Where breaches do occur, or an employee leaves outside normal termination circumstances, all identification and access tools/passes (for example badges, keys etc.) must be recovered from the employee and any door/access codes should be changed immediately.

3. Paper and equipment security

Paper based (or similar non-electronic) information must be assigned an owner and a classification. Appropriate information security controls must be put in place to protect it according to the provisions in the Asset Handling Procedure.

Paper in an open office must be protected by the controls for the building and via appropriate measures that could include, but are not restricted to, the following:

  • Filing cabinets that are locked with the keys stored away from the cabinet
  • Locked safes
  • Stored in a secure area protected by access controls

All general computer equipment must be located in suitable physical locations that:

  • Limit the risks from environmental hazards — for example heat, fire, smoke, water, dust and vibration
  • Limit the risk of theft — e.g., if necessary, items such as laptops should be physically attached to the desk
  • Allow workstations handling sensitive data to be positioned so as to eliminate the risk of the data being seen by unauthorized people

Data must be stored on network file servers or approved cloud locations where available. This ensures that information lost, stolen or damaged via unauthorized access can be restored and its integrity maintained.

All servers located outside of the Company Name premises must be sited in a physically secure environment.

Business critical systems must be protected by an Uninterruptible Power Supply (UPS) to reduce the operating system and data corruption risk from power failures.

For infrastructure located outside of the Company Name premises, all items of equipment must be recorded in the Service Provider inventory. Procedures must be in place to ensure the inventory is updated as soon as assets are received or disposed of.

All equipment must bear a security label and be assigned a distinct asset number, which should be documented in the Service Provider inventory.

Cables that transmit data or sustain essential information services should be shielded from eavesdropping or impairment.

Power cords should be separated from network cables to forestall interference. Network cables should be shielded by conduit and, if feasible, avoid traversing public areas.

4. Equipment lifecycle management

For infrastructure located outside of the Company Name premises, the Service Provider and third-party suppliers must ensure that all of Company Name IT equipment is maintained in accordance with the manufacturer's instructions and any documented internal procedures to ensure it remains in effective working order.

Staff involved with maintenance must:

  • Retain all copies of manufacturer's instructions
  • Identify recommended service intervals and specifications
  • Enable a call-out process in event of failure
  • Ensure only authorized technicians complete any work on the equipment
  • Record details of all remedial work carried out
  • Identify any insurance requirements
  • Record details of faults incurred and actions required

A service history record of equipment must be maintained so that decisions can be made regarding the appropriate time for it to be replaced.

Manufacturer's maintenance instructions must be documented and available for support staff to use when arranging repairs.

The use of equipment off-site must be formally approved by the user's line manager.

It is imperative that all equipment slated for reuse or disposal undergo a thorough data and software erasure/destruction process. In the event that the equipment is to be transferred to another organization - such as in the case of a leasing agreement - approved, highly secure software tools must be employed to ensure data removal.

Furthermore, equipment deliveries must be received and signed for by an authorized individual, utilizing a formal, auditable process that confirms the precise correspondence of delivered items to those listed on the delivery note. All actual assets received must be duly recorded for future reference.

In order to prevent unauthorized access, loading areas and holding facilities must be fortified with adequate security measures, and all access must be subject to meticulous auditing to ensure compliance.

Subsequent removal of equipment must be via a formal, auditable process.

Information security arrangements must be subject to regular independent audit and security improvements recommended where necessary.

Table of Contents


Briefing Sheet

Target Audience: This Policy is intended to be understood and applied by all employees.
Implementation Timing / Impact: Describe when the policy enters into force.
Assumptions / Prerequisites: Describe if any.
Exception Management: Describe if needed.

History of Revisions

Version | Date | Description | Revised by