This blog post continues through the Physical Controls of ISO 27001:2022, covering controls A.7.6 through A.7.9. These controls continue to protect the physical premises where your data is stored and used, with a focus on the working areas and on securing the work being done in them.
A.7.6 Working in secure areas
This control aims to protect information and associated assets in secure areas from damage and interference by personnel working in these areas.
Secure areas can include server rooms, or normal working areas which you may wish to segregate should you need to work on a project which has elevated security requirements.
This is usually achieved by ensuring that your staff and contractors are aware that secure areas exist, both for safety and to reduce the chance of them accidentally accessing these areas. In addition to having access controls on these areas, devices such as cameras and recording devices should not be allowed to be taken into them. If they must be taken in, user computers and other devices such as phones should be appropriately controlled.
A.7.7 Clear desk and clear screen
This control aims to reduce risks of loss, damage and unauthorised access to information on desks, screens and other accessible locations.
This can be achieved by educating your staff on a clear desk policy and ensuring that papers, documents and other stationery or equipment are not left unattended on their desks. The clear screen policy can be enforced by setting the lock screen timeout as a policy. Additionally, educating your staff to lock their computers when they leave their desks will assist with this.
We often see this included in induction training, and periodic security training, as well as through reminder posters and signage around offices to remind staff of this.
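As an added example (not code from the original post), the following PowerShell script audits a Windows workstation for the lock screen timeout enforcement described above. It reads the standard Windows registry locations for the machine inactivity limit and the screen saver lock, and reports whether a session will lock within the policy threshold and whether that setting is enforced by Group Policy or merely chosen by the user. The 600-second threshold is an assumed policy value; replace it with the timeout your ISMS specifies.

```powershell
# Added example, not part of the original post: audits the screen-lock settings
# of the Windows workstation it runs on against a clear-screen policy.
# The 600-second threshold is an assumed policy value; set it to your own.
$MaxIdleSeconds = 600

# Standard Windows registry locations for these settings:
#   machine-wide "Interactive logon: Machine inactivity limit" (GPO security option)
$MachinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
#   per-user screen saver values pushed by Group Policy (user cannot change them)
$UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
#   per-user screen saver values chosen locally (user can change them)
$UserLocal     = 'HKCU:\Control Panel\Desktop'

# Returns a registry value, or $null if the key or value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Reads the effective screen saver lock settings, preferring GPO-enforced values.
function Get-ScreenSaverLock {
    foreach ($path in @($UserPolicy, $UserLocal)) {
        $timeout = Get-RegValue $path 'ScreenSaveTimeOut'
        if ($null -ne $timeout) {
            return [pscustomobject]@{
                Source   = $path
                Enforced = ($path -eq $UserPolicy)
                Active   = ((Get-RegValue $path 'ScreenSaveActive') -eq '1')
                Secure   = ((Get-RegValue $path 'ScreenSaverIsSecure') -eq '1')
                Timeout  = [int]$timeout
            }
        }
    }
    return $null
}

# Compliant if either the machine inactivity limit or a password-protected,
# GPO-enforced screen saver locks the session within the threshold.
function Test-ClearScreenPolicy {
    param([int]$MaxIdleSeconds)
    $findings = @()

    # Path 1: machine inactivity limit locks the session regardless of user settings.
    $inactivity = Get-RegValue $MachinePolicy 'InactivityTimeoutSecs'
    $machineOk = ($null -ne $inactivity) -and ([int]$inactivity -gt 0) -and ([int]$inactivity -le $MaxIdleSeconds)
    if (-not $machineOk) {
        $findings += "InactivityTimeoutSecs is '$inactivity'; expected a value from 1 to $MaxIdleSeconds"
    }

    # Path 2: screen saver configured to require a password within the timeout.
    $ss = Get-ScreenSaverLock
    $ssOk = $false
    if ($null -eq $ss) {
        $findings += 'No screen saver timeout configured'
    } else {
        if (-not $ss.Active) { $findings += "Screen saver inactive ($($ss.Source))" }
        if (-not $ss.Secure) { $findings += "Screen saver does not require a password ($($ss.Source))" }
        if ($ss.Timeout -gt $MaxIdleSeconds) { $findings += "Screen saver timeout $($ss.Timeout)s exceeds $($MaxIdleSeconds)s" }
        if (-not $ss.Enforced) { $findings += 'Screen saver settings come from user preferences, not Group Policy, so the user can change them' }
        $ssOk = $ss.Active -and $ss.Secure -and ($ss.Timeout -le $MaxIdleSeconds) -and $ss.Enforced
    }

    [pscustomobject]@{
        Compliant = ($machineOk -or $ssOk)
        Findings  = $findings
    }
}

$result = Test-ClearScreenPolicy -MaxIdleSeconds $MaxIdleSeconds
if ($result.Compliant) {
    Write-Output "Clear screen control enforced (session locks within $($MaxIdleSeconds)s)."
} else {
    Write-Output 'Clear screen control NOT enforced:'
    $result.Findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it under the account being audited (the HKCU values belong to the logged-on user). A result of not compliant with only the "user preferences, not Group Policy" finding means the lock works today but nothing stops the user from turning it off, which is exactly the gap that setting the timeout as a policy closes.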
A.7.8 Equipment siting and protection
This control aims to reduce the risks from physical and environmental threats, and from unauthorised access and damage.
When deciding where to position your equipment, you should consider what the equipment is being used for. Equipment that processes sensitive information should be positioned so as to reduce the risk of the information being viewed by unauthorised people, as well as the risk of physical or environmental threats to the equipment.
Placing servers that handle sensitive information, such as email servers and file servers, in a secure server room which can only be accessed by authorised staff is a good way to achieve this.
A.7.9 Security of assets off-premises
Similar to the other equipment and device controls, this control aims to prevent loss, damage, theft or compromise of any devices which are off-site which may interrupt your operations.
This covers devices used by staff outside of the office, including mobile devices which may be used to access work email, as well as BYOD devices which are used for work purposes or may store company information; the use of such devices should be authorised by management.
Protections for these devices should include:
- Ensuring devices are not left unattended whilst in unsecured places
- Maintaining a chain of custody when off-premises equipment is transferred between different stakeholders
- Implementing tracking and remote wiping capability for devices
- Protecting against the viewing of information on a device, including the risk of people reading information over the user's shoulder
Also worth considering is the case where equipment usually housed in secure areas or on-premises needs to be taken off-premises, such as for repair. This can be managed by requiring authorisation and keeping records of removals, so as to maintain an audit trail of the equipment's movements and who has custody of it. Your implementation of control A.5.14 – Information transfer can be used as a basis for this.
The other consideration is equipment which is permanently installed outside of your premises, such as radio equipment, ATMs or video equipment. This can be subject to a much greater risk of damage, theft or eavesdropping, and the risks vary greatly based on the location and use of the equipment. When determining appropriate measures to secure the equipment, you should consider physical security monitoring as outlined in A.7.4, protection against physical and environmental threats as outlined in A.7.5, and tamper-proof controls. Controls A.7.4 and A.7.5 were covered in our previous post here.
Takeaways
These controls enhance the security of data while work is being performed by:
- Ensuring that work on information with an enhanced security classification is done in secure areas where appropriate controls are in place.
- Implementing a clear desk and clear screen policy and reminding staff of it.
- Considering environmental and other threats, including unauthorised access, when deciding where to site equipment and devices.
- Having appropriate protections in place for any assets and devices, including laptops, mobile devices and other equipment, which may be located or taken off-site.
Other Posts
- Other posts in the series can be found at: A Strategic Approach to ISO 27001 Implementation
- View the previous post in the series: Locking Down Your Security: Best Practices for Physical ISMS Protection in Controls A.7.1 - A.7.5
- View the next post in the series: Securing the Backbone: Tips for Protecting Media, Cabling, and Equipment in Controls A.7.10 – A.7.14
Brad Fabiny
DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.