In this post, we will cover the remaining Physical Controls of the ISO 27001 standard. This includes any equipment and storage media kept at your physical premises and its disposal or re-use, as well as the security of cabling, to prevent cables being used to intercept information or disrupt your digital services.

A.7.10 Storage media

The objective of this sub-clause is to prevent any unauthorised disclosure, modification, removal or destruction of information stored on media.
As information becomes ever more portable, the risk of losing data grows with it. You need to have procedures in place for a whole range of devices:

  • Hard drives
  • USB drives
  • Mobile phones
  • Tablets
  • Laptops
  • SaaS products

If you haven’t considered each type of media, it can soon become a nightmare for you. This is why it is vitally important in the discovery stage to identify all your assets, which was done when implementing control A.5.9. The list you create needs to be an exhaustive one. You need to search high and low for all media in your business. This is not a small task. Don’t underestimate the time it will take you to do this. But being thorough will ensure that you reduce your future risk.

If you are small, it might only take a couple of weeks to get your media list together. You will, without doubt, find software you didn’t know you had.

Now that you know what media you have, you need to develop and implement procedures for how to manage them. For example, we might ban portable hard drives and USB drives from being used.

Don’t forget to create procedures for the secure disposal of media that is no longer required, plus you’ll need procedures for transporting media too.

Assets are important to the growth of your business, and their mismanagement can pose a sizable risk to your business’s well-being. Use Asset Registers to maximise your growth and minimise your risk.

A.7.11 Supporting utilities

The aim of this control is to prevent loss, damage or compromise of information and other associated assets, or interruption to the organization’s operations due to failure and disruption of supporting utilities.

Your business depends on utilities, including power, telecommunications, water, gas and air conditioning, to support your information processing facilities. To best protect these vital utilities, you should ensure all equipment supporting them is configured, maintained and used according to the manufacturer’s specifications and recommendations. Utilities and supporting equipment should be assessed and appraised regularly to ensure they have the capacity to meet business needs.

If possible, build some redundancy into the system by adding multiple feeds or diverse routing, and, where the utility equipment is networked, connect it to a network separate from the information processing facilities.

A.7.12 Cabling security

This control aims to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations related to power and communications cabling.

Cabling within your premises should be secured to prevent unauthorised access to it that could be used to reach your networks and data. Any network, power and other cables run within your premises should be protected from accidental cuts. Labelling and identifying long cable runs, or places where there are large bundles of cables, should be considered both to make identification easier and to ensure each cable can be inspected properly.

Things to consider include controlling access to patch panels and cable rooms, using fibre optic cables, and carrying out periodic technical sweeps and inspections to detect any unauthorised devices attached to them.

A.7.13 Equipment maintenance

Like the other equipment controls, this control aims to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations. The focus here is the risk that comes from a lack of maintenance.

Implementation of this control is pretty straightforward. Ensure that your equipment is maintained according to supplier recommendations regarding frequency and specifications. This can be done via a maintenance program, by using the physical asset register from control A.5.9, noting any maintenance requirements and implementing a schedule for ensuring any required maintenance is carried out. Documentation of any maintenance or repairs carried out on equipment should be kept and maintained, including any faults or suspected faults.

The other part of equipment maintenance and repair is ensuring that it is carried out by authorised and qualified people. If these people are from outside your business, ensure that the access controls discussed in control A.5.15 are considered, such as supervising them while they are on-site. If remote access is required, ensure this is correctly supervised, with appropriate authorisation and access given. Don’t forget that they will need enough access to do their job: give them too little and you waste everyone’s time and increase the downtime of the equipment when extra access has to be granted midway through the task.

A.7.14 Secure disposal or re-use of equipment

This, the last of the equipment controls, aims to prevent leakage of information from equipment that is to be disposed of or re-used.

Information can be compromised through careless disposal or re-use of equipment. When decommissioning any equipment, you should ensure that any data stored on it is securely removed prior to disposing of it or re-purposing it.

Put simply, any storage media containing confidential or copyrighted information should be physically destroyed, or the information should be removed in a way that makes the original information unretrievable. Clause 7.10 above has more information on handling of storage media, and 8.10 has information on information deletion.

When decommissioning equipment, anything identifying your business or any aspect of it should be removed before it is disposed of, donated or re-sold.
Also worth noting is that if equipment is damaged, you may require a risk assessment to determine the best course of action, be it physically destroying the equipment, repairing it or discarding it. Risks of information disclosure are reduced if the disk is fully encrypted.
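Making information "unretrievable" is only demonstrable if the overwrite is verified before the media leaves your control. As an added example (not from the post or the standard), the Python below reads a storage image sector by sector, compares each sector with the expected overwrite pattern and reports any sector that still holds data; the images it checks are constructed in-memory samples, not real disk dumps.

```python
"""Verify that a storage image was really overwritten before the media
leaves your control (A.7.14). Each sector is compared with the expected
overwrite pattern and mismatches are reported by byte offset."""
import io
from dataclasses import dataclass, field

SECTOR = 512  # findings are reported at sector granularity

@dataclass
class WipeReport:
    sectors_checked: int = 0
    dirty_sectors: int = 0  # total sectors that did not match the pattern
    dirty_offsets: list = field(default_factory=list)  # first few offsets

    @property
    def clean(self) -> bool:
        return self.dirty_sectors == 0

def verify_wipe(stream, pattern=b"\x00", max_findings=20) -> WipeReport:
    """Compare each sector of `stream` with `pattern` tiled to sector size."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    expected = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    report, offset = WipeReport(), 0
    while sector := stream.read(SECTOR):
        report.sectors_checked += 1
        if sector != expected[:len(sector)]:  # slice handles a short last sector
            report.dirty_sectors += 1
            if len(report.dirty_offsets) < max_findings:
                report.dirty_offsets.append(offset)
        offset += len(sector)
    return report

def sample_image(wiped: bool) -> bytes:
    """Constructed 8-sector image: all zeros, or zeros with residual data in
    sector 3 and a stray byte in the last sector (an incomplete wipe)."""
    img = bytearray(8 * SECTOR)
    if not wiped:
        img[3 * SECTOR:3 * SECTOR + 24] = b"ACME customer export CSV"
        img[-1] = 0xFF
    return bytes(img)

def check_image(data: bytes, pattern: bytes = b"\x00") -> WipeReport:
    return verify_wipe(io.BytesIO(data), pattern)

if __name__ == "__main__":
    for label, wiped in (("incomplete wipe", False), ("full wipe", True)):
        r = check_image(sample_image(wiped))
        verdict = "CLEAN" if r.clean else f"{r.dirty_sectors} dirty sector(s) at offsets {r.dirty_offsets}"
        print(f"{label}: {r.sectors_checked} sectors checked, {verdict}")
```

Against a real device you would pass an opened block device or image file as `stream`, and keep the resulting report with the asset's disposal record.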
 

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
