In this blog post, we move on from People Controls, and into those “Physical Controls” which aim to protect the physical premises where your data is stored and used. This includes your office, as well as any data centres that you may use. With the increased use of cloud services for data storage and processing, you may wish to assess the risks associated with your offices based on the data stored and accessed from them.
A.7.1 Physical security perimeters
The objective here is to prevent any unauthorized physical access, damage and interference to your organisation’s information and information processing facilities.
So, you need to review all the security measures you have on your facilities, any outsourced facilities and for your remote workers. Physical protection can be achieved by creating one or more physical barriers around your premises and information processing facilities.
A secure area can be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access can be necessary between areas with different security requirements inside the security perimeter. You should consider having physical security measures that can be strengthened during increased threat situations.
It is important to consider any staff who are working remotely, and what measures they have in place.
A.7.2 Physical entry
Now that the physical security perimeters have been defined as part of control A.7.1, this control aims to ensure that access to these areas is permitted for only authorised people.
Access points, including doors, delivery and loading areas where people can access the premises should be controlled.
This is commonly implemented by electronic access systems requiring staff to scan in and out of the premises, with visitors being managed at a reception area where they can be registered, met and escorted by authorised personnel.
Loading and delivery areas are often designed so that delivery personnel do not have access to secured parts of the building, and delivered goods are inspected before they are moved from the delivery areas. The controls you put in place should be checked regularly.
A.7.3 Securing offices, rooms and facilities
Within offices and workplaces, there will be information and assets which require additional controls as outlined in control A.5.12 – Classification of Information, covered previously. This information will need to be secured within your premises from unauthorised access, even by your own employees and contractors.
These areas often include directors’ offices and server rooms among others, and are often secured by adding additional zones to electronic access systems. For example, only the Sys Admin team can access server rooms, or only software development team members can access the development area. Alternatively, some directors’ offices may be secured by an old-fashioned key, which only they have.
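As an added illustration, not part of the original post, the zone rule described above can be written down as a small policy evaluator. It also folds in the visitor rule from A.7.2 (visitors are only admitted when escorted by someone who is themselves permitted in that zone) and lists the denied attempts that the regular check of the controls should review. The zone names, roles, badge ids and badge events below are all constructed for the example; a real access-control system would hold these in its own database.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed zone policy (hypothetical): zone name -> roles allowed to enter.
ZONE_POLICY: Dict[str, Set[str]] = {
    "lobby": {"staff", "developer", "sysadmin", "director"},
    "dev_area": {"developer", "sysadmin"},
    "server_room": {"sysadmin"},
    "directors_office": {"director"},
}

# Constructed badge register (hypothetical): badge id -> roles of the holder.
BADGE_REGISTER: Dict[str, Set[str]] = {
    "B001": {"staff", "sysadmin"},
    "B002": {"staff", "developer"},
    "B003": {"staff", "director"},
    "V100": {"visitor"},
}


@dataclass(frozen=True)
class BadgeEvent:
    timestamp: str                      # constructed ISO-8601 timestamp
    badge_id: str
    zone: str
    escorted_by: Optional[str] = None   # badge id of the escort, for visitors


def is_permitted(event: BadgeEvent,
                 register: Dict[str, Set[str]] = BADGE_REGISTER,
                 policy: Dict[str, Set[str]] = ZONE_POLICY) -> bool:
    """True if the badge may enter the zone under the policy; unknown zones
    and unknown (or revoked) badges fail closed."""
    allowed_roles = policy.get(event.zone)
    if allowed_roles is None:
        return False
    roles = register.get(event.badge_id, set())
    if not roles:
        return False
    if roles == {"visitor"}:
        # A visitor never enters on their own badge: the escort must be a
        # different badge that is itself permitted in this zone.
        if event.escorted_by is None or event.escorted_by == event.badge_id:
            return False
        escort = BadgeEvent(event.timestamp, event.escorted_by, event.zone)
        return is_permitted(escort, register, policy)
    return bool(roles & allowed_roles)


def evaluate(events: List[BadgeEvent],
             register: Dict[str, Set[str]] = BADGE_REGISTER,
             policy: Dict[str, Set[str]] = ZONE_POLICY) -> List[dict]:
    """Decision per event, in the order received."""
    return [{"timestamp": e.timestamp, "badge_id": e.badge_id, "zone": e.zone,
             "permitted": is_permitted(e, register, policy)} for e in events]


def denied_events(events: List[BadgeEvent],
                  register: Dict[str, Set[str]] = BADGE_REGISTER,
                  policy: Dict[str, Set[str]] = ZONE_POLICY) -> List[BadgeEvent]:
    """The denied attempts: the list a periodic review of the controls looks at."""
    return [e for e in events if not is_permitted(e, register, policy)]


# Constructed sample of one morning's badge events.
SAMPLE_EVENTS: List[BadgeEvent] = [
    BadgeEvent("2024-05-01T08:58:00", "B001", "lobby"),
    BadgeEvent("2024-05-01T09:02:00", "B001", "server_room"),                   # sysadmin
    BadgeEvent("2024-05-01T09:05:00", "B002", "server_room"),                   # developer: denied
    BadgeEvent("2024-05-01T09:10:00", "B002", "dev_area"),                      # developer
    BadgeEvent("2024-05-01T09:15:00", "V100", "dev_area", escorted_by="B002"),  # escorted visitor
    BadgeEvent("2024-05-01T09:20:00", "V100", "server_room", escorted_by="B002"),  # escort lacks access
    BadgeEvent("2024-05-01T09:25:00", "B999", "lobby"),                         # unknown badge
    BadgeEvent("2024-05-01T09:30:00", "B003", "directors_office"),              # director
]

if __name__ == "__main__":
    for decision in evaluate(SAMPLE_EVENTS):
        print(decision)
    print("denied attempts to review:", len(denied_events(SAMPLE_EVENTS)))
```

The useful output for the regular check mentioned under A.7.2 is the denied list: a developer repeatedly trying the server room door, or a visitor being walked into a zone their escort cannot enter, is exactly what the review should pick up.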
A.7.4 Physical security monitoring
The aim of this control is to deter unauthorised access to your premises.
This control can be met by having your physical premises monitored by a surveillance system. This can include alarms, video monitoring systems and can be either managed internally or by an external monitoring provider.
A.7.5 Protecting against physical and environmental threats
This clause aims to protect your information and assets against any physical and environmental threats.
Your risk assessment should include any physical or environmental threats including fire, flood, earthquake, electrical surges and issues, criminal activity or terrorist attacks.
Things which can be considered include storing physical data in safes or other secure storage facilities which can protect against fire, earthquake and floods. If relevant, crime prevention controls can include using bollards, or nicer alternatives such as statues or water features as physical barriers.
Takeaways
The main takeaways from this post are:
- Identify and secure the external perimeter of areas where your data is stored and utilised, taking into consideration the classification of data being used.
- Once the perimeter areas are identified and secured, create entry and exit access controls to limit and monitor entry to these areas.
- Limit access to areas where assets and sensitive data are accessed or stored within your office. This can include server rooms and management offices, among other things.
- Monitor access to your premises through surveillance.
Other Posts
- Other posts in the series can be found at: A Strategic Approach to ISO 27001 Implementation
- View the previous post in the series: People Controls: Implementing Key Information Security Practices from Hiring to Offboarding
- View the next post in the series: From Secure Areas to Off-Site Assets: Strengthening Physical Security with Controls A.7.6 - A.7.9