According to ISO 27001, the international standard for ISMS, physical security should be implemented in accordance with Annex A.11, which covers the following controls:
- A.11.1 Secure areas: This control requires the organization to define and establish security perimeters and boundaries for areas that contain sensitive or critical information and information processing facilities. The organization should also control access to these areas using appropriate measures such as locks, alarms, guards, or CCTV cameras.
- A.11.2 Equipment: This control requires the organization to protect equipment from environmental threats and hazards, such as dust, water, heat, or power fluctuations. The organization should also prevent unauthorized access to equipment by securing cables, ports, and removable media. Additionally, the organization should ensure proper maintenance and disposal of equipment and media.
- A.11.3 Working in secure areas: This control requires the organization to establish rules and procedures for working in secure areas, such as restricting unauthorized visitors, prohibiting unattended equipment or media, and ensuring clear desk and clear screen policies.
Physical security is not only applicable to the organization’s premises but also to any other locations where information and information processing facilities are used or stored, such as home offices, mobile devices, or cloud services. Therefore, the organization should also consider the physical security aspects of its suppliers, partners, and employees who work remotely or travel frequently.
If you want to learn more about physical security in accordance with ISMS, you can check out these web search results: