ISO 27001:2013 A.11 Physical and environmental security

by Pretesh Biswas,

The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. Physical and environmental safeguards are often overlooked but are very important in protecting information. Physical security over past decades has become increasingly more difficult for organizations. Technology and computer environments now allow more compromises to occur due to increased vulnerabilities. USB hard drives, laptops, tablets, and smartphones allow for information to be lost or stolen because of portability and mobile access. In the early days of computers, they were large mainframe computers only used by a few people and were secured in locked rooms. Today, desks are filled with desktop computers and mobile laptops that have access to company data from across the enterprise. Protecting data, networks, and systems has become difficult to implement with mobile users able to take their computers out of the facilities. Fraud, vandalism, sabotage, accidents, and theft are increasing costs for organizations since the environments are becoming more “complex and dynamic”. Physical security becomes tougher to manage as technology increases with complexity, and more vulnerabilities are enabled. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, and portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extra. Physical and environmental security programs define the various measures or controls that protect organizations from loss of connectivity and availability of computer processing caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure, and power failures. Physical security measures should be sufficient to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality.

1. Determine which managers are responsible for planning, funding, and operations of the physical security of the Data Center.
2. Review best practices and standards that can assist with evaluating physical security controls, such as ISO/IEC 27002:2013.
3. Establish a baseline by conducting a physical security controls gap assessment that will include the following as they relate to your campus Data Center:
• Environmental Controls
• Natural Disaster Controls
• Supporting Utility Controls
• Physical Protection and Access Controls
• System Reliability
• Physical Security Awareness and Training
• Contingency Plans
4. Determine whether an appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high-security areas, etc.) has been made and if these controls have been tested and function correctly.
5. Provide responsible managers guidance in handling risks. For example, if the current investment in physical security controls is inadequate, this may allow unauthorized access to servers and network equipment. Inadequate funding for key positions with responsibility for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security.
6. Maintain a secure repository of physical and environmental security controls and policies and establish timelines for their evaluation, update, and modification.
7. Create a team of physical and environmental security auditors, outside of the management staff, to periodically assess the effectiveness of the measures taken and provide feedback on their usefulness and functionality.

The environment now more than ever need to be concerned with “physical theft of devices and equipment”. Mobile devices including cell phones, laptops, and hard drives are easily portable, thus making them more susceptible to theft. Theft of mobile devices is not the only way that attackers can get the data they want. An attacker could download sensitive data if he or she were to connect an external hard drive or flash drive to an unsecured computer. Leaving a USB flash drive on the ground outside of a building is another way that an attacker could steal data without ever gaining physical access. The malicious payload on the device infects an individual computer and possibly the entire network once an employee picks up the USB stick and inserts it into his or her computer. The physical element of security is often overlooked. The theft of hardware or vandalism could occur while working with administrative and technical controls. Organizations often focus on technical and administrative controls and as a result, breaches may not be discovered right away. Information and have different weaknesses, risks, and countermeasures than physical security. When people look at information security, they conspire how a person may penetrate the network using unauthorized means through wireless, software exploits or open ports. Security professionals with physical security in mind are concerned about the physical entrance of a building or environment and what damages that person may cause.
Examples of threats that physical security protects against are unauthorized access into areas and theft of mobile devices. Attackers can gain entry into secured areas through tailgating, hacking into access control smart cards, or breaking in through doors. Defenses for these threats include physical intrusion detection systems, alarm systems, and mantraps. Mobile devices such as laptops, USB drives, and tablets are easy targets because of portability. Control examples that could help stop theft are the use of RFID systems and cable locks. Physical security protects people, data, equipment, systems, facilities, and company assets. Methods that physical security protects these assets is site design and layout, environmental components, emergency response readiness, training, access control, intrusion detection, and power and fire protection. Business continuity or disaster recovery plans are required to reduce business interruption in times of natural disaster, explosion or sabotage.
One security professional cannot cover the entire spectrum of physical security. Professionals that work in this space do not always have a holistic understanding of physical security because of specialized variables and components that are needed to secure an organization. Individuals often specialize in specific fields, such as secure facility construction, risk assessment, and analysis, secure data center implementation, fire protection, intrusion detection systems (IDSs), closed-circuit television (CCTV) implementation, personal emergency response, training, legal, and regulatory aspects of physical security, and so on. Since physical security is usually further down the list of priorities, physical environments and facilities are not typically designed with security in mind. Aesthetics and functionality often take precedence over security concerns. If organizations focused on security in a holistic, organized, and mature way, risks or causalities could be minimized Organizations can be held monetarily and criminally liable for not practicing due diligence. Examples of lawsuits that organizations can be held accountable for include an unsecured laptop left by an employee containing PII was stolen and a company did not follow fire codes and death resulted because people could not escape through a locked exit door. Physical security teams must implement a security program that balances security measures and safety concerns. Physical security should always use what is called a “defense in depth” approach to reinforce security through different controls. Multiple security controls in places make it tougher for attackers to get to valuable company resources. Security needs to increase productivity in the environment by protecting assets. Good security practices in place allowing employees to feel safe so they can focus on their tasks, and force attackers to pray on easier targets. We should think about how physical security can affect our organization using the CIA triad – confidentiality, integrity, and availability. We look at the areas of security that can affect the confidentiality of data, the integrity of assets and the availability of company resources. Physical security must plan how to protect employee’s lives and facilities. The first priority of physical security is to ensure that all personnel is safe. The second is to secure company assets and restore IT operations if a natural disaster happens. In the event of an explosion or fire, the right suppression methods must be utilized to contain the event. Using the wrong suppression agent can not only make the situation worse but also hurt people. There multiple types of suppressions that can be used to contain fires. Water, gases, and powders are used in different scenarios to extinguish one of the four fire elements: heat, oxygen, fuel, chemical reaction.

Planning For a Physical Security Program

Adequate controls are not present to control the physical environment without a plan in place. The company must create a team that is responsible for designing a physical security program when planning for security. The physical security team should continually improve the program using the defense-in-depth method. Defense in depth is a concept used to secure assets and protect life through multiple layers of security. If an attacker compromises one layer, he will still have to penetrate the additional layers to obtain an asset. To give an example of this concept, let us say that you have a computer that an attacker wants to access. The computer is located inside a locked room within a building. The building has an access control system in place, and there is a fence with a guard outside. If the adversary only needed to climb the fence to get to the data, only one level of security is in place to stop an intruder. If we added security guards, access control systems, locked doors, this would make the task more difficult for the person trying to acquire a resource. In addition, logging into the computers and servers should require a smart card or token in addition to a pin or password in order to access proprietary data. These security measures working together provide multiple levels of security. To ensure that the security controls are working effectively, metrics should be used. The team needs to identify key performance indicators (KPIs) to enhance the security program  KPIs should be monitored by period, quarter, current year, and over years. Metrics depend on the industry and organization. KPIs vary between corporations because of requirements and focus the organization has Organizations need to use a “performance-based approach” when measuring the physical security program. These metrics gauge how well the program is operating towards achieving the organization’s objectives. Data can be used to make informed decisions to lower risk in the most cost-effective method. Without these metrics, the security program will not be able to effectively manage security controls. The following are key performance indicators to measure the effectiveness of the security program:

  • Number of Unsuccessful Crimes
  • Number of successful crimes
  • Number of unsuccessful disruptions
  • Number of successful disruptions
  • The time between detection, assessment and recovery steps
  • The business impact of disruptions
  • Number of false-positive detection alerts
  • Time to restore the operational environment
  • The financial loss of a successful crime
  • The financial loss of a successful disruption

Once key performance indicators are tracked, they can confirm the right objectives are being met. Metrics identify acceptable levels of risk for the organization through the use of input and output process measures. As an example, input process measures could include asset inventory and resource requirements. Outputs could include security assessments completed versus planned, and countermeasures deployed. These inputs and outputs when combined in this example, illustrates the facility asset inventory is secured. Organizations are required to abide by federal laws and regulations.

The organization can verify if resources are allocated correctly through consistent monitoring of metrics. For example, six security guards work during off-hours. Four guards work from 4 P.M. until 1 A.M. The other two work from 1 A.M. until 9 A.M. and at all times at least one guard is required to be at the front gate. A report containing intrusion detection data, such as when and where alarm faults occurred, break-ins and theft at the warehouse occurred from 1:34 until 4:13 A.M was discovered. The countermeasure of placing a guard from the afternoon shift at the warehouse during the early morning shift was initiated. Two months later, a report concluded that the break-ins at the warehouse went down 95%. As a result, the organization had a lower amount of break-ins and theft when resources were properly allocated. Utilizing metrics can be impactful to the company because it can show if the organization is making the right decisions. The organization’s threat profile depends on the nature of the business. It decides what types and levels of risks it should accept, transfer, avoid or mitigate. A threat profile includes targets, threats, threat agents, threat scenarios, and vulnerabilities. The organization must have a clear understanding of how all the threat components work together to create a threat profile. After risks are assessed, the team can go after priority items. The relationships of risks, baselines, and countermeasures that an organization can apply to define acceptable risk levels used in the threat modeling process can be seen in this example:

Criminals should have to go through multiple layers of security to gain access to an asset. Businesses need to try to minimize incidents from occurring, and if they do, steps need to be in place to deal with them. Incidents must be detected. It is impossible to prevent every intrusion, but all must be detected to minimize the impact on the organization. Metrics from incidents including the cost of replacement, business impact, where, what time and what frequency did breaches occur, should be used to analyze what types of disruptions are impacting business operations. Baselines are minimum security requirements that utilize metrics for program monitoring. When countermeasures are meeting the established baseline, the physical security program is successful and implemented effectively. Physical security baselines examples include: commercial or industrial locks are required in private areas, bollards (concrete pillars that block vehicles from driving into buildings) must be used in front of all public entrances, and door delay controls are mandatory on server room doors. Physical security threats can be internal or external. Employees are considered internal threats and can utilize their knowledge of building layouts and where assets are located to steal or vandalize assets. Employees have the ability to gain access to areas unobserved because of their job duties. Predicting attacks from insiders it difficult to detect because of their access permissions. Fire, water, and environmental failures are also internal threats. An example of an insider threat could be a security guard working off-hours with access to all areas decides to commit crimes without alarming other employees. Employees should have background checks conducted when hired to protect company assets. Government agencies and organizations that work with them have access to classified data. Jobs in this space may require polygraph tests in addition to background clearance. Collusion is a type of insider threat that involves two or more employees. What is difficult about this risk is it can bypass procedural processes. Because of the nature of the specific job roles, employment screenings, rotation, and separation of duties require more than one employee. Natural disasters are considered external threats. External threats also possibly have a human factor such as protests, riots or bank robbers. These threats are primarily any outside force or person that does not have company ties. The following tasks must be completed before a physical security program can be implemented:

  • Conduct risk assessments to identify threats and weaknesses. Next, conduct a business impact analysis of all threats.
  • Work with the legal department to ensure that the organization is meeting and maintaining law requirements.
  • To have management set an acceptable risk level for the security program.
  • Calculate baselines after the risk levels have been established.
  • Use performance metrics to track countermeasures.
  • Outline performance requirements and levels of protection from analysis results from:
    1. Deterrence
    2. Delaying
    3. Detection
    4. Assessment
    5. Response
  • Implement and identify these countermeasures for all program categories.
  • Countermeasures must be evaluated regularly against baselines assuring that acceptable risk levels are not being surpassed.

Physical Security Controls

Physical security manages and protects resources in the form of administrative, technical, and physical controls. Access control systems, intrusion detection systems, and auditing systems are examples of technical controls. Some examples of administrative controls are site location, facility design, building construction, emergency response, and employee controls. Physical control examples include types of building materials, perimeter security including fencing and locks, and guards.
Deterrence, Denial, detection then delays are the controls used for securing the environment. Attempts to obtain physical resources should be deterred through the use of fences, gates, and guards around the perimeter. Locked doors and vaults protecting physical assets through denial. Physical Intrusion detection systems (IDS) and alarms are the next lines of defense and notify first responders if a breach is detected. If attackers reach their target, security measures such as a cable lock on a computer must delay the suspect from acquiring assets until guards or police arrive.

Administrative Controls

  1. The site and Facility Considerations
    All sites should have automated controls in place to protect the physical environment. The first line of defence must be administrative, technical and physical controls. The last line of defence should always be employees. Limiting human interaction with attackers reduces the risk of injury. These controls must be at the center when applying and sustaining physical security to protect people, IT infrastructure and operations. Controls must be utilized so that attackers have an opposition to stop or delay them.
  2. Facility Plan
    The facility plan uses critical path analysis which is a systematic approach that identifies relationships between processes, operations, and applications. An example could be a company web server that needs access to the internet, power, climate control, computer hardware, storage location. In this example, resources that require securing are identified. Additionally, dependencies and interactions that support the business functions are reduced to only the mandatory ones because the processes, operations, and applications were identified. Critical path analysis is the first stage in securing the IT infrastructure. IT infrastructure includes computers, servers, networking equipment, water, electricity, climate control, and buildings. Using current and future technologies, such as operating systems or mobile devices simultaneously is important. Current solutions improve, and new ones emerge as technologies involved. It is necessary to strategize how the older legacy systems and the new systems will merge together. The integration of old and new systems is called technology convergence. An organization could potentially have multiple systems doing the same function as technologies change, creating inefficiencies and risk to the company as it can be difficult to differentiate which system performs a particular task. In some cases, such as an e-commerce website, multiple servers are required to run in parallel, so there is not a single point of failure. Another example could be the intrusion alarm system, fax, and phone line utilizing a single phone line cable. One phone line that different systems connect to is a single point of failure and if an attacker compromised the line at one location, none of these systems would work. Having separate phone lines ran to each system would lower the risk of all three losing their connection at the same time. Parties including management, employees, and especially safety and security personnel, should contribute to the site plan. Management should be in the planning process so they can make sure funds are available for the project. Employee safety concerns should be addressed during the creation of the facility plan. Security staff can point out important aspects of physical security. Security goals for the business and the facility are supported further when their knowledge is used to help make the site plan.
  3. Site location
    Geographical location, price, and size are factors that involve thought when purchasing a site location. Security requirements should always be the primary concern when determining a location. Buying an existing facility or building a new one also needs to be considered. Site physical security involves deliberation of situational awareness. It is important to take into account that looting, riots, vandalism, and break-ins can occur. Other things to consider before determining a site is visibility, including the terrain around the building, facility markings, signs, neighbors, and area population. Accessibility to the site is important. Road access, traffic, and distance to train stations, freeways, and airports are important aspects. Building facilities susceptible to these accounts should be avoided. Geographical areas prevalent in natural disasters are not ideal site locations. These threats cannot be avoided because natural disasters are not predictable. The IT staff, emergency personnel, management, and disaster recovery team must be prepared and equipped to handle natural disasters. Disaster recovery plans contained within the business continuity plan is the overarching plan that lists the details necessary to recover from a tragedy
  4. Securing Data
    Data centers and server rooms that house IT or communications equipment must be off-limits to unauthorized individuals. These rooms have to be locked down to prevent attacks. These rooms should be protected and have limited access to those employees that require access to job duties. The more human-incompatible these rooms are, the less likely attacks are executed. Oxygen displacement, extremely dim lighting, cold temperatures and hard to maneuver due to little space are methods used in creating a human inhospitable environment. These data center rooms store mission-critical equipment and should be located in the middle of the facility and not in the basement, ground or top floors.

Physical Controls

Facilities need physical access controls in place that control, monitor and manage access. Categorizing building sections should be restricted, private or public. Different access control levels are needed to restrict zones that each employee may enter depending on their role. Many mechanisms exist that enable control and isolation access privileges at facilities. These mechanisms are intended to discourage and detect access from unauthorized individuals.

  1. Perimeter Security
    Mantraps, gates, fences, and turnstiles are used outside of the facility to create an additional layer of security before accessing the building. Fences distinguish clear boundaries between protected and public areas. Materials used to create fences vary in types and strengths. Protected assets dictate the necessary security levels of the fences. Types of fences include electrically charged, barbed wire, heat, motion or laser detection, concrete, and painted stripes on the ground. Gates are entry and exit points through a fence. To be an effective deterrent, gates must offer the same level of protection equal to the fence; otherwise, malicious people have the opportunity to circumvent the fence and use the gate as the point of intrusion. Construction of gates should consist of hardened hinges, locking mechanisms, and closing devices. Gates should be limited in number to consolidate resources needed to secure them. Dogs or surveillance cameras should monitor gates when guards are not present. Turnstiles are a type of gate that allows only one person to enter. They must provide the same protection level as the fence they are connected. Turnstiles operate by rotating in one direction like a revolving door and allow one individual to leave or enter the premises at a time. Mantraps are small rooms that prevent individuals from tailgating. The design of mantraps only allows one person may enter at a time. The idea is to trap the person trying to gain access by locking them inside until proof of identity is confirmed. If the individual has permission to enter, the inside door opens allowing entry. This is a security control measure that delays unauthorized people from entering the facility until security or police officers arrive.
  2. Badges
    Proof of identity is necessary for verifying if a person is an employee or visitor. These cards come in the forms of name tags, badges, and identification (ID) cards. Badges can also be smart cards that integrate with access control systems. Pictures, RFID tags, magnetic strips, computer chips, and employee information are frequently included to help security validate the employee.
  3. Motion Detectors
    Motion detectors offer different technology options depending on necessity. They are used as intrusion detection devices and work in combination with alarm systems. Infrared motion detectors observe changes in infrared light patterns. Heat-based motion detectors sense changes in heat levels. Wave pattern motion detectors use ultrasonic or microwave frequencies that monitor changes in reflected patterns. Capacitance motion detectors monitor for changes in electrical or magnetic fields. Photoelectric motion detectors look for changes in light and are used in rooms that have little to no light. Passive audio motion detectors listen for unusual sounds.
  4. Intrusion Alarms
    Alarms monitor various sensors and detectors. These devices are door and window contacts, glass break detectors, motion detectors, water sensors, and so on. Status changes in the devices trigger the alarm. In hardwired systems, alarms notice the changes in status by the device by creating wiring short. Types of alarms are deterrent, repellant, and notification. Deterrent alarms attempt to make it more difficult for attackers to get to major resources by closing doors and activating locks. Repellant alarms utilize loud sirens and bright lights in the attempt to force attackers off the site. Notification alarms send alarm signals through dial-up modems, internet access or GSM (cellular) means. The siren output may be silenced or audible depending on if the organization is trying to catch criminals in the act.

Technical Controls

The main focus of technical controls is access control because it is one of the most compromised areas of security. Smart cards are a technical control that can allow physical access into a building or secured room and securely log in to company networks and computers. Multiple layers of defence are needed for overlap to protect from attackers gaining direct access to company resources. Intrusion detection systems are technical controls that are essential because they detect an intrusion. Detection is a must because it notifies the security event. Awareness of the event allows the organization to respond and contain the incident. Audit trails and access logs must be continually monitored. They enable the organization to locate where breaches are occurring and how often. This information helps the security team reduce vulnerabilities.

  1. Smart Cards
    Token cards have microchips and integrated circuits built into the cards that process data. Microchips and integrated circuits enable the smart card to do two-factor authentication. This authentication control helps keeps unauthorized attackers or employees from accessing rooms they are not permitted to enter. Employee information is saved on the chip to help identify and authenticate the person. Two-factor authentication also protects computers, servers and data centers from unauthorized individuals. Assess will not be granted with possession of the card alone. A form of biometrics (something you are) or a PIN or password (something you know) must be entered to unlock the card to authenticate the user. Access token smart cards come in two types, contact and contactless. Contact smart cards have a contact point on the front of the card for data transfer. When the card is inserted, fingers from the device make a connection with chip contact points. The connection to the chip powers it and enables communication with the host device. Contactless smart cards use an antenna that communicates with electromagnetic waves. The electromagnetic signal provides power for the smart card and communicates with the card readers. Access token cards are thought to be impervious to tampering methods; however, these cards are not hacker-proof. Security is provided through the complexity of the smart token. The smart token only allows the card to be read after the correct PIN is entered. Encryption methods keep malicious people from acquiring the data stored in the microchips. Smart cards also have the ability to delete data stored on it the card detects tampering. Cost is a disadvantage of smart card technology. It is expensive to create smart cards and purchase cards, readers. Smart cards are basically small computers and carry the same risks. As technology evolves, storage capacity and the ability to separate “security-critical computations” inside the smart cards. Smart cards can store keys used with encryption systems which helps security. The self-contained circuits and storage, permit the card to use encryption algorithms. The encryption algorithms allow for protected authorization that can be applied enterprise-wide.
  2. Proximity Readers and RFID: Access control systems use proximity readers to scan cards and determines if it has authorized access to enter the facility or area. Access control systems evaluate the permissions stored within the chip sent via radio frequency identification RFID. This technology utilizes the use of transmitters (for sending) and responders (for receiving).In physical access control, the use of proximity readers and access control cards that contain passive tags are used. Passive tags are powered from the proximity of readers through an electromagnetic field generated by the card reader. A signal is sent to the reader when a card is swiped. The door unlocks once the signal is received and verified. Active tags contain batteries to self-power the RFID tag. Active tags have a battery power source built-in that allows them to transmit signals further than passive tags. However, the cost of these are significantly higher, and their life is limited because of battery life. These are typically used to track high-value items. Readers can track movements and locate items when connected to the network and detection systems. If an asset is removed from certain areas, the organization can have the access control system trigger an alarm.
  3. Intrusion Detection, Guards and CCTV
    If the equipment is relocated without approval, intrusion detection systems (IDSs) can monitor and notify of unauthorized entries. IDSs are essential to security because the systems can send a warning if a specific event occurs or if access was attempted at an unusual time. Guards are a significant part of an intrusion detection system because they are more adaptable than other security aspects. Security officers may be fixed at one location or make rounds patrolling the campus. While making rounds, guards can verify the doors and windows are locked, and vaults are protected. Guards may be accountable for watching IDSs and CCTVs and can react to suspicious activity. They can call for backup or local police to help capture a suspect if necessary. Closed-circuit television or surveillance systems utilize cameras and recording equipment to provide visual protection. In areas that cameras monitor, having enough light in the right areas is essential. It might be too dim for the camera to capture decent video quality necessary to prosecute or identify persons of interest without enough light. Cameras can be a fixed lens (not movable) or a zoom lens (adjustable). In monitoring something that is stationary, you would want to use the right type of fixed lens depending on the distance and width you are monitoring. Fixed lenses are available in wide, narrow or wide-angle. The zoom lens is recommended when viewing a target that might need an enlarged view. Another type of camera is a pan, tilt, zoom camera. These are dome style cameras that have the ability to move in all directions as well as zoom in. PTZ cameras are best for tracking suspects because the camera automatically detects and follows a suspect. PTZ cameras can auto-track moving objects through mechanical or application methods. Cameras that use software applications have the ability to change targets and can filter out images that are stationary, saving bandwidth and storage.
  4.  Auditing Physical Access
    Auditing physical access control systems require the use of logs and audit trails to surmise where and when a person gained false entry into the facility or attempted to break-in. The software and auditing tools are detectives, not preventive. Consistent monitoring of audit trails and access logs are needed to act swiftly. The system has no value if the organization does not respond or response time is limited. Management needs to know when there are incidents so they can make security decisions. Adding additional resources to particular areas or at certain times might be necessary to protect the environment. Access logs and audit trails must include the date and time that the incident occurred. These logs should capture all failed access attempts, the person’s employee information, and the location where the attacker tried to gain entry.

A. 11.1 Secure areas


To prevent unauthorized physical access, damage and interference to the organization’s information and Information processing facilities.

A. 11.1.1 Physical security perimeter


Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

Implementation Guidelines

The following guidelines should be considered and implemented where appropriate for physical security perimeters:

  1. security perimeters should be defined and the siting and strength of each of the perimeters should depend on the security requirements of the assets within the perimeter and the results of a risk assessment;
  2. perimeters of a building or site containing information processing facilities should be physically sound [i.e. there should be no gaps in the perimeter or areas where a break-in could easily occur]; the exterior roof, walls and flooring of the site should be of solid construction and all external doors should be suitably protected against unauthorized access with control mechanisms,‘ (e.g. bars, alarms, locks); doors and windows should be locked when unattended and external protection should be considered for windows, particularly at ground level;
  3. a manned reception area or other means to control physical access to the site or building should be in place; access to sites and buildings should be restricted to authorized personnel only;
  4. physical barriers should where applicable,.be built to prevent unauthorized physical access and environmental contamination;
  5. all fire doors on a security perimeter should be alarmed, monitored and tested in conjunction with the walls to establish the required level of resistance in accordance with suitable regional, national and  international standards; they should operate in accordance with the local fire code in a failsafe manner;
  6. suitable intruder detection systems should be installed to national, regional or international standards and regularly tested to cover all external doors and accessible windows; unoccupied areas should be alarmed at all times; the cover should also be provided for other areas,’e.g. computer room or communications rooms; ‘
  7. information processing facilities managed by the organization should be physically separated from those managed by external parties.

Other Information:

Physical protection can be achieved by creating one or more physical barriers around the organization’s premises and information processing facilities. The use of multiple barriers gives additional protection, where the failure of a single barrier does not mean that security is immediately compromised. A secure area may be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access may be needed between areas with different security requirements inside the security perimeter. Special attention to physical access security should be given in the case of buildings holding assets for multiple organizations. The application of physical controls, especially for the secure areas, should be adapted to the technical and economic circumstances of the organization, as set forth in the risk assessment.

A.11.1.2 Physical entry controls


Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Implementation Guidelines

The following guidelines should be considered:

  1. the date and time of entry and departure of visitors should be recorded, and all visitors should be supervised unless their access has been previously approved; they should only be granted access for specific, authorized purposes and should be issued with instructions on the security requirements of the area and on emergency procedures. The identity of visitors should be authenticated by an appropriate means;
  2. access to areas where confidential information is processed or stored should be restricted to authorized individuals only by implementing appropriate access controls, e.g. by implementing a two-factor authentication mechanism such as an access card and secret PIN;
  3. a physical logbook or electronic audit trail of all access should be securely maintained and monitored;
  4. all employees, contractors and external parties should be required to wear some form of visible identification and should immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification;
  5. external party support service personnel should be granted restricted access to secure areas or confidential information processing facilities only when required: this access should be authorized and monitored;
  6. access rights to secure areas should be regularly reviewed and updated and revoked when necessary

A. 11.1.3 Securing offices, rooms, and facilities


Physical security for offices, rooms, and facilities should be designed and applied. The following guidelines should be considered to secure offices, rooms, and facilities:

  1. key facilities should be sited to avoid access by the public;
  2. where applicable, buildings should be unobtrusive and give a minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities;
  3. facilities should be configured to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate;
  4. directories and internal telephone books identifying locations of confidential information processing facilities should not be readily accessible to anyone unauthorized.

A. 11.1.4 Protecting against external and environmental threats.


Physical protection against natural disasters, malicious attack or accidents should be designed and applied.

Implementation Guidelines

Specialist advice should be obtained on how to avoid damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disasters.

A.11.1.5 Working in secure areas

Procedures for working in secure areas should be designed and applied.

Implementation Guidelines

The following guidelines should be considered:

  1. personnel should only be aware of the existence of, or activities within, a secure area on a need-to-know basis;
  2. unsupervised working in secure areas should be avoided both for safety reasons and to prevent
    opportunities for malicious activities;
  3. vacant secure areas should be physically locked and periodically reviewed;
  4. photographic, video, audio or other recording equipment, such as cameras in mobile devices, should not be allowed unless authorized.

The arrangements for working in secure areas include controls for the employees and external party users working in the secure area and they cover all activities taking place in the secure area.

A. 11.1.6 Delivery and loading areas


Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Implementation Guidelines

The following guidelines should be considered:

  1. access to a delivery and loading area from outside of the building should be restricted to identified and authorized personnel;
  2. the delivery and loading area should be designed so that supplies can be loaded and unloaded without delivery personnel gaining access to other parts of the building;
  3. the external doors of a delivery and loading area should be secured when the internal doors are opened;
  4. The incoming material should be inspected and examined for explosives, chemicals or other hazardous materials before it is moved from a delivery and loading area;
  5. The incoming material should be registered in accordance with asset management procedures  on entry to the site;
  6.  incoming and outgoing shipments should be physically segregated, where possible;
  7. The incoming material should be inspected for evidence of tampering en route. If such tampering‘ is discovered it should be immediately reported to security personnel.

Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft, etc., both on- and off-site. Power supplies and cabling should be secured. The physical facility is usually the building(s) housing the system and network components. The physical characteristics of these structures determine the level of such physical threats as fire, roof leaks, or unauthorized access. Security perimeters should be used to protect areas that contain information and information processing facilities — using walls, controlled entry doors/gates, manned reception desks, and similar measures. The general geographic location determines the characteristics of natural threats, which include earthquakes and flooding; man-made threats such as burglary, civil disorders, or interception of transmissions; and damaging nearby activities, including toxic chemical spills, explosions, and fires. Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk should be designed and implemented.

Ensuring complete physical security may be impossible, especially in an organization with a large area and multiple entry points and a very large number of employees customers and vendors interacting together. While many organizations that have extensive security safeguards in place because of the nature of the services and information contained therein, organizations allow unfettered access to members of the public. General security safeguards should be in harmony with the overall atmosphere of the building while factoring in threats to the information contained within. The security of facilities housing information resources can be protected by a number of means (e.g., locked doors with limited key distribution, locked machine cabinets, glass break sensors on windows, motion detectors, door alarms, fire suppression, appropriate heating, cooling and backup power). As with all security issues, the cost of implementing such protection measures has to be weighed against the risks. In some circumstances, the simple act of ensuring that all doors and windows in the room remained closed and locked while unoccupied might suffice. In another case, the sensitivity or criticality of the information contained on and the service provided by the building, room, or piece of equipment might be such that more stringent actions are taken.

Appropriate physical safeguards must be placed on equipment that stores or processes organizational data. In addition to physically securing this equipment, consideration must be given to other environmental-related aspects that could, if not managed correctly, cause an interruption of service or availability and thus disrupt the organization’s mission. Careful thought must be given to ensure proper power (e.g., Uninterruptable Power Supplies, generator power backup, redundant power feeds), adequate fire protection, proper heating and cooling, and so on. These environmental safeguards must be commensurate with the sensitivity of the data contained in or processed by the equipment. Equipment removed from the premises is particularly vulnerable to being lost or theft. Therefore, the equipment must be protected when off-site, at home, or while in transit from one location to another.

A.11.2 Equipment


To prevent loss, damage, theft or compromise f assets and interruption to the organization’s operations.

A.11.2.1 Equipment siting and protection


Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Implementation Guidelines

The following guidelines should be considered to protect equipment:

  1. equipment should be sited to minimize unnecessary access into work areas;
  2. information processing facilities handling sensitive data should be positioned carefully to reduce the risk of information being viewed by unauthorized persons during their use;
  3. storage facilities should be secured to avoid unauthorized access;
  4. items requiring special protection should be safeguarded to reduce the general level of protection required;.
  5. controls should be adopted to minimize the risk of potential physical and environmental threats. e.g. theft, fire. explosives, smoke, water (or water supply failure), dust, vibration. chemical effects. electrical supply interference, communications interference, electromagnetic radiation, and vandalism;
  6. guidelines for eating, drinking and smoking in proximity to information processing facilities should be established;
  7. environmental conditions, such as temperature and humidity should be monitored for conditions which could adversely affect the operation of information processing facilities;
  8. lightning protection should be applied to all buildings and lightning protection filters should be fitted to all incoming power and communications lines;
  9. the use of special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments;
  10. equipment processing confidential information should be protected to minimize the risk of information leakage due to electromagnetic emanation.

A.11.2.2 Supporting utilities


Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.

Implementation Guidelines

Supporting utilities (e.g. electricity, telecommunications, water supply, gas, sewage, ventilation, and air conditioning) should:

  1. conform to equipment manufacturer’s specifications and local legal requirements:
  2. be appraised regularly for their capacity to meet business growth and interactions with other supporting utilities;
  3. be inspected and tested regularly to ensure their proper functioning;
  4. if necessary, be alarmed to detect malfunctions;
  5. if necessary, have multiple feeds with diverse physical routing.

Emergency lighting and communications should be provided. Emergency switches and valves to cut off the power, water, gas or other utilities should be located near emergency exits or equipment rooms.

Other Information

Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.

A.11.2.3 Cabling security


Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage.

Implementation Guidelines

The following guidelines for cabling security should be considered:

  1. power and telecommunications lines into information processing facilities should be underground, where possible, or subject to adequate alternative protection;
  2. power cables should be segregated from communications cables to prevent interference:
  3. for sensitive or critical systems further controls to consider include:
    1. installation of armoured conduit and locked rooms or boxes at inspection and termination points;
    2. use of electromagnetic shielding to protect the cables;
    3. initiation of technical sweeps and physical inspections for unauthorized devices being attached to the cables;
    4. controlled access to patch panels and cable rooms.

A.11.2.4 Equipment maintenance.


Equipment should be correctly maintained to ensure its continued availability and integrity.

Implementation Guidelines

The following guidelines for equipment maintenance should be considered:

  1. equipment should be maintained in accordance with the supplier’s recommended service intervals. and specifications:
  2. only authorized maintenance personnel should carry out repairs and service equipment;
  3. records should be kept of all suspected or actual faults and of all preventive and corrective maintenance;
  4. appropriate controls should be implemented when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on-site or external to the
    organization; where necessary, confidential information should be cleared from the equipment or the maintenance personnel should be sufficiently cleared;
  5. all maintenance requirements imposed by insurance policies should be complied with;
  6. before putting equipment back into operation after its maintenance, it should be inspected to ensure that the equipment has not been tampered with and does not a malfunction.

A.11.2.5 Removal of assets


Equipment, information or software should not be taken off-site without prior authorization.

Implementation Guidelines
The following guidelines should be considered:

  1. employees and external party users who have authority to permit off-site removal of assets should be identified;
  2. time limits for asset removal should be set and returns verified for compliance;
  3. where necessary and appropriate, assets should be recorded as being removed off-site and recorded when returned;
  4. the identity, role, and affiliation of anyone who handles or uses assets should be documented and this documentation returned with the equipment, information or software.

Other Information

Spot checks, undertaken to detect unauthorized removal of assets, can also be performed to detect unauthorized recording devices, weapons, etc., and to prevent their entry into and exit from, the site. Such spot checks should be carried out in accordance with relevant legislation and regulations. Individuals should be made aware that spot checks are carried out, and the verifications should only be performed with authorization appropriate for the legal and regulatory requirements.

A.11.2.6 Security of equipment and assets off-premises


Security should be applied‘ to off-site assets taking into account the different risks of working outside the organization’s premises.

Implementation Guidelines

The use of any information storing and processing equipment outside the organization’s premises should be authorized by management. This applies to equipment owned by the organization and that equipment owned privately and used on behalf of the organization. The following guidelines should be considered for the protection of off-site equipment:

  1. equipment and media taken off-premises should not be left unattended in public places;
  2. manufacturers’ instructions for protecting equipment should be observed at all times, e.g. protection against exposure to strong electromagnetic fields;
  3. controls for off-premises locations, such as home-working, teleworking and temporary sites should be determined by a risk assessment and suitable controls applied as appropriate, e.g. lockable filing cabinets, clear desk policy, access controls for computers and secure communication with the office
  4. when off-premises equipment is transferred among different individuals or external parties, a log should be maintained that defines the chain of custody for the equipment including at least names and organizations of those who are responsible for the equipment.

Risks, e.g. of damage, theft or eavesdropping, may vary considerably between locations and should be taken into account in determining the most appropriate controls.

Other Information

Information storing and processing equipment include all forms of personal computers, organizers, mobile phones, smart cards, paper or other forms, which is held for home working or being transported away from the normal work location. It may be appropriate to avoid the risk by discouraging certain employees from working off-site or by restricting their use of portable IT equipment;

A. 11.2.7 Secure disposal or re-use of equipment


All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.

Implementation Guidelines

Equipment should be verified to ensure whether or not storage media is contained prior to disposal or re-use. Storage media containing confidential or copyrighted information should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.

Other Information

Damaged equipment containing storage media may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded. Information can be compromised through careless disposal or re-use of equipment. In addition, to secure disk erasure, whole-disk encryption reduces the risk of disclosure of- confidential information when equipment is disposed of or redeployed, provided that:

  1. the encryption process is sufficiently strong and covers the entire disk including slack space, swap files, etc.;
  2. the encryption keys are long ‘enough to resist brute force attacks; .
  3. the encryption keys are themselves kept confidential (e.g. never stored on the same disk).

Techniques for securely overwriting storage media differ according to storage media technology. Overwriting tools should be reviewed to make sure that they are applicable to the technology of the storage media.

11.2.8 Unattended user equipment


Users should ensure that unattended equipment has appropriate protection. All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users should be advised to:

  1. terminate active sessions when finished. unless they can be secured by an appropriate locking ‘ mechanism, e.g. a password-protected screen saver;
  2. log-off from applications or network services when no longer needed;
  3. secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.

11.2.9 Clear desk and clear screen policy


A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. The clear desk and clear screen policy should take into account the information classifications, legal and contractual requirements, and the corresponding risks and cultural aspects of the organization. The following guidelines should be considered:

  1. sensitive or critical business information, e.g. on paper or on electronic storage media, should be locked away (ideally in a safe or cabinet or other forms of security furniture) when not required especially when the office is vacated.
  2. computers and terminals should be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended and should be protected by key locks, passwords or other controls when not in use;
  3. unauthorized use of photocopiers and other reproduction technology (e.g. scanners, digital cameras) should be prevented;
  4. media containing sensitive or classified information should be removed from printers immediately.

Other Information

A clear desk/clear screen policy reduces the risks of unauthorized access, loss of and damage to information during and outside normal working hours. Safes or other forms of secure storage facilities might also protect information stored therein against disasters such as a fire. earthquake, flood or explosion. Consider the use of printers with PIN code function, so the originators are the only ones who can get their print-outs and only when standing next to the printer.

IT equipment should be maintained properly and disposed of securely. Information stored in equipment being disposed of, redistributed, or sold must be securely removed to prevent the disclosure of the information to unauthorized parties.
The system’s operation usually depends on supporting facilities such as electric power, heating, and air conditioning, and telecommunications. The failure or substandard performance of these facilities may interrupt the operation of systems and may cause physical damage to system hardware or stored data. Equipment should be protected from disruptions caused by failures in supporting utilities such as HVAC, water supply and sewage. Power and telecommunications cabling carrying sensitive data should be protected from interception or damage. Maintenance contracts should be in place to make certain equipment will be correctly maintained to ensure its continued availability and integrity. Equipment, information or software should not be taken off-premises without prior authorization. Appropriate security measures should be applied to off-site equipment, taking into account the different risks of working outside the organization’s premises.
There are many types of equipment involved in the creation, collection, storage, manipulation, and/or transmission of information. Filing cabinets are used to store student transcripts. Computer systems are used to process and maintain intellectual property. Data networking equipment and cables are used to transmit voice and video communications. While the value of the equipment cannot be disregarded, the information stored in the device is arguably more valuable than the device itself. Physical and logical security safeguards should be based on the type of data being processed by the equipment. A sound asset management strategy is important to ensure all important equipment is tracked and secured appropriately.
All equipment containing storage media should be checked to ensure that sensitive data and licensed software have been removed or securely overwritten prior to secure disposal. In the event that equipment is lost or stolen there are a number of steps that must be taken. Immediately inform the Information security office (or those responsible for information security in the organization) of the loss. Providing as much information as possible about the contents (social security numbers, credit card numbers, protected health information, personally identifiable information, etc.), use (are their passwords on the device that could be used to access secure organization resources) and lifecycle (has the device been shared with others, has it been scrubbed recently of data within, etc.) of the stolen property is essential to determine the risk involved and the required actions involved in its recovery or remote wiping of data housed. Identification of IP addresses, hostnames, computer names registered, or other associations with the stolen property provides additional information leading to its return or calculating the impacted loss. Evidence that the device is registered as a device management system (mobile management system, online location service, etc.) may enable the risk to be mitigated without the device’s recovery. Confirmation that the device is encrypted or backed up also affords data relative to its risk of loss to the organization. Finally, have campus police been informed of the theft or loss in order to file appropriate reports for insurance purposes or data loss prevention activities?
Physical security begins with low visibility for secure locations. Unnecessary signage announcing high-impact data facilities and network closets should be avoided. Mechanical locks with different keying options, some of which allow multiple key codes for added security are turning to electronic access solutions with entry audit capabilities. Complete access solutions consisting of electronic access control devices and remote monitoring capabilities are becoming more prevalent where access is granted to multitudes of people throughout the day. Fully networked RFID and biometric readers provide additional security where ID cards can be shared, lost or stolen.
Electronic access solutions eliminate managing multiple keys and provide real-time remote access monitoring and audit trail reporting meeting compliance requirements where required. Electronic access reporting can provide simple open/close information as well as additional data involving which credential was used, the time and duration of the event; and the type of access activated. In the event a security breach does occur, the audit trail can be used to forensically reconstruct a series of events leading up to the suspicious activity. Networking security access keeps equipment and spaces secure, connecting building security and equipment access through standardized security credential protocols. Electronic locks can communicate with IP security cameras or other security devices, expanding the scope and capabilities of a security network.
Naturally minimizing access to secure spaces is the best method of controlling the security of those facilities. Only those who absolutely need access should be among those granted that permission. Most technology can be managed remotely without actual physical access to the equipment. Where physical access is determined necessary, that access should be monitored, recorded and audited absolutely.
Fire, humidity, smoke and temperature control systems are all available which can provide monitoring capabilities and automated activity including alarms, fire suppression, and alerts. These should all be deployed to keep systems operating with appropriate training (use of gas masks, fire extinguishers, emergency power shutdown management systems, etc.) provided for those responsible for their maintenance and safety. All of these systems and processes can be implemented over time but should be part of a physical security system for technology. Relatively inexpensive in cost, the assurance that equipment housing essential organization data is safe and secure is well worth the cost.


Back to Home Page

If you need assistance or have any doubt and need to ask any questions contact me at You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion is also welcome.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s