ISO 27001:2022 A 7.1 Physical security perimeters

Physical perimeter security can be defined as the systems and technologies that protect people and assets within a facility and its grounds by blocking unauthorized physical intrusions across the perimeter. Achieving effective perimeter security requires the creation of layers that deter and defend against potential attackers.

The term physical security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. Physical security perimeters identify the physical boundaries of a building or area and control access to it. They may include fences, walls, gates and other barriers that prevent unauthorized access by people or vehicles. In addition to physical barriers, electronic surveillance equipment such as closed-circuit television cameras can be used to monitor activity outside the facility. Physical security perimeters provide a first line of defense against intruders who might otherwise gain physical access to an organisation's network cabling or wireless connections and use them to reach its computer systems. They are often used in conjunction with other information security controls such as identity management, access control and intrusion detection systems. The organisation must establish secure areas that protect valuable information and information assets so that only authorized people can access them. The extent of these areas is also related to the organisation's risk assessment and risk appetite.

The best, most viable physical security strategies make use of both technology and specialized hardware to achieve their safety goals. You will need to protect your assets from intruders, internal threats, cyber attacks, accidents and natural disasters, which calls for a mix of technology and in-person monitoring, with careful planning and placement of security staff and other measures. For your preventive measures and countermeasures to be effective, you also need to define a security perimeter, the size and scope of which may vary depending on your specific needs and the possible threats to your facility. Physical security bundles many needs together, so consider your space as a whole, not as separate parts.

Control

Security perimeters should be defined and used to protect areas that contain information and other associated assets.

Purpose

To prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets.

ISO 27002 Implementation Guidance

The following guidelines should be considered and implemented where appropriate for physical security perimeters:

  1. defining security perimeters and the siting and strength of each of the perimeters in accordance with the information security requirements related to the assets within the perimeter;
  2. having physically sound perimeters for a building or site containing information processing facilities (i.e. there should be no gaps in the perimeter or areas where a break-in can easily occur). The exterior roofs, walls, ceilings and flooring of the site should be of solid construction and all external doors should be suitably protected against unauthorized access with control mechanisms (e.g. bars, alarms, locks). Doors and windows should be locked when unattended and external protection should be considered for windows, particularly at ground level; ventilation points should also be considered;
  3. alarming, monitoring and testing all fire doors on a security perimeter in conjunction with the walls to establish the required level of resistance in accordance with suitable standards. They should operate in a fail-safe manner.

Other information

Physical protection can be achieved by creating one or more physical barriers around the organization’s premises and information processing facilities. A secure area can be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access can be necessary between areas with different security requirements inside the security perimeter. The organization should consider having physical security measures that can be strengthened during increased threat situations.

Physical security manages and protects resources through administrative, technical, and physical controls. Access control systems, intrusion detection systems, and auditing systems are examples of technical controls. Examples of administrative controls are site location, facility design, building construction, emergency response, and employee controls. Examples of physical controls include the choice of building materials, perimeter security such as fencing and locks, and guards. Deterrence, denial, detection and delay are the layers of control used to secure the environment. Attempts to reach physical resources should be deterred by fences, gates, and guards around the perimeter. Locked doors and vaults protect physical assets through denial. Physical intrusion detection systems (IDS) and alarms are the next line of defense and notify first responders when a breach is detected. If attackers reach their target, measures such as a cable lock on a computer must delay them from acquiring the asset until guards or police arrive.
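To make the "detection" layer concrete, the following is an added Python example (not from ISO 27002 or from this page) that runs simple alarm rules over a constructed physical access control log: a perimeter door forced open, a door held open longer than a limit, and repeated badge denials at one door within a short window. Each alert is tagged with whether the door sits on the outer perimeter or an inner secure area, which is the kind of layered distinction the "Other information" section describes. The log format, door names, badge ids and thresholds are all assumptions made for this illustration.

```python
"""Alarm rules over a physical access control log (added example, not from ISO 27002).

The log format, door names, badge ids and thresholds below are assumptions made for
this illustration; the sample log itself is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <door> <event> <badge or ->"
SAMPLE_LOG = """\
2024-05-01T08:01:10 lobby-main ACCESS_GRANTED B1001
2024-05-01T08:01:12 lobby-main DOOR_OPEN -
2024-05-01T08:01:16 lobby-main DOOR_CLOSE -
2024-05-01T22:14:03 server-room ACCESS_DENIED B2044
2024-05-01T22:14:09 server-room ACCESS_DENIED B2044
2024-05-01T22:14:15 server-room ACCESS_DENIED B2044
2024-05-01T22:14:20 server-room ACCESS_DENIED B2044
2024-05-01T23:40:00 loading-dock DOOR_FORCED -
2024-05-02T03:00:00 fire-exit-east DOOR_OPEN -
2024-05-02T03:00:50 fire-exit-east DOOR_CLOSE -
2024-05-02T09:30:00 loading-dock DOOR_OPEN -
2024-05-02T09:31:30 loading-dock DOOR_CLOSE -
"""

# Assumed site layout: doors on the outer perimeter versus inner secure areas.
PERIMETER_DOORS = {"lobby-main", "loading-dock", "fire-exit-east"}
HELD_OPEN_LIMIT = timedelta(seconds=45)   # assumed door-held-open alarm delay
DENIED_THRESHOLD = 3                      # assumed: this many denials ...
DENIED_WINDOW = timedelta(minutes=5)      # ... within this window raises an alarm


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, kind, badge = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "door": door,
                       "kind": kind, "badge": badge})
    return events


def find_alerts(events):
    """Apply the three alarm rules and return alerts in time order."""
    alerts = []
    open_since = {}                  # door -> time it was last opened
    denials = defaultdict(list)      # (door, badge) -> recent denial timestamps

    def raise_alert(ts, door, kind, detail):
        alerts.append({"ts": ts, "door": door, "kind": kind, "detail": detail,
                       "zone": "perimeter" if door in PERIMETER_DOORS else "internal"})

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, door, kind = e["ts"], e["door"], e["kind"]
        if kind == "DOOR_FORCED":
            # Door contact opened with no preceding access grant: immediate alarm.
            raise_alert(ts, door, "forced", "door opened without an access grant")
        elif kind == "DOOR_OPEN":
            open_since[door] = ts
        elif kind == "DOOR_CLOSE":
            opened = open_since.pop(door, None)
            if opened is not None and ts - opened > HELD_OPEN_LIMIT:
                secs = int((ts - opened).total_seconds())
                raise_alert(ts, door, "held_open", f"door open for {secs}s")
        elif kind == "ACCESS_DENIED":
            key = (door, e["badge"])
            recent = [t for t in denials[key] if ts - t <= DENIED_WINDOW]
            recent.append(ts)
            denials[key] = recent
            if len(recent) == DENIED_THRESHOLD:   # alert once when the threshold is hit
                raise_alert(ts, door, "repeated_denied",
                            f"badge {e['badge']} denied {DENIED_THRESHOLD} times")
    # Any door still open when the log ends is worth a look as well.
    for door, opened in open_since.items():
        raise_alert(opened, door, "left_open", "no DOOR_CLOSE seen before end of log")
    return sorted(alerts, key=lambda a: a["ts"])


def summarize(alerts):
    """Count alerts by (zone, kind), e.g. {('perimeter', 'forced'): 1}."""
    counts = {}
    for a in alerts:
        key = (a["zone"], a["kind"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_alerts(parse_log(SAMPLE_LOG))
    for a in found:
        print(a["ts"].isoformat(), a["zone"], a["door"], a["kind"], a["detail"])
    print(summarize(found))
```

On the constructed log this produces four alerts: the repeated denials at the internal server-room door, the forced loading-dock door, and two perimeter doors held open beyond the limit. In practice the thresholds would come from the site's own risk assessment, and the alerts would be routed to whoever is responsible for responding, which is the point of the detection layer in the paragraph above.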

An organisation must demonstrate that it has adequate physical security perimeters in place to prevent unauthorized physical access to information and other associated assets. This includes preventing:

  • Unauthorized entry to buildings, rooms or areas containing information assets;
  • Unauthorized removal of assets from premises;
  • Unauthorized use of assets on premises (e.g., computers and computer-related devices); and
  • Unauthorized access to electronic communications equipment such as telephones, fax machines and computer terminals (e.g., unauthorized tampering).

Physical security perimeters can be implemented through the following two categories:

  • Physical access control: Provides controls over the entry into facilities and buildings, as well as the movement within them. These controls include locking doors, using alarms on doors, using fences or barriers around facilities, etc.
  • Hardware security: Provides controls over the physical equipment an organisation uses to process data (e.g., computers, printers and scanners) that may hold sensitive information.

Implementing this control may also cover the unauthorized use of facility space, equipment and supplies in order to protect information and other associated assets, such as confidential documents, records and equipment. The following guidelines should be considered and implemented where appropriate for physical security perimeters:

  • Defining security perimeters and the siting and strength of each of the perimeters in accordance with the information security requirements related to the assets within the perimeter.
  • Having physically sound perimeters for a building or site containing information processing facilities (i.e. there should be no gaps in the perimeter or areas where a break-in can easily occur).
  • The exterior roofs, walls, ceilings and flooring of the site should be of solid construction and all external doors should be suitably protected against unauthorized access with control mechanisms (e.g. bars, alarms, locks).
  • Doors and windows should be locked when unattended and external protection should be considered for windows, particularly at ground level; ventilation points should also be considered.

Physical and environmental safeguards are often overlooked but are very important in protecting information. Over the past decades physical security has become increasingly difficult for organizations. Technology and computer environments now allow more compromises to occur because of increased vulnerabilities: USB hard drives, laptops, tablets, and smartphones allow information to be lost or stolen because of their portability and mobile access. In the early days of computing, large mainframe computers were used by only a few people and were secured in locked rooms. Today, desks are filled with desktop computers and mobile laptops that have access to company data from across the enterprise, and protecting data, networks, and systems has become harder now that mobile users can take their computers out of the facility. Fraud, vandalism, sabotage, accidents, and theft are increasing costs for organizations as environments become more "complex and dynamic". Physical security becomes tougher to manage as technology grows in complexity and more vulnerabilities are introduced.

Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, and portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and temperature extremes. Physical and environmental security programs define the measures or controls that protect organizations from loss of connectivity and availability of computer processing caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure, and power failures.

Physical security measures should be sufficient to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality.

  1. Determine which managers are responsible for planning, funding, and operations of the physical security of the Data Center.
  2. Review best practices and standards that can assist with evaluating physical security controls.
  3. Establish a baseline by conducting a physical security controls gap assessment that will include the following as they relate to your campus Data Center:
    • Environmental Controls
    • Natural Disaster Controls
    • Supporting Utility Controls
    • Physical Protection and Access Controls
    • System Reliability
    • Physical Security Awareness and Training
    • Contingency Plans
  4. Determine whether an appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high-security areas, etc.) has been made and if these controls have been tested and function correctly.
  5. Provide responsible managers guidance in handling risks. For example, if the current investment in physical security controls is inadequate, this may allow unauthorized access to servers and network equipment. Inadequate funding for key positions with responsibility for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security.
  6. Maintain a secure repository of physical and environmental security controls and policies and establish timelines for their evaluation, update, and modification.
  7. Create a team of physical security auditors, outside of the management staff, to periodically assess the effectiveness of the measures taken and provide feedback on their usefulness and functionality.
