ISO 27001:2022 A 7.2 Physical entry

Audio version of this article

Entry controls and access points are a crucial part of any building’s security system. They’re what makes it possible for you to get in and out of your building without compromising its safety, and they can also prevent unauthorized or unwanted people from entering. Entry controls are the devices that allow you access into a building through doors or gates, such as keypads, card readers, biometric scanners and fobs. They can also include other features such as locking mechanisms for doors and gates, as well as turnstiles or revolving doors.An access point is an electronic device that provides security in large commercial buildings. It uses radio frequency identification (RFID) technology to track all movement in and out of the facility. The access point transmits data back to headquarters so that security personnel can monitor when someone enters or leaves the facility and which areas they are accessing while they are there. Secure areas need to be protected by the appropriate entry controls to ensure only authorised personnel are allowed access. As a really basic example, only those employees who have been given the alarm access code and received a key can access the office. More risk averse organisations and or those with more sensitive information at threat might go much deeper with policies that include biometrics and scanning solutions too. Entry controls will need to be selected and implemented based on the nature and location of the area being protected, and the ability to implement such controls if for example, the location is not owned by the organisation. The processes for granting access through the entry controls need to be robust, tested and monitored and may also need to be logged and audited. The control of visitors will also be especially important and the processes related to such should be considered. Extra consideration should be given to access being granted to areas in which sensitive or classified information is being processed or stored. Whilst areas containing key IT infrastructure equipment in particular need to be protected to a greater extent and access limited to only those that really need to be there. The auditor will expect to see that appropriate controls are in place as well as regularly tested and monitored.

Once you have identified physical security perimeters, you must implement entry controls to govern who can move between secure areas of the premises. The most common example of this will be keycodes issues to employees so that they can enter the office, but physical entry controls can take many forms. Organisations should select controls based on the nature and location of the area being protected. As a rule, the strength of the control should reflect the sensitivity of the data being stored. For example, physical records related to day-to-day activities might be protected by a lock and key. By contrast, highly classified data might require multiple security controls or ones that are less likely to be compromised, such as biometric and scanning solutions. Additionally, organisations might have multiple levels of security within their premises. For example, they might build a barrier at the entrance of the premises to check the credentials of anyone entering the site, followed by separate entrances to the building that require individuals to present a key card.

Control

Secure areas should be protected by appropriate entry controls and access points.

Purpose

To ensure only authorized physical access to the organization’s information and other associated assets occurs.

ISO 27001 Implementation Guidance

General

Access points such as delivery and loading areas and other points where unauthorized persons can enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. The following guidelines should be considered:

1. restricting access to sites and buildings to authorized personnel only. The process for the management of access rights to physical areas should include the provision, periodical review, update and revocation of authorizations
2. securely maintaining and monitoring a physical logbook or electronic audit trail of all access and protecting all logs and sensitive authentication information;
3. establishing and implementing a process and technical mechanisms for the management of access to areas where information is processed or stored. Authentication mechanisms include the use of access cards, biometrics or two-factor authentication such as an access card and secret PIN. Double security doors should be considered for access to sensitive areas;
4. setting up a reception area monitored by personnel, or other means to control physical access to the site or building;
5. inspecting and examining personal belongings of personnel and interested parties upon entry and exit. NOTE Local legislation and regulations can exist regarding the possibility of inspecting personal belongings.
6. requiring all personnel and interested parties to wear some form of visible identification and to immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification. Easily distinguishable badges should be considered to better identify permanent employees, suppliers and visitors;
7. granting supplier personnel restricted access to secure areas or information processing facilities only when required. This access should be authorized and monitored;
8. giving special attention to physical access security in the case of buildings holding assets for multiple organizations;
9. designing physical security measures so that they can be strengthened when the likelihood of physical incidents increases;
10. securing other entry points such as emergency exits from unauthorized access;
11. setting up a key management process to ensure the management of the physical keys or authentication information (e.g. lock codes, combination locks to offices, rooms and facilities such as key cabinets) and to ensure a log book or annual key audit and that access to physical keys or authentication information is controlled

Visitors

The following guidelines should be considered:
a) authenticating the identity of visitors by an appropriate means;
b) recording the date and time of entry and departure of visitors;
c) only granting access for visitors for specific, authorized purposes and with instructions on the security requirements of the area and on emergency procedures;
d) supervising all visitors, unless an explicit exception is granted.

Delivery and loading areas and incoming material

The following guidelines should be considered:

1. restricting access to delivery and loading areas from outside of the building to identified and authorized personnel
2. designing the delivery and loading areas so that deliveries can be loaded and unloaded without delivery personnel gaining unauthorized access to other parts of the building;
3. securing the external doors of delivery and loading areas when doors to restricted areas are opened;
4. inspecting and examining incoming deliveries for explosives, chemicals or other hazardous materials before they are moved from delivery and loading areas;
5. registering incoming deliveries in accordance with asset management procedures on entry to the site;
6. physically segregating incoming and outgoing shipments, where possible;
7. inspecting incoming deliveries for evidence of tampering on the way. If tampering is discovered, it should be immediately reported to security personnel.

The organization must ensure that only authorized physical access to the organisation’s information and other associated assets occurs. Physical security is of primary importance when protecting the confidentiality, integrity, and availability of information assets. This Control is primarily concerned with protecting information and other associated assets from unauthorized access, theft or loss. To this end, appropriate entry controls and access points must be in place to ensure that only authorized individuals can access secure areas. These controls should be designed so that they provide a reasonable assurance that physical access is restricted to authorized persons and that these persons are in fact who they claim to be. This includes the use of locks and keys (both manual and electronic), security guards, monitoring systems and other barriers around entrances and access points. Access control systems such as passwords, card keys or bio metric devices may also be used to control access to sensitive areas in the facility should also be deployed. Upon entry and departure, visitors should be registered and supervised, without prior authorization; Only approved purposes should be granted access, and guidelines should be provided regarding the region’s safety and emergency procedures. A suitable method should be used to verify visitors’ identities. Suitable access controls should be introduced to areas where information is handled or stored, such as a two-factor authentication system that uses an access card and a PIN. Maintaining and monitoring an audit trail of all access records in a physical logbook or electronically. Employees, contractors, and external parties should all wear some kind of visible identification and tell security personnel immediately if they meet persons who are not escorted or who do not have identification. Employees outside of the company who require external support should only have limited access to secure areas or confidential information processing facilities; access authority should be provided and monitoring should be carried out. It is necessary to review, update, and revoke access privileges to protected areas periodically. Whenever necessary.

Administrative Controls

1) The site and Facility Considerations
All sites should have automated controls in place to protect the physical environment. The first line of defense must be administrative, technical and physical controls. The last line of defense should always be employees. Limiting human interaction with attackers reduces the risk of injury. These controls must be at the center when applying and sustaining physical security to protect people, IT infrastructure and operations. Controls must be utilized so that attackers have an opposition to stop or delay them.

2) Facility Plan
The facility plan uses critical path analysis which is a systematic approach that identifies relationships between processes, operations, and applications. An example could be a company web server that needs access to the internet, power, climate control, computer hardware, storage location. In this example, resources that require securing are identified. Additionally, dependencies and interactions that support the business functions are reduced to only the mandatory ones because the processes, operations, and applications were identified. Critical path analysis is the first stage in securing the IT infrastructure. IT infrastructure includes computers, servers, networking equipment, water, electricity, climate control, and buildings. Using current and future technologies, such as operating systems or mobile devices simultaneously is important. Current solutions improve, and new ones emerge as technologies involved. It is necessary to strategize how the older legacy systems and the new systems will merge together. The integration of old and new systems is called technology convergence. An organization could potentially have multiple systems doing the same function as technologies change, creating inefficiencies and risk to the company as it can be difficult to differentiate which system performs a particular task. In some cases, such as an e-commerce website, multiple servers are required to run in parallel, so there is not a single point of failure. Another example could be the intrusion alarm system, fax, and phone line utilizing a single phone line cable. One phone line that different systems connect to is a single point of failure and if an attacker compromised the line at one location, none of these systems would work. Having separate phone lines ran to each system would lower the risk of all three losing their connection at the same time. Parties including management, employees, and especially safety and security personnel, should contribute to the site plan. Management should be in the planning process so they can make sure funds are available for the project. Employee safety concerns should be addressed during the creation of the facility plan. Security staff can point out important aspects of physical security. Security goals for the business and the facility are supported further when their knowledge is used to help make the site plan.

3) Site location
Geographical location, price, and size are factors that involve thought when purchasing a site location. Security requirements should always be the primary concern when determining a location. Buying an existing facility or building a new one also needs to be considered. Site physical security involves deliberation of situational awareness. It is important to take into account that looting, riots, vandalism, and break-ins can occur. Other things to consider before determining a site is visibility, including the terrain around the building, facility markings, signs, neighbors, and area population. Accessibility to the site is important. Road access, traffic, and distance to train stations, freeways, and airports are important aspects. Building facilities susceptible to these accounts should be avoided. Geographical areas prevalent in natural disasters are not ideal site locations. These threats cannot be avoided because natural disasters are not predictable. The IT staff, emergency personnel, management, and disaster recovery team must be prepared and equipped to handle natural disasters. Disaster recovery plans contained within the business continuity plan is the overarching plan that lists the details necessary to recover from a tragedy

4) Securing Data
Data centers and server rooms that house IT or communications equipment must be off-limits to unauthorized individuals. These rooms have to be locked down to prevent attacks. These rooms should be protected and have limited access to those employees that require access to job duties. The more human-incompatible these rooms are, the less likely attacks are executed. Oxygen displacement, extremely dim lighting, cold temperatures and hard to maneuver due to little space are methods used in creating a human inhospitable environment. These data center rooms store mission-critical equipment and should be located in the middle of the facility and not in the basement, ground or top floors.

Physical Controls

Facilities need physical access controls in place that control, monitor and manage access. Categorizing building sections should be restricted, private or public. Different access control levels are needed to restrict zones that each employee may enter depending on their role. Many mechanisms exist that enable control and isolation access privileges at facilities. These mechanisms are intended to discourage and detect access from unauthorized individuals.

1)Perimeter Security
Man traps, gates, fences, and turnstiles are used outside of the facility to create an additional layer of security before accessing the building. Fences distinguish clear boundaries between protected and public areas. Materials used to create fences vary in types and strengths. Protected assets dictate the necessary security levels of the fences. Types of fences include electrically charged, barbed wire, heat, motion or laser detection, concrete, and painted stripes on the ground. Gates are entry and exit points through a fence. To be an effective deterrent, gates must offer the same level of protection equal to the fence; otherwise, malicious people have the opportunity to circumvent the fence and use the gate as the point of intrusion. Construction of gates should consist of hardened hinges, locking mechanisms, and closing devices. Gates should be limited in number to consolidate resources needed to secure them. Dogs or surveillance cameras should monitor gates when guards are not present. Turnstiles are a type of gate that allows only one person to enter. They must provide the same protection level as the fence they are connected. Turnstiles operate by rotating in one direction like a revolving door and allow one individual to leave or enter the premises at a time. Man traps are small rooms that prevent individuals from tailgating. The design of man traps only allows one person may enter at a time. The idea is to trap the person trying to gain access by locking them inside until proof of identity is confirmed. If the individual has permission to enter, the inside door opens allowing entry. This is a security control measure that delays unauthorized people from entering the facility until security or police officers arrive.

2)Badges
Proof of identity is necessary for verifying if a person is an employee or visitor. These cards come in the forms of name tags, badges, and identification (ID) cards. Badges can also be smart cards that integrate with access control systems. Pictures, RFID tags, magnetic strips, computer chips, and employee information are frequently included to help security validate the employee.

3) Motion Detectors
Motion detectors offer different technology options depending on necessity. They are used as intrusion detection devices and work in combination with alarm systems. Infrared motion detectors observe changes in infrared light patterns. Heat-based motion detectors sense changes in heat levels. Wave pattern motion detectors use ultrasonic or microwave frequencies that monitor changes in reflected patterns. Capacitance motion detectors monitor for changes in electrical or magnetic fields. Photoelectric motion detectors look for changes in light and are used in rooms that have little to no light. Passive audio motion detectors listen for unusual sounds.

4) Intrusion Alarms
Alarms monitor various sensors and detectors. These devices are door and window contacts, glass break detectors, motion detectors, water sensors, and so on. Status changes in the devices trigger the alarm. In hardwired systems, alarms notice the changes in status by the device by creating wiring short. Types of alarms are deterrent, repellant, and notification. Deterrent alarms attempt to make it more difficult for attackers to get to major resources by closing doors and activating locks. Repellant alarms utilize loud sirens and bright lights in the attempt to force attackers off the site. Notification alarms send alarm signals through dial-up modems, internet access or GSM (cellular) means. The siren output may be silenced or audible depending on if the organization is trying to catch criminals in the act.

Technical Controls

The main focus of technical controls is access control because it is one of the most compromised areas of security. Smart cards are a technical control that can allow physical access into a building or secured room and securely log in to company networks and computers. Multiple layers of defense are needed for overlap to protect from attackers gaining direct access to company resources. Intrusion detection systems are technical controls that are essential because they detect an intrusion. Detection is a must because it notifies the security event. Awareness of the event allows the organization to respond and contain the incident. Audit trails and access logs must be continually monitored. They enable the organization to locate where breaches are occurring and how often. This information helps the security team reduce vulnerabilities.

1) Smart Cards
Token cards have microchips and integrated circuits built into the cards that process data. Microchips and integrated circuits enable the smart card to do two-factor authentication. This authentication control helps keeps unauthorized attackers or employees from accessing rooms they are not permitted to enter. Employee information is saved on the chip to help identify and authenticate the person. Two-factor authentication also protects computers, servers and data centers from unauthorized individuals. Assess will not be granted with possession of the card alone. A form of bio metrics (something you are) or a PIN or password (something you know) must be entered to unlock the card to authenticate the user. Access token smart cards come in two types, contact and contactless. Contact smart cards have a contact point on the front of the card for data transfer. When the card is inserted, fingers from the device make a connection with chip contact points. The connection to the chip powers it and enables communication with the host device. Contactless smart cards use an antenna that communicates with electromagnetic waves. The electromagnetic signal provides power for the smart card and communicates with the card readers. Access token cards are thought to be impervious to tampering methods; however, these cards are not hacker-proof. Security is provided through the complexity of the smart token. The smart token only allows the card to be read after the correct PIN is entered. Encryption methods keep malicious people from acquiring the data stored in the microchips. Smart cards also have the ability to delete data stored on it the card detects tampering. Cost is a disadvantage of smart card technology. It is expensive to create smart cards and purchase cards, readers. Smart cards are basically small computers and carry the same risks. As technology evolves, storage capacity and the ability to separate “security-critical computations” inside the smart cards. Smart cards can store keys used with encryption systems which helps security. The self-contained circuits and storage, permit the card to use encryption algorithms. The encryption algorithms allow for protected authorization that can be applied enterprise-wide.

2) Proximity Readers and RFID: Access control systems use proximity readers to scan cards and determines if it has authorized access to enter the facility or area. Access control systems evaluate the permissions stored within the chip sent via radio frequency identification RFID. This technology utilizes the use of transmitters (for sending) and responders (for receiving).In physical access control, the use of proximity readers and access control cards that contain passive tags are used. Passive tags are powered from the proximity of readers through an electromagnetic field generated by the card reader. A signal is sent to the reader when a card is swiped. The door unlocks once the signal is received and verified. Active tags contain batteries to self-power the RFID tag. Active tags have a battery power source built-in that allows them to transmit signals further than passive tags. However, the cost of these are significantly higher, and their life is limited because of battery life. These are typically used to track high-value items. Readers can track movements and locate items when connected to the network and detection systems. If an asset is removed from certain areas, the organization can have the access control system trigger an alarm.

3) Intrusion Detection, Guards and CCTV
If the equipment is relocated without approval, intrusion detection systems (IDSs) can monitor and notify of unauthorized entries. IDSs are essential to security because the systems can send a warning if a specific event occurs or if access was attempted at an unusual time. Guards are a significant part of an intrusion detection system because they are more adaptable than other security aspects. Security officers may be fixed at one location or make rounds patrolling the campus. While making rounds, guards can verify the doors and windows are locked, and vaults are protected. Guards may be accountable for watching IDSs and CCTVs and can react to suspicious activity. They can call for backup or local police to help capture a suspect if necessary. Closed-circuit television or surveillance systems utilize cameras and recording equipment to provide visual protection. In areas that cameras monitor, having enough light in the right areas is essential. It might be too dim for the camera to capture decent video quality necessary to prosecute or identify persons of interest without enough light. Cameras can be a fixed lens (not movable) or a zoom lens (adjustable). In monitoring something that is stationary, you would want to use the right type of fixed lens depending on the distance and width you are monitoring. Fixed lenses are available in wide, narrow or wide-angle. The zoom lens is recommended when viewing a target that might need an enlarged view. Another type of camera is a pan, tilt, zoom camera. These are dome style cameras that have the ability to move in all directions as well as zoom in. PTZ cameras are best for tracking suspects because the camera automatically detects and follows a suspect. PTZ cameras can auto-track moving objects through mechanical or application methods. Cameras that use software applications have the ability to change targets and can filter out images that are stationary, saving bandwidth and storage.

 4) Auditing Physical Access
Auditing physical access control systems require the use of logs and audit trails to surmise where and when a person gained false entry into the facility or attempted to break-in. The software and auditing tools are detectives, not preventive. Consistent monitoring of audit trails and access logs are needed to act swiftly. The system has no value if the organization does not respond or response time is limited. Management needs to know when there are incidents so they can make security decisions. Adding additional resources to particular areas or at certain times might be necessary to protect the environment. Access logs and audit trails must include the date and time that the incident occurred. These logs should capture all failed access attempts, the person’s employee information, and the location where the attacker tried to gain entry.

Access points such as delivery and loading areas and other points where unauthorised persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access. For some organisations, delivery/loading areas are either not available or not controlled by the organisation (e.g. a shared office accommodation). However, where the organisation can control or influence these areas, it is important that risks are identified and assessed and appropriate controls are therefore implemented. Examples of these controls may include; Location away from the main office building; Extra guarding; CCTV monitoring & recording; And procedures to prevent external and internal access being open at the same time.The auditor will inspect the delivery and loading protection to assure there are appropriate controls relating to the control of incoming materials (e.g. deliveries) and the control of outgoing materials (e.g. for information leakage prevention). Although, the level of assurance around delivery and loading relative to the assessed risk levels that the auditor will be looking for will depend on the availability and ownership of such facilities.There should be complete control of all the access points where necessary. The information stored within the building should be secured and consider as a legal responsibility. Examples of these controls may include;

• Docks away from the main office building;
• Security Guards; CCTV monitoring & recording; and
• procedures to prevent external and internal access.