ISO 27001:2022 A 7.3 Securing offices, rooms and facilities


Security of offices, rooms and facilities may seem easy and obvious, but it is worth considering and regularly reviewing who should have access, when and how. Some of the things that often get missed are: Who can see or even hear into the office from outside, and what to do about it? Is access updated when staff leave or transfer, so that they no longer need access to this particular room? Do visitors need to be escorted in this area and, if so, are they? Are staff vigilant about challenging and reporting people they do not recognize? For rooms that are shared with others (e.g. a rented office meeting room), policies would also cover the protection and/or removal of valuable assets when the room is not occupied by the organisation, ranging from laptops through to information left on whiteboards, flip charts etc. The external auditor will inspect the security controls for offices, rooms and facilities and check that there is evidence of adequate, risk-based control implementation, operation and periodic review.


Control

Physical security for offices, rooms and facilities should be designed and implemented.

Purpose

To prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets in offices, rooms and facilities.

ISO 27002 Implementation Guidance

The following guidelines should be considered to secure offices, rooms and facilities:

  1. siting critical facilities to avoid access by the public;
  2. where applicable, ensuring buildings are unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities;
  3. configuring facilities to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate;
  4. not making directories, internal telephone books and online accessible maps identifying locations of confidential information processing facilities readily available to any unauthorized person.

Physical security is a critical element of information security. The two go hand in hand and must be considered together. Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Physical security refers to protective measures taken to safeguard personnel, facilities, equipment and other assets against natural or man-made hazards by reducing risks related to burglary, sabotage, terrorism and other criminal acts. The first step in physical security for information-sensitive locations is determining whether you have one. Information-sensitive locations are rooms, offices and facilities where there are computers that contain sensitive data, or where there are people who have access to sensitive data. Physical security can include:

Locks and Keys: Locking doors, windows and cupboards; using security seals on laptops and mobile devices; password protection for computers; encryption for sensitive data.

CCTV: Closed circuit television cameras are an excellent way of monitoring activity around premises or in specific areas of a building.

Intruder Alarms: These can be activated by movement, heat or sound and are used to alert you to intruders or people who shouldn’t be in a particular area (for example, an alarm sounding when someone tries to break into the office).

The purpose of A 7.3 is to prevent unauthorized physical access, damage and interference to the organisation’s information and other associated assets in offices, rooms and facilities, and to reduce the risk of unauthorized physical access to offices, rooms and facilities to an acceptable level by:

  • Preventing unauthorised physical access to offices, rooms and facilities by persons other than authorised personnel.
  • Preventing damage to or interference with the organisation’s information and other associated assets inside offices, rooms and facilities.
  • Ensuring that any information security sensitive areas are unobtrusive, to make it hard for people to determine their purpose.
  • Minimizing the risk of theft or loss of property within offices, rooms and facilities.
  • Ensuring that people who have authorized physical access are identified (this can be achieved by using a combination of uniform badges, electronic door entry systems and visitor passes).
  • Where possible, using CCTV or other monitoring devices to provide security surveillance over key areas such as entrances/exits.

It applies to all buildings used by the organisation for offices or administrative functions. It also applies to rooms where confidential information is stored or processed, including meeting rooms where sensitive discussions take place. It does not apply to reception areas or other public areas of an organisation’s premises unless they are used for administrative purposes (e.g. a reception area that doubles as an office). It specifies that rooms and facilities must be secured. The following security measures can be taken to ensure that rooms and facilities are secure:

  • Siting critical facilities to avoid access by the public.
  • Where applicable, ensuring buildings are unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.
  • Configuring facilities to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate.
  • Not making directories, internal telephone books and online accessible maps identifying locations of confidential information processing facilities readily available to any unauthorized person.

Some steps companies can take to secure offices, rooms and facilities:

  • A physical security perimeter – such as walls, card controlled entry gates or manned reception security desks
  • Physical entry controls – adequate and appropriate entry controls to ensure only authorized personnel are allowed access
  • Secure offices, rooms and facilities – physical corporate security solutions designed and applied
  • Protection against external and environmental threats – physical protection against fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disasters
  • Secure area protection – physical corporate security solutions designed and applied for secure areas
  • Physical security for public access, delivery and loading areas – access points where unauthorized persons may enter controlled and, if possible, isolated from information processing facilities to avoid unauthorized access
  • The walls, ceilings and floor of any secure area should be of the same strength. If someone can access a secure area via, say, a false ceiling you will be non-compliant.
  • The most sensitive assets should be stored in the most secure areas. Using the “onion technique”, each perimeter “layer” should house progressively more sensitive assets.
  • Ban mobile phone and camera use in secure areas.
  • Prohibit lone working in secure areas.
  • Don’t co-store other assets (such as paper, non-IT equipment or anything else) in secure areas.
  • Ensure delivery and loading areas don’t give direct access to secure areas.
  • Install a welcome desk where all visitors are required to report first.
  • Have security guards challenge unknown persons.
  • Monitor spaces around the perimeter with CCTV or security patrols.