ISO 27001:2022 A 7.3 Securing offices, rooms and facilities

Uncategorized 5 Minutes

Audio version of the article

Advertisements

Security of offices, rooms and facilities may seem easy and obvious, but it is worth considering and regularly reviewing who should have access, when and how. Some of the things that often get missed are; Who can see or even hear into the office from outside and what to do about it?; Is access updated when staff leave or transfer so no longer need access to this particular room; Do visitors need to be escorted in this area and is so, are they?; And are staff vigilant about challenging and reporting people they do not recognize? For rooms that are shared with others (eg if a rented office meeting room) policies would also include the protection and or removal of valuable assets when it is not occupied by the organisation – ranging from laptops, through to information posted on whiteboards, flip charts etc. The external auditor will be inspecting the security controls for offices, rooms and facilities and checking to see that there is evidence of adequate, risk-based control implementation, operation and review on a periodic basis

Advertisements

Control

Physical security for offices, rooms and facilities should be designed and implemented.

Purpose

To prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets in offices, rooms and facilities.

ISO 27002 Implementation Guidance

The following guidelines should be considered to secure offices, rooms and facilities:

  1. siting critical facilities to avoid access by the public;
  2. where applicable, ensuring buildings are unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities;
  3. configuring facilities to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate;
  4. not making directories, internal telephone books and online accessible maps identifying locations of confidential information processing facilities readily available to any unauthorized person.
Advertisements

Physical security is a critical element of information security. The two go hand in hand and must be considered together. Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Physical security refers to protective measures taken to safeguard personnel, facilities, equipment and other assets against natural or man-made hazards by reducing risks related to burglary, sabotage, terrorism and other criminal acts. The first step in physical security for information sensitive locations is determining if you have one. Information sensitive locations are rooms, offices and facilities, where there are computers that contain sensitive data or where there are people who have access to sensitive data. Physical security can include.

Locks and Keys: Locking doors, windows and cupboards; using security seals on laptops and mobile devices; password protection for computers; encryption for sensitive data.

CCTV:Closed circuit television cameras are an excellent way of monitoring activity around premises or in specific areas of a building.

Intruder Alarms: These can be activated by movement, heat or sound and are used to alert you to intruders or people who shouldn’t be in a particular area (for example, an alarm sounding when someone tries to break into the office).

The purpose 3 is to prevent unauthorized physical access, damage and interference to the organisation’s information and other associated assets in offices, rooms and facilities and is to reduce the level of risk of unauthorized physical access to offices, rooms, and facilities, to an acceptable level by:

  • Preventing unauthorised physical access to offices, rooms and facilities by persons other than authorised personnel.
  • Prevent damage or interference with the organisation’s information and other associated assets inside offices, rooms and facilities.
  • Ensuring that any information security sensitive areas are unobtrusive to to make it hard for people to determine their purpose.
  • Minimizing the risk of theft or loss of property within offices, rooms and facilities.
  • Ensuring that people who have authorized physical access are identified (this can be achieved by using a combination of uniform badges, electronic door entry systems and visitor passes).
  • Where possible, CCTV or other monitoring devices should be used to provide security surveillance over key areas such as entrances/exits.

It applies to all buildings used by the organisation for offices or administrative functions. It also applies to rooms where confidential information is stored or processed, including meeting rooms where sensitive discussions take place. It does not apply to reception areas or other public areas of an organisation’s premises unless they are used for administrative purposes (e.g. a reception area that doubles as an office). It specifies that rooms and facilities must be secured. The following security measures can be taken to ensure that rooms and facilities are secure:

  • Siting critical facilities to avoid access by the public.
  • Where applicable, ensuring buildings are unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.
  • Configuring facilities to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate.
  • Not making directories, internal telephone books and online accessible maps identifying locations of confidential information processing facilities readily available to any unauthorized person.

 Some step companies can take to secure office rooms and facilities:

  • A physical security perimeter – such as walls, card controlled entry gates or manned reception security desks
  • Physical entry controls – adequate and appropriate entry controls to ensure only authorized personnel are allowed access
  • Secure offices, rooms and facilities – physical corporate security solutions designed and applied
  • Protection against external and environmental threats – physical protection against fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disasters
  • Secure area protection – physical corporate security solutions designed and applied for secure areas
  • Physical security for public access, delivery and loading areas – access points where unauthorized persons may enter controlled and, if possible, isolated from information processing facilities to avoid unauthorized access
  • The walls, ceilings and floor of any secure area should be of the same strength. If someone can access a secure area via, say, a false ceiling you will be non-compliant.
  • The most sensitive assets should be stored in the most secure areas. Using the “onion technique”, each perimeter “layer” should house progressively more sensitive assets.
  • Ban mobile phone and camera use in secure areas.
  • Prohibit lone working in secure areas.
  • Don’t co-store other assets (such as paper, non-IT equipment or anything else) in secure areas.
  • Ensure delivery and loading areas don’t give direct access to secure areas.
  • Install a welcome desk where at where all visitors are required to report first.
  • Have security guards challenge unknown persons.
  • Monitor spaces around the perimeter with CCTV or security patrols.
Advertisements

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply