ISO 27001:2022 A 7.4 Physical security monitoring

Uncategorized 8 Minutes

This control deals with the implementation of appropriate surveillance systems to prevent unauthorized access by intruders to sensitive physical premises.Physical security monitoring are designed to protect buildings, and safeguard the equipment inside. In short, they keep unwanted people out, and give access to authorized individuals. While network and cyber security are important, preventing physical security breaches and threats is key to keeping your technology and data safe, as well as any staff or faculty that have access to the building. Without physical security plans in place, your office or building is left open to criminal activity, and liable for types of physical security threats including theft, vandalism, fraud, and even accidents. Physical security monitoring requires organisations to detect and prevent external and internal intruders who enter into restricted physical areas without permission by putting in place suitable surveillance tools. These surveillance tools constantly monitor and record access-restricted areas and protect organisation against risks that may arise as a result of unauthorized access, including but not limited to:

  • Theft of sensitive data.
  • Loss of information assets.
  • Financial damage.
  • Theft of removable media assets for malicious use.
  • Infection of IT assets with a malware.
  • Ransomware attacks that may be carried out by an intruder.

From landscaping elements and natural surveillance, to encrypted key cards or mobile credentials, to lock down capabilities and emergency mustering, there are many different components to preventing all different types of physical security threats in the modern workplace

Control

Premises should be continuously monitored for unauthorized physical access.

Purpose

To detect and deter unauthorized physical access.

Guidance

Physical premises should be monitored by surveillance systems, which can include guards, intruder alarms, video monitoring systems such as closed-circuit television and physical security information management software either managed internally or by a monitoring service provider. Access to buildings that house critical systems should be continuously monitored to detect unauthorized access or suspicious behavior by:
a) installing video monitoring systems such as closed-circuit television to view and record access to sensitive areas within and outside an organization’s premises.
b) installing, according to relevant applicable standards, and periodically testing contact, sound or motion detectors to trigger an intruder alarm such as:

  1. installing contact detectors that trigger an alarm when a contact is made or broken in any place where a contact can be made or broken (such as windows and doors and underneath objects) to be used as a panic alarm.
  2. motion detectors based on infra-red technology which trigger an alarm when an object passes through their field of view.
  3. installing sensors sensitive to the sound of breaking glass which can be used to trigger an alarm to alert security personnel.

c) using those alarms to cover all external doors and accessible windows. Unoccupied areas should be alarmed at all times; cover should also be provided for other areas (e.g. computer or communications rooms).

The design of monitoring systems should be kept confidential because disclosure can facilitate undetected break-ins. Monitoring systems should be protected from unauthorized access in order to prevent surveillance information, such as video feeds, from being accessed by unauthorized persons or systems being disabled remotely. The alarm system control panel should be placed in an alarmed zone and, for safety alarms, in a place that allows an easy exit route for the person who sets the alarm. The control panel and the detectors should have tamper proof mechanisms. The system should regularly be tested to ensure that it is working as intended, particularly if its components are battery powered. Any monitoring and recording mechanism should be used taking into consideration local laws and regulations including data protection and PII protection legislation, especially regarding the monitoring of personnel and recorded video retention periods.

In the built environment, we often think of physical security control examples like locks, gates, and guards. While these are effective, there are many additional and often forgotten layers to physical security for offices that can help keep all your assets protected. A comprehensive physical security plan combines both technology and specialized hardware, and should include countermeasures against intrusion such as: 

  • Site design and layout
  • Environmental components 
  • Emergency response readiness
  • Training
  • Access control
  • Intrusion detection
  • Power and fire protection

Organisations are to implement these three steps at a minimum to detect and deter unauthorized access to facilities that host critical information assets:

Step 1: Put in place a video monitoring system
Organisations should have a video surveillance system, one example being a CCTV camera, in place to continuously monitor access to restricted areas which hosts critical information assets. Furthermore, this surveillance system should keep a record of all entries into the physical premises.

Step 2: Install detectors to set off an alarm
Trigger an alarm when an intruder accesses physical premises enables the security team to respond quickly to security breaches. Furthermore, it can also be effective at deterring the intruder. Organisations should use motion, sound, and contact detectors that set off an alarm when an unusual activity within the physical premises is detected. In particular:

  • A contact detector should be installed and it should set off an alarm when an unknown object/individual gets in contact with an object or breaks contact with an object. For example, a contact detector can be configured to trigger an alarm when a window or a door is contacted with.
  • Motion detectors can be programmed to start an alarm when the movement of an object is detected within their range of view.
  • Sound detectors such as break glass detectors can be activated when a sound is detected.

Step 3: Configuration of alarms to protect all internal premises
The third compliance step requires the configuration of the alarm system to ensure that all sensitive areas, including all external doors, windows, unoccupied areas and computer rooms are within the range of the alarm system so that there is no vulnerability that can be exploited. For example, if premises such as smoking areas or even gym entrances are not surveilled, these may be used as attack vectors by intruders.

The top 5 most common threats your physical security system should protect against are:

  • Theft and burglary
  • Vandalism
  • Natural disasters
  • Terrorism or sabotage
  • Violence in the workplace

Depending on where your building is located, and what type of industry you’re in, some of these threats may be more important for you to consider. For example, if your building or workplace is in a busy public area, vandalism and theft are more likely to occur. If your building houses a government agency or large data storage servers, terrorism may be higher on your list of concerns. Before updating a physical security system, it’s important to understand the different roles technology and barriers play in your strategy. The smartest security strategies take a layered approach, adding physical security controls s. This means building a complete system with strong physical security components to protect against the leading threats to your organization. The four main security technology components are:

  1. Deterrence – These are the physical security measures that keep people out or away from the space. Deterrent security components can be a physical barrier, such as a wall, door, or turn style. Technology can also fall into this category. Access control systems and video security cameras deter unauthorized individuals from attempting to access the building, too.
  2. Detection – Just because you have deterrents in place, doesn’t mean you’re fully protected. Detection components of your physical security system help identify a potential security event or intruder. Sensors, alarms, and automatic notifications are all examples of physical security detection.
  3. Delay – There are certain security systems that are designed to slow intruders down as they attempt to enter a facility or building. Access control, such as requiring a key card or mobile credential, is one method of delay. Smart physical security strategies have multiple ways to delay intruders, which makes it easier to mitigate a breach before too much damage is caused.
  4. Response – These are the components that are in place once a breach or intrusion occurs. Examples of physical security response include communication systems, building lock downs, and contacting emergency services or first responders.

Together, these physical security components work to stop unwanted individuals from accessing spaces they shouldn’t, and notify the necessary teams to respond quickly and appropriately. Your physical security plans should address each of the components above, detailing the technology and processes you’ll use to ensure total protection and safety. Before implementing physical security measures in your building or workplace, it’s important to determine the potential risks and weaknesses in your current security. Detection is of the utmost importance in physical security. While it is impossible to prevent all intrusions or physical security breaches, having the right tools in place to detect and deal with intrusions minimizes the disruption to your business in the long run. To locate potential risk areas in your facility, first consider all your public entry points. Where people can enter and exit your facility, there is always a potential security risk. Baseline physical security control procedures, such as proper access control measures at key entry points, will help you manage who is coming and going, and can alert you to potential intrusions. Once inside your facility, you’ll want to look at how data or sensitive information is being secured and stored. Do you have server rooms that need added protection? Are desktop computers locked down and kept secure when nobody is in the office? Do employees have laptops that they take home with them each night? Even USB drives or a disgruntled employee can become major threats in the workplace. List out all the potential risks in your building, and then design security plans to mitigate the potential for criminal activity. Take a look at these physical security examples to see how the right policies can prevent common threats and vulnerabilities in your organization.

  • Restrict access to IT and server rooms, and anywhere laptops or computers are left unattended
  • Use highly secure access credentials that are difficult to clone, fully trackable, and unique to each individual
  • Require multi-factor authentication (MFA) to unlock a door or access the building
  • Structure permissions to employ least-privilege access throughout the physical infrastructure
  • Eliminate redundancies across teams and processes for faster incident response
  • Integrate all building and security systems for a more complete view of security and data trends
  • Set up automated security alerts to monitor and identify suspicious activity in real-time

Physical security planning is an essential step in securing your building. Use this guideline to create a physical security plan that addresses your unique concerns and risks, and strengthens your security posturing.

  1. Identify the scope of your physical security plans. This should include the types of employees the policies apply to, and how records will be collected and documented.
  2. Determine who is responsible for implementing your physical security plans, as well as the key decision-makers for making adjustments or changes to the plan.
  3. Include the different physical security technology components your policy will cover.
  4. State the types of physical security controls your policy will employ. Include any physical access control systems, permission levels, and types of credentials you plan on using.
  5. List out key access points, and how you plan to keep them secure.
  6. Define your monitoring and detection systems. What types of video surveillance, sensors, and alarms will your physical security policies include? Identify who will be responsible for monitoring the systems, and which processes will be automated.
  7. Outline all incident response policies. Your physical security planning needs to address how your teams will respond to different threats and emergencies.
  8. Scope out how to handle visitors, vendors, and contractors to ensure your physical security policies are not violated.
  9. Create a cybersecurity policy for handling physical security technology data and records. Include your policies for encryption, vulnerability testing, hardware security, and employee training.
  10. Address how physical security policies are communicated to the team, and who requires access to the plan.

 Here’s a quick overview of the best practices for implementing physical security for buildings.

  • Install perimeter security to prevent intrusion. Physical barriers like fencing and landscaping help establish private property, and deter people from entering the premises. 
  • Use access control systems to provide the next layer of security and keep unwanted people out of the building. When selecting an access control system, it is recommended to choose a cloud-based platform for maximum flexibility and scalability.
  • Integrate your access control with other physical security systems like video surveillance and user management platforms to fortify your security.
  • Employ cyber and physical security convergence for more efficient security management and operations.
  • Regularly test your physical security measures to ensure you’re protected against the newest physical security threats and vulnerabilities.
  • Always communicate any changes to your physical security system with your team.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply