ISO 27001:2022 A 7.5 Protecting against physical and environmental threats

Physical security for information systems refers to the preventive measures put in place to stop people entering physical premises that would give them access to information. The most obvious example is having locks, alarms and perhaps security guards on your organisation's premises, so that only authorised personnel can enter. Environmental controls are mechanisms put in place to protect your organisation's information and resources from environmental impact. This could include (but is not limited to) the threat of floods, earthquakes, fires, or extreme weather conditions. Any of these threats could interrupt your organisation and its information, for example through power outages, loss of communications, or loss of access to filtered water and gas.

Physical controls are important because you do not want just anybody having access to your information. In order to implement effective physical controls, you must review the physical building your organisation is set up in, and any other buildings that employees may work from or where information is held. You may also need to review any hosts of your product or service (for example if you are a software company) to ensure the host of your service is protected. You then need to record this information and review it regularly to ensure it remains secure. Environmental controls are important for information security because a failure in environmental controls could threaten the loss of important information or data. For example, if an environmental force causes a power outage at the offices of your organisation, you may be at risk of losing information that is not backed up or secured.

This clause centres on protecting the organisation against attacks that are, in practice, inevitable. These attacks can be environmental, or a cyber threat that steals your information or the private data of your customers and/or suppliers. Natural disasters like floods, earthquakes, and fires are inevitable events, and organisations must have procedures and policies to deal with them. The pandemic has made organisations aware that they need to support remote working; some staff may work where the risk is high, and this needs to be identified by the management team. This can be addressed by identifying the risk around each business area. Understanding your location and what is in the immediate vicinity is critical to identifying potential risks. The standard requires that the organisation recognises and controls physical and environmental threats effectively.

Appropriate environmental threat protection controls are necessary to limit the impact that either human-made or environmental threats may have on an organisation's operations, systems, personnel, or data availability. If not appropriately addressed, the lack of these controls can have a negative impact on an organisation's ability to maintain the delivery of its products or services. Organisations must be able to measure the potential adverse effects of environmental and physical threats and to mitigate and/or eliminate these effects by putting appropriate measures in place. Threats to information assets are not merely digital: an organisation's critical physical infrastructure hosting information assets is also exposed to environmental and physical threats that may result in loss, destruction, theft and compromise of information assets and sensitive data. These threats may include natural events such as earthquakes, floods and wildfires. They may also include man-made disasters such as civil unrest and criminal activities. Organisations can assess, identify and mitigate risks to critical physical infrastructure arising from physical and environmental threats.

Control

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented.

Purpose

To prevent or reduce the consequences of events originating from physical and environmental threats.

ISO 27002 Implementation Guidance

Risk assessments to identify the potential consequences of physical and environmental threats should be performed prior to beginning critical operations at a physical site, and at regular intervals. Necessary safeguards should be implemented and changes to threats should be monitored. Specialist advice should be obtained on how to manage risks arising from physical and environmental threats such as fire, flood, earthquake, explosion, civil unrest, toxic waste, environmental emissions and other forms of natural disaster or disaster caused by human beings. Physical premises location and construction should take account of:
a) local topography, such as appropriate elevation, bodies of water and tectonic fault lines;
b) urban threats, such as locations with a high profile for attracting political unrest, criminal activity or terrorist attacks.
Based on risk assessment results, relevant physical and environmental threats should be identified and appropriate controls considered in the following contexts as examples:
a) fire: installing and configuring systems able to detect fires at an early stage to send alarms or trigger fire suppression systems in order to prevent fire damage to storage media and to related information processing systems. Fire suppression should be performed using the most appropriate substance with regard to the surrounding environment (e.g. gas in confined spaces);
b) flooding: installing systems able to detect flooding at an early stage under the floors of areas containing storage media or information processing systems. Water pumps or equivalent means should be readily made available in case flooding occurs;
c) electrical surges: adopting systems able to protect both server and client information systems against electrical surges or similar events to minimize the consequences of such events;
d) explosives and weapons: performing random inspections for the presence of explosives or weapons on personnel, vehicles or goods entering sensitive information processing facilities.

Other information

Safes or other forms of secure storage facilities can protect information stored therein against disasters such as a fire, earthquake, flood or explosion. Organizations can consider the concepts of crime prevention through environmental design when designing the controls to secure their environment and reduce urban threats. For example, instead of using bollards, statues or water features can serve as both a feature and a physical barrier.

This control relates primarily to natural disasters and infrastructural damage. Threats include weather events, such as floods, fires and heavy snowfall, as well as man-made incidents, including property damage and sabotage. The external and environmental threats that an organisation is most likely to face will depend on its location – on a macro and micro level. For example, an organisation based in a cold-weather city is more likely to consider the risk of rain and snow. Meanwhile, an organisation based in an older building might face greater risks related to infrastructural damage, such as leaky pipes. The key to compliance is to identify the likelihood and probability of external and environmental risks occurring, and to treat them appropriately. Some risks will be unavoidable or prohibitively expensive to eradicate, so organisations should focus on ways to mitigate the risk. Other times, there will be potentially devastating risks that can be addressed with simple fixes.

Physical protection against damage from fires, floods, earthquakes, explosions, civil unrest, and other forms of environmental or human-made disaster should be implemented to protect the organisation. These protective controls are generally defined and documented in a Physical Security Policy that is made available to all appropriate personnel. Once defined, these controls can be used not only to protect information systems and personnel, but also to address the risk treatment or risk mitigation of findings identified by your organisation's risk assessment. Smoke- or heat-activated fire detectors and alarms should be installed, and organisations should ensure these detectors and alarms are continuously operating effectively. Detectors should not be located near air conditioning vents or intake ducts, which can disperse smoke and so prevent alarms from triggering. Fire authorities should be automatically notified when a fire alarm is activated. Appropriate fire suppression systems, such as sprinklers, should be implemented throughout your facilities and within secure areas containing information systems. These suppression systems should be automated for any facilities or areas that are not staffed continuously. Fire suppression and detection devices or systems supported by independent energy sources should be implemented and maintained. Maintenance logs should be kept up to date to demonstrate that these physical security devices are regularly maintained. Water or moisture detection devices should be located in dropped ceilings and within raised floors to detect water leaks or possible flooding. Information systems should be protected from damage resulting from water leaks by ensuring that master shutoff valves are installed, accessible, and working properly. Master shutoff valves should be clearly marked, and their location should be known to all key personnel.

A three-step process to identify and eliminate risks due to physical and environmental threats:

Step 1: Complete a Risk assessment
Organisations should conduct a risk assessment to identify potential physical and environmental disasters that may occur at each specific physical premise and then measure the effects likely to arise from the identified threats. Because each premise and the infrastructure within it will be subject to different environmental conditions and physical risk factors, the type of threat and the level of risk identified will vary by premise and location. For instance, while one premise may be most vulnerable to wildfire, another may be located in an area where earthquakes occur frequently. Another critical requirement is that this risk assessment should be carried out before the launch of operations on a physical premise.

Step 2: Identify and Implement Controls
Based on the type of threat and the level of risk identified in the first step, organisations should put in place appropriate controls, taking into account the likely consequences of the environmental and physical threats. To illustrate, here are examples of controls that can be put in place for the following threats:

  • Fire: Organisations should deploy systems to trigger alarms when a fire is detected or to activate fire suppression systems capable of protecting storage media and information systems from damage.
  • Flooding: Systems should be deployed and configured to detect flooding in areas where information assets are stored. Furthermore, tools such as water pumps should be ready to be used in case of flooding.
  • Electrical Surges: Servers and critical information management systems should be maintained and protected against electrical surges and outages.
  • Explosives and Weapons: Organisations should carry out random audits and inspections of all individuals, items and vehicles entering premises that host critical infrastructure.

Step 3: Monitoring
Considering that the type of threats and the level of risks may change over time, organisations should continuously monitor the risk assessments and reconsider the controls they implemented if needed.
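The three steps above (assess before operations begin, map each identified threat to controls, re-assess as threats change) can be tracked as a small risk register. The following is an added example, not code from the page, the ISO standard or any vendor; the control catalogue is assumed from the Step 2 bullets, the likelihood-times-impact thresholds and the annual review cadence are assumptions, and the three premises are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed control catalogue, taken from the Step 2 examples above.
# A threat with no entry here has no standard mapping and needs
# specialist advice, as the implementation guidance recommends.
CONTROL_CATALOGUE = {
    "fire": ["early fire detection alarm", "fire suppression suited to the space"],
    "flooding": ["under-floor water detection", "water pumps on standby"],
    "electrical surge": ["surge protection for servers and clients"],
    "explosives/weapons": ["random inspection of personnel, vehicles and goods"],
}

REASSESS_INTERVAL = timedelta(days=365)  # assumed review cadence (Step 3)
REVIEW_DATE = date(2025, 6, 1)           # constructed "today" for the sample run


@dataclass
class Threat:
    name: str
    likelihood: int                              # 1 (rare) .. 5 (almost certain)
    impact: int                                  # 1 (negligible) .. 5 (severe)
    controls: List[str] = field(default_factory=list)  # controls already in place

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Premise:
    name: str
    operations_start: date
    last_assessment: Optional[date]              # None = never assessed
    threats: List[Threat] = field(default_factory=list)


def risk_level(score: int) -> str:
    # Assumed thresholds on the 1..25 likelihood x impact scale.
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def review_premise(premise: Premise, today: date) -> List[str]:
    """Return the findings for one premise across all three steps."""
    findings = []
    # Step 1: an assessment must exist and must predate the start of operations.
    if premise.last_assessment is None:
        findings.append("no risk assessment on record")
    else:
        if premise.last_assessment > premise.operations_start:
            findings.append("risk assessment performed after operations began")
        # Step 3: threats change over time, so the assessment must be repeated.
        if today - premise.last_assessment > REASSESS_INTERVAL:
            findings.append("risk assessment overdue for review")
    # Step 2: every threat above "low" needs its catalogued controls in place.
    for threat in premise.threats:
        level = risk_level(threat.score())
        if level == "low":
            continue
        expected = CONTROL_CATALOGUE.get(threat.name)
        if expected is None:
            findings.append(f"{threat.name}: {level} risk with no catalogued control; obtain specialist advice")
            continue
        missing = [c for c in expected if c not in threat.controls]
        if missing:
            findings.append(f"{threat.name}: {level} risk, missing controls: {', '.join(missing)}")
    return findings


def review_register(premises: List[Premise], today: date) -> dict:
    return {p.name: review_premise(p, today) for p in premises}


# Constructed sample register; the sites, dates and scores are made up.
SAMPLE_REGISTER = [
    Premise("Data hall A", date(2024, 3, 1), date(2024, 1, 15), [
        Threat("fire", 3, 5, ["early fire detection alarm"]),
        Threat("flooding", 1, 4),
        Threat("electrical surge", 2, 4, ["surge protection for servers and clients"]),
    ]),
    Premise("Branch office B", date(2023, 6, 1), None, [
        Threat("earthquake", 4, 4),
    ]),
    Premise("Warehouse C", date(2024, 9, 1), date(2024, 10, 1), [
        Threat("flooding", 3, 3, ["under-floor water detection", "water pumps on standby"]),
    ]),
]


def sample_findings() -> dict:
    return review_register(SAMPLE_REGISTER, REVIEW_DATE)


if __name__ == "__main__":
    for site, issues in sample_findings().items():
        print(site, "->", issues or ["no findings"])
```

Running it lists, per premise, the gaps against each step: Data hall A is overdue for re-assessment and still lacks suppression for a high fire risk, Branch office B was never assessed and carries a threat the catalogue does not cover, and Warehouse C's only finding is that its assessment post-dates the start of operations.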

Four specific considerations that organisations should take into account:

  • Consultation With Experts: Each specific type of environmental and physical threat, whether it is toxic waste, earthquake or fire, is unique in terms of its nature, the risks it presents and the counter-measures it requires. Therefore, organisations should seek expert advice on how to identify, eliminate and/or mitigate risks arising from these threats.
  • Choice of Location for Premises: Taking into account the local topography, water levels and tectonic movements of the potential location for premises can help identify and eliminate risks early on. Furthermore, organisations should consider the risks of man-made disasters in the chosen urban area such as political unrest and criminal activity.
  • Extra Layer of Security: In addition to the specific controls implemented, secure information storage methods such as safes can add an extra layer of security against disasters such as fire and flooding.
  • Crime Prevention Through Environmental Design: Organisations can consider this concept when implementing controls to enhance the security of premises. This method can be used to eliminate urban threats such as criminal activities, civil unrest and terrorism.

Incidents are always a question of when, not if. Given current business trends, technical and administrative controls may attract more attention from security practitioners, but they can never forget that those controls ultimately rely on physical assets that must be protected as well, in many cases with superior levels of reliability. In addition to hardware and software, construction measures can be incorporated that reduce the likelihood of compromise, such as:

  • Location: By knowing the previous history of a place, an organization can avoid sites subject to natural events like earthquakes, floods, and hurricanes, or activities like criminal actions and vandalism. If it has no other options, it can at least prepare the site/facility to deal with those kinds of situations (e.g., reinforced foundations and selection of an alternative site).
  • Walls: Reinforced walls and treatments to protect them against agents like fire, water, and chemicals can help minimize or delay the effects of those agents over an organization’s assets.
  • Entrances: Windows and doors represent a dilemma, since they should consider reinforcement against unauthorized access as well as facilitate people’s exit in case of emergency. For other not-so-obvious entrance points (e.g., ventilation ports and shafts), they should consider measures to prevent both people and animals from sneaking into the site or gaining access to the cabling or piping.
  • External services: No organization is fully autonomous, and that means they depend on some external services like energy, communications, public transport, and, in case of accidents and disaster, emergency services. An organization should consider its needs for locations accessible by multiple routes and providers.
  • Natural surveillance: See and be seen is a key factor for threat mitigation, and landscaping obstructions may cause points of vulnerability. While thinking about site surroundings, try to ensure there is a clear view of people, to make threatening activities easier to spot. Low solid fences, high tree foliage and points of observation are good examples.
  • Natural access control: Use the natural landscape to direct traffic flow. Entrances sided by low hills offer more protection than those sided by flat terrain. A single entrance is better than multiple. Colored lines signaling routes are another alternative to make users naturally find their way in and out and increase opportunities to spot and discourage suspicious behavior.
  • Territorial reinforcement: Even though spaces can be welcoming, they should be well defined and possess clear boundaries. In this way you can change the way people use the areas, through unconscious rules that help prevent or spot undesirable behavior. Subtle changes in layout and signaling are good examples of territorial reinforcement.
  • Other elements that can be considered are traffic calming, transition zones, maintenance, and lighting.

Prevention and Protection

Physical security needs to conform to the standards in force concerning both fire and environmental risks. Next, organisations should define sensitive areas (computer room, specific offices…) which must be protected in a specific way because they shelter vital data or critical infrastructure; a sort of high-level inventory dedicated to security. The protection of sensitive areas must be based on a prioritisation of which risks to combat first. For example, in the case of fire, suppression mechanisms using products that are not likely to damage computer hardware should be used, fireproof cabinets may be required, and restrictions on smoking should be enforced. A recovery plan should be put in place and tested, including the protection of all IT infrastructure. For all types of risk, the approach should be the same:

  1. Define the perimeter.
  2. Introduce preventive (to avoid the disaster) and protective (to protect the installation in case the disaster occurs) measures.
  3. Test and evaluate these measures regularly.

To protect against all of these risks, approaches may vary depending on the situation. Below are some basic protective measures which are required for most cases:

To guard against each risk, the corresponding protective measures are:

Electrical failure
  • Electronic protection/controls (inverters…)
  • Redundancy (duplication of machines/circuits)

Fire
  • Detection and fire protection: smoking ban, disaster plan, fireproof cabinets…
  • Decentralised back-ups
  • Redundancy (duplication of machines/circuits)

Flooding
  • Location of computer rooms outside risk areas
  • Flood detection system
  • Elevation of computer equipment
  • Use of hermetic tubes for wiring
  • Compartmentalised flooring
  • Decentralised back-ups, dry archives

Theft, Intrusion, Espionage
  • Restricted physical access
  • Tracking of visitors
  • Alarm systems

Sabotage
  • Redundancy (duplication of machines/circuits)
  • Decentralised back-ups
  • Restricted physical access

Hardware Malfunctions
  • Regulation of temperature (computer rooms)