ISO 27001 - Annex A.11: Physical & Environmental Security
What is the objective of Annex A.11.1 of ISO 27001:2013?
Annex A.11.1 is about ensuring secure physical and environmental areas. The objective of this Annex A control is to prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities. It is an important part of the information security management system (ISMS), especially if you would like to achieve ISO 27001 certification. Let's look at those requirements and what they mean in a bit more depth.
A.11.1.1 Physical Security Perimeter
This control covers the security perimeters and boundaries around areas that contain sensitive or critical information, or information processing facilities such as servers, desktops and laptops. A physical security perimeter is defined as "any transition boundary between two areas of differing security protection requirements". This might be quite specific, for example: the outermost boundary of the site, encompassing outdoor and indoor spaces; the boundary between the outside of a building and its interior; the boundary between a corridor and an office, or between the outside of a storage cabinet and its inside. It could also be stated simply as the HQ, with its address and the boundaries in scope around it.
Examples of the types of property and premises the organisation will need to consider in terms of physical security include:
- The data centres that host information assets;
- Head office;
- Workers who tend to work from home; and
- Workers who travel and therefore use hotels, customer premises etc.
With increasing outsourcing, e.g. of data centres, and the use of rented offices, it is also important to cross-reference these controls with the supplier policy in A.15.1 and the numerous other policies that affect home, mobile and teleworkers. This also dovetails with your scope in 4.3.
Put simply, the organisation must establish secure areas that protect valuable information and information assets, which only authorised people can access. This is also related to the organisation's risk assessment and risk appetite, in line with 6.1 actions to address risks and opportunities. As a basic example, offices containing valuable information should only be accessed by employees of that organisation, or by others who have been granted permission, e.g. visitors, and external cleaners or facilities maintenance staff who have been approved in line with the supplier policy.
A.11.1.2 Physical Entry Controls
Secure areas need to be protected by appropriate entry controls to ensure only authorised personnel are allowed access. As a really basic example, only those employees who have been given the alarm code and issued a key can access the office. More risk-averse organisations, and those with more sensitive information at risk, might go much further with policies that include biometrics and scanning solutions too.
Entry controls will need to be selected and implemented based on the nature and location of the area being protected, and on the ability to implement such controls if, for example, the location is not owned by the organisation. The processes for granting access through the entry controls need to be robust, tested and monitored, and may also need to be logged and audited. The control of visitors is also especially important and the related processes should be considered. Extra consideration should be given to access granted to areas in which sensitive or classified information is processed or stored, and areas containing key IT infrastructure equipment in particular need to be protected to a greater extent, with access limited to only those who really need to be there. The auditor will expect to see that appropriate controls are in place and that they are regularly tested and monitored.
A.11.1.3 Securing Offices, Rooms and Facilities
Security of offices, rooms and facilities may seem easy and obvious, but it is worth considering and regularly reviewing who should have access, when and how. Some of the things that often get missed are: Who can see or even hear into the office from outside, and what to do about it? Is access revoked when staff leave or transfer and no longer need access to this particular room? Do visitors need to be escorted in this area and, if so, are they? And are staff vigilant about challenging and reporting people they do not recognise? For rooms that are shared with others (e.g. a rented office meeting room) policies would also include the protection and/or removal of valuable assets when the room is not occupied by the organisation, ranging from laptops through to information left on whiteboards, flipcharts etc.
The external auditor will be inspecting the security controls for offices, rooms and facilities and checking to see that there is evidence of adequate, risk-based control implementation, operation and review on a periodic basis.
A.11.1.4 Protecting against External & Environmental Threats
This control describes how physical protection against natural disasters, malicious attacks or accidents is designed and applied.
Environmental threats can be naturally occurring (e.g. floods, tornados, lightning) or man-made (e.g. water leakage from facilities, civil unrest). Such threats need to be considered and the risks identified, assessed and treated appropriately. Some threats (e.g. sitting on a flood plain) may be unavoidable without considerable cost or inconvenience; however, that does not mean there are no actions that can be taken. Specialist advice may be required for some aspects of environmental management and should be sought if necessary. Understanding your location and what is in the immediate vicinity is critical to identifying potential risks. The auditor will be looking for evidence that thought has gone into identifying potential threats and vulnerabilities (both naturally occurring and man-made) and that environmental risks have been assessed and either treated or tolerated accordingly.
A.11.1.5 Working in Secure Areas
Once the access controls have been identified and implemented for secure areas, it is important that they are complemented with procedural controls relating to risks that might arise while inside the secure area. For example there might need to be:
- A restricted awareness of the location and function of secure areas;
- Restrictions on the use of recording equipment within secure areas;
- Restriction on unsupervised working within secure areas wherever possible;
- In and out monitoring and logging.
Having inspected the secure area access controls, the auditor will then be looking to see that these are supported, where necessary with appropriate policies and procedures and that evidence of their management is maintained.
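The in/out logging asked for above, and the monitoring of entry controls in A.11.1.2, is only useful if someone reviews the log. The following is an added example, not code from the ISMS.online page or product, showing the checks an auditor or security team would run over a badge-system export: entries by people not on the authorised list (a leaver whose badge was never disabled), out-of-hours entry, a second IN without an OUT (passback or tailgating), an OUT with no matching IN, repeated denials, and people never logged out. The log format, the names, the authorised list and the working-hours window are assumptions standing in for a real export.

```python
"""Physical access log review for A.11.1.2 / A.11.1.5.

Added example, not from the ISMS.online page. The log format, the door and
person names, the authorised list and the working-hours window are all
assumptions standing in for an organisation's real badge system export.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export: timestamp, badge holder, door, direction, result.
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice SERVER_ROOM IN GRANTED
2024-03-04T09:40:02 alice SERVER_ROOM OUT GRANTED
2024-03-04T10:02:44 bob SERVER_ROOM IN GRANTED
2024-03-04T10:05:13 bob SERVER_ROOM IN GRANTED
2024-03-04T12:12:00 carol SERVER_ROOM IN DENIED
2024-03-04T12:12:09 carol SERVER_ROOM IN DENIED
2024-03-04T12:12:20 carol SERVER_ROOM IN DENIED
2024-03-04T14:00:00 erin SERVER_ROOM IN GRANTED
2024-03-04T23:15:31 dave SERVER_ROOM IN GRANTED
2024-03-05T00:30:00 dave SERVER_ROOM OUT GRANTED
"""

# Assumed access-rights register: who is currently authorised for each secure area.
# "erin" is deliberately absent, as a leaver whose badge was never disabled.
AUTHORISED = {"SERVER_ROOM": {"alice", "bob", "dave"}}
WORKING_HOURS = (time(7, 0), time(20, 0))   # unsupervised access expected only in this window
DENIED_THRESHOLD = 3                          # repeated refusals worth a follow-up


def parse_log(text):
    """Turn the export into (datetime, person, door, direction, result) tuples, in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, who, door, direction, result = line.split()
        events.append((datetime.fromisoformat(ts), who, door, direction, result))
    return sorted(events)


def review_access_log(text, authorised=AUTHORISED, hours=WORKING_HOURS,
                      denied_threshold=DENIED_THRESHOLD):
    """Return (rule, person, detail) findings for the reviewer, in the order detected."""
    findings = []
    inside = defaultdict(set)      # door -> people the log says are currently inside
    denials = defaultdict(int)     # (person, door) -> consecutive denied attempts

    for ts, who, door, direction, result in parse_log(text):
        if result != "GRANTED":
            denials[(who, door)] += 1
            if denials[(who, door)] == denied_threshold:
                findings.append(("repeated_denials", who,
                                 f"{denied_threshold} denied attempts at {door}"))
            continue
        denials[(who, door)] = 0

        if direction == "IN":
            if who not in authorised.get(door, set()):
                findings.append(("unauthorised_entry", who,
                                 f"granted entry to {door} but not on the authorised list"))
            if not (hours[0] <= ts.time() <= hours[1]):
                findings.append(("out_of_hours", who, f"entered {door} at {ts.isoformat()}"))
            if who in inside[door]:
                findings.append(("double_entry", who,
                                 f"second IN at {door} without an OUT in between"))
            inside[door].add(who)
        elif direction == "OUT":
            if who not in inside[door]:
                findings.append(("exit_without_entry", who,
                                 f"OUT at {door} with no matching IN"))
            inside[door].discard(who)

    # Anyone still "inside" at the end of the export either never badged out or tailgated out.
    for door, people in inside.items():
        for who in sorted(people):
            findings.append(("still_inside", who, f"no OUT recorded for {door} by end of log"))
    return findings


if __name__ == "__main__":
    for rule, who, detail in review_access_log(SAMPLE_LOG):
        print(f"{rule:20} {who:8} {detail}")
```

Against the constructed log this reports bob's double entry, carol's three refusals, erin's entry despite not being on the authorised list, dave's late-night entry, and bob and erin never badging out. The same rules are what the auditor is asking for when they want access logs "monitored": the authorised list must be the one from the access-rights register, so that leavers and transfers show up here rather than going unnoticed.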
A.11.1.6 Delivery & Loading Areas
Access points such as delivery and loading areas, and other points where unauthorised persons could enter the premises, shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access. Cloud-only or digital workplaces might have no need for a policy or control around delivery and loading areas; in that instance they would record the control as not applicable in the Statement of Applicability (SoA), together with the justification for excluding it.
For some organisations, delivery/loading areas are either not available or not controlled by the organisation (e.g. shared office accommodation). However, where the organisation can control or influence these areas, it is important that risks are identified and assessed and appropriate controls implemented. Examples of these controls include: location away from the main office building; extra guarding; CCTV monitoring and recording; and procedures to prevent the external and internal doors being open at the same time. The auditor will inspect the delivery and loading protection to confirm there are appropriate controls over incoming materials (e.g. deliveries) and outgoing materials (e.g. to prevent information leakage). The level of assurance the auditor looks for, relative to the assessed risk levels, will depend on the availability and ownership of such facilities.
What is the objective of Annex A.11.2 of ISO 27001:2013?
Annex A.11.2 is about Equipment. The objective in this Annex A control is to prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.
A.11.2.1 Equipment Siting & Protection
Equipment needs to be sited and protected to reduce the risks from environmental threats and hazards, and from unauthorised access. The siting of equipment will be determined by a number of factors including the size and nature of the equipment, its proposed use, accessibility and environmental requirements. Those responsible for siting equipment must conduct a risk assessment and apply the following wherever possible, in line with the risk levels:
- Information processing facilities (laptops, desktops etc.) handling sensitive data should be positioned, and the viewing angle restricted, to reduce the risk of information being viewed by unauthorised persons during use.
- Storage facilities are secured to prevent unauthorised access, with keys held by authorised key holders.
- Food and drink should be kept away from ICT equipment.
- Wireless routers, shared printers etc. should be positioned to allow easy access when required without distracting anyone from working, and printed output should not be left on the printer.
- Information processing facilities like laptops are sited so they are securely stored when not in use and easily accessed when required.
- Home workers also need to consider carefully the siting and positioning of equipment to avoid risks similar to those addressed for workers at the offices, as well as unintentional use or access by family and friends.
A.11.2.2 Supporting Utilities
Equipment needs to be protected from power failures and other disruptions caused by failures in supporting utilities. For example, risks related to failing or faulty power supplies should be assessed and considered. Mitigations might include: dual power supplies from different sub-stations; backup power generation facilities; and regular testing of power provision and management. For telecommunications, considerations for maintaining service might include: dual or multiple routing; load balancing and redundancy in switching equipment; and bandwidth capacity monitoring and alerting. Many of the risks relate to the "availability" of information processing systems, so controls should support the business requirements for availability in line with any business continuity planning and impact assessments carried out for this purpose. The auditor will be looking for evidence that controls have been regularly tested to ensure they function correctly to the desired levels (backup generators etc.).
A.11.2.3 Cabling Security
Power and telecommunications cabling carrying data or supporting information services needs to be protected from interception, interference or damage. If power and network cables are not sited and protected adequately, an attacker may be able to intercept or disrupt communications or cut off power. Wherever possible, network and power cables should be underground or otherwise protected, and separated from each other to protect against interference. Depending on the sensitivity or classification of the data, it may be necessary to use separate communications cables for different classification levels and additionally to inspect termination points and patch panels for unauthorised devices. The auditor will visually inspect the cabling and, where the classification or risk level warrants it, request evidence of periodic inspection.
A.11.2.4 Equipment Maintenance
Equipment should be correctly maintained to ensure its continued availability and integrity. The requirement for routine, preventative and reactive maintenance of equipment will vary according to the type, nature, siting, environment and purpose of the equipment and any contractual agreements with manufacturers and third-party suppliers. Maintenance needs to be carried out at appropriate frequencies to ensure equipment remains functional and to reduce the risk of failure. It is a good idea to keep maintenance schedules as evidence for the auditor if your equipment needs servicing or repairs (this can be neatly tied into the A.8.1.1 information asset inventory if desired). Logs of this maintenance should include who carried out the maintenance, what was done and who authorised it. The auditor will check these logs to see that the schedules are adequate and proportionate, and that the activities have been appropriately authorised and conducted.
A.11.2.5 Removal of Assets
Equipment, information or software taken off-site needs to be managed too. That might be controlled with some form of check-in/check-out process, or more simply associated with an employee as part of their role and managed in accordance with their terms and conditions of employment (Annex A.7, which should deal with information security of course!).
In the ever more mobile working world, some assets, such as mobile devices, may be routinely removed from organisational premises to facilitate mobile or home working. Where assets are not designed to be routinely removed from site, or where they are of a sensitive, highly classified, valuable or fragile nature, processes should be in place to request and authorise removal and to check the return of the assets. Consideration should also be given to limiting the length of time assets may be removed for, on a risk basis. The auditor will be looking to see that these risk assessments have been carried out for non-routine removal of assets, and for policies that determine what is and isn't routine.
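As an added example (not code from the ISMS.online page or product), here is the check-in/check-out process described above expressed as a small register: routine asset types leave site on the holder's own authority, anything else or anything confidential needs a second person to approve, the maximum time off-site is set per classification, restricted assets never leave, and overdue returns are reported for chasing. The asset types, classification names, day limits and approval rule are assumed policy values; the standard does not prescribe them.

```python
"""Asset removal register for A.11.2.5.

Added example, not from the ISMS.online page. The asset list, the routine
asset types, the maximum off-site durations per classification and the
approval rule are assumed policy values, not anything the standard prescribes.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ROUTINE_TYPES = {"laptop", "phone"}   # assumed: routinely off-site for mobile working
MAX_OFFSITE_DAYS = {"public": 90, "internal": 30, "confidential": 7, "restricted": 0}  # 0 = never leaves site


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str
    classification: str
    owner: str


@dataclass
class Removal:
    asset: Asset
    taken_by: str
    taken_on: date
    due_back: date
    approved_by: Optional[str]
    returned_on: Optional[date] = None


class RemovalRegister:
    def __init__(self, assets):
        self.assets = {a.asset_id: a for a in assets}
        self.removals = []

    def needs_approval(self, asset):
        """Non-routine kinds and confidential assets need a second person to authorise."""
        return asset.kind not in ROUTINE_TYPES or asset.classification == "confidential"

    def request_removal(self, asset_id, taken_by, taken_on, days, approved_by=None):
        """Record an authorised removal or refuse it; returns the Removal record."""
        asset = self.assets[asset_id]
        limit = MAX_OFFSITE_DAYS[asset.classification]
        if limit == 0:
            raise PermissionError(f"{asset_id} is {asset.classification} and may not leave site")
        if days > limit:
            raise ValueError(f"{days} days exceeds the {limit}-day limit for {asset.classification} assets")
        if any(r.asset.asset_id == asset_id and r.returned_on is None for r in self.removals):
            raise ValueError(f"{asset_id} is already off-site")
        # Self-approval is not approval: the approver must be a different person.
        if self.needs_approval(asset) and (approved_by is None or approved_by == taken_by):
            raise PermissionError(f"{asset_id} requires approval by someone other than {taken_by}")
        removal = Removal(asset, taken_by, taken_on, taken_on + timedelta(days=days), approved_by)
        self.removals.append(removal)
        return removal

    def record_return(self, asset_id, returned_on):
        """Close the open removal for an asset (the 'check return' step)."""
        for r in self.removals:
            if r.asset.asset_id == asset_id and r.returned_on is None:
                r.returned_on = returned_on
                return r
        raise ValueError(f"{asset_id} is not recorded as off-site")

    def overdue(self, today):
        """Assets still off-site past their due date, for chasing and incident review."""
        return sorted(r.asset.asset_id for r in self.removals
                      if r.returned_on is None and r.due_back < today)


if __name__ == "__main__":
    reg = RemovalRegister([Asset("LT-001", "laptop", "internal", "alice"),
                           Asset("HSM-01", "hsm", "confidential", "secops")])
    reg.request_removal("LT-001", "alice", date(2024, 3, 1), 14)
    reg.request_removal("HSM-01", "bob", date(2024, 3, 1), 5, approved_by="carol")
    print("overdue on 2024-03-10:", reg.overdue(date(2024, 3, 10)))
```

The register is the evidence the auditor asks for: every non-routine removal carries who took it, who approved it and when it was due back, and the overdue list is what the "check return" step actually runs on.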
A.11.2.6 Security of Equipment & Assets Off-Premises
Security controls need to be applied to off-site assets, taking into account the different risks involved in working outside the organisation's premises. This is a common area of vulnerability, so it is important that an appropriate level of control is implemented and tied into the other mobile controls and policies for home workers etc. Considerations should be made and risk assessments carried out for assets that are taken off-site, either routinely or by exception. Controls will likely include a mixture of: technical controls such as access control policies, password management and encryption; physical controls such as Kensington locks; and policy and process controls such as an instruction never to leave assets unattended in public view (e.g. lock them out of sight in the boot of the car). It is particularly important to review security incident trends relating to off-site assets. The auditor will expect to see evidence of this risk assessment taking place and of proportionate controls selected according to the evaluated risk levels. They will also expect to see evidence of policy compliance.
A.11.2.7 Secure Disposal or Re-Use of Equipment
All items of equipment, including storage media, should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. This is another area of common vulnerability, where many incidents have arisen from poor disposal or re-use practices. If equipment that contained sensitive information is being disposed of, it is critical that data-bearing devices and components are either physically destroyed or securely wiped using appropriate tools and technologies. If equipment is going to be re-used, any previous data and installed software must be securely "wiped" and the device returned to a known "clean" state. Note that overwriting from the host is not reliable on SSDs and other flash media, because wear-levelling keeps blocks the host cannot address; for those, use the drive's own sanitize or secure-erase function, or full-disk encryption followed by destruction of the key, and verify the result. Depending on the sensitivity of the data held on equipment being destroyed, it may be necessary to ensure physical destruction, and this should be done using a process that can be fully audited. Third-party companies are often used for disposal; if so, it is essential that an appropriate "certificate of destruction" is provided. Powerful customers may expect to see this too if you have been holding valuable customer data and your contract with them specifies secure destruction. For this control, the auditor will be looking to see that appropriate technologies, policies and processes are in place, and that there is evidence that destruction or secure erasure has been carried out correctly when required (tied back to decommissioning in your information asset inventory where relevant too).
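The control asks that equipment be verified, not just wiped. The following is an added example (not code from the ISMS.online page or product) of the verification step run against a drive image after the wipe: it scans every sector-aligned position for leftover partition and filesystem structures (an MBR, a GPT header, an NTFS volume, an ext2/3/4 superblock), then checks that the bytes look like what the wipe method should have left, all zeros for a zero-fill or near-8-bit entropy for a random overwrite or crypto-erase. The sample images are constructed in the script; the signature checks and the entropy threshold are assumptions chosen to keep false positives negligible, and the wipe itself is assumed to have been done with the drive's own sanitize or secure-erase feature or a dedicated tool.

```python
"""Post-wipe verification of a drive image for A.11.2.7.

Added example, not from the ISMS.online page. The wipe is done elsewhere (the
drive's sanitize/secure-erase feature or a dedicated tool); this only checks the
result. The signature checks, thresholds and sample images are assumptions.
"""
import math
import os

SECTOR = 512


def _mbr(image, s):
    """Boot signature 0x55AA at 0x1FE and every partition-entry boot flag 0x00 or 0x80."""
    if image[s + 0x1FE:s + 0x200] != b"\x55\xAA":
        return False
    return all(image[s + 0x1BE + 16 * i] in (0x00, 0x80) for i in range(4))


def _gpt(image, s):
    return image[s:s + 8] == b"EFI PART"


def _ntfs(image, s):
    return image[s + 3:s + 11] == b"NTFS    "


def _ext(image, s):
    """ext2/3/4 superblock at partition+1024: magic 0xEF53 and a sane block-size exponent."""
    if image[s + 0x438:s + 0x43A] != b"\x53\xEF":
        return False
    return int.from_bytes(image[s + 0x418:s + 0x41C], "little") <= 6


CHECKS = [("MBR/VBR boot sector", _mbr), ("GPT header", _gpt),
          ("NTFS volume", _ntfs), ("ext2/3/4 superblock", _ext)]


def scan_signatures(image):
    """Report leftover partition/filesystem structures at any sector-aligned position."""
    hits = []
    for start in range(0, len(image), SECTOR):
        for name, check in CHECKS:
            if check(image, start):
                hits.append(f"{name} at offset 0x{start:X}")
    return hits


def shannon_entropy(data):
    """Bits of entropy per byte; 0 for all-zeros, close to 8 for random data."""
    n = len(data)
    ent = 0.0
    for c in (data.count(b) for b in range(256)):
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent


def verify_wipe(image, expect="zero"):
    """Return (passed, findings). expect is "zero" (zero-fill) or "random" (random overwrite or crypto-erase)."""
    findings = scan_signatures(image)
    nonzero = (len(image) - image.count(0)) / len(image)
    if expect == "zero" and nonzero > 0:
        findings.append(f"{nonzero:.4%} of bytes are non-zero; expected an all-zero image")
    elif expect == "random":
        ent = shannon_entropy(image)
        if ent < 7.9:   # assumed threshold; a 1 MiB random sample sits at ~7.999
            findings.append(f"byte entropy {ent:.2f} bits; expected close to 8 for a random overwrite")
    return (not findings, findings)


def _build_dirty_image(size):
    """Constructed 'quick-formatted but not wiped' image: leftover MBR, ext4 superblock, file data."""
    img = bytearray(size)
    img[0x1BE] = 0x80                       # first partition entry marked bootable
    img[0x1FE:0x200] = b"\x55\xAA"          # MBR boot signature
    p = 0x20000                              # a partition that started at sector 256
    img[p + 0x418:p + 0x41C] = (2).to_bytes(4, "little")   # 4 KiB blocks
    img[p + 0x438:p + 0x43A] = b"\x53\xEF"                  # ext magic
    img[0x40000:0x40000 + 12] = b"CONFIDENTIAL"             # residual file content
    return bytes(img)


IMAGE_SIZE = 1 << 20                         # 1 MiB samples, constructed for the example
ZEROED_IMAGE = bytes(IMAGE_SIZE)
RANDOM_IMAGE = os.urandom(IMAGE_SIZE)
DIRTY_IMAGE = _build_dirty_image(IMAGE_SIZE)


if __name__ == "__main__":
    for label, img, expect in (("zeroed", ZEROED_IMAGE, "zero"),
                               ("random", RANDOM_IMAGE, "random"),
                               ("dirty", DIRTY_IMAGE, "zero")):
        passed, findings = verify_wipe(img, expect)
        print(label, "PASS" if passed else "FAIL", findings)
```

On a real drive the same functions run over the block device (read in chunks rather than one bytes object), and the pass/fail output goes into the decommissioning record for the asset alongside the certificate of destruction. The dirty sample shows why a "quick format" is not a wipe: the partition table and superblock are still there, and so is the file content.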
A.11.2.8 Unattended User Equipment
As with securing offices, users must ensure that unattended equipment has appropriate protection, even if that is just a password and lock screen for basic information security. It is common sense to protect equipment when leaving it unattended; however, what is needed will depend on the level of trust placed in the location where the device is being left (e.g. hotel bedrooms, conference venues etc.). Organisational premises need to be considered too if there is a risk, e.g. a high volume of visitor traffic, or hot desking by frequently changing staff with differing roles. If equipment is being left overnight where cleaning and other contractors may have access out of normal office hours, it is important to consider the risks of theft and tampering and apply sensible and adequate controls. Policies, processes and awareness programmes should be in place to ensure that users are aware of their responsibilities when leaving equipment unattended, either within the organisation or outside if mobile. The auditor will be looking to see that layers of control are in place that are appropriate to the risk levels and that there is evidence of compliance checking (e.g. walk-around inspections after hours or during lunch breaks are a popular one for onsite audits).
A.11.2.9 Clear Desk & Screen Policy
Operating procedures for papers and removable storage media, and a clear screen policy for information processing facilities, should generally be adopted unless the other controls in place and the assessed risks mean they are not required. Clear desk and clear screen policies are considered good practice and are relatively simple to implement; however, in some time-sensitive operational environments they may not be practical. In that case other controls designed to manage the risks can be implemented instead. For example, if an office has a strong level of physical access control with very little visitor and external contractor traffic then such controls may be deemed unnecessary; however, the risk of "insider threat" may still be relevant and may be at unacceptable levels. Ultimately, as with all security considerations, the decision on whether or not to implement clear desk and clear screen policies should be based on risk assessment. The auditor will be looking to see how the decisions to implement or not implement clear desk and clear screen policies were made and reviewed at an appropriate frequency. If such policies are in place, they will be looking for evidence of compliance testing and the reporting and management of any breaches.
How does ISMS.online help with Physical & Environmental Security?
ISMS.online makes this control objective easy to describe and manage thereafter. Our template policies prompt areas of consideration, and the optional Virtual Coach service goes deeper on the areas you should be considering too.
The Risk tool makes it easy to add any possible risks, score them on their likelihood and potential impact, and then decide how much action you need to take to mitigate the risk. Controls in use can then be neatly tied back to the information asset inventory, and any reliance on outsourced suppliers that affect your physical security can be managed in the supplier accounts area too.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement