
What Is Control 7.3?

Control 7.3 in the new ISO 27002:2022 covers the need for designing and implementing physical security for offices, rooms and facilities.

This control was designed to encourage organisations to put appropriate measures in place, such as locks, alarms, security guards or other suitable means, to prevent unauthorised access to rooms, offices and facilities, especially where sensitive information is handled, and so to prevent the information security incidents that such access can cause.

Physical Security for Offices, Rooms and Facilities Explained

Physical security is a critical element of information security. The two go hand in hand and must be considered together. Information security is the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.

Physical security refers to protective measures taken to safeguard personnel, facilities, equipment and other assets against natural or man-made hazards by reducing risks related to burglary, sabotage, terrorism and other criminal acts.

The first step in physical security for information-sensitive locations is determining whether you have one. Information-sensitive locations are rooms, offices and facilities where there are computers that contain sensitive data, or where there are people who have access to sensitive data.

Physical security can include:

Locks and Keys

Locking doors, windows and cupboards; using security seals on laptops and mobile devices; password protection for computers; encryption for sensitive data.

CCTV

Closed circuit television cameras are an excellent way of monitoring activity around premises or in specific areas of a building.

Intruder Alarms

These can be activated by movement, heat or sound and are used to alert you to intruders or people who shouldn’t be in a particular area (for example, an alarm sounding when someone tries to break into the office).

Attributes Table of Control 7.3

Attributes allow you to rapidly match your control selection with typical industry specifications and terminology. The following attributes are assigned to control 7.3.

Control Type: #Preventative
Information Security Properties: #Confidentiality, #Integrity, #Availability
Cybersecurity Concepts: #Protect
Operational Capabilities: #Supplier Relationships Security
Security Domains: #Governance and Ecosystem, #Protection







What Is the Purpose of Control 7.3?

The purpose of Control 7.3 is to prevent unauthorised physical access, damage and interference to the organisation’s information and other associated assets in offices, rooms and facilities.

The main purpose of Control 7.3 is to reduce the level of risk of unauthorised physical access to offices, rooms, and facilities, to an acceptable level by:

  • Preventing unauthorised physical access to offices, rooms and facilities by persons other than authorised personnel.
  • Preventing damage to, or interference with, the organisation’s information and other associated assets inside offices, rooms and facilities.
  • Ensuring that any information security sensitive areas are unobtrusive, making it hard for people to determine their purpose.
  • Minimising the risk of theft or loss of property within offices, rooms and facilities.
  • Ensuring that people who have authorised physical access are identified (this can be achieved by using a combination of uniform badges, electronic door entry systems and visitor passes).
  • Using CCTV or other monitoring devices, where possible, to provide security surveillance over key areas such as entrances and exits.

Control 7.3 applies to all buildings used by the organisation for offices or administrative functions. It also applies to rooms where confidential information is stored or processed, including meeting rooms where sensitive discussions take place.

It does not apply to reception areas or other public areas of an organisation’s premises unless they are used for administrative purposes (e.g. a reception area that doubles as an office).

What Is Involved and How to Meet the Requirements

Control 7.3 specifies that rooms and facilities must be secured. According to the control guidelines in ISO 27002:2022, the following security measures can be taken to ensure that rooms and facilities are secure:

  • Siting critical facilities to avoid access by the public.
  • Where applicable, ensuring buildings are unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.
  • Configuring facilities to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate.
  • Not making directories, internal telephone books and online accessible maps identifying locations of confidential information processing facilities readily available to any unauthorised person.

You can get more information on what is involved in meeting the requirements for the control in the ISO 27002:2022 standard document.

Changes and Differences from ISO 27002:2013

ISO 27002 was originally published in 2013; the revised 2022 edition was released on February 15, 2022.

Control 7.3 is not a new control. It is a modified version of control 11.1.3 in ISO 27002:2013. A major difference between the 2013 and 2022 versions is the change in control number: control 11.1.3 was replaced with 7.3. Apart from that, the context and meaning are largely the same, even though the phraseology is different.

Another difference between both controls is that the 2022 version comes with an attributes table and statement of purpose. These sections are not available in the 2013 version.


Who Is in Charge of This Process?

The first person to consider when it comes to securing offices, rooms and facilities is the individual who has the most control over the physical building and its contents. This person is typically the facility manager or director.

Then there’s the security manager. The security manager is responsible for making sure that all areas are secure, including the office spaces and facilities. The security manager is also in charge of keeping track of all employees who have access to these areas and making sure they’re using their access appropriately.

In some cases, however, multiple people share responsibility for security. For example, when an individual has access to sensitive information that could be used against the company’s interests or against other employees’ personal lives, it is important to have multiple people involved in protecting it.

An HR department may handle employee insurance policies and benefits while IT handles computer systems and networks; both departments may have a hand in managing physical safety as well as cyber security concerns such as phishing scams and unauthorised access attempts.

What Do These Changes Mean for You?

No major changes are required to comply with the most recent version of ISO 27002.

You should, however, assess your current information security solution to ensure that it complies with the revised standard. If you’ve made any modifications since the last edition was released in 2013, it’s worth revisiting those adjustments to determine if they’re still relevant or if they need to be updated.

New ISO 27002 Controls

New Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.7 NEW Threat intelligence
5.23 NEW Information security for use of cloud services
5.30 NEW ICT readiness for business continuity
7.4 NEW Physical security monitoring
8.9 NEW Configuration management
8.10 NEW Information deletion
8.11 NEW Data masking
8.12 NEW Data leakage prevention
8.16 NEW Monitoring activities
8.23 NEW Web filtering
8.28 NEW Secure coding
Organisational Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.1 05.1.1, 05.1.2 Policies for information security
5.2 06.1.1 Information security roles and responsibilities
5.3 06.1.2 Segregation of duties
5.4 07.2.1 Management responsibilities
5.5 06.1.3 Contact with authorities
5.6 06.1.4 Contact with special interest groups
5.7 NEW Threat intelligence
5.8 06.1.5, 14.1.1 Information security in project management
5.9 08.1.1, 08.1.2 Inventory of information and other associated assets
5.10 08.1.3, 08.2.3 Acceptable use of information and other associated assets
5.11 08.1.4 Return of assets
5.12 08.2.1 Classification of information
5.13 08.2.2 Labelling of information
5.14 13.2.1, 13.2.2, 13.2.3 Information transfer
5.15 09.1.1, 09.1.2 Access control
5.16 09.2.1 Identity management
5.17 09.2.4, 09.3.1, 09.4.3 Authentication information
5.18 09.2.2, 09.2.5, 09.2.6 Access rights
5.19 15.1.1 Information security in supplier relationships
5.20 15.1.2 Addressing information security within supplier agreements
5.21 15.1.3 Managing information security in the ICT supply chain
5.22 15.2.1, 15.2.2 Monitoring, review and change management of supplier services
5.23 NEW Information security for use of cloud services
5.24 16.1.1 Information security incident management planning and preparation
5.25 16.1.4 Assessment and decision on information security events
5.26 16.1.5 Response to information security incidents
5.27 16.1.6 Learning from information security incidents
5.28 16.1.7 Collection of evidence
5.29 17.1.1, 17.1.2, 17.1.3 Information security during disruption
5.30 NEW ICT readiness for business continuity
5.31 18.1.1, 18.1.5 Legal, statutory, regulatory and contractual requirements
5.32 18.1.2 Intellectual property rights
5.33 18.1.3 Protection of records
5.34 18.1.4 Privacy and protection of PII
5.35 18.2.1 Independent review of information security
5.36 18.2.2, 18.2.3 Compliance with policies, rules and standards for information security
5.37 12.1.1 Documented operating procedures
People Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
6.1 07.1.1 Screening
6.2 07.1.2 Terms and conditions of employment
6.3 07.2.2 Information security awareness, education and training
6.4 07.2.3 Disciplinary process
6.5 07.3.1 Responsibilities after termination or change of employment
6.6 13.2.4 Confidentiality or non-disclosure agreements
6.7 06.2.2 Remote working
6.8 16.1.2, 16.1.3 Information security event reporting
Physical Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
7.1 11.1.1 Physical security perimeters
7.2 11.1.2, 11.1.6 Physical entry
7.3 11.1.3 Securing offices, rooms and facilities
7.4 NEW Physical security monitoring
7.5 11.1.4 Protecting against physical and environmental threats
7.6 11.1.5 Working in secure areas
7.7 11.2.9 Clear desk and clear screen
7.8 11.2.1 Equipment siting and protection
7.9 11.2.6 Security of assets off-premises
7.10 08.3.1, 08.3.2, 08.3.3, 11.2.5 Storage media
7.11 11.2.2 Supporting utilities
7.12 11.2.3 Cabling security
7.13 11.2.4 Equipment maintenance
7.14 11.2.7 Secure disposal or re-use of equipment
Technological Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
8.1 06.2.1, 11.2.8 User endpoint devices
8.2 09.2.3 Privileged access rights
8.3 09.4.1 Information access restriction
8.4 09.4.5 Access to source code
8.5 09.4.2 Secure authentication
8.6 12.1.3 Capacity management
8.7 12.2.1 Protection against malware
8.8 12.6.1, 18.2.3 Management of technical vulnerabilities
8.9 NEW Configuration management
8.10 NEW Information deletion
8.11 NEW Data masking
8.12 NEW Data leakage prevention
8.13 12.3.1 Information backup
8.14 17.2.1 Redundancy of information processing facilities
8.15 12.4.1, 12.4.2, 12.4.3 Logging
8.16 NEW Monitoring activities
8.17 12.4.4 Clock synchronization
8.18 09.4.4 Use of privileged utility programs
8.19 12.5.1, 12.6.2 Installation of software on operational systems
8.20 13.1.1 Networks security
8.21 13.1.2 Security of network services
8.22 13.1.3 Segregation of networks
8.23 NEW Web filtering
8.24 10.1.1, 10.1.2 Use of cryptography
8.25 14.2.1 Secure development life cycle
8.26 14.1.2, 14.1.3 Application security requirements
8.27 14.2.5 Secure system architecture and engineering principles
8.28 NEW Secure coding
8.29 14.2.8, 14.2.9 Security testing in development and acceptance
8.30 14.2.7 Outsourced development
8.31 12.1.4, 14.2.6 Separation of development, test and production environments
8.32 12.1.2, 14.2.2, 14.2.3, 14.2.4 Change management
8.33 14.3.1 Test information
8.34 12.7.1 Protection of information systems during audit testing

How ISMS.Online Helps

Our platform has been developed specifically for those who are new to information security or need an easy way to learn about ISO 27002 without having to spend time learning from scratch or reading through lengthy documents.

ISMS.Online comes equipped with all the tools needed for achieving compliance, including document templates, checklists and policies, which can be customised according to your needs.

Want to see how it works?

Get in touch today to book a demo.


Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.
