ISO/IEC 27001:2022 provides a comprehensive framework for managing information security risks, with Annex A outlining a set of 93 controls categorised into organisational, technological, people, and physical controls. Whilst technological and organisational controls often receive the most attention, the 14 physical security controls included in the Standard are equally important in protecting an organisation’s people, assets, and sensitive information. *
In this blog, we will explore the physical security controls included in ISO 27001’s Annex A, outlining their importance, key themes, and practical guidance on preparing for an audit of these controls.
*To learn more about the technological control theme, read our blog on Implementing Technological Controls in ISO 27001.
Why are the physical security controls important?
Like the organisational, people and technological controls, physical security controls enable your organisation to protect its people, assets and data from threats. Physical security measures complement your security measures in other areas, such as personal data, information handling, communications, and IT. Whilst other information security controls are often regarded as largely being the responsibility of the IT Department, a number of physical security controls in ISO 27001:2022 are relevant to all employees. These controls can serve as an effective method for you to promote and sustain a strong security culture across your organisation.
Every employee can help protect themselves and others by preventing unauthorised access to your premises, and no amount of investment in physical security will be effective without fostering an appropriate security culture. It only takes one person being tailgated or an unsecured reception area to compromise your entire organisation. Physical security controls will help to mitigate these risks, enabling you to protect equipment, information, intellectual property, personnel and stakeholder data, as well as helping you to maintain customers’ and other stakeholders’ trust.
One of the mandatory clauses (Clause 7.3 Awareness) of ISO 27001 requires that ‘persons doing work under the organisation’s control shall be aware of their contribution to the effectiveness of the information security management system (ISMS), including the benefits of improved information security performance’. A recognised best practice is to include physical security as part of your training and awareness programme to ensure your people and partners understand your organisation’s security risks and physical security policies, adopt the right security behaviours, and are encouraged to speak up about security issues or incidents.

Effective physical security controls encourage your people to report emerging concerns or near misses. To assist the growth of a healthy security culture, it is useful to positively reinforce security behaviour and ensure employees know they won’t be viewed as troublemakers if they flag a security concern.
What are the different types of physical controls?
The physical security controls can be organised into three categories:
Deterrent Controls – Measures designed to discourage potential intruders, such as visible security cameras and bright lighting, or physical entry controls such as barriers, gates or a staffed reception. Deterrent controls also include your security policies and the fact that a disciplinary procedure may be invoked.
Detective Controls – Systems that detect unauthorised access attempts, such as alarms and motion sensors, supported by physical security monitoring, e.g., security guards or CCTV. Personnel also act as a detective control, for example when they identify someone in a particular area who isn’t authorised to be there and report it, when they identify that a key has been left in the lock of a secure cupboard, or any other situation that could lead to a security incident.
Preventive Controls – Physical barriers and access control mechanisms that actively prevent unauthorised entry. This can include fences, staffed gate houses and building access control systems. Other preventive controls can be applied internally, for example clear desk and clear screen rules to ensure sensitive information is not freely available. Laptops and desktop computers can also be positioned in a manner that prevents unauthorised individuals from viewing the information by ensuring the screens are angled away from windows. Meanwhile, screen covers can be used to ensure information is only visible to the intended user, and not to anyone viewing from the side or at an angle. Some environmental controls are also preventive in nature, such as maintenance programmes that prevent equipment from malfunctioning and insulation on water pipes to prevent them from bursting when temperatures drop below freezing.
Hints and tips on preparing for an audit of ISO 27001 Annex A physical controls
As with any ISO 27001 audit, an auditor reviewing your physical controls is looking for objective evidence that the requirements of ISO 27001 are understood, documented and effectively managed, so that they satisfy the requirements not only of the Standard but also of your organisation.

Below are the physical security controls and some hints on how to prepare for an audit.
7.1 Physical security perimeters
For this control, the auditor will be observing physical security perimeters upon their arrival at your organisation’s premises, particularly if it has a perimeter fence or access barrier. They may even embark on a physical tour of the site to inspect the perimeter. Different organisations will have different thoughts on what constitutes a perimeter. There may not be a perimeter fence or barrier in some locations, such as buildings accessible directly from a high street. In this case, the perimeter becomes the outside fabric of the building (essentially the brickwork or other material that forms the building’s external structure) and includes things like perimeter CCTV systems to deter and to detect any intruders.
7.2 Physical entry
As with Control 7.1, as soon as an auditor arrives on site, they will be observing how physical entry to the organisation is managed, or this may form part of a site tour. An auditor may even arrive early and attempt to gain access to your premises through tailgating or through some form of social engineering (tricking their way past security or reception). The auditor may have unrestricted access to a reception area but be unable to proceed any further, or they may be required to wait outside until given access. A good practice is to ensure that employees are aware of the audit and are expecting a visitor. There should be processes in place that ensure everyone is aware of how to handle visitors, including the use of visitor log books, visitor badges and escorts.
Your organisation may have a physical entry system where employees require swipe cards or key fobs to gain entry. The auditor will be interested to observe the physical entry system and the type of information it provides, such as who is allowed access to which parts of the building, how swipe card provision works and what happens if a member of staff arrives at work and has forgotten their pass, so it will be beneficial to have a member of staff available who can demonstrate the system and its reporting.
7.3 Securing offices, rooms and facilities
For this control (and for all the physical security controls), you should be prepared to give the auditor a site tour or a walk around the office. Doing so will allow the auditor to observe whether there are any secure rooms and who has access to them, and whether there are any supporting facilities that will be considered for Control 7.11 and 7.13. As mentioned above, it is advisable to inform employees in advance that the audit will involve a tour, and it may be useful to complete the tour yourself prior to the audit in case there are areas you cannot access and to ensure you can explain how offices, rooms and facilities are secured. For example, if there is a room not in use, what checks are made to ensure that unauthorised activity is not taking place within it? If there are areas where activity is taking place that is highly confidential, what controls are in place to prevent unauthorised observation of the activity?
7.4 Physical security monitoring
If an organisation has CCTV or a security guard, the auditor will already be aware of this when they arrive. Their focus during the audit will be on understanding which individuals have access to the CCTV footage, the retention period of the footage, and the coverage of the CCTV cameras. For a security guard, they may be interested in the guard’s responsibilities, whether they have awareness of your organisation’s ISMS and, if an incident occurs, how this will be reported and managed. Don’t forget that monitoring is not all about unauthorised access; it also extends to environmental protection, such as the monitoring of smoke and fire detection systems.
7.5 Protecting against physical and environmental threats
For this Control, the auditor will be observing whether your organisation has considered the potential risks associated with any identified physical threat. For example, if your organisation’s site is located in an area with a high crime rate, the auditor will want to verify that you have assessed the potential risk of theft, vandalism, or intrusion and implemented appropriate measures to mitigate this risk, such as installing security alarms, CCTV, external security lighting, and securing all windows and doors. In some cases, it may be necessary to employ security guards who protect the building around the clock.
For environmental threats, the auditor will focus on how threats such as the risk of fire are managed, usually via fire alarms, fire exits, fire drills and fire-fighting equipment (e.g., fire extinguishers). Evidence of regular fire alarm and fire extinguisher maintenance will be required, as well as evidence of regular fire drills taking place. As such, it’s important to ensure prior to the audit that these processes are being followed, and that you can evidence this; when did you last have an evacuation test? Did you document the results so that you can use it as evidence during an audit?
7.6 Working in secure areas
By definition, any area that exists behind a locked or security-controlled door is a secure area. Therefore, it is likely that even the open office space should be regarded as a secure area, and so it is expected that you will have defined how people behave in that area. For example, you may not allow personnel to have phones, bags or coats at their desks to reduce the likelihood that confidential information could be taken away from the workplace. A physical security policy will define such behaviours, and will include other controls such as clear desk and clear screen requirements, handling of visitors and evacuation procedures. If your organisation has other secure working areas such as an IT comms room, you will need to demonstrate how these secure areas are managed; for example, you may have lone worker rules and signage displayed in and around the secure area, individuals may need to submit a request in order to access it, and entry and exit logs for the secure area may be required. CCTV systems may also be used both inside and outside the secure area, as well as elevated door access control systems that only allow a small number of authorised personnel to have access.
7.7 Clear desk and clear screen
Clear desk and clear screen requirements are highly effective in demonstrating to an auditor that your organisation has embedded a strong security culture. The auditor will notice this as they move around your premises and observe the employees’ behaviour when they leave their workstation. The auditor will also be interested to review your organisation’s clear desk and clear screen policy to understand the requirements employees are expected to meet, and may assess employees’ knowledge of these requirements during interactions with people around the site. Another aspect that tends to fall under the heading of clear desk and clear screen is the need to keep printers and fax machines clear of printed material.
7.8 Equipment siting and protection
During the site tour, the auditor will be noting the position of company equipment such as laptops and desktop computers to identify whether their positioning would enable unauthorised individuals to view the information displayed. As discussed previously, you should consider fitting devices with screen covers and/or ensuring the screens are angled away from windows. Tinted exterior windows will also prevent people outside or in a neighbouring building overlooking sensitive information. Conducting regular site tours, outside of your scheduled physical control audits, is an effective means of establishing whether there are any equipment siting concerns.
Equipment protection may include measures such as securely locking company laptops to the desk whilst in use, or having encryption software installed along with unique access credentials (e.g., username and password protection).
For server and communications rooms, the auditor will expect to see that important equipment such as servers, firewalls, switches, routers, etc., are located where they receive the best protection, for example in a dedicated rack designed for the purpose with appropriate power supply, fire protection and air conditioning.
7.9 Security of assets off-premises
Here, the auditor will be looking for evidence that company assets are protected when off site, which may be similar to the measures implemented for the ‘equipment protection’ aspect of Control 7.8, i.e., the installation of encryption software on company assets and unique access credentials such as username and password protection. You will also need to explain your organisation’s requirements for how assets are to be protected when off site, and how these requirements are communicated to all relevant employees. Generally, the most effective method of communicating these security requirements to employees is through your organisation’s information security policies, such as an acceptable use policy, and through related training and awareness. Personnel will be required to ensure the physical protection of any assets they take off site, such as laptops. This includes ensuring that the asset is never left unattended whilst travelling, that it isn’t visible on the car seat if driving, and that it is left in a secure place when not in use.
7.10 Storage media
If your organisation has established rules and requirements for the use of storage media, such as USB ports on devices being blocked by default, the auditor will want to observe that these rules and requirements have been effectively implemented and are being followed. They may ask to observe that an employee’s device cannot use the USB ports, or they may want evidence that this function is blocked within the device’s setup configuration.
If storage media is allowed to be used in your organisation, then personnel need to understand how to use it properly and how to protect it. Storage media such as USB storage devices should not be used to store information on a long-term basis. They are best used as communications tools, to enable the transfer of information from one device to another. Once the task is complete, the information should be deleted, thus removing the risk of unauthorised access. If you have no choice but to use such a device for storage, ensure it is encrypted to prevent unauthorised access to the contents if it were to become lost or stolen.
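The kind of configuration evidence an auditor may ask for under Control 7.10 can be collected from an endpoint with a short script. The following PowerShell is an added example written for this blog post, not code from the original article or from URM: it assumes Windows endpoints on which removable USB storage is blocked either by disabling the USBSTOR driver or by the ‘Removable Storage Access: Deny all access’ policy (the two registry locations used below are the standard ones Windows uses for those settings), and, where removable media is still permitted, it records the BitLocker status of any removable drive currently attached. The output file path is an assumption; place it wherever your audit evidence pack lives.

```powershell
# Added example (not from the original post): gather evidence for an ISO 27001
# Control 7.10 audit that removable USB storage is blocked and, where it is
# allowed, that attached removable drives are encrypted.
# Assumes a Windows endpoint; run in an elevated PowerShell session so that
# the BitLocker and Storage cmdlets can query volume state.

function Get-UsbStorageBlockEvidence {
    # USBSTOR driver start type: 4 = disabled (USB mass-storage driver will not
    # load), 3 = start on demand (removable storage allowed).
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue

    # Group Policy 'All Removable Storage classes: Deny all access', if configured.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                               -Name Deny_All -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        CheckedAt              = (Get-Date).ToString('s')
        UsbStorDriverStart     = if ($usbstor) { $usbstor.Start } else { 'value not present' }
        UsbStorDriverDisabled  = [bool]($usbstor -and $usbstor.Start -eq 4)
        RemovableDenyAllPolicy = if ($policy) { [bool]$policy.Deny_All } else { $false }
        # Either mechanism is sufficient evidence that USB storage is blocked.
        UsbStorageBlocked      = [bool](($usbstor -and $usbstor.Start -eq 4) -or ($policy -and $policy.Deny_All -eq 1))
    }
}

function Get-RemovableDriveEncryptionEvidence {
    # Only meaningful where removable media is permitted: for each removable
    # volume with a drive letter, record whether BitLocker protection is on.
    $removable = Get-Volume -ErrorAction SilentlyContinue |
                 Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive                = $mount
            FileSystemLabel      = $vol.FileSystemLabel
            BitLockerProtection  = if ($bl) { $bl.ProtectionStatus } else { 'BitLocker not available' }
            EncryptionPercentage = if ($bl) { $bl.EncryptionPercentage } else { $null }
            Encrypted            = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
        }
    }
}

function Export-StorageMediaEvidence {
    # Assumed output location for the evidence pack; adjust to suit your ISMS.
    param([string]$Path = (Join-Path $env:TEMP "storage-media-evidence-$($env:COMPUTERNAME).json"))

    $report = [pscustomobject]@{
        UsbStorage      = Get-UsbStorageBlockEvidence
        RemovableDrives = @(Get-RemovableDriveEncryptionEvidence)
    }
    $report | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
    Write-Host "Evidence written to $Path"
    return $report
}

# Usage: run on the endpoint being audited and keep the JSON with the audit records.
Export-StorageMediaEvidence | Format-List
```

The JSON file is dated and tied to the host name, so it can be filed alongside the policy that mandates the setting; a device on which `UsbStorageBlocked` is false but `RemovableDrives` shows unencrypted media is exactly the gap the auditor would raise.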
7.11 Supporting utilities
For this control, you will need to demonstrate that your organisation has considered the impact of a power failure or loss of communication, such as telephone lines or internet access. This may include having a backup generator or uninterruptible power supply (UPS) batteries in place to maintain operations in the event of a power outage. You may also benefit from having separate telephone lines to provide communication continuity if one line is down. Even your water supply should be considered as part of this control, as failure of supply could lead to issues not only for your personnel but for other elements, such as air conditioning.
7.12 Cabling security
During the site tour, the auditor will be considering how the organisation has approached cable security. For example, you may have organised all cables carrying power or data securely underground or overhead. How are these cables protected from interception or damage? Also, best practice dictates that, where possible, power cables and data cables should be separated, as this reduces data interference from the electromagnetic radiation that emanates from power cables.
Within the comms room, the auditor will be interested in seeing how you manage your cabling. Is it labelled so that it is easy to see what cables are being used for which purpose? Is it well managed, in terms of being neat and tidy? This is not only for aesthetic reasons; untidy cables can hang down onto cables below them in the rack, which causes stress to those cables and may eventually lead to them failing. Are there any cables that are strung between cabinets at head height or across the floor, causing potential health and safety risks?
7.13 Equipment maintenance
The auditor may observe the equipment your organisation has installed, such as security and fire alarms, fire prevention systems, fire extinguishers, air conditioning systems, backup generators or UPS batteries, and it is good practice to be able to evidence any service/maintenance records of this equipment. You may also benefit from, prior to the audit, establishing whether this equipment is your organisation’s responsibility or the responsibility of the building landlord, and whether you can obtain evidence of equipment maintenance from them.
7.14 Secure disposal or re-use of equipment
You will need to be able to demonstrate a documented process for managing secure disposal or re-use of company equipment, such as laptops, and it is good practice to include this process within an asset management policy. The auditor may request evidence that returned devices are retained in a secure location, that information is securely removed from the device before disposal, and that the device is tracked via asset management, demonstrating whether it was disposed of or re-used. If a third-party secure disposal company is used, then evidence of records for disposal will also be required.
Closing Thoughts
Physical security controls are a key component of an effective ISMS. Despite sometimes being overlooked in the context of ISO 27001 due to the Standard often being associated with technical and IT-related aspects of information security, physical security threats can have impacts as significant as those created by technical or cyber threats. As such, effective implementation of the physical security controls contained in Annex A of ISO 27001 will not only help ensure your organisation’s conformance and lead to a successful audit, but will also play a critical role in maintaining the security culture of your organisation and protecting its information.
How URM can Help
With 20 years of experience assisting organisations’ ISO 27001 implementation and over 400 successful certification projects behind us, URM is ideally positioned to support your organisation with any aspect of its conformance/certification to the Standard. Our large team of information security practitioners can offer your organisation a wide range of consultancy services to help you achieve full conformance with the Standard; for example, we can begin by conducting an ISO 27001 gap analysis, where we review your existing information security programme to understand what work is required for you to meet ISO 27001 requirements. Utilising our proven risk assessment tool, Abriska 27001, we can also help you conduct your ISO 27001 risk assessment, and work with you to develop policies, processes and ISMS infrastructure which meet both the requirements of the Standard and the needs of your organisation. Once the ISMS has been implemented, URM can also provide you with a range of ISO 27001 internal audit services, from conducting an internal audit ahead of your certification assessment to ensure it is operating as intended, to planning and implementing a full 3-year ISO 27001 audit programme. Alternatively, we can also audit more specific aspects of the ISMS or particular controls.
Training
URM regularly delivers a wide range of ISO 27001 and information security-related training courses. Our Introduction to ISO 27001 Course covers all aspects of information security and the importance of ISO 27001 in safeguarding information, whilst our 2-day ISO/IEC 27001:2022 Transition Course covers both the changes seen in the latest version of the Standard and how to implement them. Or, if you would like to gain an industry-recognised information security qualification, URM regularly delivers the Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS invigilated examination.