Does ISO 27001 Cover Physical Security?November 29th, 2022 By Amber Benjamin
ISO/IEC 27001 is the international standard for maintaining an information security management system (ISMS). Implementing an ISMS is essential for any business that aims to be securely protected against security risks or data breaches.
ISO/IEC 27001 will enable your business to keep its information and data, whether it’s customer, staff, or supplier data, secure from potential threats.
These potential threats can include the following:
- Intellectual property theft
- Identity theft
- Information extortion
- Equipment or information theft
- Sabotage and hacking
- Viruses, worms, phishing attacks and trojan horses
The ISO/IEC 27001 standard aims to reduce the probability of possible threats occurring in your business. Processes will be implemented according to ISO/IEC 27001, allowing your organisation to identify hazards and take corrective actions to prevent them.
What do we mean by physical and environmental security?
Physical and environmental security refers to your organisation’s precautions to prevent physical threats. Your organisation must be protected from any danger that could happen, no matter how big or small.
Threats directed at your organisation from your physical environment can cause irreversible reputational damage and harm the safety of your clients, customers, staff, and suppliers.
Physical threats can include:
- Intentional destruction directed towards your organisation, or specific person
- Unintentional destruction
- Hardware failures from accidents or deliberate tampering
- Power failures
ISO/IEC 27001 enables your organisation to look within its physical environment and understand where there are potential non-conformities within your company. With ISO/IEC 27001’s policies, your organisation can improve and build upon the current framework you already have to establish a system with minimised flaws.
An example would be implementing a policy in which data is double-checked and stored in a location where select authorised individuals can access it. Preventative actions and strategies are in place for those who do not have access to this data to minimise the probability of threats.
Why is physical and environmental security essential for business protection?
Having a security management system in place against any physical or environmental threats is critical for maintaining good business practices regarding data and information security.
Suppose an unknown source hacks into your systems or physically gains access to your devices and software. In that case, all data and information stored on that device will become available for them to use or sabotage.
Environmental and physical threats can occur within any business that uses and stores data or information.
There are three types of personal data:
- General personal data
- Sensitive personal data
- Details of criminal offences
General personal data can include your client’s or customer’s personal information, such as names, emails, or physical addresses. Information such as passwords, security numbers, financial records, and employment details are also deemed as general personal data, among many others.
Data classified as sensitive or special category data, according to GDPR, needs a greater level of protection because it is sensitive. This data includes:
- Ethnic or racial origins
- Political, religious, or philosophical opinions
- Trade union memberships
- Genetic data
- Biometric data (where used for identification purposes)
- Health-related data
- Sex life or sexual orientation
Does ISO/IEC 27001 cover physical security?
ISO/IEC 27001 does include a section on how your organisation should be guided in the event of a data breach occurring in the physical environment of your business.
ISO/IEC 27001:2022 includes controls that are distributed across four categories; these include organisations, people, physical, and technological. Clause 7 of Annex A includes physical controls, which must be maintained to a high efficiency to protect physical security.
The environment in which data is handled should be competently assessed for non-conformities and hazards which could occur unexpectedly.
Through implementing ISO/IEC 27001 within your organisation, the probability of environmental and physical security risks occurring will be significantly reduced. You can be assured that your systems will be continually assessed to a high standard, and you can regularly maintain your business’ competency.
The controls outlined in Clause 7 or Annex A of ISO/IEC 27001:2022 are:
- 1 Physical security perimeters
- 2 Physical entry
- 3 Securing offices, rooms, and facilities
- 4 Physical security monitoring
- 5 Protecting against physical and environmental threats
- 6 Working in secure areas
- 7 Clear desk and clear screen
- 8 Equipment siting and protection
- 9 Security of assets off-premises
- 10 Storage media
- 11 Supporting utilities
- 12 Cabling security
- 13 Equipment maintenance
- 14 Secure disposal or re-use of equipment
For example, in control 7.2, physical entry controls detail that secure areas should be protected by appropriate entry controls and access points. This ensures that only authorised personnel should have physical access to your organisation’s information. Physical entry controls include technical mechanisms to manage areas of access, such as entry doors, gates, card readers, ID scanners, keypads, and revolving doors.
In control 7.10, storage media, ISO/IEC 27001 addresses how organisations can manage their storage devices, such as SSD’s, USB sticks, external drives, and mobile devices, through their life cycle of acquisition, use, transportation, and disposal in accordance with their handling requirements.
ISO/IEC 27001 includes controls and clauses that cover physical security within your organisation. Therefore, you can be assured that by following ISO/IEC 27001, your controls and security management are protected against physical security risks.
According to a 2022 Verizon Investigations Report, 82% of cyber security breaches involved a human element; this includes social attacks, errors, and misuse.
I’m interested in ISO/IEC 27001, what can I do next?
If you are interested in ISO/IEC 27001, you can contact us and schedule a free consultation with one of our specialist consultants. Here at IMSM we have a transparent fixed fee and flexible approach, helping you to seamlessly earn certification.
For a free quotation or remote presentation by an ISO specialist, contact us today!
IMSM Ltd Head Office
The Gig House