All the controls in ISO27001 Annex A7 address the physical aspects of information security in your business. There are, in fact, 14 controls in this set, each looking at a different aspect of physical information security. These controls are:
A7.1 - Physical security perimeter
A7.2 - Physical entry controls
A7.3 - Securing offices, rooms and facilities
A7.4 - Physical security monitoring
A7.5 - Protecting against physical and environmental threats
A7.6 - Working in secure areas
A7.7 - Clear desk and clear screen
A7.8 - Equipment siting and protection
A7.9 - Security of assets off-premises
A7.10 - Storage media
A7.11 - Supporting utilities
A7.12 - Cabling security
A7.13 - Equipment maintenance
A7.14 - Secure disposal or re-use of equipment
As with many aspects of ISO27001’s Annex A controls, it’s important to recognise that these controls, while independent of each other, also overlap and intersect across various areas. Therefore, care should be taken to consider each control individually and to see them all as supportive of each other.
What does the standard require?
The standard states that “Security perimeters shall be defined and used to protect areas that contain information and other associated assets.” (A7.1 – Physical security perimeter).
Why is this required?
Although technical security threats have increased, burglary and common theft are still commonplace in society, and therefore we need to protect our physical premises in much the same way that we do our technical infrastructure.
People often say that implementing information security should involve taking a layered approach. If this is true, then you could say that physical security perimeters are the initial outer layer of protection that deters or prevents intruders from gaining access to information and other assets. Keep in mind that ‘other assets’ can include your personnel, so this control is also about keeping your people safe.
During the COVID pandemic we worked with a pharmaceutical business that was partially responsible for the roll-out of the vaccine. Ensuring perimeter defences were in place was of paramount importance, not only because journalists would attempt to gain access to the site for an exclusive ‘scoop’, but also because competitors might seek to gain access to the plans of the company.
What the auditor is looking for
Unsurprisingly, the auditor will be looking for physical evidence of perimeter defences in place. These perimeter defences can include:
Defined perimeters using fences, walls or hedges
Security gates or controlled entry points
Externally facing doors and windows that are secured (e.g. shutters on the windows)
Even when your audits are remote, the auditor will want to have a ‘virtual tour’ of your site, so be prepared to show them your defences from the outside in.
The auditor will also want to review audit reports, incident logs and risk registers to see how you’re managing physical security, along with any incidents or risks that have been raised.
What do you need to do?
In relation to this control, it is difficult to list exactly what you need, because each office and location is going to be different. Therefore, we would suggest that you start by identifying what perimeter defences you currently have, going outside your location to identify any gaps in the perimeter.
Work with the person responsible for facilities to identify what security controls are in place and look for any vulnerabilities that may exist. These vulnerabilities could include breaks in the fence or walls, or a lack of secure doors and windows.
Take note of these vulnerabilities on your risk register and make sure to discuss them in your risk workshops and management review meetings.
It is important to manage any identified risks appropriately, as per your risk management methodology.
Q & A
Is this control applicable if we are a Cloud business?
Yes, this control will apply, but will be less critical, and possibly easier to comply with. We have clients who offer consultancy services, and work remotely, choosing only to come together for specific days, in temporary office spaces. They have implemented appropriate security at home, with office space locked and other assets stored away securely when left unattended for an extended period of time.
Difficulty rating
We rate this control 1 out of 5 for difficulty. This ISO27001 control isn’t difficult, because it’s unlikely that you’re going to have a lot of say in what the defences are. However, if you are lucky enough to get to design your own physical perimeter defences, then the difficulty rating will increase, as you will need knowledge of a variety of physical security controls, some of which are covered in other Annex A7 control areas (such as entry controls).
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to find answers on other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.