While ISO27001 Annex A Control A7.1 (Physical security perimeter) focuses on perimeter controls, Annex A Control A7.3 looks for controls surrounding the individual offices, rooms and facilities under your control. The purpose is to ensure that access to your information and other associated assets is only possible by authorised individuals.
There is a subtle but important distinction as A7.1 looks at the perimeter controls, whereas this control requires a more granular approach to securing your processing facilities.
What does the standard require?
The standard states that “Physical security for offices, rooms and facilities shall be designed and implemented.” (A7.3 – Securing offices, rooms and facilities).
Why is this required?
Good information security should be implemented in layers, and this is how ISO27001 approaches the physical aspects of security. From A7.1 (Physical security perimeter) through to A7.14 (Secure disposal or re-use of equipment), each control builds upon the last to provide an additional layer of security.
This is important because perimeter defences can be penetrated, and there may also be a need for additional levels (or layers) of security to protect information, and the people who work in your facilities.
For example, server rooms should include additional levels of security because they contain expensive equipment that could be the target of a (physical) attack. One of our clients manufactures sensitive medical equipment, and the facilities where this takes place must be tightly controlled because of the risk of contamination. Any contamination or unauthorised access could lead to the failure of their product and services, compromising the availability of their service.
What the auditor is looking for
Typical evidence that an auditor will review includes:
Physical access controls (e.g. RFID card access, biometrics, PIN codes, scanners) on rooms or facilities which should have restricted access
Policies on how visitors will be controlled in these areas
Segregation of Duties (Annex A Control A5.3)
Security Classification Scheme (Annex A Control A5.12)
Personnel access management processes (e.g. allocation of keys and RFID cards)
Access Control policy
Access rights reviews
Onboarding and off-boarding processes
Incident logs
Risk Register
If you’re paying close attention, you’ll notice that the evidence required for this control is almost identical to that for ISO27001 Annex A Control A7.2 (Physical entry controls). This is no accident. The purpose of these controls is to ensure that only authorised personnel have access to your facilities, from the macro to the micro layers.
As with the previously mentioned controls, the auditor will want to have a ‘virtual tour’ of your site, so be prepared to show them how you manage physical entry for areas such as server rooms, comms cabinets or storerooms.
What do you need to do?
As before, take a walk around your premises to review your physical entry controls and note any vulnerabilities on your risk register. Look for rooms or processing facilities that require additional security controls. These will range from entire buildings to store cupboards housing equipment and other important assets.
Keep in mind this ‘layered’ approach and think about who has access and why. For example, everyone working for your business will need access to the building (layer 1), but do they all need access to the IT department (layer 2)? Does everyone working in your IT department need access to your server room (layer 3)?
Also, consider removing signage from the room or facility, to protect it through anonymity. After all, you wouldn’t put a sign over your garage or shed saying “Expensive Equipment Stored Here”! If possible, keep these secure locations discreet and don’t promote their existence. People in the field commonly call this approach ‘security through obscurity’.
Remember to update your onboarding and off-boarding processes to include the allocation and collection of keys and RFID cards. The off-boarding process should also include consideration of changing PIN codes when someone leaves the business. Of course, you might not want to do this every time someone leaves, but there may be exceptional situations where this becomes necessary. At the very least, ensure that you change PIN codes periodically (e.g. bi-annually).
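The layered model above (building, IT department, server room) and the off-boarding and access rights review steps can be checked in a small script. The following is an added example, not part of the original article or of the standard; the zone names, roles and people are constructed, and the review rules (a leaver still holding access, a role that does not justify a zone, an inner zone held without its outer layer) are assumptions about what your own access-rights review would flag.

```python
"""Access-rights review over layered physical zones (constructed example)."""
from dataclasses import dataclass, field

# Each inner zone sits inside its parent: server room inside IT dept inside building.
ZONE_PARENT = {"building": None, "it_dept": "building", "server_room": "it_dept"}
# Roles that justify holding access to each zone (assumed, not from ISO27001).
ZONE_ROLES = {
    "building": {"staff", "it", "sysadmin"},
    "it_dept": {"it", "sysadmin"},
    "server_room": {"sysadmin"},
}


@dataclass
class Person:
    name: str
    role: str
    active: bool                                # False once off-boarded
    zones: set = field(default_factory=set)     # zones their keys/cards open


def sample_people():
    """Constructed badge register; returns a fresh list each call."""
    return [
        Person("Alice", "staff", True, {"building"}),
        Person("Bob", "it", True, {"building", "it_dept"}),
        Person("Cara", "sysadmin", True, {"building", "it_dept", "server_room"}),
        Person("Dan", "it", True, {"building", "it_dept", "server_room"}),
        Person("Eve", "staff", False, {"building", "it_dept"}),   # left, card kept
        Person("Finn", "sysadmin", True, {"server_room"}),        # no outer layers
    ]


def review_access(people):
    """Return (name, issue) findings an access rights review should raise."""
    findings = []
    for p in people:
        for z in sorted(p.zones):
            if not p.active:
                findings.append((p.name, f"off-boarded but still holds {z}"))
                continue
            if p.role not in ZONE_ROLES[z]:
                findings.append((p.name, f"role '{p.role}' does not justify {z}"))
            parent = ZONE_PARENT[z]
            if parent and parent not in p.zones:
                findings.append((p.name, f"holds {z} without outer layer {parent}"))
    return findings


def offboard(person):
    """Off-boarding step: revoke every zone and list the tokens to collect."""
    collected = sorted(person.zones)
    person.zones.clear()
    person.active = False
    return collected
```

Running `review_access(sample_people())` lists Dan's unjustified server-room access, Eve's retained cards and Finn's missing outer layers; after `offboard()` is applied to Eve, her findings disappear.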
Q & A
Is this a mandatory ISO27001 control?
No, because in truth no control is truly mandatory (although it would be difficult to see how you would implement security without some of the key ones!). You might not have any areas which require additional levels of security, and may therefore feel that this control isn’t applicable to you.
However, be sure to look at your offices with a critical eye. Note that this control focuses on securing offices, rooms and facilities. Do you have any specific rooms that should be controlled? Perhaps you should consider tightening control over the server room where you store expensive technical equipment, or the CEO's office, where confidential papers are held?
Difficulty rating
We rate this a 2 out of 5 for difficulty. This ISO27001 control isn’t difficult, because it’s unlikely that you’re going to have a lot of say in what the defences are. If you find there are vulnerabilities, then you should provide guidance on managing them by designing additional security measures.
Remember that you need to evidence that entry controls are in place, using a variety of physical evidence, and policies and procedures. Therefore, although this is a relatively simple control to understand, it can quickly become complex.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.