This ISO27001 control should focus your attention on physical and environmental threats, in order to prevent them from occurring, or to reduce their impact if they do.
What does the standard require?
The standard states that “Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.” (A7.5 – Protecting against physical and environmental threats).
You may feel that this is a control that you have little sway over, but notice that the requirement is that protection against these threats shall be designed and implemented. This means, where you can influence the selection of processing facilities, you need to take these matters into account.
Why is this required?
When you purchased your home, no doubt you had a lawyer conduct a survey of the area to see if there were any risks that you needed to be aware of before signing the contract. This is because you don’t want to find that your building is prone to flooding every winter.
Natural disasters and extreme weather are a concern for us all, and depending on where you are in the world, they can be a serious risk to your business. From bush fires and droughts to flooding and hurricanes, every country has its own climate risks which need to be considered and catered for.
What the auditor is looking for
The auditor will look for both physical and process evidence that you have considered physical and environmental threats. Typical evidence will include:
Site Specific Risk Assessments
Risk Register
Audit reports
Walls and fences
Security posts (e.g. Bollards or barrier posts)
Intruder Alarms
Environmental Alarms and Alerts (e.g. underfloor water detection)
Smoke Alarms
Fire alarm tests
Fire drills (i.e. evacuation tests)
HVAC maintenance contracts
Shutters on doors and windows (to prevent intruders accessing the site)
Flood defences (e.g. barriers, moats and channels, sandbags, etc.)
Incident Response Plans (A5.26 - Response to information security incidents)
Incident Investigation Processes (A5.28 - Collection of evidence)
Uninterruptible Power Supplies (UPS) in server rooms or attached to critical equipment
Onsite Generators (to keep power going in the event of a prolonged power outage)
Incident logs
Test results of plans, UPS and/or generators
What do you need to do?
Depending on your location, some of these controls may be necessary, but it is important to start with a risk assessment so that you know which threats you face. Once you have completed the risk assessment, you should identify mitigating controls that you can implement.
Start with the list outlined above and identify what is already in place, what is easy to implement, and then what you feel is necessary. For example, a UPS is a relatively straightforward piece of technology to purchase, install, and manage. But is it really necessary? A UPS will only keep the equipment running for a short period, so will it be sufficient? Will it reduce the impact on your business if there is a short-term power outage or surge?
Conduct some local research (using Google) to identify any risks or issues, and also go and speak to your neighbours.
We worked for a large law firm whose head office was next to a government office. The risk to the site was from protestors frequently congregating outside the client building (next to the government agency), and occasionally causing it damage (thinking they were attacking the government building). The business was relatively unaffected, but it resulted in issues and protestors verbally assaulted members of staff on several occasions, which of course was distressing to them.
By working with your neighbours, you can build a relationship where they report any increase in threat levels to you in a timely manner. After all, as the saying goes, everybody needs good neighbours!
Q & A
What do we do if we’re in a city centre with no control over these threats?
City centre locations have a different threat profile to more rural areas, including risks ranging from social disturbances through to acts of terrorism. Are you near an airport, or under its flight path? How you manage these risks will depend on where you are and what you do, so start with your site risk assessment and build out from there.
Difficulty rating
We rate this control 2 out of 5 for difficulty. This ISO27001 control isn’t difficult, as it requires only that you speak to those in control of the physical aspects of your business. You need to establish what is in place and identify any vulnerabilities and risks to your facilities, which is achieved by completing your site risk assessment.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to find answers on other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.