Physical security is an important aspect of information security management.
The physical security perimeter is defined as the area where an organization’s critical assets are located.
The perimeter is used to protect against unauthorized access, theft, and damage to information systems and data.
This article will cover the A.11.1.1 control objective of the ISO/IEC 27001 standard, which focuses on physical security perimeters.
We will provide a checklist of items to review and evaluate the controls implemented to meet this objective.
- Are facilities discreetly located and sited to minimize disaster potential or cost of protective countermeasures?
- Are all defined security perimeters to sites, buildings, offices, computer and network rooms, network cabinets, archives, plant rooms, electrical switchgear, etc. adequate and effective?
- Are the exterior roof, walls, and flooring of solid construction?
- Are all external access points adequately protected against unauthorized access?
- Is the construction physically sound with solid ‘slab-to-slab’ walls, extending past false floors and ceilings?
- Are all doors and windows strong, lockable and regularly maintained?
- Are all fire doors on the external perimeter wall alarmed, monitored by cameras, periodically tested, and operated in a ‘failsafe’ manner, and is it impossible to open them from outside?
- Are only authorized personnel permitted to enter the premises, and is this controlled effectively?
- Are intruder detection systems in place and functioning correctly, and is there evidence of periodic testing?
- Are the controls implemented compliant with local or national standards and laws such as building codes and health and safety regulations?
The A.11.1.1 control objective of the ISO/IEC 27001 standard emphasizes the importance of physical security perimeters.
The checklist provided in this article can assist organizations in evaluating the effectiveness of their physical security controls.
Properly implemented physical security controls can help protect against unauthorized access, theft, and damage to information systems and data.
Compliance with local or national standards and laws is crucial to ensure that the controls are adequate and effective.