Introduction:
Physical security is an important aspect of an organization's overall security posture.
It covers the measures taken to protect physical assets, people, and information technology infrastructure from physical threats such as theft, damage, and unauthorized access.
Control A.11.1.2 of the ISO 27001 standard focuses on physical entry controls and outlines the requirements for the access control systems and procedures that must be implemented to secure an organization's physical perimeter.
Sample Checklists:
Access Control Systems:
- Are suitable access control systems in place, such as proximity or swipe-card readers, security locks, CCTV monitoring, and intruder detection?
- Are the access control systems appropriate for the level of security required?
- Are the access control systems regularly maintained, tested, and monitored for any anomalies?
- Is multifactor authentication (e.g. biometric plus PIN code) required for critical areas, and if so, how is it implemented, tested for correct functioning, monitored, and administered?
Procedures:
- Is there a physical security policy that covers all relevant areas, such as the issuing of ID badges, visitor management, role-based entry to defined areas of the building, and access to the data centre(s), communication rooms, and other critical areas?
- Are the procedures covering all these areas documented, and are they up-to-date?
- Is there a sound audit trail of all entries and exits, and are there access registers (e.g. visitor books) at data centres/IT rooms?
- Is there a periodic review audit of physical access for the organization, and what are its method and periodicity?
Compliance:
- Are the access control systems and procedures compliant with local or national standards and laws (e.g. building codes, health and safety rules)?
- Are the access control systems and procedures compliant with the ISO 27001 standard?
Conclusion:
Physical security is an important aspect of an organization's overall security posture, and control A.11.1.2 of the ISO 27001 standard outlines the requirements for the access control systems and procedures needed to secure an organization's physical perimeter.
By following the sample checklists provided, organizations can ensure that they have appropriate access control systems and procedures in place, and that they comply with local, national, and international security standards and laws.
This will help organizations to minimize the risk of physical threats such as theft, damage, and unauthorized access to their physical assets, people, and information technology infrastructure.