ISMS-DOC-A07-1-1 Physical Security Policy


ISO/IEC 27001 Toolkit: Version 12 ©CertiKit Physical Security Policy

Physical Security Policy

[Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document defines the organization’s policy regarding the controls used to ensure the physical security of its buildings, offices etc.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

• A.5 Organizational controls

o A.5.1 Policies for information security

• A.7 Physical controls

o A.7.1 Physical security perimeters

o A.7.2 Physical entry

o A.7.3 Securing offices, rooms and facilities

o A.7.4 Physical security monitoring

o A.7.5 Protecting against physical and environmental threats

o A.7.6 Working in secure areas

o A.7.8 Equipment siting and protection

o A.7.9 Security of assets off premises

o A.7.10 Storage media

o A.7.11 Supporting utilities

o A.7.12 Cabling security

o A.7.13 Equipment maintenance

o A.7.14 Secure disposal or re-use of equipment

• A.8 Technological controls

o A.8.1 User endpoint devices

General guidance

Physical security is often common sense, as it is one of the most visible aspects of information security. But penetration testers have often found that it’s all too easy to gain access to a building and explore unchallenged. Don’t assume that the building services or facilities management service provider has covered everything needed; look carefully at your organization’s specific needs and be prepared to put additional controls in place if necessary. Do not forget that awareness training is a key part of physical security, in order to ensure that procedural controls are followed and that physical controls are not easily circumvented, for example via tailgating.

Review frequency

We would recommend that this document is reviewed annually and upon significant change to the organization.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.


Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Document control

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: ISMS-DOC-A07-1-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]

Revision history

VERSION    DATE    REVISION AUTHOR    SUMMARY OF CHANGES

Distribution

NAME    TITLE

Approval

NAME    POSITION    SIGNATURE    DATE

Contents

1 Introduction ........ 8
2 Secure areas ........ 9
3 Paper and equipment security ........ 10
4 Equipment lifecycle management ........ 11

1 Introduction

The protection of the physical environment is one of the most obvious yet most important tasks within the area of information security. A lack of physical access control can undo the most careful technical precautions and potentially put lives at risk.

[Organization Name] is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. This policy sets out the main precautions that must be taken and, together with the supporting documents listed, forms a significant part of our Information Security Management System (ISMS).

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

• Physical Security Design Standards

• Procedure for Working in Secure Areas

• Mobile Device Policy

• Remote Working Policy

• Data Centre Access Procedure


2 Secure areas

Information must be stored securely according to its classification. A risk assessment must be conducted to identify the appropriate level of protection to be implemented to secure the information being stored.

Physical security must begin with the building itself and an assessment of perimeter vulnerability must be conducted. A building must have appropriate control mechanisms in place for the classification of information and equipment that is stored within it.

These may include, but are not restricted to, the following:

• Alarms fitted and activated outside working hours

• Window and door locks

• Window bars on lower floor levels

• Access control mechanisms fitted to all accessible doors (where codes are utilised they should be regularly changed and known only to those people authorised to access the area/building)

• CCTV cameras

• Staffed reception area

• Protection against damage, e.g. fire, flood, vandalism

Staff working in secure areas must challenge anyone not wearing a badge.

Identification and access tools/passes (for example badges, keys, entry codes etc.) must only be held by persons authorised to access those areas and must not be loaned/provided to anyone else.

Visitors to secure areas are required to sign in and out with arrival and departure times and are required to wear an identification badge.

An organization employee must always monitor all visitors accessing secure areas.

Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally by the [Service Provider] as appropriate.

Where breaches do occur, or an employee leaves outside normal termination circumstances, all identification and access tools/passes (for example badges, keys etc.) must be recovered from the employee and any door/access codes should be changed immediately.


3 Paper and equipment security

Paper based (or similar non electronic) information must be assigned an owner and a classification. Appropriate information security controls must be put in place to protect it according to the provisions in the Asset Handling Procedure.

Paper in an open office must be protected by the controls for the building and via appropriate measures that could include, but are not restricted to, the following:

• Filing cabinets that are locked with the keys stored away from the cabinet

• Locked safes

• Stored in a secure area protected by access controls

All general computer equipment must be located in suitable physical locations that:

• Limit the risks from environmental hazards for example heat, fire, smoke, water, dust and vibration

• Limit the risk of theft e.g. if necessary, items such as laptops should be physically attached to the desk

• Allow workstations handling sensitive data to be positioned so as to eliminate the risk of the data being seen by unauthorised people

Data must be stored on network file servers or approved cloud locations where available. This ensures that information lost, stolen or damaged via unauthorised access can be restored and its integrity maintained.

All servers located outside of the data centre in [Organization Name] premises must be sited in a physically secure environment.

Business critical systems must be protected by an Uninterruptible Power Supply (UPS) to reduce the risk of operating system and data corruption from power failures.

All items of equipment must be recorded in the [Service Provider] inventory. Procedures must be in place to ensure the inventory is updated as soon as assets are received or disposed of.

All equipment must be security marked and have a unique asset number allocated to it. This asset number must be recorded in the [Service Provider] inventory.

Cables that carry data or support key information services must be protected from interception or damage.

Power cables must be separated from network cables to prevent interference. Network cables must be protected by conduit and where possible avoid routes through public areas.


4 Equipment lifecycle management

[Service Provider] and third party suppliers must ensure that all of [Organization Name]’s IT equipment is maintained in accordance with the manufacturer’s instructions and any documented internal procedures to ensure it remains in effective working order.

Staff involved with maintenance must:

• Retain all copies of manufacturer’s instructions

• Identify recommended service intervals and specifications

• Enable a call out process in event of failure

• Ensure only authorised technicians complete any work on the equipment

• Record details of all remedial work carried out

• Identify any insurance requirements

• Record details of faults incurred and actions required

A service history record of equipment must be maintained so that decisions can be made regarding the appropriate time for it to be replaced.

Manufacturer’s maintenance instructions must be documented and available for support staff to use when arranging repairs.

The use of equipment off site must be formally approved by the user’s line manager.

Equipment that is to be reused or disposed of must have all its data and software erased / destroyed. If the equipment is to be passed onto another organization (for example returned under a leasing agreement) data removal must be achieved by using approved, appropriately secure software tools.

Equipment deliveries must be signed for by an authorised individual using an auditable formal process. This process must confirm that the delivered items correspond fully to the list on the delivery note. Actual assets received must be recorded.

Loading areas and holding facilities must be adequately secured against unauthorised access and all access must be auditable.

Subsequent removal of equipment must be via a formal, auditable process.

Information security arrangements must be subject to regular independent audit and security improvements recommended where necessary.
