What does ISO 27001 say about physical security?
When we think about information security, we tend to focus on digital threats such as hackers and malware. But information can just as easily be taken from you in the physical world: a laptop from an unattended desk, a printout from a recycling bin, a disk from a decommissioned server. ISO 27001, the international standard for information security management systems, therefore includes a set of physical security controls. In this article, you’ll learn what they cover and how to start implementing them.
How is physical security described in the ISO 27001 standard?
Physical security in ISO 27001 covers the measures that protect the physical side of your information assets, including buildings and rooms, servers and network equipment, laptops, removable media and paper records, against physical threats such as theft, vandalism, natural disasters and unauthorized access. In the 2022 edition of the standard these controls are grouped together as the ‘physical controls’ theme of Annex A (A.7); the 2013 edition listed them under ‘physical and environmental security’.
Why is physical security deemed important in this standard?
Even the best digital security measures can be undermined if someone can physically reach your systems and data. Encryption, multi-factor authentication and firewalls do little if an attacker can walk into your office, pick up an unlocked laptop or plug a device into a server in an unattended rack.
It wouldn’t be the first time that an outsider poses as a contractor who is there ‘to fix something’, tailgates an employee through the door and walks out with valuable data. Physical security measures are there to stop these scenarios before they start, so that your information stays confidential, intact and available.
Key physical security measures in ISO 27001
ISO 27001 outlines several important physical security controls. Here are the main ones you need to know about:
- Secure areas
- Controlled access: Only authorized personnel should be able to enter areas where sensitive information is stored or processed. How you enforce this depends on the risk: key cards, biometric scanners or traditional locks and keys are all options, as long as access rights are reviewed regularly and revoked when someone leaves.
- Visitor logs: Keep a record of who enters and leaves secure areas, and when. This lets you reconstruct who had access after an incident and spot unusual patterns, such as visits outside business hours.
- Equipment security
- Physical protection: A key part of the standard is making sure that equipment such as servers, laptops and external hard drives is physically secured. This can mean locking it in cabinets or racks, anchoring it with cable locks, or simply not leaving it unattended in public places.
- Environmental controls: Protect equipment, as far as reasonably possible, from environmental hazards such as fire, flooding or extreme temperatures. Fire suppression systems, temperature and humidity monitoring, and water detectors under raised floors are typical measures.
- Safe disposal of equipment
- Data erasure: Before disposing of or reusing old equipment, make sure all sensitive data has been thoroughly erased. Simply deleting files is not enough: deletion only removes the file’s entry from the file system, while the data blocks stay on the disk until they happen to be overwritten, and recovery tools can read them back. Use dedicated wiping software or the drive’s built-in secure-erase function, and verify afterwards that the data is actually gone.
- Physical destruction: For highly sensitive information, or for failed drives that can no longer be wiped, physically destroy the storage media (shredding, crushing or degaussing magnetic disks) and record what was destroyed, when and by whom, so you can show the data cannot be recovered.
- Protection against natural disasters
- Backup locations: Store backups at a different site that does not share the same risks as your primary location, so they survive a fire, flood or break-in that hits your main office.
- Disaster recovery plan: Have a plan for how to recover and continue operations after a disaster, including steps for restoring data and replacing equipment. Test it regularly; a plan that has never been rehearsed is rarely complete.
- Workstation security
- Locking workstations: Require employees to lock their computers whenever they leave their desks, and back this up with an automatic screen lock after a short idle period. This prevents anyone passing by from using an already logged-in session.
- Clean desk policy: Implement a policy requiring employees to clear their desks of sensitive information when they are not present. This reduces the risk of information being accessed by unauthorized individuals.
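The data erasure point above is the one in this list that is easy to get wrong in practice, because nothing tells you whether a wipe actually worked unless you check. The following script is an added example, not from the article or from the ISO standard: it overwrites a disk image with zeros and then reads every byte back to verify the result. A plain file (constructed inline, 256 KiB of random noise plus a recognisable marker string) stands in for the block device so the script runs without root; the function and variable names are the example’s own.

```shell
#!/bin/sh
# Added example (not from the article): overwrite a disk image and verify the
# result before disposal. A plain file stands in for the block device so the
# script runs without root; on a real drive you would pass e.g. /dev/sdX.

MARKER='SECRET-CUSTOMER-LIST'   # constructed sample data, stands in for a "deleted" file

# Build a constructed 256 KiB sample "disk": random noise plus the marker at a
# fixed offset, simulating a deleted file whose blocks are still on the media.
make_sample_image() {
    img=$1
    dd if=/dev/urandom of="$img" bs=4096 count=64 2>/dev/null
    printf '%s' "$MARKER" | dd of="$img" bs=1 seek=65536 conv=notrunc 2>/dev/null
}

# Exit status 0 if the marker can still be found on the media (data recoverable).
marker_present() {
    grep -q -a "$MARKER" "$1"
}

# Single zero pass over every byte of the image, in place (conv=notrunc keeps
# the size, as overwriting a block device would). Handles sizes that are not a
# multiple of the block size.
wipe_image() {
    img=$1
    size=$(wc -c < "$img" | tr -d ' ')
    full=$(( size / 4096 ))
    rest=$(( size % 4096 ))
    dd if=/dev/zero of="$img" bs=4096 count="$full" conv=notrunc 2>/dev/null
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$img" bs=1 count="$rest" seek=$(( full * 4096 )) conv=notrunc 2>/dev/null
    fi
}

# Read the media back and count the bytes that are not zero. Exit status 0 only
# if every byte is zero; this is the evidence to keep with the disposal record.
verify_wiped() {
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

demo() {
    img=$(mktemp)
    make_sample_image "$img"
    if marker_present "$img"; then
        echo "before wipe: '$MARKER' is recoverable from the raw image"
    fi
    wipe_image "$img"
    if verify_wiped "$img" && ! marker_present "$img"; then
        echo "after wipe: all $(wc -c < "$img" | tr -d ' ') bytes read back as zero"
        rm -f "$img"
        return 0
    fi
    echo "WIPE FAILED: non-zero data remains, do not release this media"
    rm -f "$img"
    return 1
}

demo
```

Two caveats a practitioner would add. First, the ‘before wipe’ step is the whole argument of the bullet above: the marker is found in the raw image even though no file system would list it, which is exactly what recovery tools exploit. Second, a software overwrite like this is only trustworthy on magnetic disks; SSDs and other flash media remap and over-provision blocks that the operating system cannot address, so for those use the device’s own sanitize or secure-erase command (for example `blkdiscard`, `nvme format` or `nvme sanitize`, or ATA Secure Erase via `hdparm`), or crypto-erase a drive that was fully encrypted from the start, and still read the media back to verify.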
Implementing physical security measures
Implementing these measures can be quite the task. But here’s how you can get started in simple steps:
- Assess your current situation. Conduct a physical security audit to identify weaknesses in your current setup. Look for places where unauthorized access could occur (unlocked doors, shared key cards, unattended reception areas) and where equipment might be vulnerable.
- Develop a plan. Based on the audit, decide how to address each weakness. This might include installing new locks, setting up access control systems, or training employees on physical security practices.
- Implement and train. Put the measures in place and make sure all employees understand and follow the new procedures. Regular training sessions help keep physical security top of mind.
- Monitor and improve. Continuously monitor your physical security measures and improve them as needed. Regular audits help you stay on top of new threats and confirm that the measures are effective.
Conclusion
Physical security is often overlooked when it comes to information security. We’ve grown accustomed to being vigilant about hackers and malware, only to forget the old-fashioned dangers of the physical world.
Remember, securing your physical environment is just as important as protecting your digital data. Take the necessary steps today to ensure comprehensive security for your business.