Physical and environmental security (ISO)
The objective of this category is to prevent unauthorized physical access, damage or interference to the organization's premises and infrastructure, using controls appropriate to the identified risks and the value of the assets protected.
Authorities: ISO-27002:2005 9.1; HIPAA
Physical security perimeter
Security perimeters should be used to protect areas that contain information and information processing facilities, using walls, controlled entry doors/gates, manned reception desks and other measures. Control includes:
- perimeter siting and strength determined by risk assessment;
- clearly defined and marked perimeters, except in situations where hidden/disguised perimeters would
- use of physically sound walls, windows and doors, protected with bars, locks and alarms as appropriate;
- use of additional physical barriers, where appropriate, to prevent unauthorized access or physical contamination;
- provision of appropriate protection against fire, water or other reasonably anticipated environmental threats;
- use of appropriate intrusion detection systems, such as motion and perimeter alarms and audio and video surveillance;
- use of manned reception areas or appropriate lock/ID systems to control passage into the restricted area;
- measures designed with sufficient redundancy that a single point of failure does not compromise security;
- regular maintenance of, and review of the adequacy of, the components of these physical protections.
Authorities: ISO-27002:2005 9.1.1; HIPAA
Physical entry control
Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Control includes:
- authentication mechanisms (e.g., keycard and PIN) proportionate to the identified risks and the value of the
- recording of date/time of entry and exit, and/or video recording of activities in the entry/exit area, as
- requirement for authorized personnel to wear visible identification, and to report persons without such identification;
- appropriate authorization and monitoring procedures for third-party personnel who must be given access to the restricted
- regular review and, when indicated, revocation of access rights (see also human resources security).
Authorities: ISO-27002:2005 9.1.2; HIPAA
Secure offices, rooms and facilities
Physical security for offices, rooms and facilities should be designed and implemented. Control includes:
- use of measures that are commensurate with the identified risks and the value of the assets at risk in each setting;
- use of measures that balance relevant health, safety and related regulations and standards;
- use of highly visible controls, where appropriate as a
- use of unobtrusive or hidden controls/facilities, where appropriate for highly sensitive assets; and
- restrictions on information about facilities, including directory and location information.
Authorities: ISO-27002:2005 9.1.3
Protecting against external and environmental threats
Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk should be designed and implemented. Control includes:
- consideration of the probabilities of the various categories of risk and the value of the assets protected against those risks;
- consideration of security threats posed by neighboring facilities and structures;
- appropriate fire-fighting equipment and other counter-measures, provided and suitably located on site; and
- appropriate siting of backup facilities and data copies in a suitable location off-site.
Authorities: ISO-27002:2005 9.1.4
Working in secure areas
Physical protection and guidelines for working in secure areas should be designed and implemented. Control includes:
- limiting personnel's awareness of, and activities within, a secure location on a need-to-know basis;
- limiting or prohibiting unsupervised/unmonitored work in secure areas, both for safety reasons and to avoid opportunities
- keeping vacant secure areas locked, subject to periodic inspection, and/or monitored remotely by video or other technologies, as appropriate;
- limiting video, audio or other recording equipment, including cameras in portable devices, in secure areas.
Authorities: ISO-27002:2005 9.1.5
Public access, delivery and loading areas
Access points such as delivery and loading areas, and other points where unauthorized persons may enter the premises, should be controlled. Control includes:
- limits on access to the delivery and loading areas, and to other public access areas, to the degree possible;
- inspection of incoming and outgoing materials, and separation of incoming and outgoing shipments, where possible; and
- isolation of these areas from information processing facilities and areas where information is stored, where possible.
Authorities: ISO-27002:2005 9.1.6
Equipment security (ISO)
This category aims to prevent loss, damage, theft or compromise of assets or interruption to the organization's
Authorities: ISO-27002:2005 9.2; HIPAA
Equipment siting and protection
Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and to reduce the opportunities for unauthorized access by human threats. Control includes:
- siting to minimize unnecessary risks to the equipment, and to reduce the need for unauthorized access to sensitive
- siting to isolate items requiring special protection, so as to minimize the general level of protection required;
- use of particularized controls, as appropriate, to minimize physical threats, e.g., theft or damage from vandalism, fire, water, dust, smoke, vibration, electrical supply variance or electromagnetic radiation; and
- guidelines for eating, drinking, smoking or other activities in the vicinity of equipment.
Authorities: ISO-27002:2005 9.2.1; HIPAA
Supporting utilities
Equipment should be protected from power failures, telecommunications failures, and other disruptions caused by failures in supporting utilities such as HVAC, water supply and sewage. Control includes:
- assuring that the supporting utilities are adequate to support the equipment under normal operating conditions;
- making reasonable provision for backups (e.g., a UPS) in the event of supporting utility failure.
Authorities: ISO-27002:2005 9.2.2
Cabling security
Power and telecommunications cabling carrying sensitive data or supporting information services should be protected from interception or damage. Control includes:
- physical measures to prevent unauthorized interception or damage, including additional protections for sensitive or critical systems;
- alternate/backup routings or transmission media where appropriate, particularly for critical systems;
- clearly identified cable and equipment markings, except where security is enhanced by removing/hiding such markings;
- documentation of patches and other maintenance activities.
Authorities: ISO-27002:2005 9.2.3
Equipment maintenance
Equipment should be correctly maintained to ensure its continued availability and integrity. Control includes:
- appropriate preventive maintenance;
- documentation of all maintenance activities, including scheduled preventive maintenance;
- documentation of all suspected or actual faults, and associated
- maintenance only by authorized employees or contracted third parties; and
- appropriate security measures, such as clearing of information or supervision of maintenance processes, appropriate to the sensitivity of the information on, or accessible by, the devices being maintained.
Authorities: ISO-27002:2005 9.2.4
Security of equipment off-premises
Appropriate security measures should be applied to off-site equipment, taking into account the different risks of working outside the organization's premises. Control includes:
- authorization of any off-site processing of organizational information, regardless of the ownership of the processing
- security controls for equipment in transit and in off-site premises, appropriate to the setting and to the sensitivity of the information on, or accessible by, the device;
- adequate insurance coverage, where third-party insurance is cost-effective; and
- employee and contractor awareness of their responsibilities for protecting information and the devices themselves, and of the particular risks of off-premises environments.
Authorities: ISO-27002:2005 9.2.5; HIPAA
Secure disposal or re-use of equipment
All equipment containing storage media should be checked to ensure that sensitive data and licensed software have been removed or securely overwritten prior to disposal. Control includes:
- use of generally accepted methods for secure information removal, appropriate to the sensitivity of the information known or believed to be on the media;
- secure information removal by appropriately trained personnel, or verification of secure information removal by appropriately trained personnel.
Authorities: ISO-27002:2005 9.2.6; HIPAA
Removal of property
Equipment, information or software should not be taken off-premises without prior authorization. Control includes:
- limitations on the types/amounts of information or equipment that may be taken off-site;
- recording of off-site authorizations and an inventory of equipment and information taken off-site; and
- for persons authorized to take equipment or information off-site, appropriate awareness of the security risks associated with off-premises environments and training in appropriate controls and counter-measures.
Authorities: ISO-27002:2005 9.2.7; HIPAA