We split ISO27001 for Information Security Management Systems Annex Clause A11 into 2 parts to try and keep it a bit shorter but also to emphasis that you do need to think about both areas as two steps of the process. In Part 1 we talked about Annex Clause A11.1 – Secure Areas, here we'll talk about 11.2 Equipment.
It's easy to just think of secure areas and equipment as one thing and try saying that all your stuff is in a secure area. That's never really going to be the case, so you need to think about that second level of physical and environmental security for your equipment because your auditor certainly will.
Annex Clause 11.2 - Equipment
Like all the ISO27001 annex clauses A.11.2 for equipment starts off with a nice clear objective, in this case: "To prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations."
Now that's a broad scope when you think about it in terms of things to consider. Again, from an Information Security point of view we aren't just talking about your computers, laptops, and phones we are talking all of your equipment involved in making sure your information security management system operates correctly. It'll include servers, security key fobs, access control panels, fire suppression systems (you know those ones you installed in your server room and your secure documents area?) and much more than that. The standard thankfully has some guidance around that in terms of thing you need to check. Keep in mind the standard is always the minimum, there may well be more things specific to your organisation you need to include.
- A.11.2.1 - Equipment siting and protection – here the standard is asking you to carefully consider exactly where things are and how you will protect them. The prompt for you to think about is that you need to "reduce the risks from environmental threats and hazards, and opportunities for unauthorised access." Companies often remember the unauthorised part but for get about the environmental ones, do so at your peril.
- A.11.2.2 - Supporting utilities – what is a supporting utility? Power is an obvious one, but so is airflow, light, heat, fire suppressions etc. You need to protect equipment from power failures and any other disruptions that could happen linked to these supporting utilities. Power is easy, get a UPS, now what about the rest?
- A.11.2.3 - Cabling security – Cabling is more than just your CAT6e or CAT7 data cabling or your fibre, ISO27001 wants you to also consider power as well. Anything that is carrying data or that is supporting information services needs to be considered and protected from interception, interference, or damage.
- A.11.2.4 - Equipment maintenance – You knew that this was coming right? Ensuing that your equipment is fully maintained is going to be a key requirement in making sure it's available. Ensuring that patching is done on a regular controlled manner is the bare minimum here. Inspection of cables is also something to consider there they may be in exposed areas or areas that are prone to movement or excess heat for example.
- A.11.2.5 - Removal of assets – this is about ensuring that equipment, information (both in terms of electronic based and physical) or software is not removed from the work site without it being authorised. This can be tricky in the age of working from home, shared workspaces and so on so you do need to carefully consider the various impacts and controls you will implement.
- A.11.2.6 - Security of equipment and assets off-premises – this control is taking the next step on from 11.2.5 and is interested in how you shall apply the security requirements you need for any information security assets that are taken off site. You need to factor into your thinking the various risks for the items taken off site and where they could be used or physically be. For example, if you have your design team working from home and they take the deigns of your next generation flagship device with them... how will you secure that? It isn't just limited to long term of site, there is no timeframe stated in the ISO27001 standard so even if it only leaves site for an hour, what are your controls?
- A.11.2.7 - Secure disposal or reuse of equipment – all equipment comes to the end of their useful life, and we know that companies repurpose equipment, what was previously a great machine for the Finance Director to use is no longer powerful enough for their huge spreadsheets so it's given to a new graduate just starting to avoid cost. Now you have risks in your information security that you need to manage. This clause requires you to do just that, it says "All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use." In other words, get processes in place to ensure that any data on your systems that you dispose of, or reuse is irrecoverable by anyone when you do it.
- A.11.2.8 - Unattended user equipment – this will span from your servers sitting alone in the server room to the laptop or phone you have left on the desk when you popped off to get a coffee from the machine. The information security management systems standard requires that you ensure the equipment has the appropriate protection. Passwords alone may not be enough; drive encryptions and secure keys may be the requirement you need to meet the risks you identify.
- A.11.2.9 - Clear desk and clear screen policy – We have all worked in companies or heard of ones that have a clear desk policy and let's be honest, we all probably thought well that's just dumb and controlling. When you think about it however it's not. As people we tend to keep things to hand that we are working on, so if I'm wrapping up today and haven't quite finished the work on that new design then perhaps, I can just leave it on the side of the desk here to grab and get started on tomorrow. The problem is someone else can happily come along and just lift it. The clean desk policy is about ensuring that there is nothing left available for anyone to just pick up and walk off with or see that they shouldn't. This includes those post-it notes you have stuck to your monitors.The clear screen side of things is similar in intent, if you get up to go get that coffee no one should be able to read your screen. Equally storing working documents on your desktop screen is bad, firstly it's unlikely to be backed up secondly, it's not going to be secure either. Of all the sections in this clause, this is by far the hardest to implement as it requires a change in behaviours and as we all know that's the hardest thing to accomplish!
Again, from a remote working point of view all the elements outlined above need to be considered, it's not going to be exempt from your auditing or compliance requirements for your ISO27001 information security management system.
Reviews
Review your controls on a regular basis, as both the business and technology evolve so too must your controls and systems you have put in place. Schedule these reviews on a regular basis to ensure that are working effectively. As a company we use our Mango QHSE system to document and communicate all the controls and we use the auditing function to schedule and carry out our reviews to ensure we are still meeting our requirements.