When people think about ISO27001 for Information Security Management Systems (ISMS) they tend think about the world of cyberspace, of virtual set ups and protecting their information form someone on a PC hacking in from the other side of the world. That's certainly a part of it and in reality, a small part of it. Your real-world threats are just as important and more likely than you may think. That means you need to think about your real physical and environmental security.
Keep in mind the management system is about securing the information that is important to your organisation, making sure it is physically secure is pretty important. What about ensuring that it is secure from the environment? With the environmental impacts of climate change the weather is getting wetter and more unpredictable, storms, tornadoes, hurricanes, flooding how will these impact your data security? Clause A11 of the iSO27001 standard looks for you to consider all of these things for both the areas you have your information in (ISO27001 Annex Clause 11.1) and the equipment itself (ISO27001 Annex A11.2). In this post we'll cover the 1st section – Secure Areas which is Clause 11.1 and in our next post we'll talk about Clause 11.2 for equipment.
Annex Clause 11.1 – Secure area
Firstly, the Objective of the clause is simple: "To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities."
So simply put you need to decide which areas of your business should be secure, and from whom they need to be secured from. Is it all staff, some staff, external visitors? How will you control these security areas and if it is breached how will you know?
There are size areas that the standard wants you to think about and outlines what your control must achieve.
- A11.1.1 Physical security perimeter. For areas that the organisation has deemed sensitive or holds critical information and information processing facilities the standard wants you to identify a security perimeter around it hat will used to protect areas. What does this look like in reality? Think about your server room, is it open or locked? It should be locked at all times and the key should be pretty hard to get, ideally it's a swipe access so you manage who goes in and know when they do. Remember it's not just about your server room, you will have other areas that need similar set ups or similar access control, identify them and management.
- A11.1.2 Physical entry controls. As in the example about the requirement here is that any secure areas need to be protected by appropriate entry controls to make sure that only authorised personnel are allowed access to it. As an organisation you need to decide what those entry controls could be such as the swipe cards describe before, finger scanners, a 4 digit pass core or just a key, it's up to you based on your assessment of the risk to data and it's integrity.
- A11.1.3 Securing offices, rooms and facilities. This control is about considering what physical security is going to be required for your offices, rooms and facilities. The aim again is to ensure that only those authorised gain entry to restricted areas.
- A11.1.4 Protecting against external and environmental threats. This is where your thinking has to get both inventive and realistic. This section of the requirement wants you to ensure that you have physical protection against natural disasters, malicious attack or accidents. So, if you are in a flood prone area then you should be designing in things to protect your information security should a flood hit for example. Don't forget here you aren't just thinking about protecting the information from being damaged by the flood but also about the security implications. If the information survives the flood but your access security doesn't, and all the doors swing open then you may be in trouble.
- 11.1.5 Working in secure areas. Here the standard is looking for you to develop procedures for how you will work in secure areas. That may be about what you can take in and out, it may be about how many people are in there or for how long someone is in a secure area. All these things should be considered.
- 11.1.6 Delivery and loading areas. In movies, the robbers always seem to decide that the easiest way in is via the delivery or loading area, perhaps there is a grain of truth to the Hollywood approach? Clearly you need to think realistically about areas like this as they are designed to give access to your premises. This means that those areas and any other points where an unauthorised person could enter the organisation needs to be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
Remote working is not exempt
Obviously one of the big challenges in today's Covid-19 world is remote working. When you are thinking about your ISO27001 Information Security Management System required you need to consider those areas as well. I sit possible to set up a secure area for remote working for example? Do you need to. Here you need to be realistic and practical about what you are doing and what information is going to be accessible. But it does need to be considered.