Physical and Environmental Security is a key factor in implementing and maintaining information security in an organisation. Annex A 11 of ISO 27001 guides organisations on how data breaches can occur in the physical environment and what precautions can be taken.
Even with the strongest firewalls, procedures and methodology, a breach in physical security can still cause problems. This is why ISO 27001 covers more than the application of technical controls alone.
In this article, we take a look at the Annex that is designated for physical security, its objectives, controls, and how this Annex helps your organisation in your journey of information security.
*Update: It is important to highlight that the ISO 27001:2013 standard was updated on 25th October 2022, resulting in the most recent edition, ISO 27001:2022, with revised guidelines. For the most current and precise details about the ISO 27001 Annex A controls, please refer to the updated version.
What is Annex A 11?
Annex A 11 covers the physical and environmental security of your organisation. Organisations are sometimes under the impression that data breaches, losses and cyber threats can only occur via technology. Annex A 11 of ISO 27001, however, sheds light on the physical landscape of the organisation, which may otherwise be overlooked.
Annex A 11 covers a range of controls that define and protect organisations from incidents that may occur in the physical landscape of an organisation, such as:
- Natural disasters
- Theft
- Intentional destruction
- Unintentional destruction
- Hardware failures
- Power failures
Instances such as theft and intentional destruction may occur due to unauthorised access, careless handling of records, improper disposal of records, etc.
These incidents can be prevented and avoided if adequate physical security measures are taken in time and the physical environment of the organisation is inspected frequently to confirm that those measures still work.
Annex A 11 has two main control categories, and their objectives define the main reasons why it must be implemented in an organisation.
What is the objective of Annex A 11?
Each of the two main controls under Annex A 11 has a related but distinct objective.
The two main controls are: A.11.1 Secure areas and A.11.2 Equipment.
Objective of A.11.1 Secure areas
Physical and environmental security are at the core of Annex A.11.1. The objective of this control is to prevent unauthorised physical access to, and damage to, the organisation's stored data.
Objective of A.11.2 Equipment
Equipment, covered by Annex A.11.2, is as important as secure areas. The objective of this control is to prevent the loss, damage or theft of assets, as well as disruption of business activities.
What is physical and environmental security?
Physical and environmental security refers to the precautions put in place to protect systems, buildings and supporting equipment against physical threats. It covers the protection of personal data, property data and physical asset data against physical threats such as natural disasters, theft and intentional destruction.
Physical and environmental security, according to ISO 27001, is sometimes overlooked yet remains critical in safeguarding information.
There are three principles that organisations must follow when it comes to physical and environmental security: physical deterrence, detection of intruders, and response to those risks.
What are the Annex A 11 controls?
A.11.1.1 Physical Security Perimeter
Security perimeters, and the location of each perimeter, must be defined. The results of your risk assessment, together with the security needs of the assets within the perimeter, should be used to decide this.
ISO 27001 defines a physical security perimeter as "any transition barrier between two locations with varying security protection demands." Therefore, employees who work from home or from an office may all have access to data that is designated as part of your physical security perimeter.
A.11.1.2 Physical Entry Controls
Once you have established physical security perimeters, you are required to install entry controls to manage who may move between secure areas of the premises.
Handheld metal detectors, walk-through metal detectors, swipe cards and keycodes are all options for controlling access to different areas of your organisation. Different degrees of protection might be used in different sections of your organisation. The approach you take to build and administer these restrictions should align with the significance of the data you are storing.
A.11.1.3 Securing Offices, Rooms and Facilities
Annex A 11 focuses on the security of an organisation's physical environment, which means it is concerned not only with the data the organisation holds but also with safeguarding the places where that data is stored.
Equipment containing sensitive information is kept in various rooms, offices and facilities, and these locations may not be as secure as we believe. Even when the information held on these devices is of lesser importance, any kind of unauthorised access is harmful to the organisation.
Firstly, organisations must identify the equipment stored in these spaces and the types of data stored in them. Then they must grade the importance of each type of data set found on each device and implement security controls accordingly.
A.11.1.4 Protecting against External & Environmental Threats
This control is about how natural disasters such as fires, earthquakes, tsunamis, snowfall and floods may damage an organisation's physical premises. It deals purely with natural occurrences that might result in infrastructure damage and the loss of data storage media such as files, hard drives and pen drives.
The key to preventing your organisation from being damaged in such scenarios is to analyse the environment in which it operates and identify macro- and micro-level external threats.
Following the analysis of these possibilities, it is recommended that your organisation take the required steps and measures to protect its physical premises, so that natural occurrences cause little or no harm to them.
A.11.1.5 Working in Secure Areas
Certain operations that must be completed inside an organisation may be restricted to senior employees alone. As a result, your company may need to isolate this type of work from the rest of the workforce and have it done in an undisclosed location.
Suspicious behaviour by unauthorised internal or external persons can be detected using surveillance cameras and monitoring screens.
A.11.1.6 Delivery & Loading Areas
This control is not limited to businesses in the manufacturing industry. Even if you are a service provider, you almost certainly have one or more delivery and loading areas on your premises.
These areas might be used to unload new electronic devices, furniture, food and other items that your company purchases. Unauthorised persons can exploit these areas as a swift entry point into the premises, placing your organisation's physical and environmental safety at risk.
Your organisation must identify delivery and loading entry points and add security personnel, surveillance cameras, and a staff member to monitor the unloading and loading of items within the premises.
If your company is housed in a shared workplace, such as a coworking space, you may be restricted to the security measures available at the point of entry. However, there should always be someone in the office who can immediately spot suspicious conduct and take appropriate action before an incident occurs.
Why is physical and environmental security important for your organisation?
An organisation requires administrative, technological and physical controls in order to carry out business operations smoothly. While it is important that an organisation's digital assets and systems infrastructure are protected, organisations must also protect their physical environment, which includes but is not limited to:
- Offices, rooms and facilities
- Delivery and loading areas
- Entry and exit points of buildings
- Physical data storage devices such as computers, hard drives and pen drives.
Paying attention to and protecting these physical components of the organisation will help improve overall information security implementation. This will help protect existing and new data sets of employees and customers that flow into the organisation.
The primary goal of protecting your organisation's physical security is to protect the company's most precious assets: its employees and customers.
Conclusion
Annex A 11 is one of the 114 controls in ISO 27001 that organisations can choose to adopt as part of their information security procedures. Physical security, however, is one area that is strongly advised and should be prioritised, since it protects your company from physical data breaches in the long run.
Annex A 11 and the other controls are all important for your organisation's ISO 27001 implementation. ISO 27001 certification not only helps you showcase strong security procedures, but also gives you a competitive edge.
If you are interested in setting up data privacy and information security procedures within your organisation and want to become ISO 27001 certified, schedule a no-obligation call with our Infosec specialists today.