ISO 27001 Information Security Management Standard - Clause A.11

Posted by Craig Thornton

Part 30 - A11 Physical and Environmental Security 

This clause in the Annex of ISO 27001 is all about how you manage the physical security of your business.  This covers both the facilities you work in and the equipment that you use.


A.11.1 Secure Areas  

The first part of the clause revolves around the secure areas of your business.  The objective here is to prevent any unauthorized physical access, damage and interference to your organisation’s information and information processing facilities.

So you need to review all the security measures you have for your own facilities, for any outsourced facilities and for your remote workers.

The standard makes this easy as it requires you to check the following:

  • Security perimeters
  • Entry controls
  • Securing your offices, rooms and facilities
  • Protecting against external and environmental threats
  • Working in secure areas
  • Delivery and loading areas

Here at Mango we reviewed the physical building we are housed in and the buildings that some remote workers work from. We also reviewed the facility that hosts our Mango application. We checked and tested the controls we have in place. We recorded those physical items and their controls in our Plant/Equipment module in Mango. We have also implemented processes to check those controls on a regular basis.


A.11.2 Equipment 

The second part of the clause looks at the security of your equipment. The objective here is to prevent the loss, damage, theft or compromise of your assets and the interruption of your organisation's operations.

So again you need to review all the equipment you use and its impact on information security.

The standard gives you good guidance on this. It requires you to check the following:

  • Equipment siting and protection
  • Supporting utilities (power failure)
  • Cabling security
  • Equipment maintenance
  • Removal of assets
  • Security of equipment and assets off-premises
  • Secure disposal or reuse of equipment
  • Unattended user equipment
  • Clear desk and clear screen policy

Here at Mango we spent a lot of time checking the controls for each of these activities. We listed all the equipment we use in our Plant/Equipment module in Mango and then documented each control in the module. These are reviewed on a regular basis to ensure the controls are working effectively.


Takeaways

  1. Review your physical buildings where you are housed and the buildings that some remote workers work from.
  2. List them in a risk register (or, if you are a Mango user, list them in the Plant/Equipment module in Mango).
  3. Review all the equipment you use.
  4. List the equipment in a risk register (or, if you are a Mango user, list it in the Plant/Equipment module in Mango).
