{"id":4394,"date":"2015-03-23T19:37:41","date_gmt":"2015-03-23T19:37:41","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/015\/03\/23\/physical-security-in-iso-27001-how-to-protect-the-secure-areas\/"},"modified":"2025-07-10T16:13:41","modified_gmt":"2025-07-10T16:13:41","slug":"physical-security-in-iso-27001-how-to-protect-the-secure-areas","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2015\/03\/23\/physical-security-in-iso-27001-how-to-protect-the-secure-areas\/","title":{"rendered":"Physical security in ISO 27001: How to protect the secure areas"},"content":{"rendered":"<p>Your information and IT assets aren\u2019t located in the middle of nowhere. They need a roof, walls, doors, and adequate operating conditions, just like human beings. Buildings have back doors just as software does (and not every back door exists to be exploited for malevolent purposes). Many IT security features are built on \u201cold\u201d physical security principles and solutions, and, just as in IT, without proper physical security controls our information assets are at risk.<\/p>\n<h2>What are secure areas?<\/h2>\n<p>Secure areas are sites where you handle sensitive information or shelter valuable IT equipment and the personnel needed to achieve the business objectives. In the context of physical security, the term \u201csite\u201d means buildings, rooms, or offices that host the services and facilities (electricity, heating, air conditioning) your assets depend on.<\/p>\n<p>The primary role of physical security is to protect your \u2013 material and less tangible \u2013 information assets from physical threats: unauthorized access, unavailability and damage caused by human actions, and detrimental environmental and external events.<\/p>\n<p>The material assets are, of course, hardware and information media. 
Less tangible information assets are spoken words and displayed data (on screens and posters).<\/p>\n<h2>Elements of the physical context<\/h2>\n<p>Sites, buildings, public areas, work areas, and secure areas aren\u2019t in the middle of nowhere or somewhere in the air. They are located at a place suitable for people. Three elements make up your physical context and must be taken into account when deciding on the appropriate protection:<\/p>\n<p style=\"padding-bottom: 15px;\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-21473\" style=\"margin-top: -5px;\" src=\"\/wp-content\/uploads\/\/sites\/5\/2015\/03\/physical-context-iso-27001.jpg\" alt=\"ISO 27001 physical security: Keeping the secure areas protected\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2015\/03\/physical-context-iso-27001.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2015\/03\/physical-context-iso-27001-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2015\/03\/physical-context-iso-27001-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p><strong>Perimeter &amp; borders.<\/strong> We have up to four lines of defense to take into account:<\/p>\n<ul>\n<li>First: the site (fence) or building (wall)<\/li>\n<li>Second (where applicable): the building floor or story<\/li>\n<li>Third: the room<\/li>\n<li>Fourth: the \u201csmaller box\u201d you put the assets in (cabinet, cupboard, safe)<\/li>\n<\/ul>\n<p><strong>Gates.<\/strong> There is obviously a need to enter and exit the physical environment. 
Doors and windows come to mind first, but most people overlook cable ducts, air inlets\/outlets, and similar openings.<\/p>\n<p>Don\u2019t forget the ways to and from the gates: access and exit routes, both normal and \u201cemergency\u201d \u2013 the latter required by safety regulations.<\/p>\n<p><strong>Surroundings.<\/strong> This concerns the corridors, paths, roads, green spaces, or parking areas that lie around the perimeters.<\/p>\n<h2>Security Measures<\/h2>\n<p>The physical environment, and especially the secure areas, should meet your security expectations. This is achieved by giving each of its elements the level of strength called for by your risk management activities. See also this article: <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-risk-assessment-treatment-management\/#assessment\" target=\"_blank\" rel=\"noopener\">ISO 27001 risk assessment: How to match assets, threats and vulnerabilities<\/a>.<\/p>\n<h3><em>Perimeter &amp; border<\/em><\/h3>\n<p>The first requirement is obvious: the strength of the perimeter should match the value of what it contains.<\/p>\n<p>Second: all six faces (4 walls + floor and ceiling) of the last three perimeters (floor, room, cabinet) should have the same strength. 
It serves little to have strong walls if you can get into the room through a false ceiling or a raised floor.<\/p>\n<p>As has always been the case throughout history, the most sensitive assets belong inside the strongest perimeter (the \u201csecure area\u201d), which is itself protected by another perimeter, and so on (the \u201conion technique\u201d, i.e., defense in depth).<\/p>\n<p>The concept of \u201czoning\u201d describes the different categories of \u201crooms\u201d depending on what they contain and how they are located relative to one another.<\/p>\n<p>When it comes to working in a secure area, you may be required to control:<\/p>\n<ul>\n<li>presence (in case the gate access control is inoperative or has been bypassed): volumetric detection, i.e., motion or presence detectors mounted in the room much like smoke or fire detectors<\/li>\n<li>what people do inside: e.g., a two-person rule (never work alone) or camera surveillance<\/li>\n<\/ul>\n<p>Control A.11.1.5 (Working in secure areas) of ISO 27001:2013, A.7.6 in the 2022 revision, also restricts the use of these secure areas. They should only be devoted to handling sensitive information and hosting valuable IT and facilities. They shouldn\u2019t serve as storage places for paper, equipment, or other maintenance devices. Their existence and location should be disclosed only on a need-to-know basis, never to strangers.<\/p>\n<p>In some parts of your facilities, taking pictures (or any other recording) shouldn\u2019t be allowed unless explicitly authorized.<\/p>\n<p>When it comes to delivery and loading areas, you just have to make sure they don\u2019t give direct access to the secure areas.<\/p>\n<h3><em>Gates &#8230;<\/em><\/h3>\n<p>The doors and windows should have the same strength as the perimeter: a strong wall with a weak door or window (or the reverse, which is also seen in practice) makes little sense.<\/p>\n<p>The gates should allow for an adequate level of access control over who wants to get in (or out). Again, the access rights and rules should be in line with the strength of the walls (and the value of what\u2019s inside). 
For example, you could use a rule like this: <em>For secure areas, an airlock (a security double door, or mantrap, with two interlocking doors) may be necessary so that only one person at a time is admitted, which prevents tailgating and piggybacking.<\/em><\/p>\n<p>All gates should provide the necessary protection: if you need to let air (or cables) in and out, the opening shouldn\u2019t be big enough to let in any creature (smart or not) whose intrusion could cause damage worth worrying about.<\/p>\n<p>A reception desk that every visitor must report to first is one option. Having personnel challenge unknown persons, or security guards patrolling, is another.<\/p>\n<p>If you adequately protect the \u201cnormal\u201d gate(s), it\u2019d be wise to also design, install, and protect \u201cemergency\u201d gates (both for exit, obviously, and for entrance \u2013 when the normal gate is blocked, to protect the availability\/accessibility of what\u2019s inside).<\/p>\n<h3><em>Surroundings<\/em><\/h3>\n<p>All spaces around the perimeter(s) could be monitored (according to the value or sensitivity of what\u2019s inside) to prevent, deter, and detect any attempts to enter (or exit) through alternative or improvised openings. Monitoring of surroundings is generally performed with cameras or patrols.<\/p>\n<h2>Don\u2019t underestimate physical security<\/h2>\n<p>Securing your physical environment, and especially your secure areas, follows the same approach you use for your digital information: defining the context, assessing the risks, and implementing the most appropriate security controls: the higher the value and the risk, the higher your protection level. 
The necessary access control and monitoring activities follow the same rules as for digital information.<\/p>\n<p>But, when speaking of physical security, this isn\u2019t sufficient: you also need to secure the equipment and deal with environmental threats \u2013 but that\u2019s a topic for another article.<\/p>\n<p><em>To see all the necessary tasks for ISMS implementation and maintenance, and learn how to comply with ISO 27001 with less bureaucracy,\u00a0<\/em><a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener noreferrer\">sign up for a 14-day free trial<\/a><em> of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Your information and IT assets aren\u2019t located in the middle of nowhere. They need a roof, walls, doors, and adequate operating conditions. Just like human beings. Software has back doors (not always to be exploited for malevolent acts) just as any building has. Many IT security features are built on \u201cold\u201d physical security principles and 
&#8230;<\/p>\n","protected":false},"author":42,"featured_media":21473,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,461,462,463,464,465],"class_list":["post-4394","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-entry-control","tag-perimeter","tag-physical-security","tag-secure-areas","tag-site-and-facilities"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4394","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4394"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4394\/revisions"}],"predecessor-version":[{"id":104357,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4394\/revisions\/104357"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/21473"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}