This ISO27001 control is not only concerned with the reduction of risks from physical and environmental threats, but also from unauthorised access and damage. Where you put your equipment can almost be as important as what you do with it!
What does the standard require?
The standard states that “Equipment shall be sited securely and protected.” (A7.8 – Equipment siting and protection).
Why is this required?
If equipment is not protected, it could lead to a data breach or loss of data, which in turn could lead to outages, reputational damage, sanctions or fines. But how can this happen?
We worked with a client who operated on the ground floor of an office, where the doors and windows opened onto the main street and pedestrians could walk up and down. When we performed their site security assessment, we advised them to position the computer screens so that passersby couldn’t observe anything on them. This worked for a while, but ultimately we decided to buy screens for the windows which would prevent those outside from looking in. This wasn’t a huge cost, but it minimised the risk of a data breach.
In another example, we visited a client who had their servers and comms equipment located in the basement of their building. This was despite the fact that the area had suffered a significant flood just two years prior. Siting their equipment in the basement presented a significant risk to the business, which they ultimately recognised, and they relocated the equipment to a more appropriate third-floor location.
In other ISO27001 Annex A controls, such as Annex A7.3 (Securing offices, rooms and facilities), the requirement is that physical security for offices, rooms and facilities shall be designed and implemented. The key word here is designed.
What the auditor is looking for
The auditor will be looking for evidence that you have a number of security measures in place that demonstrate this control is being addressed. These measures typically include:
Site Risk Assessments
Risk Registers
Incident Logs
Privacy screens on equipment
Physical protection and appropriate siting of critical equipment (e.g. servers, PCs, etc.)
Awareness, Education and Training for personnel
Remote Working Policies and Procedures
Audit Reports
During the site tour, the auditor will look for evidence that you have designed your offices to ensure security is in place. For example, is your HR function in an open-plan office, or do they have their own space? They deal with a lot of personal data, so if they are in an open-plan office, are their screens protected by privacy screens, or are they positioned in such a way that prevents people from overlooking their desks and screens?
What do you need to do?
Conduct a site risk assessment and identify any areas of weakness and vulnerability. Ensure these are identified and discussed in your MRT and identify any improvements that can be made to the siting of the equipment.
For example, it is not uncommon to find servers that have been stored in a makeshift server room (aka a ‘Cupboard’!) which has no ventilation or fire suppression capabilities. If this sounds familiar, then you should either look to relocate the equipment, install ventilation, or add it to your risk register, assess the risk and assign a risk owner. The risk owner will then decide how the risk should be treated.
You should also develop a remote working policy and procedures which can be communicated to those you work with. This is covered in more detail in ISO27001 Annex A control A6.7 (Remote Working) where the requirement is to implement security measures for personnel who are working remotely. This is required to ensure people know not to leave equipment unprotected, for example on trains while they go to the bathroom or buffet car!
Q & A
What if I only use Cloud software?
Your information may be in the Cloud, but you view it through the device on your desk and in your hand. Therefore you need to consider where you will be when you access the information, and consider the risk of it being exposed, lost or damaged.
Difficulty rating
We rate this a 2 out of 5 for difficulty. This ISO27001 control isn’t technical in nature and should be relatively easy to address. By carrying out the actions above, and providing the evidence that auditors will typically request, this control should be relatively simple to implement.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see its relationship with other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.