{"id":5113,"date":"2023-01-16T09:09:27","date_gmt":"2023-01-16T09:09:27","guid":{"rendered":"https:\/\/www.imsm.com\/nz\/?p=5113"},"modified":"2023-10-18T12:20:43","modified_gmt":"2023-10-18T11:20:43","slug":"does-iso-27001-cover-physical-security","status":"publish","type":"post","link":"https:\/\/www.imsm.com\/nz\/news\/does-iso-27001-cover-physical-security\/","title":{"rendered":"Does ISO 27001 cover physical security?"},"content":{"rendered":"
ISO/IEC 27001 is the international standard for establishing and maintaining an Information Security Management System (ISMS). Implementing an ISMS is essential for any business that aims to be protected against security risks and data breaches.

ISO/IEC 27001 will enable your business to keep its information and data, whether customer, staff, or supplier data, secure from potential threats.

These potential threats can include the following:

The ISO/IEC 27001 standard aims to reduce the probability of possible threats occurring in your business. Processes will be implemented according to ISO/IEC 27001, allowing your organisation to identify hazards and take corrective actions to prevent them.

What do we mean by physical and environmental security?

Physical and environmental security refers to the precautions your organisation takes to prevent physical threats. Your organisation must be protected from any danger that could occur, no matter how big or small.

Threats directed at your organisation from its physical environment can cause irreversible reputational damage and harm the safety of your clients, customers, staff, and suppliers.

Physical threats can include:

ISO/IEC 27001 enables your organisation to look within its physical environment and understand where there are potential non-conformities within your company. With ISO/IEC 27001 policies, your organisation can improve and build upon the framework you already have to establish a system with minimised flaws.

An example would be implementing a policy in which data is double-checked and stored in a location that only selected authorised individuals can access. Preventative actions and strategies are in place for those who do not have access to this data, to minimise the probability of threats.

Why is physical and environmental security essential for business protection?

Having a security management system in place against any physical or environmental threat is critical for maintaining good business practices regarding data and information security.

Suppose an unknown party hacks into your systems or physically gains access to your devices and software. In that case, all data and information stored on that device becomes available for them to use or sabotage.

Environmental and physical threats can occur within any business that uses and stores data or information.

There are three types of personal data:

General personal data can include your clients' or customers' personal information, such as names, email addresses, or physical addresses. Information such as passwords, security numbers, financial records, and employment details is also deemed general personal data, among many others.

Data classified as sensitive or special category data, according to GDPR, needs a greater level of protection because of its sensitivity. This data includes:

With ISO/IEC 27001, data and information will be managed safely and appropriately to prevent misuse. Data must be retained solely for its stated purpose and in accordance with GDPR rules and regulations.

Does ISO/IEC 27001 cover physical security?

ISO/IEC 27001 does include a section on how your organisation should be guided in the event of a data breach occurring in the physical environment of your business.

ISO/IEC 27001:2022 includes controls that are distributed across four categories: organisational, people, physical, and technological. Clause 7 of Annex A contains the physical controls, which must be maintained to a high level of effectiveness to protect physical security.

The environment in which data is handled should be competently assessed for non-conformities and hazards that could occur unexpectedly.

By implementing ISO/IEC 27001 within your organisation, the probability of environmental and physical security risks occurring will be significantly reduced. You can be assured that your systems will be continually assessed to a high standard, and you can regularly maintain your business's competency.

The controls outlined in Clause 7 of Annex A of ISO/IEC 27001:2022 are:

For example, control 7.2, physical entry controls, details that secure areas should be protected by appropriate entry controls and access points. This ensures that only authorised personnel have physical access to your organisation's information. Physical entry controls include technical mechanisms to manage areas of access, such as entry doors, gates, card readers, ID scanners, keypads, and revolving doors.

In control 7.10, storage media, ISO/IEC 27001 addresses how organisations can manage their storage media devices, such as SSDs, USB sticks, external drives, and mobile devices, through their life cycle of acquisition, use, transportation, and disposal in accordance with their handling requirements.

ISO/IEC 27001 includes controls and clauses that cover physical security within your organisation. Therefore, you can be assured that by following ISO/IEC 27001, your controls and security management are protected against physical security risks.

I'm interested in ISO/IEC 27001. What can I do next?

Are you interested in learning more about what ISO/IEC 27001 can do to help your business? Please download our free guide for more information.

If you are interested in ISO/IEC 27001, you can contact us and schedule a free consultation with one of our specialist consultants. Here at IMSM, we have a transparent fixed fee and a flexible approach, helping you to seamlessly earn certification.

Do you already have ISO/IEC 27001? You can become certified to conduct internal audits as an ISO/IEC 27001 internal auditor through one of our live online training courses.