ISO 27001 Annex: A.11 Physical and Environmental Security

ISO 27001 Annex: A.11 Physical and Environmental Security discusses Secure areas, Physical Security Perimeter and Physical Entry Controls.

A.11.1 Secure areas

This control area aims to prevent unauthorized physical access, damage, and interference with the organization’s information, and it also protects the organization’s ability to process data.

A.11.1.1 Physical Security Perimeter


The establishment of perimeter security is important to secure sensitive or confidential data and information processing areas.

Implementation Guidance

For physical security perimeters, the following guidelines should be considered and followed:

1. Establish security perimeters, with the location and strength of each perimeter depending on the security requirements of the assets within the perimeter and on how the risk assessment evaluates those requirements;
2. The perimeter of the building should be tight and secure (that is, there shouldn’t be any openings where someone could easily break in); all the building’s perimeter walls, floors, and external doors should be secured to prevent unauthorized entry (for example with alarms, locks, bars); doors and windows should be locked rather than left open, and external security should be considered, especially at ground level;
3. The site or building should have a manned reception area or other forms of physical access control and only authorized personnel should be able to enter.
4. Wherever possible, physical barriers should be installed to prevent unauthorized access and environmental contamination;
5. Fire doors should be alarmed, monitored and tested together with the walls to determine whether they need additional resistance under State and National standards, and they should operate in a failsafe manner following local codes;
6. An intrusion detection system, compliant with national, regional, and international standards, must be installed and tested regularly to ensure that all exterior doors and windows are covered. It is a good idea to alarm unoccupied spaces at all times.
7. Facilities for information management under the control of an organization should be physically separated from those run by outside parties.

Other Information

To protect an organization’s premises and information processing areas, it is necessary to create one or more physical barriers. Using multiple barriers provides additional protection, because the failure of a single barrier then does not immediately compromise security.

Protected spaces may be offices or other buildings that have internal physical protection restrictions. Additional physical barriers or perimeters may be needed within the security perimeter to control access between areas with different levels of security. Special attention should be paid to physical entry security when a building holds assets of more than one organization.

As outlined in the risk assessment, physical controls, especially in the secure areas, need to be adjusted according to the organization’s technical and economic circumstances.

A.11.1.2 Physical Entry Controls


To ensure that only employees who are authorized to enter a facility can do so, access control should be in place.

Implementation Guidance

Keep in mind the following points:

1. Visitors should be registered upon entry and departure and supervised unless they have prior authorization; access should be granted only for approved purposes, and visitors should be given guidelines on the area’s safety and emergency procedures. A suitable method should be used to verify visitors’ identities;
2. Suitable access controls should be introduced to areas where information is handled or stored, such as a two-factor authentication system that uses an access card and a PIN;
3. An audit trail of all access records should be maintained and monitored, in a physical logbook or electronically;
4. Employees, contractors, and external parties should all wear some kind of visible identification and tell security personnel immediately if they meet persons who are not escorted or who do not have identification;
5. Outside personnel needed for external support should have only limited access to secure areas or confidential information processing facilities; this access should be authorized and monitored;
6. Access privileges to protected areas should be reviewed, updated, and revoked periodically and whenever necessary.

Related Questions

1. What types of perimeter barriers are there?
2. What do perimeter controls do?
3. What are the 5 physical security controls necessary for information security?
4. According to NIST, what are the three possible ways for data to be intercepted?
5. Describe ISO 27001 Annex: A.11 Physical and Environmental Security?
6. What controls are included in ISO 27001 Annex: A.11 Physical and Environmental Security?
