In the technology-driven world we live in, it is often high-profile and damaging cyber-attacks that grab the headlines. That is perhaps justified, given the scale of those attacks and the impact they have on every party involved.
However, when it comes to information security, defending your organization against physical threats must not be overlooked.
ISO 27001 is the international standard which defines the requirements for an Information Security Management System (ISMS). The requirements are wide-ranging and feature controls specifically relating to physical and environmental security. When Lloyd’s Register audit organizations against ISO 27001, non-conformities relating to physical security are some of the most common.
According to research conducted by Gemalto, data records are being lost or stolen at a rate of over 5 million per day, which equates to 68 every single second. While these numbers owe much to the growing sophistication and complexity of cyber-attacks, an emerging trend indicates that physical security is being somewhat neglected, with many organizations directing their resources towards combating cyber and online threats.
This is supported by a recent survey conducted by the Ponemon Institute where 71% of respondents said they had picked up or seen a paper document in a public space that contained sensitive or confidential information.
Preventing unauthorized physical access, damage and interference to an organization’s information and information processing facilities is a key objective for any ISO 27001 certified management system – irrespective of company size, sector or type.
Interestingly, when we audit organizations against ISO 27001, we typically find that around 15% of our findings relate to physical security. This suggests that a gap is developing between how organizations mitigate physical security risks and how they mitigate cyber risks. Closing this gap is crucial, and ISO 27001 certification is a viable framework for managing information security risk across both domains rather than one at the expense of the other.
None of the identified controls within ISO 27001 operate in isolation and one size certainly does not fit all. For that reason, when we assess organizations we aim to ensure that a series of cohesive processes exist, enabling effective and sustainable asset protection.
Building a risk profile & process
Before specifically addressing physical security requirements, building a risk profile is a crucial step in establishing effective processes. As a starting point, you must develop an understanding of the context as well as interested parties and their specific needs and expectations.
For organizations operating as part of a supply chain, it is essential to recognize the risk appetite of those you work closely with – any supply chain is only as strong as its weakest link.
Interested parties are many and varied, however, collectively they drive top management and more specifically their approach to risk management. When it comes to information security this is a critical step.
Throughout the assessment process we look for evidence that an organization has established a repeatable process that prioritizes risk treatment, not just in terms of order but in terms of design. This allows us to appreciate how your controls are designed to work, so together with you and your internal audit team we can assess the effectiveness of the controls used.
Addressing physical security through detailed control feedback
An organization’s ability to successfully achieve the key ISO 27001 objective of physical security is reliant on two focus areas - secure access and equipment protection. Regarding these we tend to find issues in equal measure:
Secure access
Most organizations physically allocate an operating space and within the divisions of that space the sensitivity of data storage and access privileges vary. It’s important that you understand where your most secure areas need to be and how they are protected - whether that is a safe in the corner of the room, an area where sensitive activities take place or a secure data center hall.
Identifying the business value associated with confidential information is a logical way of ensuring appropriate investment in its protection. However, despite putting physical barriers in place, it can be difficult to confirm who is and isn’t entering the space in question. An organization that has adequately addressed requirements around secure access:
- Regularly reviews the access log or the list of those who are authorized to have access
- Identifies and regularly reviews temporary access requirements, e.g. for cleaning and repair works
- Ensures and enforces supervision requirements
- Conducts identity checks to ensure those accessing secure spaces are who they are expected to be
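As an added illustration of the review steps above (example code written for this page, not part of the original article or of any Lloyd's Register audit tooling), the script below reconciles a badge-reader log for a secure area against that area's authorization list and raises the findings a reviewer would want to see: entries by badges that are not authorized at all, temporary authorizations (cleaners, contractors) that had lapsed, escort requirements that were not met, and out-of-hours entries worth a second look. The log format, badge ids, door name, working-hours window and authorization records are all constructed assumptions.

```python
"""Reconcile a badge-reader access log for a secure area against the
authorization list, as a periodic access review would.

Added example, not part of the original article or of any Lloyd's Register
tooling. The log format, the authorization records, the door name and the
working-hours window are constructed for illustration.
"""
from datetime import datetime, date

# Constructed authorization list for a hypothetical "Server Room B".
# Permanent staff have no expiry; temporary entries (cleaners, contractors)
# carry an expiry date and a flag saying whether they must be escorted.
AUTHORIZED = {
    "b.ahmed":   {"expires": None,              "escort_required": False},
    "c.novak":   {"expires": None,              "escort_required": False},
    "cleaner01": {"expires": date(2024, 3, 31), "escort_required": True},
    "hvac-tech": {"expires": date(2024, 6, 30), "escort_required": True},
}

# Constructed badge-reader log: timestamp, badge id, door, result, and the
# badge id of an escort if the reader registered one ("-" when none).
ACCESS_LOG = """\
2024-04-02T08:55:12 b.ahmed SRVB-DOOR GRANTED -
2024-04-02T09:10:03 cleaner01 SRVB-DOOR GRANTED b.ahmed
2024-04-02T12:30:45 hvac-tech SRVB-DOOR GRANTED -
2024-04-02T13:02:19 j.doe SRVB-DOOR GRANTED -
2024-04-02T23:48:00 c.novak SRVB-DOOR GRANTED -
2024-04-03T07:15:31 x.unknown SRVB-DOOR DENIED -
"""

BUSINESS_HOURS = (7, 19)  # assumed working window (local hours, end exclusive)


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, badge, door, result, escort = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "door": door,
            "result": result,
            "escort": None if escort == "-" else escort,
        })
    return events


def review_access(events, authorized, business_hours=BUSINESS_HOURS):
    """Return (badge, timestamp, finding) tuples for the reviewer.

    Findings raised on successful (GRANTED) entries only:
      NOT_AUTHORIZED  badge has no entry on the authorization list
      EXPIRED         temporary authorization had lapsed at time of entry
      UNESCORTED      escort required but none logged, or the logged escort
                      is not a permanent (non-escorted) member of staff
      OUT_OF_HOURS    entry outside the assumed working window; not a
                      violation by itself, but flagged for review
    Denied attempts are not findings here: they are the control working.
    """
    findings = []
    start, end = business_hours
    for ev in events:
        if ev["result"] != "GRANTED":
            continue
        auth = authorized.get(ev["badge"])
        if auth is None:
            findings.append((ev["badge"], ev["ts"], "NOT_AUTHORIZED"))
            continue
        if auth["expires"] is not None and ev["ts"].date() > auth["expires"]:
            findings.append((ev["badge"], ev["ts"], "EXPIRED"))
        if auth["escort_required"]:
            esc = authorized.get(ev["escort"]) if ev["escort"] else None
            if esc is None or esc["escort_required"]:
                findings.append((ev["badge"], ev["ts"], "UNESCORTED"))
        if not (start <= ev["ts"].hour < end):
            findings.append((ev["badge"], ev["ts"], "OUT_OF_HOURS"))
    return findings


if __name__ == "__main__":
    for badge, ts, finding in review_access(parse_log(ACCESS_LOG), AUTHORIZED):
        print(f"{ts.isoformat()}  {badge:<10} {finding}")
```

Run against the constructed log this yields four findings: the cleaner's authorization expired two days before the entry, the HVAC technician entered without an escort, j.doe is not on the list at all, and c.novak's late-night entry is flagged for a closer look. The point of the escort check is that a logged escort only counts if that person is themselves a permanent authorized member; a contractor "escorting" a contractor is not supervision. In a real review the authorization list would come from the access-control system or HR feed rather than a literal in the script, and the findings would be recorded as evidence that the review took place.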
Equipment protection
Protecting equipment and maintaining infrastructure is vitally important in ensuring working environment security. In all cases, organizations must strike a balance between the short-term task and the long-term impact. This is especially relevant when considering planned preventive maintenance (PPM) schedules.
In our experience, PPM schedules are not all as comprehensive, or as carefully followed, as was intended when they were first proposed as a mitigation for the identified risks. For example, what is the impact if a generator test slips by a month or two? Will the backup Uninterruptible Power Supply (UPS) provide enough time to shut down your critical IT systems cleanly?
These are just a few of the many questions that organizations must be able to answer to evidence compliance with the equipment protection requirements highlighted in ISO 27001.