ISO 27001 and Physical Security

Physical access control, physical security monitoring, CCTV, and more

When we hear the term ‘information security’ – or, for that matter, ‘ISO 27001’ – our thoughts usually turn straight to cyber security.

However, physical security is also an important aspect of information and data security. In fact, in the 2022 versions of ISO 27001 and ISO 27002, ‘physical’ is one of just four control themes.

As such, the Standards also list explicit physical security controls, which organisations must either implement or justify why they don’t need to in their SoA (Statement of Applicability) to certify against ISO 27001.

Matthew Peers, one of our GRC (governance, risk and compliance) consultants, helps organisations implement the Standard and prepare for ISO 27001 certification.

Before joining IT Governance, Matthew served in the British Army Intelligence Corps for 12 years, providing intelligence and security advice to personnel and their families in the UK and abroad. This included conducting physical security surveys of British Army bases in the south of England.

Just the man to talk to about ISO 27001 and physical security!

In this interview

  • Why ‘physical’ is a separate control theme
  • Physical (and logical) access controls and visitor policies
  • Why physical security monitoring needed a new Annex A control
  • The benefits and drawbacks of CCTV as a preventive and detective measure
  • Key considerations around building security – even if you’re a small organisation
  • How to remotely audit physical security
  • Remote-working tips

One of the big changes in the 2022 editions of ISO 27001 and ISO 27002 are the four themes, one of which is physical. Is this an acknowledgement that physical security can be overlooked?

I’d say that the separate category just filters out those controls better.

Since COVID, many organisations operate remotely. So, for the purposes of control selection, many physical security controls can be justifiably excluded if all staff work from home.

Having a separate category for those controls makes this more practical to do.

For the organisations that still have a physical location, what physical security measures must they consider?

They should look at their overall physical security system[s]. That said, one big thing clients often talk me through is their visitor policy: how do they process visitors? How do they make sure visitors only go to the designated areas? And so on.

This fits into a wider conversation around physical access control. Just because someone is an employee, doesn’t mean they should be allowed to go everywhere.

For example, if you have a room that stores sensitive information or equipment, only those who have a need to see or use it should be able to access that room.

Similar principles apply to logical access: organisations must restrict this on a need-to-know basis and by the principle of least privilege [PoLP].

What access controls should organisations implement?

Common logical [cyber/digital] access controls include passwords and MFA [multifactor authentication], firewalls, and network segmentation and segregation. Ideally, you’d apply these in a zero-trust architecture.

For physical security, you can use:

  • The simple but effective key and lock;
  • A combination lock or PIN pad; or
  • Card readers.

You could also use biometric access control, but using biometric data is subject to stricter legal requirements around privacy [under the UK GDPR – General Data Protection Regulation].

What about physical security monitoring?

That’s the only new control introduced in the 2022 Standards for the ‘physical’ theme. Control 7.4: “Premises should be continuously monitored for unauthorized physical access.”

This could be something like CCTV, or a human element – a security guard, whether physically near the door or at the other end of a switchboard.

Alarms are good, too, but they raise questions like who’s going to come in to investigate when it goes off at, say, 4:00 am on a Saturday.

Why was a new, separate control for physical security monitoring needed?

It gives you enhanced peace of mind.

Suppose you own a lot of sensitive equipment and are in an area with a high crime rate [an aspect of environmental security]. You’d want that peace of mind that you’ll become aware of anyone interfering with your equipment.

In this respect, CCTV and other security monitoring act as both preventive measures – i.e. a deterrent – and detective measures. They’ll help detect suspicious activity, but also deter burglars. CCTV won’t stop everyone, but it’ll make at least a few people think twice, knowing their actions will be caught on camera.

In fact, CCTV can work well as a forensic measure, too. If someone does break in, CCTV can help identify the culprit. At the very least, it can inform the police where to dust for fingerprints, as the cameras show which surfaces the burglar has touched.

What are the risks or drawbacks around CCTV?

Cameras aren’t infallible – they can be covered up or out of order, for example.

Then there’s the footage itself – recordings might be overwritten, and you’re only going to keep them for a certain period anyway, if only for the sake of cost.

In addition, you need to be aware of your privacy obligations. Ensure that people know they’re being recorded – e.g. via a clearly visible CCTV notice – and why you’re collecting that data.

[This guide to the GDPR and CCTV in the workplace discusses this in more detail.]

So, control 7.4 in ISO 27001 isn’t accounting for a new phenomenon, but filling in a gap in the old Standard?

Yes, it just brings ISO 27001 up to date. Plus, ISO 27002 provides guidance beyond just installing video monitoring systems and intruder alarms – it also raises points like preventing them from being disabled remotely.

By formalising this as a control, organisations can get clearer guidance on its various aspects. They’ll also be less prone to overlooking things.

[Note: ISO 27002 provides generic guidance on how to implement each control in Annex A of ISO 27001.]

The ‘physical’ theme in ISO 27001:2022 and ISO 27002:2022 contains relatively few controls. Which are the most important?

The controls around building access:

  • How will you control access to your physical premises?
  • How will you identify who is and isn’t permitted to enter?
  • How will you keep unauthorised staff and other people out of restricted areas?

It’s about not overlooking anything. You may, for example, have your HR team in one part of the building to keep sensitive personal information about staff separate from, say, the sales team.

For similar reasons, you’d want to separate finance, too – very few people need access to financial information, so make sure you restrict it on a need-to-know basis.

What you don’t want to do is mix teams. When all finance staff sit together, it doesn’t matter whether one person looks at another’s screen and sees confidential financial data. But you can’t police casual glances from, say, a sales employee sitting next to finance staff.

Again, even vetted staff shouldn’t be seeing information not relevant to their job – particularly where that information is sensitive.

What if you’re a small organisation, with very few staff?

Even when you have different functions sitting in the same small room, you can designate a quiet space for sensitive work.

Or you can position screens in such a way that you can’t see what the person is working on if, for example, you walked into the managing director’s office. If you’re then invited to look at their screen, the director can make sure you can only see what you need to.

What, if any, aspect of physical security do you believe is overlooked?

Actually, organisations do quite a good job at this. Many are very switched on and alert about the physical side – the cyber side is where more problems emerge. That may be due to a lack of experience – we’ve had to think about physical security long before the Internet emerged.

Situations like having multiple organisations within the same tall building are so common. It’s very normal to have, say, a tenth-floor office, with staff given a key card that only gives them access to that floor and the front door of the building.

Or if you have a visitor, they’d call at the front-desk reception, who then sends them to the correct floor and lets you know to buzz them in, or whatever.

Can you remotely audit physical security?

With cameras! An auditee will use something like a camera phone or laptop, then walk and talk the auditor through the process.

So, they’d say something like: ‘I’m standing outside the building. I’m now going to get my key card out and swipe into the building. If I was a guest, I’d call into reception here. I’d press that button, then tell the receptionist who I am and who I’ve come to see.

‘The receptionist then gives me a visitor lanyard, and phones the office. Someone from the office then comes down to show me upstairs.’

Admittedly, you get a better feel for the physical security when you’re there. Not least because you’re the visitor in that scenario.

But the remote camera makes for a good substitute in, say, a lockdown situation. Or when the organisation spans multiple premises. This is a particularly good option for internal audits, rather than certification audits, where the auditor would need a higher level of assurance.

Speaking of remote, even when all staff are home-based, work still involves a physical element, such as their home offices. What can organisations do to address those risks?

A remote working policy is a good place to start. This should cover things like physically securing company equipment. For example:

  • Avoid working in public
  • Only use secured Wi-Fi networks
  • Never leave your equipment unattended in public
  • When travelling by car, put the equipment in the car boot
  • When travelling by plane, put laptops, etc. in your carry-on luggage

Also, don’t let unauthorised people use the device!

Last November, a Scottish minister let his children use his tablet, running up a massive bill. He’d initially charged the taxpayer for that, but that aside, unauthorised users – family included – mustn’t gain access to company equipment under any circumstances.

What are some other remote-working tips?

Remote working typically involves putting stuff in the Cloud – old-school server and communications rooms are dying off.

Involving a Cloud service provider means you’re sharing the risk. Your data might be managed and secured by the provider, but you remain responsible for that data, legally speaking.

So, ask questions like:

  • What assurances can the provider give around security?
  • How will I make sure I can retrieve the data in the Cloud at any time?
  • What third-party suppliers does your provider use, where are they based, and how do you know you can trust them?

Under ISO 27001:2022, supply chain management stretches across multiple controls:

  • 5.19: Information security in supplier relationships
  • 5.20: Addressing information security within supplier agreements
  • 5.21: Managing information security in the ICT supply chain
  • 5.22: Monitoring, review and change management of supplier services
  • 5.23: Information security for use of Cloud services [another new control]

That signals its importance to overall information security. If your supply chain isn’t secure, nor are you.

Note: To learn more about how to simplify supply chain risk management, check out this interview with Andrew Pattison, head of GRC consultancy at IT Governance Europe.

Looking to improve staff awareness around physical security?

Our 45-minute Physical Security Staff Awareness E-learning Course may be just the thing.

This engaging course teaches staff what physical security is, and how they can contribute to keeping their workplace and your assets secure. It also addresses the threats posed by remote working.


More interested in general information security awareness training for staff? Check out our Information Security Staff Awareness Elearning Suite.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert with GRC International Group.

In the meantime, why not check out our interview with Group CEO Alan Calder about transitioning to ISO 27001:2022?

Alternatively, explore our full index of interviews here.