Just a quick one on the Physical Security aspect of the policy - specifically with regards to "Procedures for Working in Secure areas". The only secure area is actually the data centre location where our server is located. Should that be listed as a secure area? If so, it's a little different to the template as access is generally only to data centre staff who actually manage the facility and these are not direct employees. Or do we not need such procedure in this scenario?
Answer:
Yes, from my point of view you can list the data centre as a secure area, and in your scenario the procedure is necessary, although it is not mandatory to be documented. This article about the list of mandatory documents can be interesting for you: List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
And also this article about physical security: Physical security in ISO 27001: How to protect the secure areas: https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
Jan 13, 2016