Facilities protection
Answer: Considering ISO 27001, the security measures focus first on protection of information deemed important for the business (in your case the private data of hotel's guests are a good example), and after that on the protection of assets that support the information (e.g., the hotel facilities).
That said, the first measure you must consider is the implementation of a risk management process, so you can create a trustful information basis for determining which controls to apply.
For protection of information, common preventive measures are the establishment of an access control policy, criteria for information classification, and training of staff about how to handle sensitive information.
For protection of facilities the main controls recommended are perimeter definition (e.g., lobby, parking lot, guest's rooms, etc.), implementation of access controls (card keys for rooms), use of identification (e.g., badges and uniforms), and segregation of working and public areas (e.g., lobby and management office).
These articles will provide you further explanation about Facilities protection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/
These materials will also help you regarding Facilities protection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Apr 27, 2017