Expert Advice Community

Physical controls selection

Guest user Created:   May 29, 2019 Last commented:   May 29, 2019

My company is new and there is no physical entry control device which can restrict anyone from coming inside during business hours. Is it okay to go for certification audit without implementing this control, as the cost and time for implementing it is way too high? Or an entry control is mandatory for certification audit?
Expert
Rhand Leal May 29, 2019

Answer:

ISO 27001 does not prescribe which controls for physical premises must be used.

A control is mandatory to be implemented only if:
- results of risk assessment identify unacceptable risks that can be treated by the control
- there are laws, contracts or regulations that require the control to be implemented
- there is a top management decision requiring the control implementation.

If none of these occurs, you do not have to implement a control.

The following articles can provide you a view about physical protection:
- Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
- How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/

This article will provide you further explanation about selection of controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
