Physical security

Guest user Created:   Mar 04, 2019 Last commented:   Mar 04, 2019

1. I would like to clarify one thing, please. In terms of physical security/access control, would the departments that are in scope need to be physically isolated from the other departments that are out of scope?

Expert
Rhand Leal Mar 04, 2019

Answer: First, it is important to understand that for ISO 27001 a "need" is based on the results of the risk assessment. Considering that, you only have to physically separate your scope if there are unacceptable risks related to keeping a single environment.

2. Our staff always have meetings, and they always need to sit, discuss and collaborate on certain tasks and projects that happen between different departments. Shutting down the entrances, closing all the doors between the departments and limiting access will hinder the workflow and coherence of the company. Is there another way around that? Or is the policy very clear and very strict in terms of physical isolation of the departments that are in the scope from the rest of the company? In case it is very strict and isolation measures need to be implemented, would magnetic see-through doors with swipe cards to isolate the departments that are in scope from the ones outside the scope be sufficient? I found this article on your website:
https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

Answer: The same answer as above applies here: you only need to limit access to the scope if there are unacceptable risks that must be treated. In case you indeed have to limit access, you can use the alternative you mentioned (i.e., swipe cards) if it does lead to unacceptable risks.

3. But I would greatly appreciate it if there are any more detailed articles about physical security that you could share with me, especially for organizations that are only certifying part of their services.

Answer: First of all, thanks for this feedback. In fact, this answer may be a good idea for an article. If you kindly provide additional examples of what you would like to see, we can verify this possibility. For other articles about physical security, please see:
- The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
- How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/