Hi, we are a software development company following your templates to achieve ISO 27001.
Currently we have a visitor management system in place. Every visitor gets a badge and has to wear it constantly, and some other rules apply, of course.
My question is: where do I state the rules for visitors? The "Procedure for working in secure areas" seems to be a document that describes only areas where the security measures are higher than in other areas. For example, we have selected our server room environment as a secure area, as well as the archives and the CEO's office, since those are the places where documents are held in a safe or in cabinets with locks.
I would like to define and write down rules for visitors in common areas, like conference rooms, the developers' den, the kitchen and the WCs. Is there a suitable policy in the realm of ISO 27001 (I've searched, but couldn't find a perfect match) for such a purpose, or should I create my own policy that might not be part of ISO 27001? What would be a good place to describe those rules? We would like to use the ISO 27001 ISMS as the backbone for security in the office, and it seems like a good idea to have our visitor system integrated into the policies. Please advise. Thank you.
Please note that section 3.4 of the "Procedure for working in secure areas" covers visitor access. You can edit the first paragraph of this section to explain the general rules for visitor access to common areas.
Additionally, you should consider defining a visitor profile in the Access Control Policy, since this policy is referred to in section 3.4.
This article will provide you with a further explanation of access control: