How to protect against external and environmental threats according to ISO 27001 A.11.1.4

Physical security plays a critical role in information protection, because even the best designed, implemented, and maintained technical and administrative controls, whether IT related or from some other area, are of little help if an event physically affects the environment or the assets on which those controls work.

For example, those state-of-the-art procedures and software for backup are of little help if someone, or something, damages the media or hardware where the operation is performed, or if you can’t reach the backup media location to retrieve it.

And, to make things a bit more complicated, there are physical events with minimal probability of happening, but that can cause a lot of damage, and those you have little to no influence or control over. How to deal with these situations?

Fortunately, ISO 27001 offers a set of recommendations on what you should consider to make your physical security more reliable. In this article I’ll focus on the control A.11.1.4 – Protecting against external and environmental threats.

Threat landscape and general solutions

By external and environmental threats, ISO 27001 control A.11.1.4 refers to events caused by nature (e.g., fire, flood, earthquake, lightning, severe weather, animals, etc.) and man-made actions, whether intentional or accidental, performed by people who are not under an organization’s responsibility, influence, or control (e.g., vandalism, civil unrest, collision, etc.). For more examples of threats, see this Catalogue of threats & vulnerabilities.

These characteristics make the identification of threats a little more complex, because they depend mostly upon information that is outside the organization (e.g., location history, demographics, population, cultural aspects, criminal statistics, etc.). To help gather this information, an organization can use ISO 31000 (Risk management – Principles and guidelines), clause 5.3.2, and ISO 27005 (Information technology — Security techniques — Information security risk management), Annex C, as guides to determine relevant external issues for its Information Security Management System (ISMS).

However, regardless of the specificity of the external issues, there are some good practices that can generally be observed: sites can be hardened against accidents and environmental disasters, and obstacles can be placed to discourage or delay potential agents. We’ll see some of them in the next sections.


Construction hardening

In addition to hardware and software, construction measures can be incorporated that reduce the likelihood of compromise, like:

Location: By knowing the previous history of a place, an organization can avoid those subject to natural events like earthquakes, floods, and hurricanes, or activities like criminal actions and vandalism. If it does not have other options, at least it can prepare the site/facility to deal with those kinds of situations (e.g., reinforced foundations and election of an alternative site).

Walls: Reinforced walls and treatments to protect them against agents like fire, water, and chemicals can help minimize or delay the effects of those agents over an organization’s assets.

Entrances: Windows and doors represent a dilemma, since they should consider reinforcement against unauthorized access as well as facilitate people’s exit in case of emergency. For other not-so-obvious entrance points (e.g., ventilation ports and shafts), they should consider measures to prevent both people and animals from sneaking into the site or gaining access to the cabling or piping.

External services: No organization is fully autonomous, and that means they depend on some external services like energy, communications, public transport, and, in case of accidents and disaster, emergency services. An organization should consider its needs for locations accessible by multiple routes and providers.

Crime Prevention Through Environmental Design (CPTED)

CPTED is a method used in security planning focused on design, placement, and the way a building is used as a means to increase security, and like ISO standards, can be used in virtually any type of building or scenario, new or existing. And though its principles can vary from place to place, there are three common aspects you always find:

Natural surveillance: See and be seen is a key factor for threat mitigation, and landscaping obstructions may cause points of vulnerability. While thinking about site surroundings, try to ensure there is a clear view of people, to make threatening activities easier to spot. Low solid fences, high tree foliage and points of observation are good examples.

Natural access control: Use the natural landscape to direct traffic flow. Entrances sided by low hills offer more protection than those sided by flat terrain. A single entrance is better than multiple. Colored lines signaling routes are another alternative to make users naturally find their way in and out and increase opportunities to spot and discourage suspicious behavior.

Territorial reinforcement: And though spaces can be welcoming, they should be well defined and possess clear boundaries. In this way you can change the way people use the areas, through unconscious rules that help prevent or spot undesirable behavior. Subtle changes in layout and signaling are good examples of territorial reinforcement.

Other elements that can be considered as CPTED are traffic calming, transition zones, maintenance, and lighting.

Do not expect events to never happen. Make them irrelevant

Incidents are always a question of when, not if. By actual business trends, technical and administrative controls may catch more attention from security practitioners, but they can never forget that those controls ultimately rely on physical assets that must be protected as well, in many cases with superior levels of reliability.

To know more about physical security recommendations and how these fit inside ISO 27001, try our  ISO 27001:2013 Foundations Course.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.