
    ISO 27001 & ISO 22301 Blog

    How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1

    Most companies today have controls to protect themselves from malicious software (viruses, trojans, etc.), to prevent employees from accessing malicious sites (filtering addresses through proxy servers), or to encrypt information when it is sent or received by email. However, I often find companies that neglect the physical protection of equipment, perhaps because many companies think that security is handled once they buy a good anti-virus, proxy, or other software solution.

    Regarding physical protection of equipment, I like to differentiate between two types of measures: those that directly affect the equipment (for example: maintenance of equipment, reuse of equipment, etc.), and those that indirectly affect the equipment (such as supporting utilities, cabling security, etc.).

    By the way, this article about physical security might be interesting for you: Physical security in ISO 27001: How to protect the secure areas.

    In this article I will give you some suggestions and best practices on measures that indirectly affect the equipment, which will help your organization to be more secure through protecting the security of your company’s information. For these tips, I will follow the subsection A.11.2 of Annex A of ISO 27001:2013, which focuses on the physical security of the equipment.

    Supporting utilities (control A.11.2.2)

    It seems obvious that the equipment must be connected to a power outlet, and in many cases there is a UPS and/or a generator that can provide power if the main energy supplier fails. But often I find companies that have never tried their alternative energy supply, or do not know its capacity, i.e., how long the business can keep working on this alternative energy. Therefore, it is not only important to establish an alternative, but also to define a maintenance plan and the tasks that will be performed under it. It is also highly recommended that you generate a report with the results (conclusions, failures, duration of the tests, etc.).

    I have also found companies that work in a shared facility, where the generator is managed by a third party. Well, it shouldn’t be a problem – you can request a maintenance plan and tests from your service provider (and my recommendation is that this should be defined in an agreement).

    Cabling security (control A.11.2.3)

    In this case, it also seems obvious that today’s technologies are not possible without cables (network cables, power supply cables, telephone cables, etc.), and it is very common that nobody bothers to organize the wiring in a structured way. But, to avoid mistakes (someone can disconnect a cable by accident, or even break it):

    • wiring must not be loose or untagged
    • it must be gathered and routed through channels prepared for laying cable (along the wall, along the server racks, etc.)
    • cabinet racks, electrical panels, or any other material that protects and channels cables should be used, and they should be locked

    In this case, I have also found companies that have a robust and impressive rack protected with a padlock, but with the key left in the lock; please, do not do this! This is no better than not having a rack at all.

    Clear desk and clear screen policy (control A.11.2.9)

    Generally, today’s users are aware that they should not write their password on a sticky note and stick it on their computer screen or on their desk. However, this issue should not be neglected, nor should you assume that users are aware of clear desk/clear screen practices. So, you must set policies that remind users that they should not leave any sensitive information lying around in their workspaces (passwords, usernames, settings, data from clients, suppliers, etc.).

    This article will explain the details: Clear desk and clear screen policy – What does ISO 27001 require?

    Software is not the solution for everything

    I’m sure you know that software is not a solution for everything related to the information security of your business, because hackers can attack your equipment in many different ways. The point is that there are many threats related to physical security, and because attackers know this, equipment is a weak point in many companies. So, learn from this article, and apply specific measures for your equipment if you do not want to be one of these companies.

    Remember that this article is only the first part of a two-part series related to the protection of equipment. If you want to know more about this, I recommend that you read part 2, which you can find here: How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2.

    To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.