
    ISO 27001 & ISO 22301 Blog

    How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2

    As I mentioned in my previous article How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1, having good security software is not enough to protect your organization's information; you must also set up physical security controls to protect the equipment. In that article I discussed the measures that protect the equipment indirectly, i.e., measures that act on its environment (supporting utilities, control A.11.2.2; cabling security, control A.11.2.3). In this article I want to show you the measures that protect the equipment directly, i.e., measures that act on the equipment itself (maintenance, removal from the premises, reuse and disposal, etc.). As in Part 1, I will follow the structure of Annex A of ISO 27001:2013 and the best-practice suggestions of ISO 27002.

    Equipment siting and protection (control A.11.2.1)

    The equipment should be located where the environmental conditions it needs in order to operate (temperature, humidity, etc.) can be met. It is therefore important to install temperature and humidity sensors and to monitor and control those conditions. Remember that equipment is designed to work within a specified range; many computers, and servers in particular, throttle or shut themselves down automatically when that range is exceeded (for example, at high temperatures). They do this to prevent damage to the hardware, but the consequence is an interruption of your business, so the environment should be kept well away from those thresholds, and the sensors should alert you before a server decides to switch itself off.

    It is also important to site the equipment where unnecessary access is minimized; for this you can define different work areas and protect them with physical access control. Information processing facilities that handle sensitive data should be positioned carefully, e.g., so that screens and printouts cannot be read by unauthorized people from public or visitor areas.

    To maintain an adequate environment, it is also good practice to establish a rule that employees do not eat, drink, or smoke in the vicinity of the equipment.


    Equipment maintenance (control A.11.2.4)

    This is another point that companies often neglect, and one with significant room for improvement. All equipment has a life cycle, so you must periodically check its status, i.e., its general health. Companies typically contract a maintenance service for the equipment (especially servers and desktops), particularly when they do not have their own IT department with specialist knowledge. Remember: today's data centers can be complex and expensive, so only qualified people should open your racks and deal with hardware issues. In any case, a clear review plan, with assigned responsibilities, should be established and executed at least annually. The status of each piece of equipment should be checked and a report produced that lists the equipment reviewed and its condition (e.g., working properly, or which hardware component needs maintenance or replacement). Keep the maintenance records, supervise any external technician who services equipment on site, and remove or wipe the disks before equipment is sent out for repair, because repair is one of the ways information leaves your premises unnoticed.

    Removal of assets (control A.11.2.5)

    Equipment should not leave the organization's premises without permission (this also applies to information and software). That may seem obvious, but I quite often find that, e.g., an employee takes a corporate laptop home without any formal approval. This is fundamental: establish control over equipment that leaves the company's premises by recording, e.g., the reason, who is responsible for the equipment, how long it will be out, and where it will be. We should not forget that this is the organization's equipment, and the organization has the right to know the details of what goes outside its premises.

    If the company is very small (fewer than 10 employees) and staff usually work with the equipment outside the office, it is also recommended that the CEO write a short circular letter with clear rules for taking equipment out of the office.

    One more thing: although the name of this control speaks of removal, its real subject is the authorization process, i.e., how to behave when taking assets off-site. Regarding the assets themselves, this article can help you with the asset register: How to handle Asset register (Asset inventory) according to ISO 27001.

    Security of equipment and assets off-premises (control A.11.2.6)

    When equipment goes off the premises, requiring that its contents be encrypted (e.g., full-disk encryption on laptops) is only part of the answer: the employees who take equipment out of the facility must also ensure its physical safety at all times, with special attention in public places and in transit, and take care that it is not damaged. Note that disk encryption only protects data on a device that is switched off or locked; a laptop left unlocked on a café table is exposed regardless. The same measures apply when the employee works from home.

    Secure disposal or reuse of equipment (control A.11.2.7)

    As you know, all equipment has a life cycle, after which it is necessary to get rid of it. Be careful here: your organization's information is stored on computers and servers, and it can remain there even if you believe you have removed it (deleting files or doing a quick format only removes the references to the data, not the data itself). Therefore, to avoid leakage of information from computers that are reused or disposed of, you should either sanitize the storage media through software (overwriting, or the drive's own secure-erase function) or physically destroy the drive that contains the information. Encryption adds a further layer: if the drive has been encrypted for its whole life, destroying the key (sometimes called crypto-erase) leaves only ciphertext behind, so in the hypothetical case that someone recovers the data through some mechanism, they would still have to break the encryption. Encrypting a drive only at the end of its life can be much weaker, because unencrypted copies of the data may already lie in blocks the encryption never touched.
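    Here is an added example (my own, not from the article) of software-based sanitization of a single file on a POSIX system: it overwrites the file in place with random data and then with zeros, verifies the final contents, and only then removes it. The file path, the number of passes and the sample content are assumptions for illustration; the comments state where this approach is not enough and a drive-level sanitize or physical destruction is needed instead.

```shell
#!/bin/sh
# Added example: overwrite-based sanitization of one file before disposal or reuse.
# Caveat: on SSDs/flash and on journaling or copy-on-write filesystems, overwriting
# in place does not reliably reach every physical copy of the data (wear levelling,
# snapshots, journals). For whole drives use the device's own sanitize command
# (ATA Secure Erase, NVMe Format with secure-erase, blkdiscard on a trimmed SSD)
# or destroy the media.

# wipe_file FILE [PASSES]  -> 0 on success, 1 if FILE is not a regular file,
#                             2 if the final verification fails (file is kept)
wipe_file() {
    file="$1"
    passes="${2:-2}"           # number of random passes (assumed default: 2)
    [ -f "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')

    # Random passes: conv=notrunc keeps the same inode and blocks, so we overwrite
    # the original data instead of letting the filesystem allocate new blocks.
    i=0
    while [ "$i" -lt "$passes" ]; do
        head -c "$size" /dev/urandom | dd of="$file" conv=notrunc 2>/dev/null
        sync
        i=$((i + 1))
    done

    # Final pass with zeros so the result is predictable and can be verified.
    head -c "$size" /dev/zero | dd of="$file" conv=notrunc 2>/dev/null
    sync

    # Verify: the file must now compare equal to SIZE zero bytes before we unlink it.
    if ! head -c "$size" /dev/zero | cmp -s - "$file"; then
        return 2
    fi

    rm -f "$file"
}

# Usage (constructed sample data):
#   tmp=$(mktemp); printf 'CONFIDENTIAL: payroll export' > "$tmp"; wipe_file "$tmp" 3
```

The verification step is the part most home-grown wipe scripts skip: a disposal record should say that the media was checked after sanitization, not merely that a command was run.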

    By the way, this article might be interesting for you: Secure equipment and media disposal according to ISO 27001.

    Unattended user equipment (control A.11.2.8)

    As you know, users have to be trained to protect the equipment they are using. For example, an employee goes to the bathroom, or steps outside to take a phone call or to smoke, and leaves an open session on the system, i.e., the computer is not locked. In real life, many companies control such situations through centrally enforced configuration (e.g., group policy), which locks the screen or ends the session automatically if the user does not interact with the system for a certain time, and which the user cannot switch off. Regardless of this, it is also recommended to raise awareness, explaining the risks of unattended user equipment, which also helps to create a culture of information security.
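    As an added example (my own, not from the article), here is how the automatic lock described above can be enforced centrally on Linux workstations: GNOME settings are written to the system dconf database and locked so that users cannot change them in the settings panel, and a read-only TMOUT closes idle text-console and SSH shells. The 600-second default and the function names are my assumptions; the directory layout (/etc/dconf/profile/user, /etc/dconf/db/local.d) is the standard one that dconf reads. Both functions accept an optional root directory so the policy can be generated and checked in a scratch directory before it is rolled out with configuration management. On Windows the equivalent setting is the group policy "Interactive logon: Machine inactivity limit".

```shell
#!/bin/sh
# Added example: centrally enforced inactivity lock for Linux workstations.
# write_idle_lock_policy [ROOT] [SECONDS]
#   ROOT    = "" for the real system, or a scratch directory for testing
#   SECONDS = idle time before the screen locks / the shell ends (assumed 600)
write_idle_lock_policy() {
    root="${1:-}"
    idle="${2:-600}"
    mkdir -p "$root/etc/dconf/profile" \
             "$root/etc/dconf/db/local.d/locks" \
             "$root/etc/profile.d"

    # dconf profile: the "local" system database is consulted for every user
    printf 'user-db:user\nsystem-db:local\n' > "$root/etc/dconf/profile/user"

    # GNOME: go idle after $idle seconds and lock as soon as the screensaver starts
    cat > "$root/etc/dconf/db/local.d/00-screenlock" <<EOF
[org/gnome/desktop/session]
idle-delay=uint32 $idle

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0
EOF

    # Lock the keys: without this a user can simply switch the lock off again
    cat > "$root/etc/dconf/db/local.d/locks/screenlock" <<EOF
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay
EOF

    # Text consoles and SSH: bash ends an interactive shell that gets no input
    # for TMOUT seconds; "readonly" stops the user from unsetting it.
    cat > "$root/etc/profile.d/autologout.sh" <<EOF
TMOUT=$idle
readonly TMOUT
export TMOUT
EOF

    # On the real system the binary dconf database has to be rebuilt
    if [ -z "$root" ] && command -v dconf >/dev/null 2>&1; then
        dconf update
    fi
}

# idle_lock_policy_ok [ROOT] [SECONDS] -> 0 if every piece of the policy is present
# with the expected values, 1 otherwise (the check an auditor or a compliance
# job would run on each workstation)
idle_lock_policy_ok() {
    root="${1:-}"
    idle="${2:-600}"
    grep -q "^idle-delay=uint32 $idle\$" "$root/etc/dconf/db/local.d/00-screenlock" 2>/dev/null &&
    grep -q '^lock-enabled=true$' "$root/etc/dconf/db/local.d/00-screenlock" 2>/dev/null &&
    grep -q '^/org/gnome/desktop/screensaver/lock-enabled$' \
            "$root/etc/dconf/db/local.d/locks/screenlock" 2>/dev/null &&
    grep -q "^TMOUT=$idle\$" "$root/etc/profile.d/autologout.sh" 2>/dev/null &&
    grep -q '^readonly TMOUT$' "$root/etc/profile.d/autologout.sh" 2>/dev/null
}

# Usage: generate into a scratch root and check it before deploying
#   scratch=$(mktemp -d); write_idle_lock_policy "$scratch" 600
#   idle_lock_policy_ok "$scratch" 600 && echo "policy complete"
```

The lock file is the security-relevant part: a setting that users can turn off in their own profile is a recommendation, not a control, and the check function is what you would wire into your compliance reporting so that a drift (someone removing the lock) is detected.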

    This is also related to the Clear desk and clear screen policy, so this article may be interesting for you: Clear desk and clear screen policy – What does ISO 27001 require?

    The organization not only works with hardware, software, or digital data – it works with people.

    The measures we have seen in this article help to protect the equipment in your organization directly, and here it is crucial to educate and raise awareness among the staff. A security software solution (firewall, anti-virus, etc.) does not solve all the problems; we also need controls that are not related to software but to the behaviour of people, who must apply the security controls that relate directly to the equipment they use.

    If you would like to learn more about ISO 27001 and its implementation, try this free ISO 27001 Lead Implementer Online Course.

    Author: Antonio Jose Segovia (Advisera)
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.