The basics
Control A.7.1 Physical security perimeters requires companies to define the areas where sensitive information is stored or processed, so that they know exactly what needs to be protected and where the physical boundary around it lies. For example, an IT company might declare its data center a secure area containing highly sensitive information, and therefore one that needs adequate physical security controls (e.g., solid walls, controlled entry points, and monitoring) at its perimeter.
Documentation
ISO 27001 control A.7.1 Physical security perimeters can be documented:
- for smaller companies, by defining in the Statement of Applicability (SoA) which areas are secure areas and how they are protected (i.e., no separate document is needed)
- for mid-sized and larger companies, by writing a Policy for Managing Physical Security
The policy is not mandatory but is recommended.
Implementation
In order to comply with control A.7.1 Physical security perimeters, you might implement the following:
- Technology — the technology used to enforce physical security perimeters may range from construction materials (e.g., concrete and steel for walls, doors, and barriers), to physical access control mechanisms (e.g., bars and locks), to monitoring and detection systems (e.g., sensors, alarms, and cameras). Companies of all sizes should plan their physical security perimeters based on a risk assessment and on the sensitivity of the information stored and/or processed in the area; a server room and an open-plan office will typically end up with different perimeters.
- Organization/processes — you should set the criteria for defining security perimeters, and for how they are separated from each other, according to the sensitivity of the information stored and/or processed within them. You can document these criteria and processes in a Policy for Managing Physical Security.
- People — make employees aware of the defined secure perimeters and of the rules that apply within them, and train the relevant employees on how to define and maintain such perimeters.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.7.1 Physical security perimeters: whether secure areas have been defined wherever sensitive information is stored or processed, and whether the perimeters protecting them match what is documented (in the SoA or in the Policy for Managing Physical Security).