ISO 27001 Annex A Control 7.3

ISO 27001 control 7.3 Securing offices, rooms and facilities

The basics

ISO 27001 control A.7.3 Securing offices, rooms and facilities requires companies to design physical security in such a way as to prevent unauthorized physical access to, and compromise of, sensitive information within secure areas.

Documentation

ISO 27001 control A.7.3 Securing offices, rooms and facilities can be documented:

  • for smaller companies by defining in the Statement of Applicability (SoA) how offices, rooms and facilities are secured (i.e., no separate document is needed)
  • for mid-sized and larger companies by writing a Policy for Managing Physical Security

The policy is not mandatory but is recommended.

Implementation

In order to comply with control A.7.3 Securing offices, rooms and facilities, you might implement the following:

  • Technology — the technology used to secure offices, rooms, and facilities may range from sound-masking devices to electromagnetic shielding, with the aim of preventing activities and information inside the area from being seen or heard from outside it. Companies of all sizes need to plan the security of their offices, rooms, and facilities based on a risk assessment and on the sensitivity of the information stored and/or processed in the area.
  • Organization/processes — you should set up a process for defining how secure areas should be sited and configured, so personnel external to them cannot see activities performed in them, nor see stored/processed information. You can document those processes through a Policy for Managing Physical Security.
  • People — make employees aware of the protection measures put in place in their offices, rooms, and facilities, and train them to use the measures that require user interaction.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.7.3 Securing offices, rooms and facilities: whether physical security is designed to protect information within secure areas.