The basics
ISO 27001 control A.7.5 Protecting against physical and environmental threats requires companies to protect infrastructure against environmental threats such as fire and floods, and against malicious attacks such as bomb threats and hacker attacks, so that such threats either have a lower likelihood of materializing or are prevented entirely. For example, the threat of fire can be reduced by installing fire-suppression systems and by using fire-resistant materials for the building.
Documentation
ISO 27001 control A.7.5 Protecting against physical and environmental threats can be documented:
- for smaller companies by defining in the Statement of Applicability (SoA) how protection against physical and environmental threats is implemented (i.e., no separate document is needed)
- for mid-sized and larger companies by writing a Policy for Managing Physical Security
The policy is not mandatory but is recommended.
Implementation
In order to comply with control A.7.5 Protecting against physical and environmental threats you might implement the following:
- Technology — the technology to enable protection against physical and environmental threats could include software (e.g., monitoring systems), hardware (e.g., sensors), and services (e.g., outsourced providers). Companies of all sizes need to plan their protection against physical and environmental threats based on risk assessment and the required resilience of the facilities from potential damage.
- Organization/processes — you should set up a process for identifying, implementing, and maintaining solutions to increase the resilience of premises against natural and man-made threats. You can document those processes through a Policy for Managing Physical Security.
- People — make employees aware of the physical and environmental threats related to the company’s premises, and train them on how to identify, report, and react to such events should they occur.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.7.5 Protecting against physical and environmental threats: whether infrastructure is protected against environmental threats and malicious attacks.