The basics
ISO 27001 control A.7.6 Working in secure areas requires companies to define security rules for behavior in areas with sensitive information in order to prevent loss of data.
Documentation
ISO 27001 control A.7.6 Working in secure areas can be documented by writing a Procedure for Working in Secure Areas.
This procedure is not a mandatory document but is recommended for mid-size and larger companies.
Implementation
In order to comply with control A.7.6 Working in secure areas, you might implement the following:
- Technology — the technology to enable working in secure areas may consist of sensors (e.g., metal detectors and x-rays) to prevent the entrance of unauthorized photographic, video, audio, or other recording equipment. Companies of all sizes need to plan the security of their working areas based on risk assessment and the sensitivity of the information stored and/or processed in the area, and the probability of external parties being authorized to access them.
- Organization/processes — you should set up a process for defining what is and is not allowed inside secure areas, and under which conditions third-party personnel may access these areas. You can document those processes through a Procedure for Working in Secure Areas.
- People — make employees aware of what is and is not allowed inside secure areas and train them on how to perform the required activities.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.7.6 Working in secure areas: whether security rules for behavior in areas with sensitive information have been defined.