Control 7.3 in the new ISO 27002:2022 covers the need for designing and implementing physical security for offices, rooms and facilities.
This control was designed to encourage organisations to have appropriate measures in place to prevent unauthorised access to rooms, offices and facilities, especially where information security is being handled, through the use of locks, alarms, security guards or other appropriate means, to prevent information security issues.
Physical security is a critical element of information security. The two go hand in hand and must be considered together. Information security is the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.
Physical security refers to protective measures taken to safeguard personnel, facilities, equipment and other assets against natural or man-made hazards by reducing risks related to burglary, sabotage, terrorism and other criminal acts.
The first step in physical security for information sensitive locations is determining if you have one. Information sensitive locations are rooms, offices and facilities, where there are computers that contain sensitive data or where there are people who have access to sensitive data.
Physical security can include.
Locking doors, windows and cupboards; using security seals on laptops and mobile devices; password protection for computers; encryption for sensitive data.
Closed circuit television cameras are an excellent way of monitoring activity around premises or in specific areas of a building.
These can be activated by movement, heat or sound and are used to alert you to intruders or people who shouldn’t be in a particular area (for example, an alarm sounding when someone tries to break into the office).
Attributes allow you to rapidly match your control selection with typical industry specification and terminology. The following controls are available in control 7.3.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventative | #Confidentiality #Integrity #Availability | #Protect | #Supplier Relationships Security | #Governance and Ecosystem #Protection |
The purpose of Control 7.3 is to prevent unauthorised physical access, damage and interference to the organisation’s information and other associated assets in offices, rooms and facilities.
The main purpose of Control 7.3 is to reduce the level of risk of unauthorised physical access to offices, rooms, and facilities, to an acceptable level by:
Control 7.3 applies to all buildings used by the organisation for offices or administrative functions. It also applies to rooms where confidential information is stored or processed, including meeting rooms where sensitive discussions take place.
It does not apply to reception areas or other public areas of an organisation’s premises unless they are used for administrative purposes (e.g. a reception area that doubles as an office).
The control 7.3 specifies that rooms and facilities must be secured. The following security measures can be taken, according to the control guidelines in ISO 27002:2022, to ensure that rooms and facilities are secure:
You can get more information on what is involved in meeting the requirements for the control in the ISO 27002:2022 standard document.
Originally published in 2013, the revised 2022 revision of ISO 27002 was released on February 15, 2022.
Control 7.3 is not a new control. It refers to a modified version of control 11.1.3 in ISO 27002. A major difference between the 2013 and 2022 versions is the change in control number. The control number 11.1.3 was replaced with 7.3. Apart from that, the context and meaning are largely the same, even though the phraseology is different.
Another difference between both controls is that the 2022 version comes with an attributes table and statement of purpose. These sections are not available in the 2013 version.
The first person to consider when it comes to securing offices, rooms and facilities is the individual who has the most control over the physical building and its contents. This person is typically the facility manager or director.
Then there’s the security manager. The security manager is responsible for making sure that all areas are secure, including the office spaces and facilities. The security manager is also in charge of keeping track of all employees who have access to these areas and making sure they’re using their access appropriately.
In some cases, however, multiple people share responsibilities for security. For example, when an individual has access to sensitive information that could be used against your company’s interests or other employees’ personal lives, it’s important to have multiple people involved in their protection.
A HR department may handle employee insurance policies and benefits while IT handles computer systems and networks; both departments may have a hand in managing physical safety as well as cyber security concerns like phishing scams and unauthorised access attempts.
No major changes are required to comply with the most recent version of ISO 27002.
You should, however, assess your current information security solution to ensure that it complies with the revised standard. If you’ve made any modifications since the last edition was released in 2013, it’s worth revisiting those adjustments to determine if they’re still relevant or if they need to be updated.
Our platform has been developed specifically for those who are new to information security or need an easy way to learn about ISO 27002 without having to spend time learning from scratch or reading through lengthy documents.
ISMS.Online comes equipped with all the tools needed for achieving compliance including document templates, checklists and policies which can be customised according to your needs.
Want to see how it works?
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
