ISO 27002:2022, Control 7.3 – Securing Offices, Rooms and Facilities

ISO 27002:2022 Revised Controls

What Is Control 7.3?

Control 7.3 of ISO 27002:2022 covers the design and implementation of physical security for offices, rooms and facilities.

The control requires organisations to have appropriate measures in place to prevent unauthorised physical access to rooms, offices and facilities, especially those in which sensitive information is stored or processed, using locks, alarms, security guards or other appropriate means.

Physical Security for Offices, Rooms and Facilities Explained

Physical security is a critical element of information security. The two go hand in hand and must be considered together. Information security is the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.

Physical security refers to protective measures taken to safeguard personnel, facilities, equipment and other assets against natural or man-made hazards by reducing risks related to burglary, sabotage, terrorism and other criminal acts.

The first step is to identify which of your locations are information-sensitive. Information-sensitive locations are rooms, offices and facilities that house systems holding sensitive data, or in which people with access to sensitive data work.

Physical security measures can include:

Locks and Keys

Locking doors, windows and cupboards, and fitting security seals or cable locks to laptops and mobile devices. Password protection for computers and encryption of sensitive data are logical rather than physical controls, but they limit what an intruder who does gain physical access can obtain, so they belong alongside the physical measures.

CCTV

Closed circuit television cameras are an excellent way of monitoring activity around premises or in specific areas of a building.

Intruder Alarms

These can be triggered by movement, heat or sound and alert you to intruders or to people who should not be in a particular area (for example, an alarm sounding when someone tries to break into the office).

Attributes Table

Attributes allow you to rapidly match your control selection with typical industry specifications and terminology. The attributes assigned to Control 7.3 are:

Control type                     | #Preventive
Information security properties  | #Confidentiality #Integrity #Availability
Cybersecurity concepts           | #Protect
Operational capabilities         | #Physical_security #Asset_management
Security domains                 | #Protection

What Is the Purpose of Control 7.3?

The purpose of Control 7.3 is to prevent unauthorised physical access, damage and interference to the organisation’s information and other associated assets in offices, rooms and facilities.

In practice, Control 7.3 aims to reduce the risk of unauthorised physical access to offices, rooms and facilities to an acceptable level by:

  • Preventing physical access to offices, rooms and facilities by anyone other than authorised personnel.
  • Preventing damage to, or interference with, the organisation’s information and other associated assets inside offices, rooms and facilities.
  • Keeping information security sensitive areas unobtrusive, so that it is hard for outsiders to determine their purpose.
  • Minimising the risk of theft or loss of property within offices, rooms and facilities.
  • Ensuring that people with authorised physical access can be identified (for example, through a combination of badges, electronic door entry systems and visitor passes).
  • Providing CCTV or other surveillance over key areas such as entrances and exits, where possible.

Control 7.3 applies to all buildings used by the organisation for offices or administrative functions. It also applies to rooms where confidential information is stored or processed, including meeting rooms where sensitive discussions take place.

It does not apply to reception areas or other public areas of an organisation’s premises unless they are used for administrative purposes (e.g. a reception area that doubles as an office).

What Is Involved and How to Meet the Requirements

Control 7.3 specifies that offices, rooms and facilities must be secured. According to the guidance in ISO 27002:2022, the following measures can be taken to achieve this:

  • Siting critical facilities so that they cannot be accessed by the public.
  • Where applicable, keeping buildings unobtrusive and giving minimal indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.
  • Configuring facilities so that confidential information and activities are not visible or audible from outside. Electromagnetic shielding should also be considered where appropriate.
  • Not making directories, internal telephone books or online maps that identify the locations of confidential information processing facilities readily available to unauthorised persons.

You can get more information on what is involved in meeting the requirements for the control in the ISO 27002:2022 standard document.

Changes and Differences from ISO 27002:2013

The previous edition of ISO 27002 was published in 2013; the revised 2022 edition was released on 15 February 2022.

Control 7.3 is not a new control. It is a modified version of control 11.1.3 in ISO 27002:2013. The most visible difference between the two versions is the renumbering from 11.1.3 to 7.3; apart from that, the context and meaning are largely the same, even though the wording differs.

The 2022 version also comes with an attributes table and a statement of purpose, neither of which exists in the 2013 version.

Who Is in Charge of This Process?

The first person to consider when it comes to securing offices, rooms and facilities is the individual with the most control over the physical building and its contents, typically the facilities manager or director.

Then there is the security manager, who is responsible for making sure that all areas, including office spaces and facilities, are secure. The security manager also keeps track of which employees have access to these areas and ensures that they use that access appropriately.

In many cases, however, responsibility for security is shared. For example, where individuals have access to sensitive information that could be used against the company’s interests or against other employees’ privacy, it is important that more than one function is involved in protecting it.

The HR department may handle employee policies and benefits while IT handles computer systems and networks; both departments may have a hand in managing physical security as well as cyber security concerns such as phishing and unauthorised access attempts.

What Do These Changes Mean for You?

No major changes are required to comply with the most recent version of ISO 27002.

You should, however, assess your current ISMS against the revised standard. If you have made modifications since the 2013 edition was released, revisit them to determine whether they are still relevant or need updating.

How ISMS.Online Helps

Our platform has been developed specifically for those who are new to information security or need an easy way to learn about ISO 27002 without having to spend time learning from scratch or reading through lengthy documents.

ISMS.Online comes equipped with all the tools needed for achieving compliance including document templates, checklists and policies which can be customised according to your needs.

Want to see how it works?

Get in touch today to book a demo.

New Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.7  | New | Threat intelligence
5.23 | New | Information security for use of cloud services
5.30 | New | ICT readiness for business continuity
7.4  | New | Physical security monitoring
8.9  | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.16 | New | Monitoring activities
8.23 | New | Web filtering
8.28 | New | Secure coding

Organisational Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.1  | 5.1.1, 5.1.2 | Policies for information security
5.2  | 6.1.1 | Information security roles and responsibilities
5.3  | 6.1.2 | Segregation of duties
5.4  | 7.2.1 | Management responsibilities
5.5  | 6.1.3 | Contact with authorities
5.6  | 6.1.4 | Contact with special interest groups
5.7  | New | Threat intelligence
5.8  | 6.1.5, 14.1.1 | Information security in project management
5.9  | 8.1.1, 8.1.2 | Inventory of information and other associated assets
5.10 | 8.1.3, 8.2.3 | Acceptable use of information and other associated assets
5.11 | 8.1.4 | Return of assets
5.12 | 8.2.1 | Classification of information
5.13 | 8.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 9.1.1, 9.1.2 | Access control
5.16 | 9.2.1 | Identity management
5.17 | 9.2.4, 9.3.1, 9.4.3 | Authentication information
5.18 | 9.2.2, 9.2.5, 9.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
6.1 | 7.1.1 | Screening
6.2 | 7.1.2 | Terms and conditions of employment
6.3 | 7.2.2 | Information security awareness, education and training
6.4 | 7.2.3 | Disciplinary process
6.5 | 7.3.1 | Responsibilities after termination or change of employment
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements
6.7 | 6.2.2 | Remote working
6.8 | 16.1.2, 16.1.3 | Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
7.1  | 11.1.1 | Physical security perimeters
7.2  | 11.1.2, 11.1.6 | Physical entry
7.3  | 11.1.3 | Securing offices, rooms and facilities
7.4  | New | Physical security monitoring
7.5  | 11.1.4 | Protecting against physical and environmental threats
7.6  | 11.1.5 | Working in secure areas
7.7  | 11.2.9 | Clear desk and clear screen
7.8  | 11.2.1 | Equipment siting and protection
7.9  | 11.2.6 | Security of assets off-premises
7.10 | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | Storage media
7.11 | 11.2.2 | Supporting utilities
7.12 | 11.2.3 | Cabling security
7.13 | 11.2.4 | Equipment maintenance
7.14 | 11.2.7 | Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
8.1  | 6.2.1, 11.2.8 | User endpoint devices
8.2  | 9.2.3 | Privileged access rights
8.3  | 9.4.1 | Information access restriction
8.4  | 9.4.5 | Access to source code
8.5  | 9.4.2 | Secure authentication
8.6  | 12.1.3 | Capacity management
8.7  | 12.2.1 | Protection against malware
8.8  | 12.6.1, 18.2.3 | Management of technical vulnerabilities
8.9  | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.13 | 12.3.1 | Information backup
8.14 | 17.2.1 | Redundancy of information processing facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | New | Monitoring activities
8.17 | 12.4.4 | Clock synchronization
8.18 | 9.4.4 | Use of privileged utility programs
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems
8.20 | 13.1.1 | Networks security
8.21 | 13.1.2 | Security of network services
8.22 | 13.1.3 | Segregation of networks
8.23 | New | Web filtering
8.24 | 10.1.1, 10.1.2 | Use of cryptography
8.25 | 14.2.1 | Secure development life cycle
8.26 | 14.1.2, 14.1.3 | Application security requirements
8.27 | 14.2.5 | Secure system architecture and engineering principles
8.28 | New | Secure coding
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance
8.30 | 14.2.7 | Outsourced development
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
8.33 | 14.3.1 | Test information
8.34 | 12.7.1 | Protection of information systems during audit testing