Housing sensitive information assets in secure areas such as secure server rooms and implementing strict physical access controls is not, on its own, sufficient to keep those assets secure.
Control 7.6 addresses how organisations can protect information assets held in secure areas against the risks posed by the personnel who work in those areas.
Control 7.6 requires organisations to put in place appropriate security measures that apply to all personnel working in secure areas, so that they cannot access, use, modify, destroy, damage or otherwise interfere with information assets or information processing facilities without authorisation.
Control 7.6 is preventive in nature: it requires organisations to maintain the confidentiality, integrity and availability of information assets housed in secure areas by reducing the risks that arise from personnel misconduct.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical Security | #Protection |
Because Control 7.6 requires organisations to design and apply security measures covering all operations carried out in secure areas, the Information Security Officer (ISO) should be responsible for creating, implementing and maintaining those measures, taking into account the level of risk to each designated secure area.
When designing and applying security controls for secure areas, the Information Security Officer should work with the facilities management team and the information asset owners so that the designed measures are put into practice effectively.
Control 7.6 highlights that security measures should cover all personnel working in secure areas and should apply to all activities carried out in these areas.
While the type and degree of security measures implemented may vary depending on the level of risk to specific information assets, Control 7.6 lists six specific requirements that organisations should adhere to:
ISO/IEC 27002:2022 Control 7.6 replaces ISO/IEC 27002:2013 Control 11.1.5.
While both versions are similar to some extent, the 2022 version is more comprehensive in its requirements for the security measures to be implemented.
In particular, the 2022 version introduces two new requirements that organisations should take into account when implementing security measures for secure areas:
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |