ISO 27701, Clause 6.8 – Physical and Environmental Security

ISO 27701 Clause 6.8.1.1 – Physical Security Perimeter

References ISO 27002 Control 7.1

Perimeter protection operates on the principle of creating continuous internal physical barriers, that prevent unauthorised access to private information.

To maintain an end-to-end perimeter protection operation, organisations should prevent physical access to PII by:

• Defining and implementing security perimeters that take into account the storage of sensitive data (PII).
• Maintaining ‘physically sound’ perimeters that provide secure access 24/7.
• Locking all exterior entry and exit points when no personnel are in attendance (and securing ventilation points, where appropriate).
• Protecting doors with alarms and secure access measures (keycodes, auto-locking mechanisms etc).
• Maintaining a robust set of alarmed fire doors, that take into account prevailing legislation on the construction of exterior and interior access points.
• Preparing contingency plans that allow for increased security during critical situations or security incidents.

ISO 27701 Clause 6.8.1.2 – Physical Entry Controls

References ISO 27002 Control 7.2

Whereas ISO 27701 6.8.1.1 focuses on security perimeters, clause 6.8.1.2 outlines general principles to ensure that only authorised personnel are able to access areas that contain PII and privacy-related assets.

General Guidance

Organisations should:

• Uniformly restrict access to entire sites, buildings and office facilities to authorised personnel only (including emergency exit points).
• Conduct periodical reviews of access levels, which should include a blanket update of all access levels, as required (see ISO 27002 control 5.18).
• Keep a logbook, or create a digital audit trail, of site and room access (see ISO 27002 control 5.33).
• Develop and install technical access measures (keycards, fobs, biometric entry systems, coded alarms etc.).
• Maintain a monitored reception area.
• Examine the personal belongings of internal and external personnel, prior to entry (N.B. regional laws on the inspection of personal property may inhibit organisations from doing this).
• Enforce site-wide photo ID regulations.
• Providing visitors with restricted access to any area that stores or processes PII or privacy-related information.
• Create contingency plans for incidents and critical scenarios.
• Maintain a key management system that logs, audits, maintains, grants and revokes access to authentication methods such as door entry systems and combination locks (see ISO 27002 control 5.17).

Visitors

When allowing visitors access to restricted areas, organisations should:

• Verify the identity of the visitor, before providing access.
• Log the date and time of a visit.
• Ensure that the nature of the visit is understood and recorded, and is appropriate within the context of the physical area being accessed.
• Ensure that the visitor is supervised, where relevant.

Delivery and Loading Areas

When designing and operating a loading area, organisations should:

• Restrict access to loading areas to verified companies and individuals.
• Construct the loading area so that no other part of the premises is accessible without the proper authorisation.
• Check received deliveries for hazardous, illegal and explosive materials, and tampering, before moving their contents around the premises.
• Log incoming deliveries in line with organisational asset management controls (see ISO 27002 controls 5.9 and 7.10).
• Offer a space for personnel to physically separate incoming and outgoing material.

Relevant ISO 27002 Controls

• ISO 27002 5.9
• ISO 27002 5.17
• ISO 27002 5.18
• ISO 27002 5.33
• ISO 27002 7.10

ISO 27701 Clause 6.8.1.3 – Securing Offices, Rooms and Facilities

References ISO 27002 Control 7.3

Physical protection of PII and privacy-related assets also extends to rooms inside of an established security perimeter. To secure offices, rooms and facilities, organisations should:

To protect internal facilities, organisations should:

• Avoid constructing office facilities that allow members of the public free access, without proper authorisation.
• Where PII processing facilities are concerned, avoid signage indicating the purpose of the facility (internally or externally).
• Construct facilities that prevent personnel being visible to the public, with appropriate electromagnetic shielding installed if required.
• Hide the presence of PII-processing facilities from online map platforms and communications directories.

ISO 27701 Clause 6.8.1.4 – Protecting Against External and Environmental Threats

References ISO 27002 Control 7.5

A ‘threat’ can be construed as any major event that has the potential to impact PII or privacy-related assets.

Organisations should embark upon a threat risk assessment before carrying out ‘critical operations’, that take into account changes in the threat environment, including both physical (e.g criminal activity) and environmental (floods, fires etc.) threats.

When constructing physical premises, organisations should take into consideration:

• Local geographic and topological factors, including land features, nearby water and the potential for an earthquake.
• Any threats emanating from human sources within urban areas, such as terrorist or criminal activity, and political violence/unrest.

Once the risk assessment is complete, organisations should develop a series of controls that seek to both prevent and minimise the risk of a threat occurring, or reoccurring.

ISO mentions fire, flooding, electrical surges and explosives/weapons as being of particular importance. If resources are stretched, organisations should focus on these four areas as a priority.

ISO 27701 Clause 6.8.1.5 – Working In Secure Areas

References ISO 27002 Control 7.6

Organisations need to safeguard PII and privacy-related assets by implementing a secure working policy for all personnel, that takes into account job roles and physical protection measures.

When formulating working policies in secure areas, organisations should:

• Ensure that staff operate on a ‘need to know’ basis.
• Avoid leaving staff unsupervised for extended periods of time.
• Ensure that all relevant doors are locked, and low footfall or permanently vacant areas are subject to periodic inspections.
• Monitor and control the use of personal and organisational endpoint devices, to a level that is proportionate with the data being held.
• Clearly display contingency plans and emergency procedures, so that personnel understand how to react to critical scenarios.

ISO 27701 Clause 6.8.1.6 – Delivery and Loading Areas

References ISO 27002 Control 7.2

See ISO 27701 Clause 6.8.1.2 (above).

Supporting Controls From ISO 27002 and GDPR

How ISMS.online Helps

How do we help?

In order to achieve ISO 27701 you must build a Privacy Information Management System (PIMS). With our preconfigured PIMS you can quickly and easily organise and manage customer, supplier and staff information to fully comply with ISO 27701.

You can also accommodate the growing number of global, regional and sector-specific privacy regulations we support on the ISMS.online platform.

To achieve certification to ISO 27701 you must first achieve certification to ISO 27001. The good news is that our platform can help you do both.

Find out more by booking a hands on demo.