This clause in the Annex of ISO 27001 is all about how you manage the physical security of your business. This covers both the facilities you work in and the equipment that you use.
The first part of the clause revolves around the secure areas of your business. The objective here is to prevent any unauthorized physical access, damage and interference to your organisation’s information and information processing facilities.
So you need to review all the security measures you have on your facilities, any outsourced facilities and for your remote workers.
The standard makes this easy as it requires you to check the following:
Here at Mango we reviewed the physical building where we are housed and the buildings that some remote workers work from. We also reviewed the facility that hosts our Mango application. We checked and tested the controls we have in place. We recorded those physical items and the controls on our Plant/Equipment module in Mango. We have also implemented processes now to check those controls on a regular basis.
The second part of the clause looks at the security involved with your equipment. The objective here is prevent the loss, damage, theft or compromise of your assets and the interruption to your organisation’s operations.
So again you need to review all the equipment you use and its impact on information security.
The standard gives you great guidance around this. The standard requires you to check the following:
Here at Mango we spent a lot of time checking the controls for each of these activities. We listed all the equipment we use in our Plant/Equipment module in Mango. We then documented each control in the module. These get reviewed on a regular basis to ensure these controls are working effectively.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clause A5
Part 25 - ISO 27001 Information Security Management Standard: Clause A6
Part 26 - ISO 27001 Information Security Management Standard: Clause A7
Part 27 - ISO 27001 Information Security Management Standard: Clause A8
Part 28 - ISO 27001 Information Security Management Standard: Clause A9
Part 29 - ISO 27001 Information Security Management Standard: Clause A10