Physical security for information systems refers to the preventive measures put in place to stop people entering physical premises that would give them access to information. The most obvious example is having locks, alarms and perhaps security guards on the premises at your organisation, so that only authorised personnel can enter.
Environmental controls are mechanisms put in place to protect your organisation's information and resources from any environmental impact.
This could include (but is not limited to) the threat of floods, earthquakes, fires, or extreme weather conditions.
Any of these threats could result in interruptions to your organisation and its information, such as power outages, blockages of communication, or the lack of access to filtered water and gas.
Physical controls are important because you do not want just anybody having access to your information. In order to implement effective physical controls, you must review the physical building your organisation is set up in, and any other buildings that employees may work from or where information may be held.
You may also need to review any hosts of your product or service (for example, if you are a software company) and ensure the host of your service is protected.
You then need to record this information and review it regularly to ensure it is always secure.
Environmental controls are important for information security because if there is a failure in environmental controls, there could be a threat of loss of important information or data.
For example, if an environmental force causes a power outage at the offices of your organisation, you may be at risk of losing information that is not backed up or secure.