Physical Security Design Standards
ISO/IEC 27001 Toolkit: Version 10 ©CertiKit
Physical Security Design Standards [Insert classification]
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document
This document sets out standards for the design of secure areas.

Areas of the standard addressed
The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:
• A.11 Physical and environmental security
  o A.11.1 Secure areas
    ▪ A.11.1.1 Physical security perimeter
    ▪ A.11.1.2 Physical entry controls
    ▪ A.11.1.3 Securing offices, rooms and facilities
    ▪ A.11.1.4 Protecting against external and environmental threats
    ▪ A.11.1.6 Delivery and loading areas
  o A.11.2 Equipment
    ▪ A.11.2.1 Equipment siting and protection
    ▪ A.11.2.2 Supporting utilities
    ▪ A.11.2.3 Cabling security

General guidance
The physical layout of secure areas will obviously vary widely so this document will need to be tailored according to your specific circumstances. It is important that the correct design criteria are applied to the creation of the secure area in terms of location, perimeter, physical entry and office security controls.

Review frequency
We would recommend that this document is reviewed annually and upon significant change to the organization.
Version 1
Page 2 of 16
[Insert date]
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Physical Security Design Standards
DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: ISMS-DOC-A11-2
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution
NAME | TITLE

Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction
2 Physical security design standards
  2.1 Principles of secure areas
  2.2 Physical security perimeter
    2.2.1 Perimeter definition
    2.2.2 Reception area
    2.2.3 Physical barriers
    2.2.4 Fire doors
    2.2.5 Intruder detection systems
  2.3 Physical entry controls
    2.3.1 Visitors
    2.3.2 Access controls
    2.3.3 Audit trail
    2.3.4 Visible identification
  2.4 Securing offices, rooms and facilities
    2.4.1 Additional security
    2.4.2 Recording equipment
    2.4.3 Vacant areas
    2.4.4 Directories
  2.5 Protecting against external and environmental threats
  2.6 Public access, delivery and loading areas
    2.6.1 Access
    2.6.2 Incoming deliveries
    2.6.3 Separation of incoming and outgoing goods
  2.7 Equipment siting and protection
    2.7.1 Siting
    2.7.2 Protection
    2.7.3 Eating, drinking and smoking
    2.7.4 Environmental
    2.7.5 Lightning protection
  2.8 Supporting utilities
    2.8.1 Capacity
    2.8.2 Inspection and testing
    2.8.3 Alarms
    2.8.4 Redundancy
  2.9 Cabling security
    2.9.1 Cable routing
    2.9.2 Shielding
    2.9.3 Access control
3 Conclusion
1 Introduction
Secure areas are necessary in order to protect the physical and information assets of the organization from a loss of confidentiality, integrity or availability.
This document sets out standards to be used in creating a secure area and details how to ensure that it remains secure whilst not obstructing the business carried out within it.
This control applies to all areas within the organization which are categorised as secure.
The following policies and procedures are relevant to this document:
• Physical Security Policy
• Information Classification Procedure
• Information Labelling Procedure
• Procedure for Working in Secure Areas
2 Physical security design standards

2.1 Principles of secure areas
The design of secure areas is a complex business that requires that the designer undertake a full and comprehensive assessment of the risks associated with each specific facility, second-guessing the most likely methods of unauthorised access and addressing them one by one.
The level of security applied to any given site should be appropriate to the classification of the information processed within it. As with all security design the measures put in place must remain appropriate so that the users of the facility are not unreasonably hampered by them and are able to carry out the task for which the facility was created.
In line with the ISO/IEC 27001 information security standard there are several topics that need to be addressed when designing a secure area. These standards should be used both in the design of new areas and the review of existing ones to identify improvements.

2.2 Physical security perimeter

2.2.1 Perimeter definition
The first consideration is to define the location and perimeter of the secure area. In general, secure areas should be sited to avoid access or visibility to the public or unauthorised people and measures taken to avoid drawing attention to them. If possible, they should be physically separate from public areas and not shared with any third parties.
All entry points around the physical security perimeter must be risk assessed including lift shafts, ceilings and walls to ensure they offer a good degree of protection with no weak points.
External doors should be secure with a level of additional protection appropriate to the required security level (e.g. bars, chains, alarms and multiple locks) with due consideration of applicable fire safety regulations.
External windows around the perimeter should be locked and those on the ground floor secured with bars where possible (subject to relevant regulations).
2.2.2 Reception area
A defined reception area should be created through which all access is controlled. This should be adequately manned when the site is open and only authorised personnel admitted.

2.2.3 Physical barriers
Where appropriate, physical barriers should be installed to prevent access without the correct level of authorisation. These should prevent tailgating i.e. an unauthorised person following an authorised person through the barrier.

2.2.4 Fire doors
Fire doors should meet legal requirements and be tested on a regular basis. As standard these should be alarmed and monitored from reception.

2.2.5 Intruder detection systems
Where justified by the level of security required, intruder alarms and Closed-Circuit Television (CCTV) should be installed to protect entry points and warn of security breaches.

2.3 Physical entry controls

2.3.1 Visitors
A procedure must be put in place to sign all visitors in at reception and record details of their identity and date/time of entry and departure. Third-party visitor access to the secure area will usually need to be requested in advance and such visitors must always be supervised by an authorised member of staff.
2.3.2 Access controls
Appropriate access controls should be used at all points where the level of security changes. Server rooms or other similar facilities should have their own access control. Two-factor authentication such as a swipe or proximity card and a Personal Identification Number (PIN) must be used where information classified as confidential is stored or processed. A regular review of access rights should be undertaken to ensure that they remain current.
2.3.3 Audit trail
An audit trail of access to secure areas must be maintained either via manual completion of a signing in book or via electronic means.

2.3.4 Visible identification
All users of secure areas (including visitors) will be required to wear a visible and current ID badge.

2.4 Securing offices, rooms and facilities

2.4.1 Additional security
Individual rooms within the secure area may also be protected by additional security. Such rooms will typically include server rooms, communications rooms, Human Resources, directors’ offices and plant rooms (such as power and air conditioning). Depending on the type of facility, users of such individual rooms may need to have specific access and be required to sign in and out.

2.4.2 Recording equipment
Cameras or other video or audio recording equipment will not be allowed in secure areas without explicit prior permission.

2.4.3 Vacant areas
Vacant areas within the secure perimeter will be locked and regularly checked for signs of unauthorised entry or use. Where possible they should be alarmed.
2.4.4 Directories
Phone directories or other information regarding secure areas should not be made generally available.

2.5 Protecting against external and environmental threats
In addition to being covered by the organization’s business continuity plans, secure areas may require further consideration to ensure that any external events such as fire, flood or earthquake will not expose the confidentiality, integrity or availability of the contents. This may affect the siting of secure locations and the procedures used for reacting to events such as fires, subject to health and safety considerations.

2.6 Public access, delivery and loading areas

2.6.1 Access
Where a secure area includes the need to provide access to the public and/or to accept deliveries, this should be segregated as far as possible with a controlled interface with the secure perimeter. This should allow for two sets of doors, only one of which should be opened at a time, i.e. an airlock type arrangement.

2.6.2 Incoming deliveries
A separate delivery or holding area should be used so that deliveries may be inspected prior to them being accepted into the secure area. Such inspection should happen as soon as possible after the delivery and be comprehensive enough to assess the likelihood of any threats being present. Delivery staff should not have access to the secure area.

2.6.3 Separation of incoming and outgoing goods
Areas should be designed such that deliveries and outgoing items are not stored or processed in the same place.
2.7 Equipment siting and protection

2.7.1 Siting
The secure area should be designed such that equipment such as server farms cannot be viewed from public areas. Screens that may display sensitive information must be sited away from positions where unauthorised people might view them.

2.7.2 Protection
Where appropriate, additional protection against threats such as dust, vibration, electrical interference and chemicals should be designed into the secure area. This should be based on a comprehensive risk assessment.

2.7.3 Eating, drinking and smoking
Eating, drinking and smoking will generally not be allowed in secure areas and provision for them should not be made in the design.

2.7.4 Environmental
Appropriate environmental controls such as air conditioning must be provided, and their health must be capable of being monitored on an ongoing basis.

2.7.5 Lightning protection
Appropriate protection from lightning damage to equipment must be designed into the secure area.

2.8 Supporting utilities
Care must be taken to ensure the correct design of supporting utilities such as:
• Gas and electricity
• Water
• Ventilation
• Network communications
2.8.1 Capacity
A capacity assessment must be undertaken by a qualified individual when considering the requirements of the secure area and its contents for supporting utilities. This should allow for estimated usage plus adequate room for growth.

2.8.2 Inspection and testing
Plans should be put in place for initial and repeated inspection and testing of supporting utilities to ensure they continue to operate within manufacturer’s recommended parameters.

2.8.3 Alarms
Alarms will be installed to detect circumstances where supporting utilities are operating or are about to operate outside of normal levels.

2.8.4 Redundancy
Appropriate redundancy of supporting utilities should be designed in e.g. diverse routing for network communications and excess capacity for air conditioning.

2.9 Cabling security

2.9.1 Cable routing
Where possible, cabling should be routed underground and away from any potential sources of interference.

2.9.2 Shielding
Additional shielding against electromagnetic interference should be implemented where required. Power cables should not be routed with data cables.
2.9.3 Access control
Access to patch panels and cabling termination points should be controlled via the use of locked access panels and cabinets. Cabling should not be routed via public areas.
3 Conclusion
Designing a secure area is an involved task which needs to have a clear set of requirements to meet. The intention of these standards is to set out a baseline for such requirements that complies with the ISO/IEC 27001 international standard for information security.
The overall and ongoing security of the area in question will of course depend upon several factors including the procedural controls put in place and how well they are complied with. However, without adequate thought being put into the design from the start it will be much more difficult to keep our information assets secure.