7. Physical and Environmental Security

This category focuses on protecting the organization's physical facilities and environment to prevent unauthorized access, damage, and interference to information and information processing facilities. It includes secure areas, equipment security, and environmental controls.

Controls (A.11):

  • A.11.1.1: Physical Security Perimeter

  • A.11.1.2: Physical Entry Controls

  • A.11.1.3: Securing Offices, Rooms, and Facilities

  • A.11.1.4: Protecting Against External and Environmental Threats

  • A.11.1.5: Working in Secure Areas

  • A.11.1.6: Delivery and Loading Areas

  • A.11.2.1: Equipment Siting and Protection

  • A.11.2.2: Supporting Utilities

  • A.11.2.3: Cabling Security

  • A.11.2.4: Equipment Maintenance

  • A.11.2.5: Secure Disposal or Reuse of Equipment

  • A.11.2.6: Removal of Assets

Control A.11.1.1: Physical Security Perimeter

Audit Questions:

  • Are physical security perimeters defined and implemented?

  • How are these perimeters monitored and controlled?

Common Non-Conformities (NC):

  • Lack of defined physical security perimeters.

  • Inadequate monitoring and control of perimeters.

Control A.11.1.2: Physical Entry Controls

Audit Questions:

  • Are there controls to manage physical entry to secure areas?

  • How is access to these areas tracked and monitored?

Common Non-Conformities (NC):

  • No physical entry controls in place.

  • Lack of tracking and monitoring of access to secure areas.

Control A.11.1.3: Securing Offices, Rooms, and Facilities

Audit Questions:

  • How are offices, rooms, and facilities secured against unauthorized access?

  • What measures are in place to detect and prevent unauthorized access?

Common Non-Conformities (NC):

  • Inadequate security measures for offices, rooms, and facilities.

  • Insufficient detection and prevention of unauthorized access.

Control A.11.1.4: Protecting Against External and Environmental Threats

Audit Questions:

  • What measures are in place to protect against external and environmental threats?

  • How are these measures maintained and tested?

Common Non-Conformities (NC):

  • Lack of measures to protect against external and environmental threats.

  • Inadequate maintenance and testing of protective measures.

Control A.11.1.5: Working in Secure Areas

Audit Questions:

  • Are there procedures for working in secure areas?

  • How are these procedures communicated and enforced?

Common Non-Conformities (NC):

  • No procedures for working in secure areas.

  • Poor communication and enforcement of procedures.

Control A.11.1.6: Delivery and Loading Areas

Audit Questions:

  • How are delivery and loading areas secured?

  • What controls are in place to prevent unauthorized access through these areas?

Common Non-Conformities (NC):

  • Inadequate security of delivery and loading areas.

  • Lack of controls to prevent unauthorized access through these areas.

Control A.11.2.1: Equipment Siting and Protection

Audit Questions:

  • How is equipment sited and protected to reduce risks from environmental threats and hazards?

  • Are there controls in place to secure equipment?

Common Non-Conformities (NC):

  • Poor siting and protection of equipment.

  • Lack of controls to secure equipment against environmental threats and hazards.

Control A.11.2.2: Supporting Utilities

Audit Questions:

  • Are supporting utilities (e.g., power, water, HVAC) protected against interruptions?

  • How are utilities monitored and maintained?

Common Non-Conformities (NC):

  • No protection for supporting utilities.

  • Inadequate monitoring and maintenance of utilities.

Control A.11.2.3: Cabling Security

Audit Questions:

  • How is cabling infrastructure protected against damage and interference?

  • Are there measures to secure cabling?

Common Non-Conformities (NC):

  • Inadequate protection for cabling infrastructure.

  • Lack of measures to secure cabling.

Control A.11.2.4: Equipment Maintenance

Audit Questions:

  • Are there procedures for maintaining equipment?

  • How is maintenance documented and monitored?

Common Non-Conformities (NC):

  • No procedures for equipment maintenance.

  • Poor documentation and monitoring of maintenance activities.

Control A.11.2.5: Secure Disposal or Reuse of Equipment

Audit Questions:

  • What procedures are in place for the secure disposal or reuse of equipment?

  • How is data securely erased from equipment before disposal or reuse?

Common Non-Conformities (NC):

  • No procedures for secure disposal or reuse of equipment.

  • Data not securely erased from equipment before disposal or reuse.

Control A.11.2.6: Removal of Assets

Audit Questions:

  • How is the removal of assets from premises controlled and authorized?

  • Are there records of assets removed?

Common Non-Conformities (NC):

  • Lack of controls and authorization for asset removal.

  • No records of removed assets.
