How to implement equipment physical protection according to ISO 27001 A.11.2

Most companies today have logical (software-based) controls in place to protect themselves from malicious software (viruses, trojans, etc.), to prevent employees from accessing malicious sites (filtering addresses through proxy servers), or to encrypt information when it is sent/received through email. However, I often find companies that neglect the physical protection of equipment, perhaps because many companies think that security issues are handled if they buy a good anti-virus, proxy, or any other good software solution.

Regarding physical protection of equipment, I like to differentiate between two types of measures: those that directly affect the equipment (for example: maintenance of equipment, reuse of equipment, etc.), and those that indirectly affect the equipment (such as supporting utilities, cabling security, etc.).

By the way, this article about physical security might be interesting for you: Physical security in ISO 27001: How to protect the secure areas.

In this article, I will first give you some suggestions and best practices on measures that indirectly affect the equipment, and in the second part I will explain the protection of the physical equipment itself, which will help your organization keep its information secure. For these tips, I will follow subsection A.11.2 of Annex A of ISO 27001:2013, which focuses on the physical security of equipment.

The controls for equipment physical protection in A.11.2 of ISO 27001:2013, all of which are covered below:
  • Equipment siting and protection (control A.11.2.1)
  • Supporting utilities (control A.11.2.2)
  • Cabling security (control A.11.2.3)
  • Equipment maintenance (control A.11.2.4)
  • Removal of assets (control A.11.2.5)
  • Security of equipment and assets off-premises (control A.11.2.6)
  • Secure disposal or reuse of equipment (control A.11.2.7)
  • Unattended user equipment (control A.11.2.8)
  • Clear desk and clear screen policy (control A.11.2.9)

So, let’s start first with controls that indirectly affect the equipment.


Supporting utilities (control A.11.2.2)

It seems obvious that the equipment must be connected to a power outlet, and in many cases there is a UPS and/or a generator that can provide power if the main energy supplier fails. But, often I find companies that have never tested their alternative energy supply, or do not know its capacity, i.e., how long the business can keep working on this alternative energy at its real load. Therefore, it is not only important to establish an alternative, but also to define a maintenance plan and the tasks that will be performed (for example, a periodic test under realistic load, checking that the UPS bridges the gap until the generator takes over). And, it is highly recommended that you generate a report with results (conclusions, failures, duration of the tests, etc.).

I have also found companies that work in a shared facility, and they have a generator that is managed by a third party. Well, it shouldn’t be a problem – you can request from your service provider a maintenance plan and tests (and my recommendation is that this should be defined in an agreement).

Cabling security (control A.11.2.3)

In this case, it also seems obvious that today's technologies are not possible without cables (network cables, power supply cables, cables for telephones, etc.), and it is very common that nobody bothers to organize the wiring in a structured way. The purpose of this control is to protect cabling from interception, interference or damage, so, to avoid mistakes (someone disconnecting a cable by accident, or even breaking it) and to make tampering harder:

  • wiring must not be loose or untagged
  • it must be gathered and channeled through routes prepared for laying cable (along the wall, along the server racks, etc.)
  • cabinet racks, electrical panels, or any other material that protects and channels cables should be used, and they should be locked

In this case, I have also found companies that have a robust and impressive rack protected with a padlock, but with the key left in the lock; please, do not do this! This is no better than not having a rack at all.

Clear desk and clear screen policy (control A.11.2.9)

Generally, today's users are aware and know that they should not write their password on a sticky note and stick it on the screen of their computer, or on their desk. However, this issue should not be neglected, nor should you assume that users are aware of clear desk/clear screen practices. So, you must set policies that remind users that they should not leave any sensitive information lying around in their workspaces (passwords, usernames, configuration details, client or supplier data, etc.), and that they should lock their screen whenever they leave their desk.

This article will explain the details: Clear desk and clear screen policy – What does ISO 27001 require?

ISO 27001 A.11.2 – How to implement equipment physical protection

Software is not the solution for everything

I’m sure you know that software is not a solution for everything related to the information security of your business, because attackers can go after your equipment in many different ways. The point is that there are many threats related to physical security and the protection of physical equipment, and attackers know it: equipment is a weak point in many companies (think of an unattended laptop, an unlocked rack, or a discarded hard drive that was never wiped).

In this second part of the article you will learn more about physical equipment protection methods and measures that directly protect the equipment of your organization (meaning that the measures act on the equipment itself, for example, maintenance of equipment, reuse of equipment, etc.). We will again follow the structure of Annex A of ISO 27001 and the implementation guidance of ISO 27002.

Equipment siting and protection (control A.11.2.1)

The equipment should be located in a safe location where the conditions for proper operation are met (humidity, temperature, etc.). Therefore, it is important to install humidity and temperature sensors, and to monitor these conditions in order to allow the equipment to operate properly. When talking about working conditions, remember that the equipment is designed to work within certain limits, and many computers (especially servers) will shut down automatically the moment these limits are exceeded (for example, high temperatures). They do this mainly to prevent damage to the equipment, which consequently implies an interruption to your business; your own alert thresholds should therefore be set below the hardware's shutdown limits, so that you are warned before the server protects itself.

Here it is also important that the equipment be sited in a safe location to minimize unnecessary access, and for this you can use different work areas, protecting them with physical access control. And, it is also important that the information processing facilities handling sensitive data be positioned carefully, so that screens and printouts cannot be seen by unauthorized persons while they are in use.

On the other hand, when it comes to the protection of physical equipment, to maintain an adequate environment it is also good practice to establish a rule that employees do not eat, smoke, or drink in the vicinity of the equipment.

Equipment maintenance (control A.11.2.4)

This is another point that companies often neglect, and one with significant improvement potential. Since all equipment has a life cycle, you must make periodic checks of its status, i.e., its general health. In this case, companies typically hire a maintenance service for the equipment (especially for servers and desktops), particularly if the company does not have its own IT department with specialist knowledge. (Remember: today's data centers can be very complex and expensive. You should only allow experts to open your racks and deal with hardware issues.) In any case, a clear plan for review should be established (with respective responsibilities) at least annually, following the manufacturer's recommended service intervals. The status of the organization's equipment should be checked, generating a report indicating the reviewed equipment and its condition (e.g., working properly; a specific component needs maintenance or replacement; etc.). If equipment has to be sent out for repair, remove or protect the sensitive information it holds before it leaves, and inspect the equipment before putting it back into operation.

Removal of assets (control A.11.2.5)

The equipment should not leave the facilities of the organization without permission (this is also applicable to the information and the software). Although that may seem obvious, quite often I find that, e.g., an employee takes a corporate laptop home when, in the majority of cases, that hasn't been approved formally. And, this is fundamental: establish control of equipment that leaves the company's facilities by defining, e.g., what the reason is, who is in charge of the equipment, how long it will be out, where it will be, etc., and record its return. We should not forget that this is the equipment of the organization, and the organization has the right to know the details of what goes outside its facilities.

If the company is very small (fewer than 10 employees), and they usually work with the equipment outside the office, it is also recommended that the CEO write a circular letter with clear rules for taking equipment out of the office.

One more thing: Although the name of this control implies asset removal, the control itself explains what to do, i.e., how to behave when taking assets off-site. Regarding the assets, this article can help you to handle the asset register: How to handle Asset register (Asset inventory) according to ISO 27001.

Security of equipment and assets off-premises (control A.11.2.6)

When equipment goes off the premises, it is not only important to ensure that its storage is encrypted (full-disk encryption, so that a lost or stolen device does not expose the data). The employees who take equipment out of the facility must also ensure its physical safety at all times, with special attention in public places (never leave it unattended), and take care not to let it become damaged. These same measures should also apply if the employee works from home.

Secure disposal or reuse of equipment (control A.11.2.7)

As you know, all equipment has a life cycle, after which it is necessary to get rid of it. Be careful with this point: remember that your organization's information is stored on computers/servers, and it can remain there even if you believe you have removed it (a normal delete or a quick format only removes the references to the data, not the data itself). Therefore, to avoid possible leakage of information from computers that are reused or eliminated, you should safely dispose of the information (through software that overwrites the whole drive, or the drive's own secure-erase command), or physically destroy the hard drive that contains the information. If you want to add an additional layer of security, you can encrypt the information before destroying it; in this way, in the hypothetical case that someone could recover the information through some mechanism, they would then have to decrypt it. Note that this only adds a layer if the drive was encrypted from the start: encrypting the files at end of life does not reach the remnants of old plaintext in unallocated areas, whereas a drive that was fully encrypted throughout its life can be retired simply by destroying the key. One more caveat: on SSDs, overwriting from software does not reliably reach every flash cell, so use the firmware secure erase or physical destruction instead.
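The following script is an added example and is not part of the original article or of any ISO document. It shows what "safely dispose of the information through software" means in practice for a magnetic disk: overwrite the whole target and then verify that a known piece of plaintext is gone and that every byte reads back as zero. The 1 MiB "disk" image, the marker string and the `--demo` switch are constructed for the example; on a real system you would pass a device node such as /dev/sdX and run as root.

```shell
#!/bin/sh
# Added example (not from the article): software wipe of a storage target, with a
# check that known plaintext is gone afterwards. The demo image and the marker
# string are constructed here; a real run would pass a device node such as /dev/sdX
# (as root). Overwriting is suitable for magnetic disks only: SSDs keep stale copies
# in blocks the OS cannot address, so use the firmware's own erase (nvme format,
# hdparm --security-erase) or destroy the key of a fully encrypted drive instead.
set -u

# Size in bytes of a regular file or a block device.
size_of() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Does the target still hold the plaintext marker anywhere (any offset, binary-safe)?
contains_plaintext() {
    grep -a -q -- "$2" "$1"
}

# Overwrite the whole target: one random pass, then a zero pass so the result can be
# verified cheaply. Each pass is flushed to the medium before the next one starts.
wipe_target() {
    target="$1"
    size=$(size_of "$target")
    head -c "$size" /dev/urandom | dd of="$target" bs=1048576 conv=notrunc 2>/dev/null
    sync
    head -c "$size" /dev/zero | dd of="$target" bs=1048576 conv=notrunc 2>/dev/null
    sync
}

# Every byte zero? (tr strips NUL bytes; anything left means the wipe missed data.)
is_zeroed() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Constructed 1 MiB "disk" with the secret at the start, in the middle and near the
# end, imitating data left behind after an ordinary delete or a quick format.
make_demo_image() {
    marker="$1"
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    for offset in 0 524288 1048000; do
        printf '%s' "$marker" | dd of="$img" bs=1 seek="$offset" conv=notrunc 2>/dev/null
    done
    printf '%s\n' "$img"
}

# Stand-alone demonstration: run as "sh wipe.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    secret="CUSTOMER-RECORD-12345"
    img=$(make_demo_image "$secret")
    contains_plaintext "$img" "$secret" && echo "before wipe: plaintext present"
    wipe_target "$img"
    if contains_plaintext "$img" "$secret"; then
        echo "after wipe: plaintext STILL PRESENT"
    else
        echo "after wipe: plaintext gone"
    fi
    is_zeroed "$img" && echo "after wipe: all bytes zero"
    rm -f "$img"
fi
```

The verification step is the part most disposal procedures skip: the report for A.11.2.7 should record not only that a wipe was run but that a read-back of the medium found nothing. The same `contains_plaintext` check, run against a copy of a drive that only had its files deleted, is a quick way to show management why deletion alone is not disposal.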

By the way, this article might be interesting for you: Secure equipment and media disposal according to ISO 27001.

Unattended user equipment (control A.11.2.8)

As you know, users have to be trained to protect the equipment that they are using. For example, say an employee needs to go to the bathroom, or goes outside to talk on the phone or to smoke. It happens, many times, that they leave an open session on their systems, i.e., access to the computer is not locked. In real life, many companies control such situations through a centralized server (e.g., a group policy or an MDM profile), forcing the system to lock the screen or log out the user automatically after a certain period without activity, with a setting the user cannot override. But, regardless of this, it is also recommended to raise awareness, giving information about the risks of unattended user equipment, which will also create a culture of information security.
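As an added example (not from the article), the script below shows the server-side half of that control for interactive shell sessions on Linux/Unix hosts such as servers and jump hosts: it renders a profile drop-in that logs an idle session out, and it audits an existing drop-in for the two things that make the control enforceable rather than advisory, a timeout at or below the limit and a read-only variable. Graphical workstations need the equivalent screen-lock timeout pushed by group policy or MDM, which is not shown here. The 15-minute limit, the drop-in path and the `--demo` switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): enforce and audit an idle timeout for
# interactive shell sessions. TMOUT is honoured by bash, ksh and zsh; 'readonly'
# stops a user from running 'unset TMOUT' or raising it in their own session.
# The 15-minute limit and the drop-in path are assumptions for the example.
set -u

MAX_IDLE_SECONDS=900
POLICY_PATH=/etc/profile.d/idle-timeout.sh   # assumed deployment path

# Render the drop-in that makes interactive shells exit after MAX_IDLE_SECONDS idle.
render_idle_policy() {
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$MAX_IDLE_SECONDS"
}

# Audit one profile fragment. Returns 0 only if it sets TMOUT to a non-zero value
# at or below the limit and makes it readonly; prints the reason otherwise.
audit_idle_policy() {
    file="$1"
    # last TMOUT assignment wins, with or without an 'export'/'readonly' prefix
    tmout=$(sed -En 's/^[[:space:]]*((export|readonly)[[:space:]]+)?TMOUT=([0-9]+).*/\3/p' "$file" | tail -n 1)
    if [ -z "$tmout" ]; then
        echo "FAIL: $file does not set TMOUT"
        return 1
    fi
    if [ "$tmout" -eq 0 ] || [ "$tmout" -gt "$MAX_IDLE_SECONDS" ]; then
        echo "FAIL: $file allows ${tmout}s of idle time (limit ${MAX_IDLE_SECONDS}s, 0 = disabled)"
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT([[:space:]=]|$)' "$file"; then
        echo "FAIL: $file leaves TMOUT writable (a user can run 'unset TMOUT')"
        return 1
    fi
    echo "OK: $file enforces a ${tmout}s idle timeout"
}

# Stand-alone run ("sh idle-timeout.sh --demo"): audit the rendered policy next to a
# weak one. Deploying for real would be: render_idle_policy > "$POLICY_PATH".
if [ "${1:-}" = "--demo" ]; then
    good=$(mktemp); bad=$(mktemp)
    render_idle_policy > "$good"
    printf 'TMOUT=3600\n' > "$bad"          # too long, and not readonly
    audit_idle_policy "$good"
    audit_idle_policy "$bad"
    rm -f "$good" "$bad"
fi
```

Two caveats when using this: TMOUT is not implemented by dash, so the control only holds if the login shells allowed on the host are ones that honour it; and the audit checks the deployed file, not the running sessions, so a host that was already logged in before the drop-in was pushed keeps its old setting until the user logs out.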

The organization not only works with hardware, software, or digital data – it works with people

These physical equipment protection methods and measures help to directly protect the equipment in your organization, and here it is crucial to educate and raise awareness among the staff of the organization. A security software solution (firewall, anti-virus, etc.) does not solve all the problems; we need to implement additional security controls that are not related to software but to the awareness of people, who need to apply adequate security controls directly to the equipment they use.

To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Author: Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.