Background
----------

ISO/IEC 27002:2022 clause 7.1 indicates that "Security perimeters should be defined and used to protect areas that contain information and other associated assets [in order] to prevent unauthorized physical access, damage and interference to the organization's information and other associated assets."

Policy statements
-----------------

1. The physical security controls for facilities housing substantial quantities of IT equipment should be based on a structured assessment of physical risks.
2. Business-critical IT equipment should ideally be housed in purpose-built, physically secure IT facilities.
3. Location managers should regularly review and enhance physical security controls in collaboration with the Information Security Manager/CISO.
4. Physical access to corporate sites, especially areas with valuable IT equipment and data, should be restricted to authorised personnel.
5. Everyone on site should display valid photo identification badges (clearly identifying them as employees, contractors or visitors).
6. Visitors, particularly in critical areas, should be escorted during their stay on the premises. Unescorted visitors should be challenged.
7. Physical access to sensitive areas should be strictly controlled, with access rights regularly reviewed and updated.
8. Business-critical IT systems should be located in areas protected by intruder alarms or regular security patrols, with shared hardware secured in locked rooms or cabinets.
9. Business-critical or sensitive IT equipment should be protected against physical hazards such as proximity to ground-floor windows and water/sewage pipes.
10. Portable computers and media should be securely locked away when not in use.
11. Sensitive corporate or personal information must be securely stored when not in use, with adequate storage facilities and clear desk/clear screen procedures enforced.
12. Critical data should be stored on network servers and network-attached storage in a physically secured data center, rather than on individual desktops or laptops.

Notes
-----

This is a "skeleton" policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.