The ISO 27001 Physical Security Policy sets out how you manage the physical security of your premises, buildings and offices to protect the confidentiality, integrity and availability of data.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Physical Security Policy Template
- Why you need it
- When you need it
- Who needs it?
- Where you need it
- How to write it
- How to implement it
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Physical Security Policy Example
- ISO 27001 Physical Security Policy FAQ
What is it?
An ISO 27001 Physical Security Policy is your company’s rulebook for keeping your office, equipment, and data safe from physical threats. Think of it as a guide to protect your stuff from things like break-ins, fires, floods, and even unauthorised visitors. It’s a key part of your overall security plan.
Applicability to Small Businesses, Tech Startups, and AI Companies
This policy is useful for any size company, no matter how big or small you are. Here’s how it applies:
- Small Businesses: It helps you formalise simple things like locking the office door at night and keeping a visitor log.
- Tech Startups: It’s crucial for protecting your valuable server room, development equipment, and intellectual property from theft.
- AI Companies: It’s essential for securing the physical location of your servers and the sensitive data used to train your AI models.
ISO 27001 Physical Security Policy Template
The ISO 27001:2022 Physical Security Policy Template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
Why you need it
You need this policy because your digital information isn’t the only thing at risk. Your servers, laptops, and hard drives are all physical objects that need protection. This policy helps you make sure your building is secure, your equipment is locked down, and only the right people can access sensitive areas. It shows that you’re serious about security in the real world, not just online.
When you need it
You need this policy from the moment you start setting up your business. It’s a foundational document. You’ll use it every day to make sure your office is locked up at night, to manage who gets a key card, and to handle any physical security incidents. It’s a plan you’ll rely on constantly.
Who needs it?
Everyone in your company needs to be aware of and follow this policy. This includes employees, contractors, and even visitors. While a manager or the security team might write it, everyone has a part to play, like making sure doors are locked and not sharing access cards.
Where you need it
This policy applies to all your physical locations where you handle sensitive information. This includes your main office, any data centers, and even the home offices of your remote workers. It’s about protecting your physical assets wherever they are.
How to write it
Writing a good policy is all about keeping it simple and clear. You should cover things like how to control access to your building, who can get a key or key card, and what to do in an emergency. Use straightforward language and even a few diagrams or photos to make it easy for everyone to understand.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Physical Security Policy
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
- Write the ISO 27001 Physical Security Policy contents page
Document Contents Page
Physical and Environmental Security Policy
Purpose
Scope
Principle
Physical Security Perimeter
Secure Areas
Employee Access
Visitor Access
Delivery and Loading Areas
Network Access Control
Cabling Security
Equipment Siting and Protection
- Write the ISO 27001 Physical Security Policy purpose
The purpose of the policy is to prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.
- Write the ISO 27001 Physical Security Policy principle
Physical and environmental security policy is built on the principle of exceeding Health and Safety regulation whilst protecting the most sensitive physical assets based on risk.
- Write the ISO 27001 Physical Security Policy scope
All company owned or leased premises or locations deemed in scope by the ISO 27001 scope statement. Out of scope is third party and supplier physical and environmental security.
All employees and third-party users.
- Describe physical security perimeter controls
The physical perimeter of the building or site containing information processing facilities is physically sound. The exterior roof, walls and flooring of the site are of solid construction and all external doors are suitably protected against unauthorised access with control mechanisms (list them – for example: bars, alarms, locks, enter-cards).
Doors and windows are locked when unattended and external protection in the form of bars is in place for windows, particularly at ground level.
Access to sites and buildings is restricted to authorised personnel.
A crewed reception area grants access to the building and maintains a record of access.
All fire doors on a security perimeter are alarmed, monitored, and tested in conjunction with the walls to establish the required level of resistance in accordance with suitable regional, national, and international standards. They should operate in accordance with the local fire code in a failsafe manner.
Suitable intruder detection systems are installed to national, regional, or international standards.
Information processing facilities managed by the organisation are physically separated from those managed by external parties.
- Document secure areas controls
Access rights to secure areas are regularly reviewed and updated and revoked when necessary.
Access to secure areas defaults to deny.
Access to areas where confidential information is processed or stored is restricted to authorised individuals only, by implementing appropriate access controls (list them – for example: a two-factor authentication mechanism such as an access card and secret PIN).
Logs of access are held and maintained for a minimum of 3 months.
External third-party support service personnel are granted restricted access to secure areas or confidential information processing facilities only when required and always accompanied; this access is authorised and monitored.
Photographic, video, audio, or other recording equipment, such as cameras in mobile devices, is not permitted in secure areas unless authorised.
- Explain employee access
Employee access is based on least privilege, providing access based on role.
Access control tokens (badges) are allocated to identify the employee or personnel and must always be worn.
Access control tokens (badges) are not shared, transferred, or loaned.
Access is revoked immediately upon termination and all physical access tokens are disabled and must be returned.
- Explain visitor access
Visitors are allowed unfettered access to the public areas.
Visitors are issued with instructions on the security requirements of the area and on emergency procedures.
Visitors are recorded in the visitor logbook and the information maintained for a minimum of 3 months.
Visitors are allocated a visitor pass that clearly identifies the visitor status, denies access to secure areas, and expires at the end of the business day on which issued.
Visitor access to secure areas requires verification of identity and presenting photographic identification.
Visitors are always escorted, except in the use of public areas and bathrooms.
- Describe delivery and loading area controls
Access to a delivery and loading area from outside of the building should be restricted to identified and authorised personnel.
The delivery and loading area should be designed so that supplies can be loaded and unloaded without delivery personnel gaining access to other parts of the building.
The external doors of a delivery and loading area should be secured when the internal doors are opened.
Incoming material should be inspected and examined for explosives, chemicals, or other hazardous materials, before it is moved from a delivery and loading area.
Incoming material should be registered in accordance with asset management procedures on entry to the site.
Incoming and outgoing shipments should be physically segregated, where possible.
Incoming material should be inspected for evidence of tampering en route. If such tampering is discovered, it should be immediately reported to security personnel.
- Document network access control
Physical access to networking equipment is restricted which includes wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
Network jacks / points in public areas do not allow access to the company internal network.
Network jacks / points that allow access to the company internal network are secured by physical access control for entry and exit.
Visitors are prohibited from connecting devices to network jacks / points that allow access to the company internal network unless explicitly authorised to do so, and are always escorted in areas with active network jacks / points.
- Explain cabling security
Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference, or damage.
Power and telecommunication lines into processing facilities are underground.
Power cables are segregated from communication cables to prevent interference.
Physical access to network cables is restricted where possible.
Access to cable rooms and patch panels is restricted by physical access control.
- Explain equipment siting and protection
Equipment should be sited to minimise unnecessary access into work areas.
Information processing facilities handling sensitive data should be positioned carefully to reduce the risk of information being viewed by unauthorised persons during their use.
Storage facilities should be secured to avoid unauthorised access.
Items requiring special protection should be safeguarded to reduce the general level of protection required.
Controls should be adopted to minimise the risk of potential physical and environmental threats, e.g., theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism.
Guidelines for eating, drinking, and smoking in proximity to information processing facilities should be established.
Environmental conditions, such as temperature and humidity, should be monitored for conditions which could adversely affect the operation of information processing facilities.
Lightning protection should be applied to all buildings and lightning protection filters should be fitted to all incoming power and communications lines.
The use of special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments.
Equipment processing confidential information should be protected to minimise the risk of information leakage due to electromagnetic emanation.
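As an added example that is not part of this template or the toolkit: a short Python audit of a constructed badge-access export against four of the rules written above (secure areas default to deny, visitor passes never open secure areas and expire at the end of the day of issue, access ends at termination, and the access log is retained for at least three months). The badge registry, area names and role-to-area map are assumptions made up for the example.

```python
"""Audit a constructed badge-access export against the policy rules written above;
field names, area names and the role-to-area map are assumptions, not real system data."""
from collections import namedtuple
from datetime import date, timedelta

SECURE_AREAS = {"server-room", "comms-room"}           # assumed secure areas
ROLE_AREAS = {"it-ops": {"office", "server-room", "comms-room"}, "sales": {"office"}}
# badge id -> (holder kind, role or visitor issue date, termination date); constructed
BADGES = {
    "E100": ("employee", "it-ops", None),
    "E200": ("employee", "sales", None),
    "E300": ("employee", "it-ops", date(2024, 3, 1)),   # left the company on 1 March
    "V900": ("visitor", date(2024, 3, 4), None),        # visitor pass issued 4 March
}
AUDIT_DATE = date(2024, 3, 6)                           # constructed "today"
Event = namedtuple("Event", "day badge area")           # one badge-reader record

def audit(events):
    """Return (event, rule broken) pairs; an empty list means the log is clean."""
    findings = []
    for ev in events:
        if ev.badge not in BADGES:                       # default deny: unknown badge
            findings.append((ev, "unknown badge"))
            continue
        kind, detail, terminated = BADGES[ev.badge]
        if kind == "visitor":
            if ev.area in SECURE_AREAS:                  # visitor pass denies secure areas
                findings.append((ev, "visitor pass used for secure area"))
            if ev.day != detail:                         # pass expires end of issue day
                findings.append((ev, "visitor pass used after day of issue"))
        elif terminated and ev.day > terminated:         # access revoked on termination
            findings.append((ev, "badge used after termination"))
        elif ev.area in SECURE_AREAS and ev.area not in ROLE_AREAS[detail]:
            findings.append((ev, "secure area not permitted for role"))  # least privilege
    return findings

def retention_ok(events, today, days=90):
    """True if the retained log reaches back at least the policy's three months."""
    return bool(events) and min(e.day for e in events) <= today - timedelta(days=days)

SAMPLE_EVENTS = [                                        # constructed log lines
    Event(date(2023, 12, 1), "E100", "office"),          # old record: keeps retention ok
    Event(date(2024, 3, 4), "E100", "server-room"),      # it-ops in server room: fine
    Event(date(2024, 3, 4), "E200", "server-room"),      # sales in server room: flag
    Event(date(2024, 3, 5), "E300", "office"),           # terminated 1 March: flag
    Event(date(2024, 3, 4), "V900", "office"),           # visitor in public area: fine
    Event(date(2024, 3, 4), "V900", "server-room"),      # visitor in secure area: flag
    Event(date(2024, 3, 5), "V900", "office"),           # pass used the next day: flag
    Event(date(2024, 3, 4), "X001", "office"),           # badge not in registry: flag
]
```

Running `audit(SAMPLE_EVENTS)` returns five findings, one per flagged line, and `retention_ok(SAMPLE_EVENTS, AUDIT_DATE)` is true only because the December record is still present.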
How to implement it
Putting the policy into action means more than just having it on paper. You’ll need to train your team on the rules, install physical security measures like locks and alarms, and create a system for tracking visitors. Regularly check your security measures to make sure they’re working as they should.
Examples of using it for small businesses
A small accounting firm’s policy might state that all filing cabinets with client information must be locked at the end of the day. It could also require that all visitors sign in at the front desk and be escorted by an employee.
Examples of using it for tech startups
A startup’s policy might focus on securing its server room. It would specify that only authorised IT personnel can enter and that the room has a security camera and a fire suppression system.
Examples of using it for AI companies
An AI company’s policy might include rules for securing the physical servers where their data models are stored. This could involve biometric access controls and a strict “no phone” policy in those server rooms to prevent photos of sensitive data.
How the ISO 27001 toolkit can help
An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.
Information security standards that need it
This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has several controls that relate to physical security:
- ISO 27001:2022 Annex A 7.1 Physical security perimeter
- ISO 27001:2022 Annex A 7.2 Physical entry controls
- ISO 27001:2022 Annex A 7.3 Securing offices, rooms and facilities
- ISO 27001:2022 Annex A 7.4 Physical security monitoring
- ISO 27001:2022 Annex A 7.5 Protecting against physical and environmental threats
- ISO 27001:2022 Annex A 7.6 Working in secure areas
- ISO 27001:2022 Annex A 7.8 Equipment siting and protection
- ISO 27001:2022 Annex A 7.12 Cabling Security
ISO 27001 Physical Security Policy Example
An example ISO 27001 Physical Security Policy:
ISO 27001 Physical Security Policy FAQ
To protect your physical assets and information from real-world threats.
No, it’s for any company, no matter how small.
One policy can cover all your offices, but you might need different rules for each one.
You should review it at least once a year.
The policy should include a plan for what to do in that situation.
Yes, it should have rules for how remote workers protect their equipment at home.
Physical security protects physical assets, while digital security protects digital data.
A manager or security officer should enforce it, but everyone is responsible for following it.
It reduces the risk of theft and damage, and it builds trust with customers.
Not necessarily. The policy can outline other measures like alarms and cameras.
The policy should include rules for how to securely dispose of old hardware.
Yes, having a plan for physical security is a key requirement.
The policy should cover how to manage and use employee badges for access.
Identify all your physical assets that need protection.