Physical and Environmental Security Policy
History Log

Version   Date                 Author
1.1       1st November 2018    Information Dynamics
1.2       29th December 2019   Information Dynamics
1.3       24th December 2020   Saravanan & Sureshkutty
1.4       24th December 2021   Saravanan & Sureshkutty
Physical & Environmental Security Policy Information Dynamics
1. Purpose
The purpose of this policy is to create a set of security controls to secure the physical
boundary of the firm. This includes physical access by employees and visitors, management
of entry points and working in secure environments.
ISO 27001:2013 domain reference: A.11 – Physical and Environmental Security
ISO 27001:2013 Reference
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Securing offices, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.7 Secure disposal or reuse of equipment
A.11.2.8 Unattended user equipment
2. Scope
This policy applies to all activities under the scope statement of
Information Dynamics.
3. Policy
3.1. Secure Areas Policy
3.1.1. Physical Security Perimeter
Physical premises shall be classified (zoning of premises) based on
the sensitivity of the information processing environment as critical,
dedicated, restricted and public areas.
A security perimeter shall be defined to protect these areas.
3.1.2. Physical Entry Controls
Internal 2 of 5
A secure area shall have a preventive mechanism to ensure that
unauthorized individuals do not enter and a detective mechanism to
ensure that all personnel movement into the area is logged.
Access to secure areas shall be granted only for specific, authorized
purposes, and those granted access shall be issued with instructions on
the security requirements of the area.
All employees, contractors, third-party users and visitors shall
wear visible identification.
3.1.3. Securing Offices, Rooms and Facilities
The following shall be considered to secure offices, rooms and facilities:
Key facilities shall be sited to avoid access by the public;
Where applicable, buildings shall be unobtrusive and give minimum
indication of their purpose, with no obvious signs, outside or inside
the building; and
Rooms available for information processing shall be lockable and
shall have lockable cabinets & fire proof safes wherever required.
3.1.4. Protecting against external and environmental threats
Physical protection against damage from fire, flood, explosion, civil
unrest, and other forms of natural or man-made disaster shall be
designed and applied;
Hazardous or combustible materials shall be stored at a safe distance
from a secure area;
Proper working of fire prevention/detection/fighting, lightning
conductor and testing of electricity safety measures shall be ensured;
and
Back-up media shall be sited at a safe distance to avoid damage from a
disaster affecting the main site.
3.1.5. Working in Secure Areas
Physical protection in secure areas shall be designed and applied. The following
controls shall be enforced:
Information processing facilities such as network and server rooms shall
be adequately secured using an electronic access control system, and
access shall be restricted to authorized personnel only;
Vacant secure areas shall be physically locked and periodically
checked;
Access by third-party personnel to information processing facilities
shall be monitored.
3.1.6. Public Access, delivery and loading areas
Access points for delivery and loading areas and other points where
unauthorized persons may enter the premises shall be controlled and
isolated to avoid unauthorized access.
3.2. Equipment Security
3.2.1. Equipment Siting and Protection
Environmental conditions shall be monitored to ensure that they do
not have adverse effects on the operation of information processing
facilities.
All storage media holding non-public information shall be physically
protected.
All equipment shall be maintained regularly as per the
manufacturer's recommended service intervals and specifications.
3.2.2. Supporting Utilities
Equipment shall be protected from power failures and other
disruptions caused by failures in supporting utilities.
Suitable power supply controlled through UPS shall be provided for
all equipment as per the manufacturers’ specifications.
All supporting utilities, such as electricity, water supply, sewage,
heating/ventilation, and air conditioning shall be adequate for the
systems they are supporting.
Supporting utilities shall be regularly inspected and, as appropriate, tested
to ensure their proper functioning and to reduce any risk from their
malfunction or failure.
3.2.3. Cabling Security
The following shall be considered for cabling security:
Power and telecommunications lines into information processing
facilities shall be underground, wherever possible; and
Power cables shall be segregated from communications cables to
prevent interference.
3.2.4. Equipment Maintenance
Equipment shall be regularly maintained to ensure its continued availability
and integrity. The following shall be considered for equipment security:
Equipment maintenance shall be carried out as per the service-interval
schedule provided by the vendor;
Maintenance of equipment shall be performed only by authorized
personnel;
Records shall be kept of all suspected or actual faults, and all
preventive and corrective maintenance; and
All requirements imposed by insurance policies shall be complied
with.
3.2.5. Security of Equipment Off-Premises
Equipment or media shall be taken off-premises only after
proper authorization and shall not be left unattended.
Adequate insurance cover shall be provided to protect the equipment
off-site.
3.2.6. Secure Disposal or Reuse of Equipment
The owners of information assets will authorize disposal or re-use of
the assets.
Adequate controls shall be followed during the disposal of
equipment to prevent compromise of the information it holds.
Items of equipment containing storage media shall be checked to
ensure that any sensitive data and licensed software have been removed
or securely overwritten prior to disposal.
3.2.7. Removal of Property
Movement of information processing equipment, information,
storage media or software to an off-site location or for maintenance
activities shall be carried out only after obtaining appropriate
authorization.
4. Associated Documentation
1. End user guidelines
2. Admin guidelines
3. Asset Management procedure – (Secure disposal)