ISO 27001 controls: What is Annex A:11?

Annex A:11 of the ISO 27001 Controls focuses on physical and environmental security programs. It defines various controls to protect organisations from loss of information caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure, and power failures.

Physical security measures should be sufficient to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality. This increases the rate of risk-based thinking and planning regarding information security.

Best practices and ISO standards can assist with evaluating physical security controls, such as ISO/IEC 27002:2013, to ensure your organisation remains protected.

A:11 Physical and environmental security

Annex A:11 is all about the physical and environmental security of your office and related areas. It helps understand how to maintain a secure environment around your organisation’s workspace.

A:11 Secure areas

To prevent unauthorised physical access, damage, and interference with the organisation’s information and information processing facilities.

A:11.1.1 Physical security perimeters

Security perimeters should be established based on the security requirements of the assets inside the perimeter and the results of the risk assessment. This includes office premises, corridors, and facilities.

A physical security perimeter is defined as “any transition boundary between two areas of differing security protection requirements.”

Examples include:

• Data centres hosting information assets
• Head office
• Employees working from home
• Employees travelling, using hotels and other facilities

The organisation must establish secure areas to protect valuable information and information assets that only authorised people can access.

A:11.1.2 Physical entry controls

This clause covers building security. For ISO 27001 certification, the information secured area must be protected from unauthorised entry.

• Building or facility perimeters should be physically secure with no gaps for break-ins.
• External doors should be properly locked with key entries.
• Multi-floor buildings need extra surveillance and protection, with a manned reception at the main entry.
• Doors and windows should always be closed.

A:11.1.3 Securing offices, rooms, and facilities

This clause addresses the security of the organisation’s electronic assets, such as computers, laptops, servers, and other physical equipment. For ISO 27001 certification, information should be stored and retained securely.

Things to remember:

• Never give access to unauthorised personnel.
• Protect information with strong passwords.
• Lock screens when away from desks.
• Maintain a surveillance system around information storage areas.

A:11.1.4 Protecting against external and environmental threats

This clause focuses on protecting against inevitable attacks on the organisation, whether environmental or cyber threats. Natural disasters like floods, earthquakes, and fires require organisations to have procedures and policies to deal with these threats.

Identify the risks around your business areas and understand your location and immediate vicinity to recognise potential threats. Physical and environmental threats must be recognised and controlled by the organisation.

A:11.1.5 Working in secure areas

This clause deals with the safety of the organisation’s personnel. Procedures for working in secure areas should be designed and applied, including:

• Restricted awareness of the location and function of secure areas
• Restrictions on the use of electronic recording devices within secure areas
• Restriction on unsupervised working within secure areas
• In and out monitoring and logging

A:11.1.6 Delivery and loading areas

Complete control of all access points is necessary. Information stored within the building should be secured and considered a legal responsibility. The Statement of Applicability (SOA) will assess delivery and pick-up points for monitored and valid key entry.

Digital or virtual workplaces might not need policies or controls around delivery and loading areas and can exclude this from the SOA.

Examples of controls include:

• Docks away from the main office building
• Security guards
• CCTV monitoring and recording
• Procedures to prevent external and internal access

For more guidance and support on achieving ISO 27001 certification and understanding Annex A:11, contact Citation Certification today. We provide comprehensive support and training to help your organisation meet all necessary requirements and achieve compliance with ISO 27001 standards.