Not all information is digital

Not so long ago a colleague went for a meeting with a company that was implementing an information security management system.  They were very enthusiastic about what they’d done so far and were keen to discuss how to move forward to certification.

My colleague entered the building.  She didn’t have to ring the bell because someone from one of the other firms in the building very politely held the door open for her. 

Entering the lobby, she noticed that the post had been delivered for the whole building.  Most of it was still on the floor, although some post was still in open pigeon-holes for her client.  Being a helpful sort, she picked it up and took it upstairs with her.

Her client’s door was unlocked, and there was no reception, so she walked into the main office area and announced herself.  One of the staff directed her to a meeting room where she waited for her host.  Looking around she noticed that the whiteboard in the meeting room still had notes and diagrams from a recent meeting on it.  It made interesting reading…

Information Security > Cyber Security

When businesses are looking at information security, there’s a temptation to focus on cyber-security.  After all, it’s the thing that we hear about most often in the media, and it’s undoubtedly a huge priority.  That doesn’t mean we don’t need to pay attention to physical security, too.

  • How do you prevent unauthorised access to your premises?
  • How do you manage who has access to which rooms and areas within your premises?
  • How do you protect against external and environmental threats?
  • How should people work in your secure areas?
  • How do you control delivery and loading areas?

As well as securing your physical location, you also need to give consideration to physical equipment and other assets, including documents and post.

  • How do you locate and protect your equipment?
  • Is your power supply clean and reliable?
  • How do you protect your power and data cabling?
  • What routine equipment maintenance arrangements are in place?
  • How do you protect off-site assets?
  • How do you securely dispose of or re-use equipment at end of life?
  • How do you protect unattended equipment and assets?

If a lot of this seems like common sense, that’s because it is.  However, common sense is subjective.  Customers and regulators need to know that you understand your information risks and have taken steps to control them.

The information security controls of the ISO 27001 standard are listed in Annex A of the standard.

Annex A, ISO 27002, and ISO 27799

The controls that you can apply to manage information security threats and vulnerabilities, including physical security management, are listed in Annex A of ISO 27001.  The application of these controls is described in greater depth in ISO 27002.  Additional standards and controls for healthcare settings are described in ISO 27799.

For clarity, you don’t certify against ISO 27002 or 27799; they’re there to advise you on best practice, and to help you understand and implement the right controls for your business.

The risk you can’t imagine is the one that kills you

When we run risk management workshops, we encourage a completely open agenda.  No suggestion should be considered too ridiculous to raise, and every vulnerability and threat that anyone can imagine should be considered and assessed.  It’s not just about cyber-security; your premises, your people, your infrastructure, and your equipment all merit equal consideration.

We can address Physical & Environmental Security as a discrete exercise and report as part of your ISMS project, or as part of a broader certification programme.  If you’d like to discuss these in more depth, complete the contact form, and we’ll call you back.