ISO 27001

ISO 27001 Physical & Environmental Security Checklist

For: Admin Department

Objective: To prevent unauthorized physical access, damage, and interference to information and information processing facilities.


1. Physical Security Controls

1.1 Perimeter Security

Security Fencing & Barriers

  • Perimeter walls or fencing are installed around the facility.
  • Security barriers (bollards, gates) protect key access points.
  • Signage is in place to indicate restricted areas.

Access Points & Entry Control

  • Only authorized personnel can access premises through controlled entry points.
  • Security guards monitor all entry/exit points.
  • Visitor access is recorded, and visitors wear identifiable badges.
  • Emergency exits are secured but accessible in emergencies.

Surveillance & Monitoring

  • CCTV cameras cover all entry points, critical areas, and perimeter fencing.
  • Surveillance footage is retained as per company policy (e.g., 30–90 days).
  • Motion detectors or alarm systems are installed and functional.


2. Building Access Control

Employee Access Management

  • Access control systems (ID badges, biometric scanners, PIN codes) are implemented.
  • Employees are assigned different access levels based on job roles.
  • Access logs are maintained and reviewed periodically.

Visitor Management

  • Visitors register upon arrival and provide identification.
  • Visitors are escorted at all times.
  • Visitor badges are issued and returned before exit.

Contractor & Third-Party Access

  • Contractors are given limited access to necessary areas only.
  • NDA or security agreements are signed before granting access.
  • Temporary access credentials are revoked after use.

Revocation of Access

  • Employee access is revoked immediately upon resignation, termination, or role change.
  • Deactivated ID cards are returned and destroyed.
  • A formal offboarding checklist ensures all credentials are removed.


3. Workplace Security

Secure Areas & Workstations

  • Server rooms and data centers are locked at all times.
  • Only authorized personnel can access critical infrastructure areas.
  • Employees follow a Clean Desk Policy (no sensitive information left unattended).

Portable Devices & Media

  • Laptops and USB drives are securely stored when not in use.
  • Data is encrypted before transferring it via removable media.
  • Unauthorized use of personal devices (BYOD) is restricted.

Document Handling & Disposal

  • Sensitive documents are stored in locked cabinets.
  • Printed materials are shredded or securely disposed of after use.
  • Digital data is wiped before disposing of old hardware.
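As an added example (not part of the checklist itself), one way the Admin Department can turn the "access logs are reviewed periodically", "credentials are revoked" and "only authorized personnel access critical areas" items into a repeatable check: a small Python review of badge-reader events against the HR roster and the temporary-credential register. The event format, roster layout, badge ids and the set of server-room roles are all constructed assumptions for the example.

```python
# Constructed sample export from a badge access control system (not real data):
# timestamp, badge id, door, outcome.
BADGE_EVENTS = """\
2024-03-04T08:02:11,B1001,main-entrance,granted
2024-03-04T08:05:43,B1001,server-room,granted
2024-03-04T09:17:02,B2042,main-entrance,granted
2024-03-04T21:40:19,B3007,server-room,granted
2024-03-05T07:58:30,B1001,main-entrance,granted
2024-03-05T10:12:05,C9001,main-entrance,granted
"""

# Constructed HR roster: badge id -> (role, status, last working day or None).
ROSTER = {
    "B1001": ("sysadmin", "active", None),
    "B2042": ("finance", "active", None),
    "B3007": ("finance", "terminated", "2024-03-01"),
}

# Constructed temporary (contractor/visitor) credentials: badge id -> expiry date.
TEMP_CREDENTIALS = {"C9001": "2024-03-04"}

# Roles permitted in critical infrastructure areas (assumption for the example).
SERVER_ROOM_ROLES = {"sysadmin"}


def review_access_events(events_text, roster, temp_credentials, restricted_roles):
    """Return (badge_id, timestamp, reason) findings for the periodic log review."""
    findings = []
    for line in events_text.splitlines():
        ts, badge, door, outcome = line.split(",")
        if outcome != "granted":
            continue  # denied attempts are reviewed separately; not covered here
        day = ts[:10]  # ISO dates compare correctly as strings
        if badge in roster:
            role, status, last_day = roster[badge]
            if status == "terminated" and last_day and day > last_day:
                findings.append((badge, ts, "badge used after termination; credential not revoked"))
            if door == "server-room" and role not in restricted_roles:
                findings.append((badge, ts, "server-room access by a role that is not authorized"))
        elif badge in temp_credentials:
            if day > temp_credentials[badge]:
                findings.append((badge, ts, "temporary credential used after its expiry"))
        else:
            findings.append((badge, ts, "badge not found in roster or temporary-credential register"))
    return findings


if __name__ == "__main__":
    for badge, ts, reason in review_access_events(BADGE_EVENTS, ROSTER, TEMP_CREDENTIALS, SERVER_ROOM_ROLES):
        print(f"{ts} {badge}: {reason}")
```

Each finding maps back to a checklist item (revocation on termination, expiry of temporary credentials, restricted-area authorization), which makes the review output directly usable as audit evidence.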


4. Environmental Security Controls

4.1 Fire Protection & Safety

Fire Prevention

  • Fire alarms and smoke detectors are installed and tested.
  • Fire extinguishers are placed at key locations (server rooms, offices, entry points).
  • Employees are trained on fire evacuation procedures.

Fire Suppression

  • Fire suppression systems (e.g., FM-200, CO₂) protect critical IT infrastructure.
  • Sprinkler systems are tested regularly.
  • Emergency response teams are designated.

Emergency Exits & Evacuation

  • Emergency exits are clearly marked and unobstructed.
  • Fire evacuation plans are displayed at key locations.
  • Regular fire drills are conducted.


4.2 Power & Equipment Protection

Uninterruptible Power Supply (UPS)

  • UPS systems are installed for critical IT equipment.
  • Power backup systems (generators) are operational and tested regularly.
  • Surge protectors are in place to prevent damage from power fluctuations.

Environmental Monitoring

  • Temperature & humidity are monitored in server rooms (ideal: 18–22°C, 40–60% humidity).
  • Air conditioning and ventilation systems are maintained.
  • Leak detection systems are installed to prevent water damage.


5. Asset & Data Protection

5.1 Secure Storage & Disposal

Asset Protection

  • IT assets (servers, hard drives, network devices) are stored securely.
  • An inventory of all physical assets is maintained.

Secure Disposal

  • Hard drives are degaussed or physically destroyed before disposal.
  • Old employee ID cards, visitor badges, and keys are disposed of securely.

Locker & Safe Usage

  • Employees use lockers or safes to store sensitive documents.
  • Safe combinations and keys are restricted to authorized personnel.


6. Incident Management & Security Awareness

Incident Reporting

  • A process exists for reporting security incidents (unauthorized access, theft, damage).
  • Incident logs are reviewed and analyzed for trends.
  • Corrective actions are taken based on security breaches.

Security Awareness Training

  • Employees are trained on physical security policies.
  • Drills and simulations are conducted to test security awareness.
  • New hires undergo security training during onboarding.

Regular Audits & Compliance Checks

  • Physical security audits are conducted at least annually.
  • Compliance with ISO 27001 Annex A.11 is reviewed periodically.
  • Non-compliance issues are addressed with corrective actions.


Final Notes

Admin Department Responsibilities:

  • Maintain and enforce physical security policies.
  • Regularly update security access control lists.
  • Conduct routine checks and audits to identify vulnerabilities.

Review & Update Schedule:

  • This checklist should be reviewed quarterly and updated as needed.

