Control 7.1 : Physical Security Perimeters
Summary
Physical security perimeters should be defined and used to protect areas that contain information and other associated assets. This involves creating distinct barriers, such as walls, gates, or badge-restricted doors, to prevent unauthorized physical access to the organization's facilities.
Applicability
In-Scope: Mandatory for protecting office spaces, server rooms, and wiring closets. It is a fundamental requirement for establishing a secure environment and for meeting regulatory standards for physical data protection.
Out-of-Scope: Scope can only be partially reduced for organizations that are fully remote with no physical office presence; the security of home office environments then falls under remote working policies.
Implementation Guidance
Microsoft 365 / Entra ID
- Access Integration: Utilize Entra ID Verified ID or integrated physical access control systems (PACS) that sync with Entra ID to automatically disable physical badge access when a user account is disabled.
- Monitoring: Host digital floor plans and perimeter maps within a restricted SharePoint library to ensure the security and facilities teams have a single source of truth for zone definitions.
- Visitor Logs: Implement Microsoft Forms or a Power App at reception points to digitally log visitors, ensuring entry data is stored securely in the Microsoft cloud and is easily auditable.
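A reconciliation check for the Access Integration point above, added here as an example and not part of the control text or of any Microsoft product: it takes the `userPrincipalName` and `accountEnabled` fields as returned by the Microsoft Graph `/users` endpoint, together with a constructed PACS badge export whose column names are assumed, and reports badges still active for disabled accounts and active badges with no matching identity, which is exactly the evidence an auditor asks for when testing revocation on termination.

```python
import csv
import io

# Constructed sample of a Graph /users response (real fields: userPrincipalName, accountEnabled).
ENTRA_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True},
    {"userPrincipalName": "bob@example.com", "accountEnabled": False},
    {"userPrincipalName": "carol@example.com", "accountEnabled": False},
]

# Constructed PACS badge export; the column names are assumed and will differ per vendor.
PACS_EXPORT = """badge_id,holder_upn,status,last_used
1001,alice@example.com,active,2024-05-01T08:02:00Z
1002,bob@example.com,active,2024-05-03T17:45:00Z
1003,carol@example.com,revoked,2024-04-20T09:10:00Z
1004,dave@example.com,active,2024-05-02T12:00:00Z
"""


def load_badges(export_text):
    """Parse the PACS CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(export_text)))


def reconcile(users, badges):
    """Return (orphaned, unmatched): badge ids that are still active although the
    Entra account is disabled, and active badge ids whose holder has no Entra account."""
    enabled = {u["userPrincipalName"].lower(): u["accountEnabled"] for u in users}
    orphaned, unmatched = [], []
    for badge in badges:
        if badge["status"].lower() != "active":
            continue  # revoked badges are already in the desired state
        upn = badge["holder_upn"].lower()
        if upn not in enabled:
            unmatched.append(badge["badge_id"])
        elif not enabled[upn]:
            orphaned.append(badge["badge_id"])
    return orphaned, unmatched


if __name__ == "__main__":
    orphaned, unmatched = reconcile(ENTRA_USERS, load_badges(PACS_EXPORT))
    print("active badges for disabled accounts:", orphaned)
    print("active badges with no Entra identity:", unmatched)
```

Run it against a live export and the `/users` response to produce a dated finding list; an empty result on both lists is the evidence that badge revocation is keeping pace with account disablement.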
Evidence Checklist
- Physical Security Policy: A document defining the different security zones (e.g., Public, Restricted, Highly Confidential).
- Site Map: A diagram showing the physical perimeters, entry points, and restricted zones.
- Access Logs: Digital or physical records showing entry and exit events for restricted areas.
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization ensure that the physical barriers are sufficient to prevent unauthorized or forced entry?
- What is the formal process for granting temporary physical access to delivery personnel or maintenance contractors?
- Can you demonstrate how physical access is revoked for an employee or contractor immediately upon their termination?
- During a walkthrough, are restricted area signs clearly visible, and are all perimeter doors verified to be locked and alarmed?