Control 7.5 : Protecting Against Physical and Environmental Threats
Summary
Protection against natural disasters, malicious attacks, or accidents should be designed and implemented. This covers fire, flood, earthquake, civil unrest, and other environmental factors that could cause loss or damage to organizational assets.
Applicability
In-Scope: Mandatory for maintaining the availability of the organization's services. It ensures that the technical infrastructure can survive external environmental pressures and accidents.
Out-of-Scope: Never out-of-scope, though the specific threats addressed will vary based on geographic location.
Implementation Guidance
Microsoft 365 / Entra ID
- Cloud Advantage: Leverage the Microsoft Azure global data center footprint to ensure data is replicated to a different geographic region, protecting against localized natural disasters.
- Alerting: Configure Azure Service Health alerts to receive immediate notification of environmental issues or outages affecting the Microsoft data centers where your data resides.
- Documentation: Host the Business Continuity Plan (BCP) and environmental risk assessments in a geo-redundant SharePoint site to ensure access during a local office crisis.
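The Service Health alert above can be deployed as an Azure activity log alert rule. The following ARM template resource is an added example, not taken from the page or from Microsoft; the subscription ID, action group path, alert name and the "West Europe" region are placeholders that you would replace with the regions where your own data resides.

```json
{
  "type": "Microsoft.Insights/activityLogAlerts",
  "apiVersion": "2020-10-01",
  "name": "svchealth-incidents-westeurope",
  "location": "Global",
  "properties": {
    "enabled": true,
    "description": "Notify on Azure Service Health incidents in the regions hosting our data (placeholder region).",
    "scopes": [
      "/subscriptions/<subscription-id>"
    ],
    "condition": {
      "allOf": [
        { "field": "category", "equals": "ServiceHealth" },
        { "field": "properties.incidentType", "equals": "Incident" },
        {
          "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName",
          "containsAny": [ "West Europe" ]
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Insights/actionGroups/<action-group-name>"
        }
      ]
    }
  }
}
```

The action group referenced here must already exist and should route to an out-of-band channel (for example SMS or a secondary mailbox), since the primary email service may itself be affected by the incident being reported.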
Evidence Checklist
- Environmental Risk Assessment: A document identifying geographic and environmental threats specific to each office location (e.g., flood zone mapping or seismic risk).
- Fire Suppression Records: Evidence of regular inspections for fire extinguishers, smoke detectors, and specialized suppression systems in server rooms.
- Disaster Recovery Plan: A formal plan detailing the specific technical and procedural responses to various environmental crises.
Practical Audit Advice
Here are some questions the auditor might ask:
- What is the process for protecting hardware from water damage if a pipe bursts or the office environment experiences a flood?
- How does the organization ensure that its critical ICT equipment is on a dedicated power circuit with surge protection and backup capabilities?
- Are the fire detection and suppression systems in the server room appropriate for electronic equipment (e.g., inert gas vs. water)?
- How often is the emergency power system, such as a UPS or generator, tested under a full load to verify its runtime?