Organisations should determine the level of threat to their assets from different sources (e.g. terrorism, espionage, criminal activity, protests).
Physical security is described as controls that are intended to:
• protect individuals from violence;
• prevent unauthorised access to sites and/or protectively marked material (and other valuable assets); and
• reduce the risk of a range of physical threats and mitigate their impact to a level that is acceptable to the organisation.
Ideally, security should be incorporated into the initial stages of planning, selecting, designing or modifying any building or facility, using appropriate methodologies. Integrated and proportionate control measures should be put in place to prevent, deter, detect and/or delay attempted physical attacks and to trigger an appropriate and proportionate response.
Each site within an organisation should be categorised as high, moderate or low risk according to the likelihood of its being either the target of a terrorist attack or in close proximity to one.
Physical security measures should complement other technical, personnel and procedural controls as part of a layered approach to security that effectively balances prevention, detection, protection and response. For example, perimeter fencing and access control measures may deter an attack because of the difficulties of gaining access; CCTV or intruder alarms might detect an attack in progress and trigger interception; vehicle stand-off, blast resistant glazing and postal screening can minimise the consequences of an attack.
Organisations should also undertake regular security risk assessments for all establishments in their estate, including any sites that sustain core business functions, e.g. data centres.
A risk assessment should be conducted and a set of controls selected that is commensurate with the level of identified risk. These controls should be documented in a statement of applicability or similar document and ratified by the senior security representatives in the organisation. A programme of regular audits to ensure compliance should be conducted in line with the requirements described in ISO 27001.
Critical business processes need to be protected from the effects of major failures, disasters or incidents. Any organisation should have a business continuity management strategy in place covering the following generic areas:
• Documented plans and procedures available to all staff
• Documented procedures held off-site by key members of staff
• A nominated individual responsible for managing the business continuity process
• Management commitment to the business continuity process
• Regular business impact analysis carried out to identify the events that could cause interruption to business
• Business recovery strategies
• Regular programme of testing elements of the business continuity plan
All businesses need to ensure that they operate in compliance with all relevant criminal and civil law and with their statutory, regulatory and contractual obligations. Organisations should nominate one or more individuals to be responsible for maintaining knowledge of all applicable legislation, including copyright, data protection and software licensing.
Organisations certified to ISO 27001 should already have these arrangements in place. If you are not certified to this standard, you should review its recommendations and align your processes with them where possible.