ISO 27001 Controls: What is Annex A:11?

low angle photo of four high rise curtain wall buildings under white clouds and blue sky

The set of ISO 27001 controls Annex A:11 focuses on physical and environmental security programs. It defines the various controls that protect organizations from loss of information caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure, and power failures.

Physical security measures should be sufficient enough to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality, as well as increasing the rate of risk-based thinking and planning when it comes to risks surrounding information security.

Best practices and ISO standards can assist with evaluating physical security controls, such as ISO/IEC 27002:2013 to ensure your organisation remains protected online.

  • Environmental Controls
  • Natural Disaster Controls
  • Supporting Utility Controls
  • Physical Protection and Access Controls
  • System Reliability
  • Physical Security Awareness and Training
  • Contingency Plans

iso 27001 certification by best practice

A:11 Physical and Environmental Security

Annex A Controls: 11 is all about the physical and environmental security of your office and related areas. Furthermore, it helps to understand how to maintain a good environment around your organization’s workspace.

Below are the controls that are covered explained by Annex: 11.

A:11 Secure Areas:

To prevent unauthorized physical access, damage, and interference to the organization’s information and information processing facilities.

A:11.1.1 Physical Security Perimeters:

Security perimeters should be established, as well as the location and intensity of each parameter. It should depend on the security requirements of the assets inside the perimeter and on the results of the risk assessment. It refers to the office premises, corridors, facilities.

A physical security perimeter is defined as “any transition boundary between two areas of differing security protection requirements”.

Good illustrations to these perimeters are; At the outer boundary of the site and outdoor and indoor spaces; Between outside a building and inside it; Between a corridor and office or between the outside of a storage cabinet and inside it.

Examples of the types of property and premises the organisation that should be taken into consideration include:

  1. The Data centres that host information assets;
  2. Head office;
  3. Employees working from home and
  4. Employees who are travelling, like using hotels and other facilities etc.

In simple terms, the organization must establish secure areas that protect the valuable information and information assets that only authorized people can access.

Get Your Free ISO 27001 Gap Analysis Checklist

door green closed lock

A:11.1.2 Physical entry Controls:

Here the clause is talking about building security; where the work premises are. It is highly recommended if you are looking for the ISO 27001 certification, the information secured area must be protected from unauthorized entry.

  1. The building or facility perimeters should be physically secure. There should be no gaps, where the break-in can occur.
  2. The premises’ exterior and interior buildings, walls, and floors should be securely built. All external doors should be properly locked and must-have key entries.
  3. Multi-floor buildings need extra surveillance and protection, Main entry should be manned with a receptionist.
  4. Doors and windows should always be closed at all times.

A:11.1.3 Securing Offices, rooms and facilities:

This clause helps to maintain the organization’s electronic asset security. For exmaple, every organization has computers, laptops, servers, and much more physical equipment that we need to secure properly. If you are looking to achieve ISO 27001 certifications, the standard says the information should be stored and retained securely. What are the perimeters for this physical security, Are you making your electronic asset restricted-access only? We have previously discussed this clause in Annex A:7 regarding information security.

Things to remember:

  1. Never give access to unauthorized personnel in your organization.
  2. Protect your information with strong passwords.
  3. Lock the screens, if away from the working desks.
  4. Maintain a surveillance system around the area where the information is stored.
street buildings graffiti building

A:11.1.4 Protecting against external and environmental threats:

This clause centers on protecting the inevitable attacks on the organizations. These attacks can be environmental, or a cyber threat that steals your information, or the private data on your customers and/or suppliers. Natural disasters like floods, earthquakes, and fires are inevitable events. Organizations must include procedures and policies to deal with these threats. This pandemic has made organizations aware of the fact they need to proceed with remote working; some may work where the risk is high, and this needs to be identified by the management team.

This could be addressed by identifying the risk around the business areas. Understanding your location and what is in the immediate vicinity is critical to identifying potential risks. It is required under this standard, physical and environmental threats are recognized and controlled by the organization well.

A:11.1.5 Working in Secure areas:

This clause under Annex 11 deals with the safety of the people of the organization and their safety. It defines how to establish the procedures for working in secure areas shall be designed and applied.

  1. A restricted awareness of the location and function of secure areas;
  2. Restrictions on the use of electronic recording devices within secure areas;
  3. Restriction on unsupervised working within secure areas wherever possible;
  4. In and out monitoring and logging.
shallow focus photography of black ship

A:11.1.6 Delivery and Loading areas:

There should be complete control of all the access points where necessary. The information stored within the building should be secured and consider as a legal responsibility. SOA will look into the delivery and pick up points should have monitored and valid key entry.

Digital or virtual workplaces might not have any need for a policy or control around delivery and loading areas can exclude from the Statement of Applicability (SOA).

Examples of these controls may include;

  1. Docks away from the main office building;
  2. Security Guards; CCTV monitoring & recording; and
  3. procedures to prevent external and internal access.

Subscribe to our Newsletter


This field is for validation purposes and should be left unchanged.

Share This Post With Your Network

More To Discover