ISO 27001: 2022 A.7.5 Protecting against physical and environmental threats

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.7.5 Protecting against physical and environmental threats.

ISO 27001: 2022 Control Description

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, shall be designed and implemented.

Purpose

To prevent or mitigate the consequences of events arising from physical and environmental threats.

Guidance on implementation

Risk assessments to identify the potential consequences of physical and environmental threats should be conducted prior to commencing critical operations at a physical site and at regular intervals thereafter.

Necessary safeguards should be implemented, and changes to threats should be continuously monitored. Specialist advice should be sought on how to manage risks associated with physical and environmental threats such as fire, flood, earthquake, explosion, civil unrest, toxic waste, environmental emissions, and other natural or human-made disasters.

The location and construction of physical premises should take into account:

a) Local topography, including appropriate elevation, proximity to bodies of water, and tectonic fault lines;

b) Urban threats, such as locating the site in an area with a high likelihood of political unrest, criminal activity, or terrorist attacks.

Based on the results of the risk assessments, the relevant physical and environmental threats should be identified and appropriate controls considered. The following contexts are examples:

a) Fire: Installing and configuring systems capable of detecting fires at an early stage to send alarms or trigger fire suppression systems, thereby preventing fire damage to storage media and related information processing systems. Fire suppression should use the most suitable substance for the surrounding environment (e.g. gas in confined spaces);

b) Flooding: Installing systems capable of detecting flooding at an early stage beneath the floors of areas containing storage media or information processing systems. Water pumps or equivalent measures should be readily available in case flooding occurs;

c) Electrical surges: Adopting systems to protect both server and client information systems against electrical surges or similar events to minimise the consequences of such incidents;

d) Explosives and weapons: Conducting random inspections for the presence of explosives or weapons on personnel, vehicles, or goods entering sensitive information processing facilities.

Other Information

Safes or other secure storage facilities can protect the information stored within them from disasters such as fire, earthquake, flood, or explosion.

Organisations can consider the principles of crime prevention through environmental design when implementing controls to secure their environment. Measures such as bollards, statues, or water features can serve as both aesthetic features and physical barriers to reduce urban threats.