This article provides an overview of the requirements for physical and office security as part of  ISO 27002 compliance.

The objective of secure areas is to prevent unauthorized physical access, damage and interference to the organisation’s information and information processing facilities.

The objective of equipment security is to prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.
Secure areas:

  1. Physical security perimeter – security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
  2. Physical entry controls – secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
  3. Securing offices, rooms and facilities – physical security for offices, rooms and facilities should be designed and applied
  4. Protecting against external and environmental threats – physical protection against natural disasters, malicious attack or accidents should be designed and applied
  5. Working in secure areas – procedures for working in secure areas should be designed and applied.
  6. Delivery and loading areas – access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.


  1. Equipment siting and protection – equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access
  2. Supporting utilities – equipment should be protected from power failures and other disruptions caused by failures in supporting utilities
  3. Cabling security – power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage
  4. Equipment maintenance – equipment should be correctly maintained to ensure its continued availability and integrity.
  5. Removal of assets – equipment, information or software should not be taken off-site without prior authorization
  6. Security of equipment and assets off-premises – security should be applied to off-site assets taking into account the different risks of working outside the organisation’s premises
  7. Secure disposal or re-use of equipment – all items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use
  8. Unattended user equipment – users should ensure that unattended equipment has appropriate protection.
  9. Clear desk and clear screen policy –  a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. The clear desk and clear screen policy should take into account the information classifications, legal and contractual requirements and the corresponding risks and cultural aspects of the organisation.

For more information please contact Morland-Austin at