ISO 27001 is the international standard for information security management systems (ISMS). It defines requirements for the implementation and maintenance of an ISMS to protect the confidentiality, integrity, and availability of information.

To ensure that information in organisations is properly protected, a comprehensive information security management system (ISMS) should be implemented. An ISMS consists of a set of measures that help to ensure the security of information.

Physical controls are an essential part of an ISMS. This control set helps you to protect yourself from physical and environmental threats such as theft, natural disasters, and intentional destruction.

ISO 27001: New physical controls

ISO 27001:2022 includes a new physical measure that responds to the current information security challenges. That is:

7.4: Physical security monitoring: Organisations should constantly monitor their physical premises to prevent unauthorised access.

What physical controls are there?

Physical controls are a key part of a comprehensive information security strategy, which is particularly focused on the appropriate securing of premises, access, and storage of information. The area includes 14 measures that you can implement.

We have created a list with a comprehensive overview of all physical controls from Annex A of ISO 27001:

How are physical controls implemented?

The implementation of physical controls should be based on a risk assessment. The organisation should identify the potential threats to its information and information systems and then implement the appropriate controls to mitigate them.

The process of implementing physical controls can be divided into the following steps:

Risk assessment

The first phase identifies the potential threats to the organisation's information and information systems. The following factors can be considered:

• External threats: theft, sabotage, natural disasters
• Internal threats: employee errors, fraud, espionage

Control selection

After the risk assessment, the organisation can select the appropriate controls to mitigate the identified threats. It is important to weigh the costs and benefits of the controls.

Control design

In the third phase, the design of the controls is determined. This includes specifying the technical and organisational measures required to implement the controls.

Control implementation

In the fourth phase, the controls are implemented. This includes procuring and installing the necessary hardware and software, as well as training employees.

Control monitoring

The controls must be regularly monitored to ensure that they function properly and achieve the desired results. This includes regular audits and tests of the controls.

Physical controls to strengthen your information security

Physical controls play a vital role in ISMS by safeguarding information and information systems from physical threats such as theft, destruction, and damage.

The ISO 27001:2022 version considers the current challenges of information security and offers opportunities to establish an appropriate approach to current conditions.

To find the right controls for your organization, you can use our ISO 27001 checklist to learn about the measures you need to implement to implement ISO 27001.