If you do not know the difference between physical and environmental security, don't worry: this article will help you understand the difference between the two concepts.
Before discussing the difference between physical and environmental security, we have to talk about ISO 27001, the international standard for information security.
Annex 11 of ISO 27001 focuses on physical and environmental security. It outlines the numerous controls that protect organisations from loss of information caused by fire, flood, mechanical equipment failure, power failures, theft or unintentional damage. The goal is to secure information by implementing protection against external and environmental threats.
Now that you understand the importance of physical and environmental security in ISO 27001, let's go through the two concepts.
Physical security refers to the measures taken to prevent unauthorised persons from entering restricted areas that would grant them access to sensitive information. Examples include installing locks on doors, setting up alarm systems and, where needed, having security guards control access.
Physical controls are necessary because you do not want just anyone to have access to your data. This is why you must review the physical building of your organisation, and any other facilities from which workers may have access to information.
For example, the COVID pandemic has forced organisations to allow workers to work from home. When employees are working at the office, the area is secured. But when they are working from home, are they working in a dedicated working area where no one can hear their phone calls or look at their screen?
Physical control also applies to your service or product providers. For example, if you outsource the manufacturing of your products, make sure that the provider's physical security is up to standard. You don't want a competitor to have access to your product details.
Physical security is a prerequisite for good information security.
Environmental security refers to the measures put in place to safeguard information and resources from environmental hazards. For example, a disaster recovery plan in case of earthquakes, fires, floods or dangerous weather conditions.
The calamities mentioned above could interrupt an organisation's activities and its information systems by disrupting communication, cutting off access to gas or filtered water, and causing power outages.
Environmental controls are critical for information security because a breakdown in environmental controls could result in the loss of critical data or information. For example, if a natural disaster knocks out electricity at your company's headquarters, you may be at risk of losing data that is not backed up or secured.
This is why physical security and environmental security are essential elements to consider in a proper information security policy. If you want to learn more about information security, see the following guide: A guideline to set up an information security policy (ascentrixconsulting.com)
If you feel that your organisation needs to review its information security policy, do not hesitate to contact us. At Ascentrix Consulting, we are certified ISO 27001 auditors and we have more than 15 years' experience in the field.