T2.2.1 - PHYSICAL SECURITY PERIMETER Implementation Guidance
The entity shall use security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) to protect areas that contain information and information systems.
The following guidelines should be considered and implemented where appropriate for physical security perimeters:
- A. Security perimeters should be clearly defined, and the siting and strength of each of the perimeters should depend on the security requirements of the assets within the perimeter and the results of a risk assessment
- B. Perimeters of a building or site containing information systems should be physically sound (i.e. there should be no gaps in the perimeter or areas where a break-in could easily occur); the external walls of the site should be of solid construction and all external doors should be suitably protected against unauthorized access by control mechanisms such as bars, alarms and locks; doors and windows should be locked when unattended, and external protection should be considered for windows, particularly at ground level
- C. A manned reception area or other means to control physical access to the site or building should be in place; access to sites and buildings should be restricted to authorized personnel only
- D. Physical barriers should, where applicable, be built to prevent unauthorized physical access and environmental contamination
- E. All fire doors on a security perimeter should be alarmed, monitored, and tested in conjunction with the walls to establish the required level of resistance in accordance with suitable regional, national, and international standards; they should operate in accordance with the local fire code in a failsafe manner
- F. Suitable intruder detection systems should be installed to national, regional or international standards and regularly tested, covering all external doors and accessible windows; unoccupied areas should be alarmed at all times; cover should also be provided for other areas, e.g. computer rooms or communications rooms
- G. Information systems managed by the entity should be physically separated from those managed by third parties