A.7 Physical Controls (14 Controls)

A.7.1 Physical security perimeters

Security perimeters shall be defined and used to protect areas that contain information and other associated assets.

A.7.2 Physical entry

Secure areas shall be protected by appropriate entry controls and access points.

A.7.3 Securing offices, rooms and facilities

Physical security for offices, rooms and facilities shall be designed and implemented.

A.7.4 Physical security monitoring

Premises shall be continuously monitored for unauthorized physical access.

A.7.5 Protecting against physical and environmental threats

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.

A.7.6 Working in secure areas

Security measures for working in secure areas shall be designed and implemented.

A.7.7 Clear desk and clear screen

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.

A.7.8 Equipment siting and protection

Equipment shall be sited securely and protected.

A.7.9 Security of assets off-premises

Off-site assets shall be protected.

A.7.10 Storage media

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

A.7.11 Supporting utilities

Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.7.12 Cabling security

Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.

A.7.13 Equipment maintenance

Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.

A.7.14 Secure disposal or re-use of equipment

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

