📋 Template ISO 27001:2022 · Annex A 7.1–7.14 · 5 pages · ISMS-PHYS-001

Physical Security Policy

Four-zone physical security model, visitor management, clear desk requirements, equipment security by type, environmental protections, and certified disposal procedures.


Document ID: ISMS-POL-008 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager

Purpose and Scope

This policy establishes the physical and environmental security controls required to protect [Organisation Name]’s information assets, personnel, and facilities from physical threats, in accordance with ISO/IEC 27001:2022 Annex A controls 7.1–7.14.

It applies to all physical locations occupied by the organisation (offices, server rooms, storage areas), all personnel and visitors accessing those locations, and all equipment owned or operated by the organisation, including equipment used off-premises by remote workers.


1. Secure Area Definitions and Controls

The organisation defines four physical security zones. Each zone has defined access controls and monitoring requirements. Access to higher-security zones does not grant access to lower-security zones outside the staff member’s assigned areas.

| Area | Definition | Access Controls | Monitoring |
|---|---|---|---|
| Public Zone | Reception area, client meeting rooms, ground-floor lobby, toilet facilities | Open access during business hours (9 AM – 6 PM); outside business hours, reception door locked with intercom | Visitor sign-in at reception; receptionist or security officer present during business hours; CCTV coverage of entry points |
| General Office | Standard working areas, open-plan desks, kitchenette, print room | HID badge access required for all entry points; tailgating is prohibited and should be challenged by any staff member who observes it; visitors must be escorted at all times | CCTV coverage of entry/exit and main thoroughfares; badge audit log retained for 12 months |
| Restricted Zone | Server room, penetration testing lab, network equipment room, secure archive room | HID badge plus PIN required; access granted by ISM approval only; access list reviewed quarterly; no visitors permitted without written ISM sign-off and physical escort at all times; door must not be propped open | Full CCTV coverage of interior and entrance; camera footage retained for 30 days; access log (electronic) retained for 12 months; temperature and environmental alarms monitored 24/7 |
| Secure Storage | Locked filing cabinets containing Restricted documents, backup media storage cabinet, equipment stores | Physical key lock on all cabinets; dual-key required for cabinets containing Restricted classification material; key register maintained; keys issued to named individuals only | Regular inspection by ISM (monthly); contents inventory maintained; any discrepancy treated as a security incident |

2. Visitor Management Procedure

Unmanaged visitors in organisational premises are a significant physical security risk. The following procedure applies to all external visitors including clients, suppliers, auditors, contractors, and maintenance personnel.

Procedure:

  1. All visitors must be pre-registered in the visitor management system by their host at least 2 hours before arrival (for planned visits).
  2. On arrival, visitors must sign in at reception and present valid government-issued photo identification (passport, driver’s licence) which is verified by the receptionist.
  3. The host is notified of the visitor’s arrival and must personally collect the visitor from reception — visitors must not be sent unescorted to meeting rooms or office areas.
  4. A visitor badge is issued that is visually distinct from staff badges (different colour or clearly marked “VISITOR”). Visitor badges must be worn visibly at all times.
  5. Visitor Wi-Fi credentials are provided on request via the reception terminal; this network is isolated from the corporate network.
  6. The host must escort the visitor at all times within the General Office and, without exception, within the Restricted Zone; visitors must not be left unattended.
  7. On departure, the visitor returns their badge and signs out; the host confirms departure in the visitor management system.
  8. Visitor logs (name, company, host, time in/out, purpose) are retained for a minimum of 12 months and made available to the ISM on request.
  9. Any unescorted visitor found in restricted areas must be challenged by any staff member and the incident reported to the ISM immediately.
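The badge audit log (Section 1), the ISM-approved Restricted Zone access list, and the visitor log (Section 2, step 8) are only useful as controls if someone actually reconciles them. The script below is an added example, not part of the policy template or its publisher's material: it reads constructed badge-system and visitor-management exports and reports three kinds of discrepancy the policy defines, namely a badge granted Restricted Zone entry without being on the ISM access list, a visitor entering the Restricted Zone without written ISM sign-off, and a visitor who signed in but never signed out. The CSV column layouts, the `event` values, the approved-access and sign-off sets, and every log line are assumptions constructed for the example; a real badge or visitor system will export different fields.

```python
"""Reconcile physical access records against Sections 1 and 2 of the policy.

Added example; the export formats and sample data below are constructed
assumptions, not the output of any real badge or visitor management system.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed badge-system export: timestamp,badge_id,holder,zone,result
BADGE_LOG = """\
timestamp,badge_id,holder,zone,result
2026-03-02T08:55:00,B1001,A. Khan,General Office,granted
2026-03-02T09:10:00,B1001,A. Khan,Restricted Zone,granted
2026-03-02T09:12:00,B1007,J. Smith,Restricted Zone,granted
2026-03-02T11:40:00,B1003,P. Osei,Restricted Zone,denied
2026-03-02T13:05:00,B1003,P. Osei,Restricted Zone,granted
"""

# Constructed visitor-management export: event is signin, signout or zone_entry:<zone>
VISITOR_LOG = """\
timestamp,visitor,company,host,event
2026-03-02T10:00:00,M. Rossi,Acme Audit Ltd,A. Khan,signin
2026-03-02T10:30:00,M. Rossi,Acme Audit Ltd,A. Khan,zone_entry:Restricted Zone
2026-03-02T12:00:00,M. Rossi,Acme Audit Ltd,A. Khan,signout
2026-03-02T14:00:00,L. Chen,Delta Maintenance,J. Smith,signin
2026-03-02T14:20:00,L. Chen,Delta Maintenance,J. Smith,zone_entry:Restricted Zone
"""

# ISM-approved Restricted Zone badge list (constructed; Section 1 reviews this quarterly).
RESTRICTED_ACCESS_LIST = {"B1001", "B1007"}
# Visitors holding written ISM sign-off for the Restricted Zone (constructed).
RESTRICTED_VISITOR_SIGNOFF = {"M. Rossi"}


@dataclass(frozen=True)
class Finding:
    rule: str     # which policy rule was breached
    subject: str  # badge id or visitor name
    detail: str   # human-readable explanation for the ISM


def check_badge_log(log_text: str, approved: set[str]) -> list[Finding]:
    """Section 1: Restricted Zone access is granted by ISM approval only.
    Any *granted* Restricted Zone entry for a badge not on the approved list is
    a finding; denied attempts are left to the badge system's own reporting."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if (row["zone"] == "Restricted Zone" and row["result"] == "granted"
                and row["badge_id"] not in approved):
            findings.append(Finding(
                "restricted-zone-unapproved", row["badge_id"],
                f"{row['holder']} granted entry at {row['timestamp']} "
                f"but not on the ISM access list"))
    return findings


def check_visitor_log(log_text: str, signoff: set[str]) -> list[Finding]:
    """Section 2: visitors need written ISM sign-off for the Restricted Zone
    and must sign out on departure (step 7). Open visits are tracked per
    visitor and anything still open at the end of the export is reported."""
    findings = []
    open_visits: dict[str, dict] = {}
    for row in csv.DictReader(StringIO(log_text)):
        visitor, event = row["visitor"], row["event"]
        if event == "signin":
            open_visits[visitor] = row
        elif event == "signout":
            open_visits.pop(visitor, None)
        elif event.startswith("zone_entry:"):
            zone = event.split(":", 1)[1]
            if zone == "Restricted Zone" and visitor not in signoff:
                findings.append(Finding(
                    "visitor-restricted-no-signoff", visitor,
                    f"entered Restricted Zone at {row['timestamp']} hosted by "
                    f"{row['host']} without written ISM sign-off"))
    for visitor, row in open_visits.items():
        findings.append(Finding(
            "visitor-not-signed-out", visitor,
            f"signed in at {row['timestamp']} (host {row['host']}) "
            f"with no sign-out recorded"))
    return findings


def run_review() -> list[Finding]:
    """Run both reconciliations over the sample exports; badge findings first."""
    return (check_badge_log(BADGE_LOG, RESTRICTED_ACCESS_LIST)
            + check_visitor_log(VISITOR_LOG, RESTRICTED_VISITOR_SIGNOFF))


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Run against the sample data the review reports three findings: badge B1003 was granted Restricted Zone entry at 13:05 despite not being on the ISM list (the earlier denial suggests access was added outside the approval process), and visitor L. Chen both entered the Restricted Zone without sign-off and was never signed out. Each of these is the kind of discrepancy Section 1 says is to be treated as a security incident, so the script is best run on the same cadence as the quarterly access-list review and after each day's visitor log close-out.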

3. Clear Desk and Clear Screen Policy

Information left visible on desks or screens presents a simple but effective opportunity for unauthorised disclosure. This policy applies during and outside working hours.

Clear Desk Requirements:

  • All papers, notebooks, printed documents, and removable media (USB drives, backup tapes) must be cleared from desks when the desk is unattended for more than 10 minutes or at the end of each working day, whichever comes first.
  • Classified documents (Internal and above) must be placed in a locked drawer or secure cabinet when not in active use — they must not remain on the desk while the user is away from their workstation.
  • No passwords, network credentials, or authentication information may be written on paper and left on desks, stuck to monitors, or placed under keyboards at any time.
  • Printers and photocopiers must be cleared immediately after use; no documents may be left in output trays.
  • Whiteboards in meeting rooms containing Confidential or Restricted information must be erased before the room is vacated and before the next meeting.
  • All paper waste containing Internal classification or above must be disposed of in the cross-cut shredder, not in general waste bins.

Clear Screen Requirements:

  • Workstations must be locked whenever the user leaves their seat (Windows: Win+L; macOS: Cmd+Ctrl+Q or Ctrl+Shift+Power).
  • Automatic screen lock must be configured on all devices: screen locks after 5 minutes of inactivity (workstations) and 2 minutes of inactivity (mobile devices).
  • Screens displaying Confidential or Restricted information must not be positioned where they are visible to passing visitors or colleagues without need-to-know.
  • Privacy screen filters must be used on laptops when working in public spaces (airports, cafes, trains) on Confidential or Restricted information.

4. Equipment Security

4.1 On-Premises Equipment

| Equipment Type | Security Requirements |
|---|---|
| Laptop and Desktop | Full-disk encryption mandatory (BitLocker with TPM for Windows; FileVault 2 for macOS); MFA login enforced; MDM enrolled; cable lock used when left unattended in public areas or shared spaces |
| Mobile Phone and Tablet | MDM enrolled (Intune); device-level encryption enabled; PIN or biometric lock enforced (minimum 6-digit PIN); remote wipe capability registered and tested annually |
| Servers | Rack-mounted in locked rack within the Restricted Zone; serial numbers and asset tags recorded in Asset Inventory; front-panel USB ports disabled via BIOS where possible; BIOS password set |
| Network Equipment (switches, routers, firewalls) | Secured in locked network cabinet within Restricted Zone; default credentials changed on deployment; management interfaces on isolated VLAN; console access logged |
| Removable Media | Only approved, encrypted removable media permitted (encrypted USB drives from the approved list); all media tracked in Asset Inventory; lost or damaged media reported immediately |
| Printers and MFDs | Pull printing required for all Confidential and above — documents released only when user authenticates at the device (PIN or badge); print job logs reviewed monthly by IT Manager; hard drives sanitised before device disposal |

4.2 Off-Premises and Remote Equipment

  • Laptops used by remote workers must comply with all the same requirements as office equipment.
  • Laptops must never be left unattended in vehicles (even in a locked boot); if temporarily unavoidable, the device must be secured out of sight and the risk reported to the ISM.
  • Laptops must never be stored in checked luggage when travelling; carry-on only.
  • Lost or stolen equipment must be reported to the IT Manager and ISM within 1 hour of discovery so that remote wipe and access revocation can be initiated.
  • Equipment taken to client sites must not be connected to the client’s network without prior authorisation and appropriate network isolation.

5. Protection Against Environmental Threats

5.1 Temperature and Humidity

  • Server room temperature must be maintained between 18°C and 27°C (64°F – 80°F).
  • Relative humidity must be maintained between 40% and 60% to prevent static discharge and condensation.
  • Automated temperature and humidity monitoring with alerting to the IT Manager and Facilities Manager is mandatory; alerts must be responded to within 1 hour.
  • Air conditioning units in the server room must have at least N+1 redundancy.

5.2 Fire

  • Smoke detectors installed in server room and office areas; tested in accordance with local fire safety regulations (minimum annually).
  • Server room fire suppression: clean agent suppression system (FM-200, Novec 1230, or inert gas) preferred over water-based sprinklers to prevent equipment damage.
  • Office areas: standard wet-pipe sprinkler system acceptable.
  • Fire evacuation plan posted at all exits; fire drills conducted annually.

5.3 Power

  • All servers and network equipment in the server room must be connected to a UPS providing a minimum of 30 minutes of runtime at full load.
  • Generator or secondary power source required for extended outages affecting Tier 1 services; generator tested monthly under load.
  • Power Distribution Units (PDUs) provide redundant power feeds to critical servers where technically feasible.
  • Servers must shut down gracefully on the UPS low-battery signal — no abrupt power cuts.

5.4 Water

  • Server room must be located above ground floor where possible; ground-floor installations require raised flooring.
  • No water pipes (plumbing, HVAC drainage) should run directly above server room equipment; where unavoidable, drip trays and leak detection sensors are mandatory.
  • Leak detection sensors installed; alerts sent to IT Manager and Facilities Manager.

5.5 Cabling

  • Power cabling and data cabling must be separated and run in separate cable trays to prevent electromagnetic interference.
  • All cables in the server room must be labelled at both ends; cable labels reviewed and updated annually.
  • Patch panels labelled; cable management maintained to allow air flow and safe access for maintenance.
  • Exterior-facing cabling runs through conduit; underground cabling preferred for high-risk environments.

6. Secure Disposal of Equipment and Media

Disposal of any asset that has stored Confidential or Restricted data must follow the approved procedure. No asset may be donated, resold, or sent to general recycling without first completing the appropriate disposal process. The IT Manager is responsible for all disposal actions.

| Asset Type | Disposal Method | Evidence Required |
|---|---|---|
| HDD (internal, non-encrypted) | Degaussing using approved degausser (minimum NIST 800-88 Level P) followed by physical destruction (shredding or crushing) by approved vendor | Certificate of Destruction from approved vendor including asset serial number, destruction method, and date |
| HDD (encrypted — BitLocker / FileVault) | Cryptographic erasure (destroy encryption key via BitLocker key deletion or FileVault key rotation to new key + wipe) followed by NIST 800-88 Purge (DBAN 7-pass or ATA Secure Erase) | Wipe completion log with technician signature; asset tag; date |
| SSD / NVMe drive | ATA Secure Erase or vendor-specific secure erase tool (using manufacturer firmware commands); followed by physical destruction for Restricted-classification data | Secure erase completion log; for Restricted: Certificate of Destruction from approved vendor |
| Mobile phone / tablet | MDM remote wipe (Intune wipe command); factory reset performed on device; MDM confirms device as wiped | MDM wipe confirmation screenshot including device serial number, wipe date, and MDM admin who initiated |
| Backup tapes (LTO) | Physical destruction by approved shredding/recycling vendor; degaussing first for LTO tapes not being physically destroyed | Certificate of Destruction from vendor including tape serial numbers or batch reference |
| USB drives (Confidential data) | Physical destruction (drill or shred); do not reuse or resell | Witnessed destruction log signed by IT Manager and ISM |
| Paper documents (Internal and above) | Cross-cut shredding meeting DIN 66399 Level P-4 minimum (4mm x 40mm particles) or P-5 for Restricted (2mm x 15mm particles); use on-site shredder or secure shredding service | On-site: witnessed destruction noted in disposal log. Off-site: Certificate of Destruction from shredding service |
| Monitors / screens | Standard e-waste recycling via approved vendor; no data stored — no special procedure required | Confirm no internal storage; e-waste receipt |
| Printers / MFDs | Hard drive removal and disposal per HDD procedure before returning/reselling the device | Hard drive disposal certificate; confirm drive removed from unit |

7. Review History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial issue |
