1 · Purpose
This policy establishes the requirements for people and physical security policy within the CAO-400 Cybersecurity. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.
2 · Scope
This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.
3 · Policy statements
3.x · CAO-490 Policy Controls
The organisation shall establish, implement and maintain a coherent and effective approach to people and physical security, giving effect to the organisational control objectives set out below.
3.1 · CAO-491 Human Resources Security
The organisation shall establish, implement and maintain effective Human Resources Security, giving effect to the organisational controls set out below.
3.1.x · CAO-491 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.2 · CAO-492 Security Awareness and Training
The organisation shall establish, implement and maintain effective Security Awareness and Training, giving effect to the organisational controls set out below.
3.2.x · CAO-492 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.3 · CAO-493 Physical Security Perimeter and Entry
The organisation shall establish, implement and maintain effective Physical Security Perimeter and Entry, giving effect to the organisational controls set out below.
3.3.x · CAO-493 Organisational Controls
3.4 · CAO-494 Physical Monitoring and Protection
The organisation shall establish, implement and maintain effective Physical Monitoring and Protection, giving effect to the organisational controls set out below.
3.4.x · CAO-494 Organisational Controls
3.5 · CAO-495 Equipment and Media Security
The organisation shall establish, implement and maintain effective Equipment and Media Security, giving effect to the organisational controls set out below.
3.5.x · CAO-495 Organisational Controls
4 · Roles & responsibilities
- Governing body — approves this policy and oversees its effectiveness.
- Executive management — allocates resources and assigns control ownership.
- Control owners — implement, operate and evidence the controls in their area.
- All personnel & third parties — comply with this policy within their role.
5 · Compliance, monitoring & review
Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.
