People and Physical Security Policy

CIAO ESSENTIAL — POLICY
C-AO/POL/CAO-490:2026 PUBLIC
People and Physical Security Policy
CAO-400 Cybersecurity sub-policy (CAO-490) — auto-drafted, pending panel review
Date Issued  22 June 2026
Review Date  22 June 2027
Cite as: CIAO Standard. (2026). People and Physical Security Policy. v1.1.3.7. C-AO/POL/CAO-490:2026. www.c-ao.com

1 · Purpose

This policy establishes the requirements for people and physical security policy within the CAO-400 Cybersecurity. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.

2 · Scope

This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.

3 · Policy statements

3.x · CAO-490 Policy Controls

outlinesatisfies·solidpartial·greyinforms

The organisation shall establish, implement and maintain a coherent and effective approach to people and physical security, giving effect to the organisational control objectives set out below.

COBIT 2019COSO ERMHIPAAISAE 3402 Type IIISO 22301ISO 28000ISO 9001ISO/IEC 27001ISO/IEC 27002ISO/IEC 27017ISO/IEC 27036-2ISO/IEC 42001ITIL 4NIS2NIST CSF 2.0NIST SP 800-161r1NIST SP 800-53PCI-DSS v4.0.1

3.1 · CAO-491 Human Resources Security

The organisation shall establish, implement and maintain effective Human Resources Security, giving effect to the organisational controls set out below.

COBIT 2019COSO ERMISAE 3402 Type IIISO 22301ISO 9001ISO/IEC 27001ISO/IEC 27002ISO/IEC 27036-2ISO/IEC 42001ITIL 4NIS2NIST SP 800-161r1NIST SP 800-53PCI-DSS v4.0.1

3.1.x · CAO-491 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.2 · CAO-492 Security Awareness and Training

The organisation shall establish, implement and maintain effective Security Awareness and Training, giving effect to the organisational controls set out below.

ISO 22301ISO 28000ISO/IEC 27001ISO/IEC 27002ISO/IEC 27017ISO/IEC 42001NIST CSF 2.0NIST SP 800-161r1NIST SP 800-53

3.2.x · CAO-492 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.3 · CAO-493 Physical Security Perimeter and Entry

The organisation shall establish, implement and maintain effective Physical Security Perimeter and Entry, giving effect to the organisational controls set out below.

HIPAAISO/IEC 27001ISO/IEC 27002NIST SP 800-161r1NIST SP 800-53PCI-DSS v4.0.1

3.3.x · CAO-493 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.4 · CAO-494 Physical Monitoring and Protection

The organisation shall establish, implement and maintain effective Physical Monitoring and Protection, giving effect to the organisational controls set out below.

ISO/IEC 27001ISO/IEC 27002NIST SP 800-53

3.4.x · CAO-494 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.5 · CAO-495 Equipment and Media Security

The organisation shall establish, implement and maintain effective Equipment and Media Security, giving effect to the organisational controls set out below.

ISO/IEC 27001ISO/IEC 27002NIST SP 800-161r1NIST SP 800-53PCI-DSS v4.0.1

3.5.x · CAO-495 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

4 · Roles & responsibilities

5 · Compliance, monitoring & review

Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.

● LIVE CONTENT  ·  Verified 11 July 2026 at 17:38 UTC  ·  Version 1.1.3.7  ·  Always current at c-ao.com  ·  © CIAO Standard Secretariat 2026

Cite this page (APA)