1. Purpose and Scope
This policy defines how the organisation protects facilities, assets, and personnel from unauthorised physical access, damage, or interference. It applies to all employees, contractors, suppliers, and partners who access organisational premises or handle physical assets.
Policy Statements:
- Physical security controls are documented and enforced, consistent with ISO/IEC 27001:2022 Annex A.11.1 (Physical Security and Environmental Controls).
- Facility protection aligns with NIST CSF v2.0 PR.PT (Protective Technology).
- Vendor and partner physical security obligations are integrated into contracts (PCI DSS v4.0 Req. 9, HIPAA Security Rule §164.310 Facility Access Controls).
- Governance oversight is provided by the board, consistent with ISO/IEC 38500:2015 Clause 5.1–5.6 and, where applicable to the organisation’s jurisdiction, instruments such as US SOX Section 404 and equivalent national governance codes.
2. Governance and Accountability
Physical security responsibilities are clearly defined and enforced.
Policy Statements:
- The board demonstrates leadership and commitment to physical security governance (ISO 27001 Clause 5.1).
- A formally appointed Facilities Security Manager is accountable for physical security standards (Clause 5.3).
- Department heads ensure compliance within their teams.
- Quarterly physical security performance reports are presented to the Audit & Risk Committee in the form required by applicable governance instruments; representative reference points include US SOX Section 404, South Africa King IV Principle 12, and equivalent national codes.
- Collaborative physical security responsibilities with suppliers and partners are documented and reviewed annually (ISO 44001 Clause 5.2).
- Physical security governance aligns with the COSO Internal Control — Integrated Framework (Principle 1: Governance & Culture) or equivalent internal-control framework adopted by the organisation.
3. Risk Management
Physical security risks are identified, assessed, and treated systematically.
Policy Statements:
- Risk assessments include physical security risks quarterly (ISO 27001 Clause 6.1.2).
- Risk treatment plans are documented and approved (Clause 6.1.3).
- Facility resilience risks are integrated into enterprise risk registers (ISO 22301 Clause 8.2).
- Shared risk registers with strategic partners include physical security risks (ISO 44001 Clause 6.3).
- Physical security risk assessments are embedded into the organisation’s enterprise risk management framework — COSO ERM (Principle 6: Risk Identification & Assessment), ISO 31000:2018, or equivalent ERM framework adopted by the organisation.
4. Physical Access Controls
Access to facilities is restricted, monitored, and reviewed regularly.
Policy Statements:
- Facility access controls include badges, biometrics, and visitor logs (ISO 27001 Annex A.11.1.1).
- Secure areas and restricted zones are defined and enforced (Annex A.11.1.2).
- Environmental controls protect against fire, flood, and power failure (Annex A.11.2.1).
- PCI DSS v4.0 requires physical access restrictions to cardholder data environments (Req. 9.1–9.4).
- HIPAA mandates facility access controls for electronic protected health information (§164.310(a)(1)).
5. Monitoring and Oversight
Physical security compliance is monitored continuously.
Policy Statements:
- CCTV and alarm systems are deployed in all critical facilities (ISO 27001 Annex A.11.1.4).
- Visitor logs are retained for 12 months and reviewed weekly.
- Vendor compliance is monitored through audits (SOC 2 CC6 Physical Security Criteria).
- Corrective actions are tracked and verified (ISO 9001 continual improvement).
- Monitoring aligns with NIST CSF DE.CM (Detection & Monitoring).
6. Incident Response and Continuity
Physical security integrates with incident response and continuity planning.
Policy Statements:
- Physical breaches trigger incident response procedures (ISO 27001 Annex A.16.1).
- Breach notifications include facility access details under applicable data protection law; representative references include EU GDPR Articles 33–34 and POPIA Section 22.
- Vendor physical breaches are escalated through contractual obligations (ISO 44001 Clause 7.4).
- Physical incidents integrate with enterprise risk reporting channels (COSO Principle 17, or equivalent).
- Continuity plans validate facility resilience during recovery (ISO 22301 Clause 8.4).
7. Training and Awareness
Employees and partners are trained to comply with physical security standards.
Policy Statements:
- Annual physical security training is mandatory (ISO 27001 Annex A.7.2.2, PCI DSS Req. 12.6).
- Role-specific training is provided to facilities staff and security guards.
- Awareness campaigns reinforce physical security culture.
- Vendors must provide evidence of physical security training for their staff (SOC 2 CC6.3).
8. Compliance Obligations
Physical security complies with applicable laws and standards.
Policy Statements:
- Obligations under applicable data protection and health-data law are integrated into facility access standards; representative regimes include EU GDPR, POPIA, HIPAA, and California CCPA/CPRA.
- Cross-border facility obligations follow the lawful transfer mechanisms of applicable data protection law in each operating jurisdiction; representative references include EU GDPR Chapter V and Mauritius DPA Section 36.
- The organisation maintains a living register of data protection obligations applicable to its jurisdictions of operation; representative reference points include Singapore PDPA, India DPDP Act, and Brazil LGPD.
- Physical security obligations under the AU Convention on Cybersecurity (2014) are observed where the organisation operates in signatory states.
9. Audit and Assurance
Independent audits validate physical security effectiveness.
Policy Statements:
- Internal audits of physical security are conducted annually (ISO 27001 Clause 9.2).
- Management reviews physical security performance quarterly (Clause 9.3).
- External audits validate compliance with recognised assurance frameworks applicable to the organisation's market context; representative references include the SOC 2 CC6 Physical Security Criteria cited above and equivalent criteria under other accepted assurance frameworks.
- Corrective actions are tracked and verified (ISO 9001 continual improvement).
10. Appendices
- Appendix A: Facility Access Control Checklist.
- Appendix B: Visitor Log Template.
- Appendix C: Physical Security Incident Escalation Flowchart.
- Appendix D: Environmental Control Standards (Fire, Flood, Power).
- Appendix E: Vendor Physical Security Agreement template.
- Appendix F: Physical Security Training Curriculum.
- Appendix G: Physical Security Audit Schedule.
Enterprise and Conglomerate implementation content will be added here.