ISO 45001 tends to focus on the physical workplace and the activities conducted there. ISO 27001 focuses on hazards to the security of information, which includes physical hazards, but only insofar as they may affect information. Management of the risk to the individual and to the business from hostile external parties gaining physical access to the workplace, or to the employee, is less well specified in either standard, but the same management-system principles apply.
1. There are a number of aspects to the management of physical security, including the following:
- Understanding the security environment, requirements, hazards and risks
- Organisation structure and Responsibilities, Accountabilities, Consultation and Information (RACI)
- Competence of human resources (general workforce and security professionals)
- Training, communication, information and consultation processes
- Planning, documenting and recording the required controls, e.g.
  - Access control to premises, property and people
  - Physical protection of people (at work, in transit and, where required, at home)
  - Protection of cash and valuables
  - Key management
  - Control of incoming mail and deliveries
  - Employee and contractor behaviours
  - Dealing with aggressive or uncooperative people
  - Dealing with incidents and emergencies
- Monitoring performance
- Reviewing performance
- Reporting hazards, incidents and accidents, and responding effectively
- Identifying and implementing system improvement opportunities
The overall structure of a management system for physical security could be modelled on, and integrated with, your existing environmental, information security, safety or quality management system. ISO 27001 already includes some physical security controls which are directly relevant.
2. As with all management systems, the baseline of requirements, internal and external forces, interested parties and the associated risks must be defined in order to understand the overall deliverables of the system. In this case the deliverables must provide security from physical encroachment on the people and resources of the organisation.
Consider:
- Who and what are to be protected?
- How can they be put at risk?
- Where and when are they at risk?
- Who potentially poses the risk?
- What is the level of risk from these factors?
- Which of these factors are relevant in defining the required controls?
A risk matrix (likelihood against consequence) will assist in identifying and ranking the relevant hazards and risks. The required controls should be selected in proportion to the level and scope of each risk. The organisational structure of the business should be reviewed to identify personnel with the skills and capability to support the controls at the various levels, e.g.
- Accountability and Management
- Implementation
- Communication
- Checking and Reviewing
- Resourcing improvements
Training for security professionals will be in accordance with specific industry requirements and the PSA requirements. This will include training on identifying, addressing and reporting, as appropriate:
- Overall threat level
- Insider threats
- Security incidents
- Threats from delivered items or materials
- Threats from external infiltration
- Threats to personnel and duress threats, including
  - Kidnapping
  - Tiger kidnapping (coercion of an employee or their family to force use of their access privileges)
  - Misuse of personnel access privileges
  - Armed threats to personnel
  - Threats of physical violence
- Risk levels and changes to them
- Performance of the Security Management System
- The system should include documented processes for the system elements outlined under point 1 above.
- The system should include documented processes for identifying and monitoring key performance indicators, and for internal audits and management reviews.
- The system should include documented processes for identifying and tracking all non-conformities, security incidents and emergencies, security complaints and opportunities for improvement, together with the actions required for their immediate and long-term resolution.
- The prioritised security risks, incidents, non-conformities and opportunities should be used to identify specific and measurable objectives, linked to timelines and with defined ownership and resources.
The overall aim of the Security Management System is to ensure that a considered, consistent and comprehensive set of processes is in place to manage the physical security requirements and risks of the organisation, while identifying and implementing priority system improvements.
References:
ISO/IEC 27001:2022, Annex A, section 7, Physical controls (controls A.7.1 to A.7.14, including physical security perimeters, physical entry, monitoring of entry points and other physical requirements).
ISO 45001:2018, Clause 6.1, Actions to Address Risks and Opportunities.
Security Standard – Physical and Electronic Security, UK Department for Work and Pensions, November 2022.
Secured by Design, the official security initiative of the UK police service, which works to improve the security of buildings and their immediate surroundings to provide safe places to live, work, shop and visit.
Irish/Euro Norm Product standards:
Intruder resistance I.S. EN 1627
Glazing I.S. EN 356
Ballistic protection I.S. EN 1063 (glazing), I.S. EN 1522 and 1523 (windows, doors, shutters and blinds) and I.S. EN 16935
Intruder alarms I.S. EN 50131
CCTV monitoring systems I.S. EN 50132 (note that the EN 50132 series has largely been superseded by the EN 62676 video surveillance series; check which edition a supplier is certifying against)