Recently, I have been asked by one of my clients to produce a Building Maintenance Report for ISO 27001 Certification. Given that, apart from being an ISO Consultant, I am a Mechanical Engineer, I am competent and authorised to create such reports.
Through this blog post, I wanted to share with you the salient elements that must be included within the Building Maintenance Report for ISO 27001 Certification.
Introduction to ISO 27001
First off, let’s start with the basics, shall we? ISO 27001 is the standard for an information security management system (ISMS). Its main aim is to ensure that the information within an organisation is handled safely, thereby protecting the interests of all interested parties.
Clauses within the Standard
Effectively, all the standards within the ISO family carry the same requirements, following the same 10 clauses – and yet each standard has its own unique point of view on each of the clauses. This ensures that we look at the same topic from different perspectives when implementing more than one standard.
As with any ISO management system, a ‘Risk Management’ approach prevails. The ISMS is intended to help the organisation identify, mitigate and control risks, and to apply security controls, systematically and on an ongoing basis.
Annex A and its 114 controls
Having said that, Annex A within the standard delves deeper into the considerations that must be given for an effective ISMS (Information Security Management System). Annex A of the standard is split into 14 categories and identifies a total of 114 controls that must be taken into account during a world-class ISO 27001 certification process.
For the scope of this post, in which we are discussing the building maintenance report – that is, the controls on the physical part of the organisation – we take into consideration the following categories within Annex A.
Annex A.9 – Access Control
This section of the Annex delves deeper into all levels of control that must be taken into consideration. Basically, the idea is to ensure that information is only accessible to the people who need it.
In terms of the building maintenance report, for this section we only need to determine whether one can easily roam around the office, from one room to the next, and what type of physical restrictions exist to control access by unauthorised personnel within the offices of the organisation.
Annex A.11 – Physical and Environmental Security
By far the most extensive section within Annex A, the Physical and Environmental Security controls are split into 14. Here we will be highlighting the salient ones.
Protecting against external & environmental threats
There are two types of threats:
- Environmental threats – floods, lightning, and other naturally-occurring events
- Man-made – water leakage from facilities, civil unrest
Adequate effort must be made to ensure that the potential threats have been identified and that the necessary mitigation measures have been implemented.
Protecting equipment and supporting utilities
It is extremely important to ensure that any IT equipment, storage media, computer facilities, paper files, and any other location which could possibly store information is adequately protected. Depending on the nature of the medium used to store the information, care must be taken over the type of protection that is required. As a basic first step, site maps and photos must be taken to confirm the location of such equipment. Moreover, the following is required:
- stored within adequately secure areas – barriers, locks, safes, etc.
- have high-grade utilities – for example, air conditioners, dehumidifiers, extractor fans
- with the required controls – for example, intruder or fire alarms, CCTV, UPS
Moreover, it must be made sure that any routine procedures regarding the above, and any certificates (for example, the expiry date on the fire extinguisher), are regularly updated.
Building Maintenance Report for ISO 27001 Certification – Conclusion
I honestly hope that the information within this post was as useful to you as it was to my client. If there are any questions relating to this topic, feel free to comment below or to get in touch with me personally. If you are seeking ISO 27001 Certification – I encourage you to get in touch with me now. I’d love to help you.