A.7 Physical and environmental security

Version: 3.0

Valid until: 2025-04-10

Classification: Low

Version Management

Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-05-23
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed to A.11 Physical and environmental security from B10 Physical access. | 2022-10-17
2.0 | Edward Robinson | Additions/changes as part of the annual review. No changes were made. | 2023-05-15
3.0 | Edward Robinson | Additions/changes as part of the annual review. No changes were made. |

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the physical and environmental security policy of anDREa and the associated controls, checks and administrations. It is noteworthy that anDREa is a remote-first organisation and therefore has no physical location. Consequently, several annex controls are considered not applicable.


Annex controls that are considered not applicable are:


  • A.11.1.1 Physical security perimeter

  • A.11.1.2 Physical entry controls

  • A.11.1.3 Securing offices, rooms and facilities

  • A.11.1.4 Protecting against external and environmental threats

  • A.11.1.5 Working in secure areas

  • A.11.1.6 Delivery and loading areas

  • A.11.2.1 Equipment siting and protection

  • A.11.2.2 Supporting utilities

  • A.11.2.3 Cabling security


The remaining annex controls (A.11.2.4 - A.11.2.9) are considered applicable and are detailed below. This policy has a direct relationship with the A.6.2 Mobile devices and teleworking policy. Therefore, each annex control below has a brief description and refers to A.6.2 Mobile devices and teleworking for more detailed information.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objective of this control is:


  • To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations (A.11.2).

Scope


The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.11.2 Equipment

A.11.2.4 Equipment maintenance


“Equipment shall be correctly maintained to ensure its continued availability and integrity.”


The maintenance of equipment is described in A.6.2 Mobile devices and teleworking.

A.11.2.5 Removal of assets & A.11.2.6 Security of equipment and assets off-premises


“Equipment, information or software shall not be taken off-site without prior authorization.”

“Security shall be applied to off-site assets taking into account the different risks of working outside the organisation’s premises.”



As anDREa is a remote-first organisation, equipment, information, and software cannot be used on-site. Therefore, anDREa considers that by default all equipment, information, and software is used off-site. The procedure for taking work abroad (while travelling) is described in A.6.2 Mobile devices and teleworking. Requests will be registered by the Security Officer.

A.11.2.7 Secure disposal or re-use of equipment


“All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.”


Secure disposal is described in A.6.2 Mobile devices and teleworking.

A.11.2.8 Unattended user equipment


“Users shall ensure that unattended equipment has appropriate protection.”


The procedure on how to secure unattended equipment is described in A.6.2 Mobile devices and teleworking.

A.11.2.9 Clear desk and clear screen policy


“A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.”


The clear desk and clear screen policy is described in A.6.2 Mobile devices and teleworking.

Administrations
