Access to physical areas housing IT equipment or sensitive data must be logged, and the logs checked at least monthly for deviations.
Procedures for working in secure areas are in place and adherence to them is monitored. The procedures include at a minimum rules regarding:
- how, when and by whom access can be obtained
- supervision or checking of work
- the prohibition on making recordings in secure areas
- how guests and contractors can perform their work activities
- rules regarding consumption of food
- emergency protocols and how any out-of-ordinary situations can be reported.
Specification
Access to technical areas is limited to authorised personnel in accordance with NIST Special Publication 800-53: https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_1/home?element=PE-03
The keys (or alternative authentication schemes) for access to restricted areas must be strictly managed.
There is a physical response plan for intruder alerts.
ISO 27001 & 27002:2022
A7.2, A7.6, A7.8, A7.9
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
PH.02 Physical access rights management