Find Resources & Connect with members on topics that interest you.

AI - Acquire and Implement

PO - Plan and Organize

DS - Deliver and Support

Please sign in to see your topics.

You must be logged in to join this group.

DS12.2 - Physical Security Measures

This topic is intended to enable collaboration and sharing of information to facilitate a better understanding and approach to implementing this COBIT control objective based on the risk, value and guidance provided by its corresponding control practices.

COBIT Control Objective DS12.2 - Physical Security Measures is contained within Process Popup Manage the Physical Environment.

Learn more about COBIT and related publications.

Click “Join This Community” to be able to actively participate in discussions and contribute content. You must be an ISACA member to join this topic. Join ISACA now.

This Topic Has:
29 Members
0 Online
4853 Visits

Community Leader

Knowledge Center Manager

Knowledge Center Manager

Title: Become a Topic Leader!

Badge: Energizer

Physical Security Measures

Define and implement physical security measures in line with business requirements to secure the location and the physical assets. Physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals or explosives.

View value and Risk Drivers  help

Hide value and Risk Drivers help

Value Drivers

  • Protection of critical IT systems from physical threats
  • Effective deployment of physical security measures
  • Promotion of awareness amongst staff and management of the organisation’s requirements for physical security
  Risk Drivers
  • Threats to physical security not identified
  • Hardware stolen by unauthorised people
  • Physical attack on the IT site
  • Devices reconfigured without authorisation
  • Confidential information being accessed by devices configured to read the radiation emitted by the computers

View Control Practices  help

Hide Control Practices  help

  1. Define and implement a policy for the physical security and access control measures to be followed for IT sites. Regularly review the policy to ensure that it remains relevant and up to date.
  2. Limit the access to information about sensitive IT sites and the design plans. Ensure that external signs and other identification of sensitive IT sites are discreet and do not obviously identify the site from outside. Confirm that organisational directories/site maps do not identify the location of the IT site.
  3. Design physical security measures to take into account the risk associated with the business and operation. Physical security measures include alarm systems, building hardening, armoured cabling protection and secure partitioning.
  4. Periodically test and document the preventive, detective and corrective physical security measures to verify design, implementation and effectiveness.
  5. Ensure that the site design takes into account the physical cabling of telecommunication and the piping of water, power and sewer. The installation must be concealed, so it is not directly visible. The piping of water and sewer must also be redirected away from the server rooms.
  6. Define a process for the secure removal of IT equipment, supported by the appropriate authorisation.
  7. Safeguard receiving and shipping areas of IT equipment in the same manner and scope as normal IT sites and IT operations.
  8. Define and implement a policy and process to transport and store equipment securely.
  9. Define a process to ensure that storage devices containing sensitive information are physically destroyed or sanitised.
  10. Define a process for recording, monitoring, managing, reporting and resolving physical security incidents, in line with the overall IT incident management process.
  11. Ensure that particularly sensitive sites are checked frequently (including weekends and holidays).

Discussions: 1 total

Must be a Topic member to contribute
I am shortly commencing a physical security assessment of a series of healthcare facilities in the same network. I'm seeking any guidance from peers related to relevant frameworks, standards, and best practices. I do have a good ASIS publication and would...
Nick908 | 2/18/2018 8:33:48 PM | COMMENTS(0)

Documents & Publications: 63 total

Must be a Topic member to contribute
View All »
Posted by ISACA 909 days ago
Posted by ISACA 979 days ago
Posted by ISACA 1256 days ago

Events & Online Learning: 11 total

Journal Articles: 160 total

Volume 6, 2015
by Ed Gelbstein, Ph.D.
An auditor will sooner or later be faced with two kinds of conflicts: conflict of interest and interpersonal conflict.
Volume 5, 2107
by Marianne Bradford, Ph.D., and Dave Henderson, Ph.D.
Although generalized audit software (GAS) has been shown to significantly improve the efficiency and effectiveness of audits, many auditors do not use this technology.
Volume 4, 2018
by Steven J. Ross, CISA, CISSP, MBCP
I submit that changing the definition of work necessitates a corresponding redefinition of security over the information with which we work.
Volume 4, 2018
by Robin Lyons, CISA, CIA
There are two phases of the audit process where IS auditors can leverage tools to make their work align to and support the organization’s strategic objectives.
Volume 4, 2018
by ISACA Member and Certification Holder Compliance
An up-to-date listing of the current IT Audit and Assurance Standards, Guidelines, and Tools and Techniques
Volume 3, 2018
by Charles Hale, CCNA, CISSP, MCSE
With the aggressive pace at which data have grown and the need for constant real-time access becoming the norm, paying increased attention to securing networks and data has become critical.

Wikis: 2 total

Blog Posts: 20 total

Have you experienced ransomware attack so far and, if yes, what did you do to resolve? I set up Twitter poll here: It lasts for seven days. Thank you for taking part in the poll.
Posted By : Dragan Pleskonjic | 5 comments
My personal thoughts after listening to C-level executives at the CxO Roundtable Series sponsored by Intel, IBM, HyTrust & ReedSmith. For an invite, please reach out to me. Data Protection under the GDPR For past few months, I’ve been helping to org...
Posted By : Thomas152 | 1 comments
Information Security and Privacy is hot issue at present time. Number of security breaches is rapidly increasing.  In case of late detection, costs of breaches are skyrocketing. In the same time Artificial Intelligence (AI), Machine Learning (ML) are fast...
Posted By : Dragan Pleskonjic | 0 comments
My previous blog under name "Dragan on Security" was at location: It was active from August 28, 2005 to October 3, 2012. By beginning of 2017 it is moved to new location With possibility to...
Posted By : Dragan Pleskonjic | 0 comments
Senior Manager           ultimate responsibility Information security Officer          functional responsibility Security Analyst           Strategic, develops policies and guidelines Owner         - Responsible for asset         - Determine level of clas...
Posted By : Muhammad554 | 0 comments
“Enterprise architecture is now a strategic componentof every forward-thinking organization around the world.”Source: Related Article: Common Perspective on Enterprise Architecture: http://feapo....
Posted By : SA | 1 comments