ISO/IEC 27002:2022 - by ISO
ISO/IEC 27002:2022(E)

7.2 Physical entry

Control type: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_security #Identity_and_Access_Management
Security domains: #Protection

Control
Secure areas should be protected by appropriate entry controls and access points.

Purpose
To ensure only authorized physical access to the organization’s information and other associated assets
occurs.

Guidance
General
Access points such as delivery and loading areas and other points where unauthorized persons can
enter the premises should be controlled and, if possible, isolated from information processing facilities
to avoid unauthorized access.

The following guidelines should be considered:

a) restricting access to sites and buildings to authorized personnel only. The process for the
management of access rights to physical areas should include the provision, periodical review,
update and revocation of authorizations (see 5.18);
b) securely maintaining and monitoring a physical logbook or electronic audit trail of all access and
protecting all logs (see 5.33) and sensitive authentication information;
c) establishing and implementing a process and technical mechanisms for the management of access
to areas where information is processed or stored. Authentication mechanisms include the use of
access cards, biometrics or two-factor authentication such as an access card and secret PIN. Double
security doors should be considered for access to sensitive areas;
d) setting up a reception area monitored by personnel, or other means to control physical access to
the site or building;
e) inspecting and examining personal belongings of personnel and interested parties upon entry and
exit;
NOTE Local legislation and regulations can exist regarding the possibility of inspecting personal
belongings.

f) requiring all personnel and interested parties to wear some form of visible identification and to
immediately notify security personnel if they encounter unescorted visitors and anyone not
wearing visible identification. Easily distinguishable badges should be considered to better identify
permanent employees, suppliers and visitors;
g) granting supplier personnel restricted access to secure areas or information processing facilities
only when required. This access should be authorized and monitored;
h) giving special attention to physical access security in the case of buildings holding assets for
multiple organizations;
i) designing physical security measures so that they can be strengthened when the likelihood of
physical incidents increases;
j) securing other entry points such as emergency exits from unauthorized access;
k) setting up a key management process to ensure the management of the physical keys or
authentication information (e.g. lock codes, combination locks to offices, rooms and facilities such
as key cabinets) and to ensure a log book or annual key audit and that access to physical keys or
authentication information is controlled (see 5.17 for further guidance on authentication
information).

Visitors

The following guidelines should be considered:
a) authenticating the identity of visitors by an appropriate means;
b) recording the date and time of entry and departure of visitors;
c) only granting access for visitors for specific, authorized purposes and with instructions on the
security requirements of the area and on emergency procedures;
d) supervising all visitors, unless an explicit exception is granted.
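The electronic audit trail called for in guideline b) is only useful if someone reviews it. The following added example (not part of the standard, and not any vendor's code) runs three checks from this control over a constructed one-day access log: two-factor entry to sensitive areas (guideline c), supervision of visitors (Visitors d), and a recorded departure for every visitor (Visitors b). The area names, badge ids, the 60-second escort window and the rule that a staff entry to the same area counts as supervision are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed audit trail for one day (not real data):
# (timestamp, badge id, holder kind, area, event, authentication factors presented)
AUDIT_TRAIL = [
    ("2024-05-06 08:58:10", "S-1001", "staff",   "lobby",       "entry", ["card"]),
    ("2024-05-06 09:00:02", "V-0042", "visitor", "lobby",       "entry", ["card"]),
    ("2024-05-06 09:00:25", "S-1001", "staff",   "server-room", "entry", ["card", "pin"]),
    ("2024-05-06 09:00:40", "V-0042", "visitor", "server-room", "entry", ["card"]),
    ("2024-05-06 11:30:00", "V-0077", "visitor", "lobby",       "entry", ["card"]),
    ("2024-05-06 11:31:00", "V-0077", "visitor", "server-room", "entry", ["card"]),
    ("2024-05-06 12:00:00", "V-0042", "visitor", "lobby",       "exit",  ["card"]),
    ("2024-05-06 14:00:00", "S-1002", "staff",   "server-room", "entry", ["card"]),
    ("2024-05-06 17:05:00", "S-1001", "staff",   "lobby",       "exit",  ["card"]),
]
SENSITIVE_AREAS = {"server-room"}      # assumed: areas where two-factor entry is mandatory
ESCORT_WINDOW = timedelta(seconds=60)  # assumed: a host must badge into the same area this close

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def review_audit_trail(trail, sensitive=SENSITIVE_AREAS, escort_window=ESCORT_WINDOW):
    """Return (badge id, reason) findings that a daily review of the access log should raise."""
    findings = []
    # Staff entries are the candidate escorts for a visitor entering the same area.
    staff_entries = [(_ts(t), area) for t, _, kind, area, event, _ in trail
                     if kind == "staff" and event == "entry"]
    open_visits = {}  # visitor badges that entered but have no recorded departure yet
    for t, badge, kind, area, event, factors in sorted(trail):
        when = _ts(t)
        if kind == "staff":
            # Guideline c): sensitive areas require two factors, e.g. access card plus PIN.
            if event == "entry" and area in sensitive and len(set(factors)) < 2:
                findings.append((badge, f"single-factor entry to {area}"))
            continue
        if event == "entry":
            # Visitors d): a visitor in a sensitive area must be supervised; supervision is
            # modelled as a staff entry to that area within the escort window.
            escorted = any(a == area and abs(when - st) <= escort_window for st, a in staff_entries)
            if area in sensitive and not escorted:
                findings.append((badge, f"unescorted visitor in {area}"))
            open_visits.setdefault(badge, when)
        elif event == "exit":
            open_visits.pop(badge, None)
    # Visitors b): every visitor entry needs a recorded date and time of departure.
    findings.extend((badge, "no recorded departure") for badge in sorted(open_visits))
    return findings
```

On the constructed log this flags the visitor who entered the server room without a host nearby and never badged out, and the staff member who entered it with a card alone.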

Delivery and loading areas and incoming material

The following guidelines should be considered:
a) restricting access to delivery and loading areas from outside of the building to identified and
authorized personnel;
b) designing the delivery and loading areas so that deliveries can be loaded and unloaded without
delivery personnel gaining unauthorized access to other parts of the building;
c) securing the external doors of delivery and loading areas when doors to restricted areas are
opened;
d) inspecting and examining incoming deliveries for explosives, chemicals or other hazardous
materials before they are moved from delivery and loading areas;
e) registering incoming deliveries in accordance with asset management procedures (see 5.9 and
7.10) on entry to the site;
f) physically segregating incoming and outgoing shipments, where possible;
g) inspecting incoming deliveries for evidence of tampering on the way. If tampering is discovered, it
should be immediately reported to security personnel.

Other information
No other information.

8.13 Information backup

Control type: #Corrective
Information security properties: #Integrity #Availability
Cybersecurity concepts: #Recover
Operational capabilities: #Continuity
Security domains: #Protection

Control
Backup copies of information, software and systems should be maintained and regularly tested in
accordance with the agreed topic-specific policy on backup.

Purpose
To enable recovery from loss of data or systems.

Guidance
A topic-specific policy on backup should be established to address the organization’s data retention and
information security requirements.
Adequate backup facilities should be provided to ensure that all essential information and software can
be recovered following an incident or failure or loss of storage media.
Plans should be developed and implemented for how the organization will back up information,
software and systems, to address the topic-specific policy on backup.
When designing a backup plan, the following items should be taken into consideration:
a) producing accurate and complete records of the backup copies and documented restoration
procedures;
b) reflecting the business requirements of the organization (e.g. the recovery point objective, see
5.30), the security requirements of the information involved and the criticality of the information to
the continued operation of the organization in the extent (e.g. full or differential backup) and
frequency of backups;
c) storing the backups in a safe and secure remote location, at a sufficient distance to escape any
damage from a disaster at the main site;
d) giving backup information an appropriate level of physical and environmental protection (see
Clause 7 and 8.1) consistent with the standards applied at the main site;
e) regularly testing backup media to ensure that they can be relied on for emergency use when
necessary. Testing the ability to restore backed-up data onto a test system, not by overwriting the
original storage media in case the backup or restoration process fails and causes irreparable data
damage or loss;
f) protecting backups by means of encryption according to the identified risks (e.g. in situations
where confidentiality is of importance);
g) taking care to ensure that inadvertent data loss is detected before backup is taken.
Operational procedures should monitor the execution of backups and address failures of scheduled
backups to ensure completeness of backups according to the topic-specific policy on backups.
Backup measures for individual systems and services should be regularly tested to ensure that they
meet the objectives of incident response and business continuity plans (see 5.30). This should be
combined with a test of the restoration procedures and checked against the restoration time required
by the business continuity plan. In the case of critical systems and services, backup measures should
cover all systems information, applications and data necessary to recover the complete system in the
event of a disaster.
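Items a), e) and g) above and the restoration testing just described translate directly into a backup job's control points. The following added example (not part of the standard, and not a product's code) shows one way to build them in: a hash manifest records what was backed up, a pre-backup check refuses to overwrite the last good copy when too many source files have vanished, and restoration is verified into a separate test directory rather than over the original. The file tree, the 50% loss threshold and the manifest file name are assumptions made for the example; encryption of the backup (item f) is out of scope here.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

MAX_LOSS_RATIO = 0.5  # assumed threshold: abort when over half of the last backup's files are gone

def file_hashes(root):
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_for_inadvertent_loss(current, previous, max_loss_ratio=MAX_LOSS_RATIO):
    """Item g): refuse to overwrite the last good copy when too many source files have vanished."""
    missing = set(previous) - set(current)
    if previous and len(missing) / len(previous) > max_loss_ratio:
        raise RuntimeError(f"possible data loss: {len(missing)} of {len(previous)} files missing")

def take_backup(source, backup_dir, previous_manifest=None):
    """Item a): copy source to backup_dir and record a manifest of hashes; returns the manifest."""
    current = file_hashes(source)
    check_for_inadvertent_loss(current, previous_manifest or {})
    if backup_dir.exists():
        shutil.rmtree(backup_dir)
    shutil.copytree(source, backup_dir)
    backup_dir.with_name(backup_dir.name + ".manifest.json").write_text(json.dumps(current))
    return current

def verify_restore(backup_dir, manifest, restore_dir):
    """Item e): restore into a separate test location, never over the original, and check hashes."""
    if restore_dir.exists():
        shutil.rmtree(restore_dir)
    shutil.copytree(backup_dir, restore_dir)
    return file_hashes(restore_dir) == manifest

def demo():
    """Run one backup cycle on a constructed file tree inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base, src = Path(tmp), Path(tmp) / "data"
        (src / "sub").mkdir(parents=True)
        for name, text in [("a.txt", "alpha"), ("b.txt", "beta"), ("sub/c.txt", "gamma")]:
            (src / name).write_text(text)
        manifest = take_backup(src, base / "backup")
        restored_ok = verify_restore(base / "backup", manifest, base / "restore-test")
        for name in ("a.txt", "b.txt"):  # simulate inadvertent loss before the next run
            (src / name).unlink()
        try:
            take_backup(src, base / "backup", manifest)
            loss_detected = False
        except RuntimeError:
            loss_detected = True
        return {"files": len(manifest), "restored_ok": restored_ok, "loss_detected": loss_detected}
```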
When the organization uses a cloud service, backup copies of the organization’s information,
applications and systems in the cloud service environment should be taken. The organization should
determine if and how requirements for backup are fulfilled when using the information backup service
provided as part of the cloud service.

The retention period for essential business information should be determined, taking into account any
requirement for retention of archive copies. The organization should consider the deletion of
information (see 8.10) in storage media used for backup once the information’s retention period
expires and should take into consideration legislation and regulations.

Other information
For further information on storage security including retention consideration, see ISO/IEC 27040.
