One often overlooked aspect of a robust, well-architected, mature security program is the physical security posture of the organization. In fact, physical security is often an easy target for hackers and pentesters, and for auditors seeking assurance that an organization is taking reasonable precautions to protect the Confidentiality, Integrity, and Availability of its Information Assets.

Physical security is one of the main components of most auditing standards, whether NIST, the Center for Internet Security or others. For the control category "physical access to assets is managed and protected", the standards that address it include:

- COBIT 5 DSS01.04, DSS05.05
- ISA 62443-2-1:2009,
- ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3
- NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9


Not complying with basic physical security standards can make you fail an audit or receive a qualified opinion in an audit finding. This is a major issue for a large company, but even a much smaller organization looking to attract future prospects or larger clients and grow its business will find it hard to expand and grow revenue if it doesn't have enough safeguards in place to get accredited.


Not having strong physical security can be a revenue buster for a company.

It should go without saying as well that a weak physical security posture makes robbery and theft of equipment, merchandise and even money much easier. If an event occurs during working hours and any employees or customers are harmed, your risk and liability for major litigation could be huge.


Furthermore, if you don't have a strong physical security program in place you can say goodbye to the insurance company's policy reimbursing you for damages; they probably won't cover you if you're not adequately protecting yourself in the first place. For a small company of under 1000 users, for example, a major lawsuit arising out of gross negligence for not providing a secure workplace for its employees or customers could literally put you out of business. This of course is an extreme example, but one worth considering.

As stated above, strong physical security is in and of itself a strong deterrent.