Physical Security

Physical security protects an organisation’s premises, IT equipment and personnel against unauthorised access, theft and environmental threats. It is the foundation on which all technical security is built, because physical access to systems can bypass even the strongest digital defences.

What is physical security?

Physical security encompasses the measures that protect an organisation’s buildings, rooms, equipment and people against physical threats. It covers everything from access control at the main entrance to climate control in the server room and security cameras in the car park.

Many organisations focus on digital security and overlook the physical aspect. But an attacker with physical access to a server room can plug in a USB device, copy data from a hard drive or install hardware keyloggers. No amount of encryption, firewalls or endpoint security protects against a person who physically removes a server.

Physical security is closely connected to access control (who has access to what), identity management (how identity is verified) and monitoring (how unauthorised access is detected).

Layered security

Physical security is organised in concentric zones with increasing security levels:

• Perimeter: Fences, gates, lighting and surveillance of the building’s exterior. The purpose is deterrence and early detection.
• Building access: Access control systems at entrances, receptionist, visitor registration and security guards.
• Controlled zones: Office areas with access cards that restrict access to employees and approved guests.
• Secure zones: Server rooms, data centres and archives with strong access control such as multi-factor authentication (card reader plus PIN or biometrics).

This layered approach follows the principle of defence in depth. An attacker must pass multiple barriers, and each layer provides an opportunity for detection and response.

Specific measures

Physical security encompasses several types of measures:

Access control: Card readers, PIN codes, biometric authentication and key systems. Server rooms should require multi-factor access. Log all access attempts and review them regularly.

Surveillance: Cameras, alarm systems and motion sensors. Recordings should be retained for a period that permits investigation of incidents. Combine with digital monitoring for a unified view.

Environmental protection: Fire alarms, suppression systems, climate control (temperature and humidity) and water detectors in server rooms. Power supply with UPS and emergency generators ensures availability during power failures.

Equipment protection: Securing laptops with cable locks, screen filters that prevent shoulder-surfing, and secure disposal of media and equipment. This is closely related to data deletion upon decommissioning.

Staff training: Security awareness includes physical aspects: always lock the screen, do not hold doors open for unknown persons, and report suspicious behaviour.
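As an added illustration (not part of the original page) of what "log all access attempts and review them regularly" can look like against the zone model described above, the script below assumes a constructed badge-reader log format and flags three things worth a reviewer's attention: entry into an inner zone with no logged entry to the enclosing zone (possible tailgating or a bypassed reader), after-hours entry to a secure zone, and repeated denials at one door.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Nested zones from the outermost inwards (assumed model); a granted entry
# into an inner zone should be preceded by a granted entry into the enclosing zone.
ZONES = ["building", "controlled", "secure"]

# Constructed badge-reader log, not real data: time, badge, door, zone, result
SAMPLE_LOG = """\
2024-03-04T08:01:10 B1001 MAIN-ENT building granted
2024-03-04T08:02:30 B1001 OFF-2F controlled granted
2024-03-04T08:15:05 B1001 SRV-01 secure granted
2024-03-04T08:20:00 B2002 SRV-01 secure granted
2024-03-04T21:05:00 B1001 SRV-01 secure granted
2024-03-04T22:31:00 B3003 SRV-01 secure denied
2024-03-04T22:32:10 B3003 SRV-01 secure denied
2024-03-04T22:33:40 B3003 SRV-01 secure denied
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, badge, door, zone, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, zone, result))
    return sorted(events)

def review(log, window=timedelta(minutes=10), max_denied=3, after_hours=(20, 6)):
    """Return review findings as (badge, rule) pairs in time order."""
    findings = []
    seen = defaultdict(set)      # badge -> zones entered (granted) earlier in the log
    denied = defaultdict(list)   # (badge, door) -> timestamps of recent denials
    for ts, badge, door, zone, result in parse(log):
        if result == "denied":
            hits = denied[(badge, door)]
            hits.append(ts)
            hits[:] = [t for t in hits if ts - t <= window]  # keep only the window
            if len(hits) >= max_denied:
                findings.append((badge, f"repeated denials at {door}"))
            continue
        depth = ZONES.index(zone)
        if depth > 0 and ZONES[depth - 1] not in seen[badge]:
            # No logged entry to the enclosing zone: possible tailgating or a
            # bypassed reader; send to manual review together with camera footage.
            findings.append((badge, f"zone skip into {zone} via {door}"))
        seen[badge].add(zone)
        if zone == "secure" and (ts.hour >= after_hours[0] or ts.hour < after_hours[1]):
            findings.append((badge, f"after-hours access at {door}"))
    return findings
```

Calling `review(SAMPLE_LOG)` yields one finding per rule for the sample above; in practice the thresholds, hours and zone list would come from the organisation's own policy.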

Regulations and standards

ISO 27001 has an entire section in Annex A (A.7) dedicated to physical controls: secure areas, physical access control, protection against environmental threats, working in secure areas, and secure disposal of equipment. An ISMS must address physical security.

NIS2 requires organisations to protect their critical infrastructure, which includes physical security of IT systems. DORA imposes similar requirements on financial institutions’ physical ICT security.

CIS 18 addresses physical security indirectly through Control 1 (inventory management) and Control 4 (secure configuration). Under GDPR, physical security is part of the technical and organisational measures for protecting personal data.

Frequently Asked Questions about Physical Security

Why is physical security important for IT security?

If an attacker gains physical access to servers, network equipment or workstations, they can bypass many digital security measures. Physical security is the foundation on which technical security is built.

What are security zones?

Security zones are areas with different security levels. Typically: public zone (reception), controlled zone (office), restricted zone (server room) and high-security zone (data centre). Access requirements increase with each zone.

Must physical security be documented in an ISMS?

Yes. ISO 27001 Annex A has an entire section (A.7) dedicated to physical controls, including secure areas, access control, equipment protection and secure disposal. Physical security is a mandatory part of an ISMS.
