
I'm looking for actual specific standards that apply to physical access control for Information Security office space. Long story short, our building manager wants an open office concept, and in order to argue this, my boss wants some specific standards. We have to meet NIST and PCI requirements, but we also model our corporate policy from COBIT.

Tom K.
IBUS

2 Answers


You probably want to have a look at the ISO 27001 standards.

https://www.itgovernance.co.uk/iso27001

Here are a couple of web pages specifically focusing on the physical aspects of offices for security:

https://www.churchillsecurity.co.uk/2017/03/08/iso-27001-protect-secure-areas/

https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

Google the following terms to find many others:

iso27001 physical security of offices

JesseM

There is no fixed standard, but there are many recommended ('best') practices. The core tenet of ISO 27001 or similar frameworks, including COBIT, is that your organization implements, monitors, and improves your organizational policy. If your boss can set security policy and he or she declares open offices inappropriate for information security team workspace, then that could suffice. This is your shortest path from 'here' to 'there'.

In reality, this will depend on your organization's risk profile and the nature of your team's work. I've worked on some teams where an open office plan was absolutely out of the question, and others where it was not only not an issue, but nearly a requirement for that team to function in the organization. YMMV.

jth