| Indicator | Risk description | Possible solutions | References |
|---|---|---|---|
| External boundaries of premises | Inadequate protection of the premises against external intrusion. | Where appropriate, secure perimeter fencing is in place, with regular inspections to check integrity and damage and with planned maintenance and repairs; where appropriate, controlled areas for authorised personnel only are adequately signed and controlled; regular patrols by security staff. | SAQ 6.2; ISO 28001:2007, section A.3; ISPS Code |
| Gates and gateways | Existence of gates or gateways which are not monitored. | All gates or gateways in use should be secured by appropriate measures, e.g. CCTV and/or an entry control system (lighting, beamers, etc.); CCTV is only useful when the recordings can be evaluated and lead to timely reactions; where appropriate, implement procedures to ensure the protection of access points. | ISO 28001:2007, section A.3; ISPS Code |
| Locking devices | Inadequate locking devices for external and internal doors, windows, gates and fences. | An instruction/procedure on the use of keys is in place and available to the staff concerned; only authorised personnel have access to keys for locked buildings, sites, rooms, secure areas, filing cabinets, safes, vehicles, machinery and air cargo; periodic inventories of locks and keys are conducted; attempts at unauthorised access are logged and this information is checked on a regular basis; windows and doors should be locked when nobody is working in the room/office concerned. | SAQ 6.2.4; ISO 28001:2007, section A.3 |
| Lighting | Inadequate lighting for external and internal doors, windows, gates, fences and parking areas. | Adequate lighting inside and outside; where appropriate, the use of back-up generators or alternative power supplies to ensure constant lighting during any disruption to the local power supply; plans in place to maintain and repair equipment. | SAQ 6.2.4 |
| Procedures for access to keys | Lack of adequate procedures for access to keys. Unauthorised access to keys. | A key access control procedure should be implemented; keys should be handed out only after registration and returned immediately after use, and the return of the key must also be registered. | ISO 28001:2007, section A.3.3 |
| Internal physical security measures | Inappropriate access to internal sections of the premises. | Implement a process to distinguish the different categories of employees on the premises (e.g. jackets, badges); access is controlled and personalised according to the employee's position. | ISO 28001:2007, sections A.3, A.4; ISPS Code |
| Parking of private vehicles | Lack of adequate procedures for parking of private vehicles. Inadequate protection of the premises against external intrusion. | The number of vehicles with access to the premises should be as limited as possible; specially designated car park areas for visitors and staff are remote from any cargo handling or storage areas; identification of the risks and threats of unauthorised entry of private vehicles into protected areas; defined rules/procedures for the entry of private vehicles into the applicant's premises; where there is no separate parking area for visitors and employees, visitors' cars should carry an identification. | |
| Maintenance of external boundaries and buildings | Inadequate protection of the premises against external intrusion as a result of inappropriate maintenance. | Regular maintenance of the external boundaries of the premises and of the buildings, and whenever an anomaly is detected. | ISO 28001:2007, section A.3 |