Physical security

ICT systems are especially vulnerable to attack and misuse of information stored on them, so they require particular care. 

PHY059

This section sets out the mandatory requirements for the physical security of ICT systems.

Introduction to physical security for ICT systems

ICT systems are protected by a combination of physical and logical controls. Logical access controls are detailed in the New Zealand Information Security Manual.




Secure your ICT facilities

Protect your ICT facilities and the information held within them.

ICT facilities that need physical security

Your organisation should have dedicated ICT facilities to house your ICT systems, components of your ICT systems, or ICT equipment.




Outsourced ICT facilities

Meet your obligations to protect information when you outsource ICT facilities. Your organisation must ensure that outsourced ICT facilities meet the physical security requirements for ICT systems.

Preparing to use a data centre

Before you use a data centre, you must assess the aggregated (combined) value of the official information you plan to store in it.




Secure your ICT equipment

Physical security measures for ICT equipment help to ensure your organisation stays operational. ICT equipment is essential for processing, storing, and communicating your organisation’s information.




Secure your ICT system equipment

Protect your information lifelines.

Which ICT system equipment needs physical security

As well as the ICT equipment mentioned in Secure your ICT equipment, you need to have physical security in place for: servers, including dedicated devices and laptops used as servers; other communication network devices — for example, PABX; supporting network infrastructure — for example, cabling and patch panels; gateway devices — for example, routers, and network access devices.




Prepare for disasters

Protect ICT systems and equipment from disasters.

Including ICT in your business continuity plans

Your organisation’s disaster recovery and business continuity plans should include availability requirements for information held in ICT equipment.