Physical Security¶
Digital controls don't help if someone can walk into an office, plug into the network, or take documents off a desk. This policy sets the basics for premises, server rooms, and clear-desk handling of confidential material. It's proportionate: an engineering office isn't a data centre, and controls scale to each site's risk.
1. Premises access¶
| Ref | Requirement |
|---|---|
| PHY.1 | Access to Holmes premises MUST be controlled proportionately to site risk, and after-hours access MUST require individual authentication, for example proximity card plus PIN. |
| PHY.2 | Areas holding RESTRICTED information or critical infrastructure MUST have additional access restriction. |
| PHY.3 | Visitors MUST be managed appropriately for the site: sign-in, and escort where warranted. |
2. Server rooms and network equipment¶
| Ref | Requirement |
|---|---|
| PHY.4 | Server rooms, comms rooms, and network and firewall equipment MUST be in locked areas accessible only to authorised people (07 NET.11). |
| PHY.5 | Physical network ports in accessible areas SHOULD be controlled to stop unauthorised devices gaining useful access (07 NET.4). |
| PHY.6 | Offices SHOULD have monitored alarms and, where warranted, access logging or CCTV, reviewed on a defined basis. |
3. Clear desk and documents¶
| Ref | Requirement |
|---|---|
| PHY.7 | CONFIDENTIAL and RESTRICTED physical documents MUST be secured when unattended and disposed of securely (02 IC.6, IC.7). |
| PHY.8 | Devices MUST be locked or secured when workstations are unattended (01, 06). |
4. Legal & jurisdictional notes¶
Physical safeguards are an explicit part of reasonable security safeguards (NZ IPP5), reasonable steps (AU APP 11), and appropriate technical measures (GDPR Art. 32). A purely digital control set is incomplete without them.
Sites handling US CUI or ITAR-controlled material (02, section 7) may face specific physical-access and US-person requirements, to be confirmed per engagement.
Related policies¶
00 Framework, 02 Information Classification, 06 Endpoint & Mobile, 07 Network & Infrastructure.