Skip to content

Physical Security

Digital controls don't help if someone can walk into an office, plug into the network, or take documents off a desk. This policy sets the basics for premises, server rooms, and clear-desk handling of confidential material. It's proportionate: an engineering office isn't a data centre, and controls scale to each site's risk.

1. Premises access

Ref Requirement
PHY.1 Access to Holmes premises MUST be controlled proportionately to site risk, and after-hours access MUST require individual authentication, for example proximity card plus PIN.
PHY.2 Areas holding RESTRICTED information or critical infrastructure MUST have additional access restriction.
PHY.3 Visitors MUST be managed appropriately for the site: sign-in, and escort where warranted.

2. Server rooms and network equipment

Ref Requirement
PHY.4 Server rooms, comms rooms, and network and firewall equipment MUST be in locked areas accessible only to authorised people (07 NET.11).
PHY.5 Physical network ports in accessible areas SHOULD be controlled to stop unauthorised devices gaining useful access (07 NET.4).
PHY.6 Offices SHOULD have monitored alarms and, where warranted, access logging or CCTV, reviewed on a defined basis.

3. Clear desk and documents

Ref Requirement
PHY.7 CONFIDENTIAL and RESTRICTED physical documents MUST be secured when unattended and disposed of securely (02 IC.6, IC.7).
PHY.8 Devices MUST be locked or secured when workstations are unattended (01, 06).

Physical safeguards are an explicit part of reasonable security safeguards (NZ IPP5), reasonable steps (AU APP 11), and appropriate technical measures (GDPR Art. 32). A purely digital control set is incomplete without them.

Sites handling US CUI or ITAR-controlled material (02, section 7) may face specific physical-access and US-person requirements, to be confirmed per engagement.

00 Framework, 02 Information Classification, 06 Endpoint & Mobile, 07 Network & Infrastructure.