Currently there is a lot of focus on cybercriminals infiltrating networks, and rightly so! However, there are risks to your data security in your offices too. If someone can access the area where your servers are, they can potentially take your data the old-fashioned way – walking out with it.

While you may not think it necessary to implement all the below in your business, it may give food for thought as to how you can better secure your data and systems against physical access to unauthorised individuals.

Physical Security Policy Template

1. Purpose
In order to ensure the continued protection of the personal, confidential and restricted information that Company holds and uses, and to comply with legislative requirements and information security best practice, access to Company information equipment and information must be protected.

2. Scope
This policy applies to all Company employees and affiliates.

3. Policy
Physical security must begin with the building itself and an assessment of perimeter vulnerability must be conducted. The building must have appropriate control mechanisms in place for the type of information and equipment that is stored there. These include, but are not restricted to, the following:

  • Alarms fitted and activated outside working hours
  • Window and door locks
  • Window bars on lower floor levels
  • Access control mechanisms fitted to all accessible doors
  • CCTV cameras with coverage of all entry and exit points plus secure areas
  • Staffed reception area.
  • Protection against damage – e.g. fire, flood, vandalism.

As an example, access to secure areas such as the data centre and IT equipment rooms must be adequately controlled and physical access to buildings should be restricted to authorised persons. Staff working in secure areas should challenge anyone not wearing a badge or tag. Each department must ensure that doors and windows are properly secured.

Data centre and network communications areas must be protected by two-factor authentication and restricted to approved and inducted individuals.

Identification and access tools/passes (e.g. badges, keys, entry codes etc.) must only be held by officers authorised to access those areas and should not be loaned/provided to anyone else.

Visitors to secure areas are required to sign in and out with arrival and departure times and are required to wear an identification badge. An employee must monitor all visitors accessing secure IT areas at all times.

Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally in the secure storage room. Keys are not stored near these secure areas or lockable cabinets.

In all cases where security processes are in place, instructions must be issued to address the event of a security breach. Where breaches do occur, or a member of staff leaves outside normal termination circumstances, all identification and access tools/passes (e.g. badges, keys etc.) should be recovered from the staff member and any door/access codes should be changed immediately.

Non-Electronic Information Security

Paper based (or similar non-electronic) information must be assigned an owner and classified. If it is classified as ‘protect’ or ‘restricted’, information security controls to protect it must be put in place. A risk assessment should identify the appropriate level of protection for the information being stored. Paper in an open office must be protected by the controls for the building and via appropriate measures that could include, but are not restricted to, the following:

  • Filing cabinets that are locked with the keys stored away from the cabinet.
  • Locked safes.
  • Stored in a Secure Area protected by access controls.

Equipment Security

All general computer equipment must be located in suitable physical locations that:

  • Limit the risks from environmental hazards – e.g. heat, fire, smoke, water, dust and vibration.
  • Limit the risk of theft – e.g. if necessary items such as laptops should be physically attached to the desk.
  • Allow workstations handling sensitive data to be positioned so as to eliminate the risk of the data being seen by unauthorised people.

Desktop PCs should not have data stored on the local hard drive. Data should be stored on the network file servers where appropriate. This ensures that information lost, stolen or damaged via unauthorised access can be restored with its integrity maintained.

All servers located outside of the data centre must be sited in a physically secure environment. Business critical systems should be protected by an Un-interrupted Power Supply (UPS) to reduce the operating system and data corruption risk from power failures. The equipment must not be moved or modified by anyone without authorisation from IT and CAB.

Cabling Security

A registered cabler must be used for all cabling. Cables that carry data or support key information services must be protected from interception or damage. Power cables should be separated from network cables to prevent interference. Network cables should be protected by conduit and where possible avoid routes through public areas.

Looking for more policy templates?

Here are some further policy templates you are free to copy and edit:



This page provides general information as a guide only, to be used at your sole risk. It does not constitute legal or other professional advice and you should seek such advice specific to your circumstances in implementing any workplace policies.