Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024), Control 2-14-1: Cybersecurity requirements for physical protection of information and technology assets must be defined, documented and approved.
Understanding the Requirement
This control requires an organization to define, document and obtain executive approval for the cybersecurity rules that protect information and technology assets from unauthorized physical access and related risks. The policy should cover permitted and authorized access to critical areas, CCTV and surveillance record handling, secure disposal and reuse of physical media, and protection of devices both inside and outside facilities. This control is part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and must be backed by Executive Management sign-off so the requirements become formally enforced and resourced.
Technical Implementation
- Create a documented Physical Security Policy. Draft a concise policy that lists physical controls (badges, locks, visitor procedures), defines critical areas (data center, server rooms, backup storage, records rooms), and states retention periods and handling rules for surveillance footage and access logs. Include explicit requirements for protecting devices outside the office (laptops, mobile devices, removable media).
- Inventory and classify physical assets. Maintain an asset register that tags information-bearing physical assets by sensitivity (e.g., public, internal, confidential). Use the register to decide which assets need stronger physical controls, secure storage, or tracked disposal procedures.
- Implement access controls and monitoring. Deploy badge access, mechanical locks, or keyed cabinets for critical areas. Configure CCTV placement to cover entry/exit points and critical assets; define camera retention and access-to-footage rules. Ensure access logs (badge and CCTV events) are centrally stored and reviewed periodically.
- Define secure disposal and reuse procedures. Establish step-by-step procedures for sanitizing, destroying, or repurposing storage media and devices that held classified information (e.g., verified overwrite, degaussing, physical destruction). Require chain-of-custody records and a final approval sign-off before asset reuse or disposal.
- Assign roles, training, and vendor controls. Designate a physical security owner and ensure executive-level approval is documented. Train staff on visitor escorting, badge use, and device handling. For third-party vendors (cleaning, maintenance, disposal), require background checks, limited access windows, and contractual security obligations.
- Review, test, and report to executives. Schedule regular audits and tabletop tests of physical protections (e.g., badge deactivation test, CCTV access request process). Produce a short executive summary for the organization head or deputy showing findings and control effectiveness to maintain the required approval and support.
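The periodic access-log review in the monitoring step, combined with the vendor access windows in the roles and vendor step, can be turned into a repeatable check. The script below is an added example written for this page and is not part of the ECC framework or any product; the log line format (timestamp, badge, area, result), the area names, the badge identifiers, the authorization table and the vendor window are all constructed for illustration, and a real deployment would read these from the asset register and the badge system's export. It flags four classes of event that a reviewer would want to see in the executive summary: denied attempts on critical areas, vendor entries outside their permitted window, badges not authorized for the area they entered, and authorized staff entering outside business hours.

```python
"""Added example: periodic review of badge access logs against the physical
security policy (authorized badges per critical area, vendor access windows,
business hours). All data below is constructed for illustration."""
from datetime import datetime, time

# Constructed asset register entries: areas the policy marks as critical.
CRITICAL_AREAS = {"server-closet", "records-locker"}

# Constructed authorization table: which badges may enter which critical area.
AUTHORIZED = {
    "server-closet": {"B001", "B002"},   # hypothetical IT manager and deputy
    "records-locker": {"B001", "B003"},  # hypothetical IT manager and records owner
}

# Constructed vendor access windows: badge -> (start, end), weekdays only.
VENDOR_WINDOWS = {"V100": (time(9, 0), time(12, 0))}

# Assumed business hours for staff entry to critical areas.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed sample badge log: timestamp,badge,area,result (2024-03-04 is a Monday).
SAMPLE_LOG = """\
2024-03-04T08:15:00,B001,server-closet,granted
2024-03-04T10:30:00,V100,server-closet,granted
2024-03-04T13:45:00,V100,server-closet,granted
2024-03-04T22:10:00,B002,server-closet,granted
2024-03-05T09:00:00,B004,records-locker,granted
2024-03-05T09:05:00,B004,records-locker,denied
2024-03-06T11:00:00,B003,lobby,granted
"""


def parse_log(text):
    """Parse the constructed comma-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, area, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "area": area, "result": result})
    return events


def in_window(ts, window):
    """True if ts falls on a weekday within the (start, end) time window."""
    start, end = window
    return ts.weekday() < 5 and start <= ts.time() <= end


def review_access(events):
    """Return (timestamp, badge, area, reason) findings for events on critical areas
    that the policy does not permit or that merit reviewer attention."""
    findings = []
    for e in events:
        ts, badge, area, result = e["ts"], e["badge"], e["area"], e["result"]
        if area not in CRITICAL_AREAS:
            continue  # non-critical areas are out of scope for this review
        stamp = ts.isoformat()
        if result != "granted":
            findings.append((stamp, badge, area, "denied attempt on critical area"))
            continue
        if badge in VENDOR_WINDOWS:
            # Vendors are permitted only inside their contractual window.
            if not in_window(ts, VENDOR_WINDOWS[badge]):
                findings.append((stamp, badge, area, "vendor entry outside permitted window"))
            continue
        if badge not in AUTHORIZED.get(area, set()):
            findings.append((stamp, badge, area, "badge not authorized for this area"))
        elif not in_window(ts, BUSINESS_HOURS):
            findings.append((stamp, badge, area, "authorized entry outside business hours"))
    return findings


def summarize(findings):
    """Count findings by reason, suitable for the short executive summary."""
    counts = {}
    for _, _, _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(parse_log(SAMPLE_LOG))
    for finding in results:
        print(*finding)
    print(summarize(results))
```

The review deliberately treats a denied attempt on a critical area as a finding rather than noise: a badge that was never authorized for the records locker trying the door is exactly the event the periodic review exists to surface, and a cluster of such attempts from one badge should prompt a check of whether that badge is lost or shared.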
Example in a Small or Medium Business
A 60-person marketing firm decides to implement Control 2-14-1. They start by inventorying all laptops, external drives, printed records, and the small server closet, marking items that contain customer or financial data as confidential. The IT manager writes a physical security policy that maps the server closet and records locker as critical areas and specifies badge access for employees and escorted visits for contractors. The company installs electronic locks on the server closet, positions a single CCTV camera to cover the main entrance and server door, and sets a 30-day retention period for footage with access restricted to three managers. They contract a certified asset disposal provider with a documented chain-of-custody process for old drives and require IT sign-off before any device is repurposed. Executive leadership reviews and formally approves the policy, and quarterly checks are scheduled with short reports to the CEO to ensure continued support and budgeting for necessary upgrades.
Summary
Defining, documenting and obtaining executive approval for physical cybersecurity requirements turns informal practices into enforceable controls. By combining a clear policy, asset classification, access and monitoring controls, secure disposal procedures, assigned responsibilities and periodic review, SMBs can reduce the risk of unauthorized physical access and data exposure. Executive backing ensures resources and accountability so these measures remain effective and sustained over time.