
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-14-2

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-14-2

January 17, 2026
3 min read


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-14-2 – The cybersecurity requirements for physical protection of information and technology assets must be implemented.

Understanding the Requirement

This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework requires organizations to implement and operationalize measures that prevent unauthorized physical access, loss, theft, or vandalism of information and technology assets. At a practical level it means defining and enforcing who can enter critical areas, protecting and retaining surveillance and access records, securing devices whether on-site or off-site, and ensuring secure destruction or reuse of media and equipment that store sensitive information.

Technical Implementation

  • Develop an action plan and governance: document a prioritized plan that identifies critical areas (server rooms, backup storage, asset storage), assigns owners, sets timelines, and maps risks to mitigations. Include periodic review and a budget line for physical security improvements.

  • Access control for critical areas: implement layered controls—door locks, electronic badge or keypad access for server rooms and archives, clear visitor procedures (escort policy, sign-in/sign-out logs), and managed key control with an auditable log of key issuance and returns.

  • CCTV and record protection: deploy CCTV to cover entrances, exits, and critical areas. Define retention periods and access rules for recordings, store footage securely (encrypted at rest), and restrict playback/export privileges to authorized personnel only.

  • Asset inventory and device security: maintain a tagged inventory of all devices that hold or access sensitive data. Apply endpoint controls (full disk encryption, MDM or remote wipe for laptops/phones), lockable cabinets for portable media, and clearly label devices that must not leave the premises without approval.

  • Secure disposal and reuse procedures: implement and document standardized disposal steps—data sanitization (industry-appropriate wiping or cryptographic erasure), physical destruction (shredding, degaussing, crushing) where required, and a chain-of-custody record for disposed assets. Require verification before re-issuing devices.

  • Policies, training and incident readiness: include these physical protection requirements in formal procedures provided to employees, contractors, and onsite third parties. Train staff on reporting lost/stolen devices, suspicious behavior, and the location of critical assets. Add physical-incident response steps into your overall incident response plan (containment, evidence preservation, notifying stakeholders).
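The disposal and reuse procedure above, as an added example that is not the article's own code or any vendor's product: a small Python chain-of-custody log that refuses to mark a device as re-issued until a second person has recorded verification of the wipe, and hash-chains each entry so later edits to the record are detectable. The state names, asset tags and actor names are assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Permitted steps for a device leaving service (a hypothetical model of the procedure):
# "reissued" is reachable only via "verified"; a drive that held sensitive data is "destroyed".
TRANSITIONS = {
    "in_use": {"retired"},
    "retired": {"wiped", "destroyed"},
    "wiped": {"verified", "destroyed"},
    "verified": {"reissued", "destroyed"},
    "destroyed": set(),
    "reissued": set(),
}
GENESIS = "0" * 64


def _digest(record):
    """SHA-256 over a canonical JSON encoding of the record (hash field excluded)."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only, hash-chained chain-of-custody record for disposed assets."""

    def __init__(self):
        self.entries = []   # each entry carries the hash of the one before it
        self.state = {}     # asset tag -> current state

    def record(self, tag, new_state, actor, note=""):
        """Move an asset to new_state, refusing any step the procedure does not allow."""
        current = self.state.get(tag, "in_use")
        if new_state not in TRANSITIONS[current]:
            raise ValueError(f"{tag}: {current} -> {new_state} is not a permitted step")
        entry = {"tag": tag, "from": current, "to": new_state, "actor": actor,
                 "note": note, "ts": datetime.now(timezone.utc).isoformat(),
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self.state[tag] = new_state
        return entry["hash"]

    def verify_chain(self):
        """Recompute every hash and link; False if an entry was edited, dropped or reordered."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Keep the log itself under the same access restrictions as the CCTV recordings: the hash chain reveals tampering after the fact, it does not prevent it.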

Example in a Small or Medium Business

A 35-person design agency centralizes servers and backup drives in a small locked room near reception. The owner creates an action plan that assigns the IT lead responsibility for access control and CCTV, buys electronic locks with badge access, and sets up a visitor sign-in procedure requiring badges and escorts. Laptops and external hard drives are tagged in an asset register; full disk encryption and an MDM profile are applied to all staff laptops so they can be wiped remotely if lost. CCTV cameras monitor the reception, server room door, and storage closet; footage is retained for 30 days and only HR and the IT lead can request exports when investigating an incident. For end-of-life devices the agency uses a two-step process: certified data wiping by IT followed by physical destruction for drives that contained client work, with disposal logged in a chain-of-custody record. Regular staff briefings and a short checklist for leaving devices in taxis or cafés reduce risky behavior, and the agency tests the lost-device process annually to ensure quick containment if a device goes missing.

Summary

Combining clear policies and an actionable technical program meets Control 2-14-2 by reducing opportunities for unauthorized access, loss, theft, and vandalism. A simple plan, controlled physical access, CCTV with protected records, an accurate asset inventory, secure disposal procedures, and staff training form a practical, cost-effective package for SMBs to protect information and technology assets. Regular reviews and incident readiness ensure these measures remain effective as the business grows.
