Nine basic controls that ISO27002 recommends should be considered
1. Key storage areas and keyed entrance areas should be sited to avoid access by unauthorized persons and by the public.
2. Buildings that contain information processing facilities should be unobtrusive and give as little indication as possible of their presence or purpose.
3. Office machinery, such as faxes and photocopiers, should be sited within the secure perimeter in such a way that access to more secure rooms is not required.
4. Doors and windows should be locked when the building or room is unattended. External protection, such as burglar bars, should be considered in the context of the risk assessment for ground-floor and any other accessible windows.
5. Information processing facilities managed by the organization should be physically separate from those managed by third parties, even if this means erecting a cage or some other form of physical security within a shared secure area.
6. Internal directories or telephone books or other guides that identify the location or telephone numbers of secure, sensitive areas should not be accessible by the public or unauthorized persons.
7. Hazardous or combustible material, particularly office stationery, should not be bulk-stored within a secure area.
8. Back-up equipment and media should not be stored with the equipment that they back up, so that the organization can actually restore operations if its front-line facilities are lost or otherwise compromised (through, for example, a fire in the server room or terrorist activity affecting the whole of the premises).
9. Keys should not be left in locks, irrespective of whether or not the access route has an automatic door closer.