Group : Access control

Exists

Control
13602 - Closed-circuit TV cameras (CCTV) should be installed both inside and
outside the areas providing access to the roof terrace.
2771 - A pair of synchronized doors should be used at the entrance of the
datacenter.
2773 - Guests and service providers' employees should be allowed to go in only
after being properly authorized.
2774 - The ways of access to critical areas of the facility should be monitored by
closed circuit TV.
2775 - Access to the datacenter should be determined by security perimeters.
2776 - An automatic closing device should be installed on doors providing
access to the datacenter.
2777 - Only people wearing their identification badges in a way that makes them
clearly visible should be allowed in the data center.
2779 - Authorized personnel should always accompany visitors and service
providers.
2780 - Devices should be installed to block entry into the datacenter through
areas which are not frequently used.
2781 - Datacenter's doors should be equipped with alarms programmed to go on
whenever they are opened.
2782 - The key cabinet must be placed somewhere protected against
unauthorized access.
2783 - Fireproof doors and windows should periodically be checked to see
whether they are properly closed.
2784 - Reinforced bars should be installed on easily accessible windows to
outside areas and on skylights.
2785 - The door installed on the terrace roof should provide only outward
access.
2786 - Opening of emergency exit doors should only be allowed from the inside
of the data center.
2787 - Entrance through parking areas or car entrances exclusive to the
datacenter building should be allowed only to previously authorized persons.
2788 - All vehicles going in or out of the data center building's parking garage
should be carefully checked.
2789 - The comings and goings of assets, and all sorts of materials, in the facility
should be controlled.
2790 - The way of access for vehicles, especially when inside the building main
structure, should be protected.
2791 - TV cameras should be used to monitor the building's parking lot and
garage.
2792 - Redundancy should be provided to the electrical power infrastructure that
supplies electricity to the access control systems.
2793 - A mechanism restricting access to authorized persons should be installed
on emergency, equipment and maintenance entrances.

2794 - An access control mechanism should be installed on the datacenter to

restrict access after work hours.
2795 - The Closed Circuit TV should be connected to an alarm system.
2826 - Security rounds should happen as often as possible, 7 x 24.
28262 - Access to the switchboards of the datacenter's telecommunication
facilities should be restricted to authorized users.
2864 - The maintenance and cleaning personnel should be rigorously monitored.
2865 - Cleaning and maintenance personnel should be treated as visitors when
in areas of maximum security.
2940 - Access authorization should be required for entry into the datacenter.
Group : Building infrastructure
17188 - The doors providing access to the data center should look like common
doors.
2827 - A reception area should be set as a clear zone in order to isolate the data
center from other facilities.
2828 - Materials which are resistant to break-in attempts, as well as to fire and
water should be installed on the doors, windows and walls of the datacenter.
2829 - The datacenter should be located away from risk areas.
2830 - The data center should be located in a building used exclusively by the
organization to which it belongs or by organizations belonging to the same
business group.
2831 - Data center windows should face areas of the building's interior.
2832 - The elevated floor should be laid at an adequate height from the
building's floor concrete structure.
2833 - Mechanisms for permanent lighting should be installed in the datacenter.
2834 - The data center should have the necessary number of ways of access.
2835 - Signs showing the location of the datacenter should be removed.
2837 - The empty space underneath the elevated floor should be walled to
prevent invaders from using it to break in, especially at the data center's outer
perimeter.
2839 - The data center should be situated above the ground level.
2841 - Physical barriers should be built along the external walls of the data
center, effectively leaving no gaps between the building's floors concrete
structures.
2842 - The data center environment should be situated where rescue and
emergency teams and equipment would be able to easily access it.
Group : Cabling

2737 - Switchboards and connection boxes used for communication cables

should be kept locked.
2738 - Cabling should be laid out in a way that prevents electromagnetic
interferences.
2739 - All cables existing in the environment should be marked and labeled.
2741 - Compliance of the voice and data cabling system with structured cable
standards and regulations should be checked.
2743 - Each type of network (such as the power distribution, telephone,
automation control, data, sound and signal networks), with its corresponding
wiring or cabling, should be installed separately.
2744 - Cables that are not being used should be removed from the data center.
28263 - Cables belonging to the datacenter telecommunication infrastructure
should be installed directly (end-to-end) without any seams and/or extensions.
Group : Climate control
2737 - Switchboards and connection boxes used for communication cables
should be kept locked.
2738 - Cabling should be laid out in a way that prevents electromagnetic
interferences.
2739 - All cables existing in the environment should be marked and labeled.
2741 - Compliance of the voice and data cabling system with structured cable
standards and regulations should be checked.
2743 - Each type of network (such as the power distribution, telephone,
automation control, data, sound and signal networks), with its corresponding
wiring or cabling, should be installed separately.
2744 - Cables that are not being used should be removed from the data center.
28263 - Cables belonging to the datacenter telecommunication infrastructure
should be installed directly (end-to-end) without any seams and/or extensions.
2753 - An extra air conditioning system for using during contingencies should be
specified and installed.
2754 - The datacenter's air conditioning system should be independent from the
other systems in the building, responding exclusively to the datacenter's
demand.
2755 - Protection mesh should be installed to guard external cooling equipment.
2756 - The cooling systems supplying the datacenter should be provided with
mechanisms for maintaining continuous power.
2757 - Preventive maintenance services performed on the air-conditioning
system should be recorded.
2758 - Air-conditioning systems should be installed in locked, covered
compartments.
2759 - The cold water circuit for the fan coils should be coated with heat
insulating material.
2760 - The water ducts of the air-conditioning system should be protected
against corrosion.

Group : Compliance
6524 - Corporate servers should be periodically checked to see whether their
configuration is in compliance with the established security standards and
requirements.
Group : Data/voice communication
2768 - Telephone lines should be protected against tapping.
2769 - The telephone lines should be frequently checked for tapping and
listening devices.
2770 - The telephone lines installed on the data center should not be allowed to
accept or make external calls.
Group : Electric circuits and power
17189 - The data center's power circuits should be divided according to the load
distribution.
2799 - Lightning rods should be installed to protect equipment and buildings.
2800 - Insulating material should be applied to the exposed areas of the data
center's electric installations.
2801 - Conductive installations and all types of conductive equipment that are
submitted to significant power levels should be electrically connected to the
ground.
2802 - Mechanisms to block access to electrical switchboards and control panels
should be installed in the datacenter.
2803 - Only the energy grid and control circuits belonging to the data center
should be located inside its facilities.
2805 - The circuits used for the datacenter should have a sufficient amount of
electric outlets.
2806 - Power outlets located on the floor should have a protective cover.
2808 - Emergency lights should be installed in the correct places inside the data
center facilities.
2809 - A redundant electric grid for the equipments should be in place and ready
for use.
2810 - The voltage at the entry point of the electrical distribution panels should
be monitored by a voltmeter that is capable of logging the readouts.
2811 - The amperage at the entry point of the electrical distribution panels should
be monitored by an ammeter that is capable of logging the readouts.
2813 - Up-to-date electric grid plans should be kept by the maintenance
personnel of the building's security team.
2814 - The IT hardware's supply electric power should be stabilized and fed by
exclusive non-shared wirings.
2815 - Electric generators and no-breaks should be installed in order to ensure
the continuous supply of power for the critical equipments.
2816 - Transformers, capacitors, stabilizers, central power generators and other
critical electric equipment should be well sheltered and protected.

2818 - Circuit breakers should be installed on the datacenter's electrical circuits.

3375 - The circuit breakers of the power distribution panels should be properly
labeled.
Group : Fire protection and treatment
2735 - Flammable material should be stored in well-ventilated environments.
2804 - Automatic fire extinguishing systems should be installed in the datacenter.
2846 - Emergency exits should be located so as to facilitate evacuation of the
environment.
2847 - Fire drills should be performed periodically involving the people that work
in the environment.
2848 - Portable fire extinguishers, compatible with the classes of fire to be
fought, should be installed in the environment.
2849 - The fire extinguishers should be placed in accessible locations.
2850 - An identification tag should be attached to all fire extinguishers.
2853 - A sufficiently large number of fire alarms should be installed on every floor
of the building.
2854 - The fire alarm sound should use distinct tone and pitch from the other
sound-generating devices present in the environment.
2855 - Smoke detectors should be installed in the facility as a way of detecting
fire.
2856 - A fire suppression system based on pressurized gas should be installed in
the environment.
2857 - Smoke detectors should be periodically tested.
2858 - The fire alarms should be tested periodically.
2859 - Fire and smoke detectors should be located under the raised floor.
2860 - Fire and smoke detectors should be located above the lowered ceiling.
2861 - Smoke detectors should be installed in the ventilating ducts of the air
conditioning system.
2862 - Fire extinguishers inspections should be recorded.
2863 - Inflammable material should be removed from the faciltiy or replaced with
fireproof equivalents.
Group : Hydraulics
2819 - Pipes with pressurized liquids should be repositioned outside the
datacenter.
2820 - Sewage drainage pipes that pass through the datacenter should be
removed.

2821 - Rainwater drainage pipes that pass through the datacenter should be
removed.
2822 - Pressurized gas pipes should be repositioned outside the datacenter
(except those used for firefighting purposes).
2836 - The rain drainage pipes should be cleaned regularly.
2838 - The terrace floor and building roof should be periodically waterproofed.
2840 - Water drainage gutters should be installed outside the building.
2851 - A gas suppression system should be used to fight fire in the datacenter.
Group : Identification and authentication
2772 - Employees and workers should always wear identification badges.
2778 - Badges with different colors and visual signs should be used to identify
individuals allowed in the environment.
Group : Information disposal
2796 - Trash pickups should be performed periodically.
2797 - Any material with sensitive information should be protected against nonauthorized access when being disposed of.
2798 - Specific-destined shredders should be used for disposing sensitive
information.
Group : Security incidents
2823 - Records of physical security incidents should be kept.
2824 - All images captured by the organizations' TV cameras should be recorded
and kept.
2825 - The images captured by the Closed Circuit TV should be often reviewed
and stored for any future need.
Group : Work environment
2844 - Any material that does not pertain to the data center operation should be
removed from its interior.
2845 - Warnings about the handling and storage of dangerous materials should
be affixed to places where they can be easily seen.
6120 - A list with the authorized types of dangerous material, accompanied by
their respective security procedures for storage, usage and transport, should be
released.