11 Equipment security

Control A.9.2 of the standard deals with equipment security. It suggests that the organization take steps to prevent the loss, damage, theft or compromise of its assets and the consequential interruption to its activities. It is broken down into seven sub-clauses, each of which deals with aspects of equipment security and disposal.

Equipment siting and protection

Control A.9.2.1 of the standard requires equipment to be sited, or protected, in such a way that risks from environmental threats and hazards, or unauthorized access, are reduced. ISO27002 identifies a number of controls to be considered, including the following:

Equipment should be sited so as to minimize unnecessary, unauthorized access into work areas. For example, refreshment units or office machinery designed for use by visitors to premises should be sited within a designated and supervised public area; unauthorized personnel should not have to access secure offices in order to use these facilities. How visitors access toilets will need consideration. Clearly, if the only toilets are within a secure area, visitors will either have to be denied the use of them or will have to be escorted at all times!

Doors to computer rooms should have, depending on the risk assessment, mechanisms for ensuring that they are kept shut and locked at all times, with any deviations notified on an alarm system.

Information processing and storage facilities handling sensitive data should be positioned so as to reduce the risk of being seen by members of the public while in use. This applies, for instance, to workstation monitors in a ground-floor office, where passers-by could look through