Agencies have a responsibility to ensure their people, information and assets (resources) are protected from harm, including compromise. This policy ensures agencies take the necessary steps to minimise physical security risks to an agency’s resources, while also ensuring agencies incorporate protective security requirements into the planning, selection, design and modification of their facilities.

Core requirement 13

Implement physical security measures that minimise the risk of harm or compromise to people, information and physical assets

Supporting requirements

To ensure physical security measures minimise the risk of harm or compromise to people, information and physical assets, agencies* must:

  1. identify and categorise the agency’s resources that require a level of physical protection
  2. incorporate protective security in the process of planning, selecting, designing and modifying agency facilities
  3. implement physical security measures proportionate to the assessed business impact of harm or compromise to agency resources, including:
    1. zoning all work areas
    2. applying all required individual control elements
    3. ICT equipment and facilities
  4. certify and accredit all security zones
    1. ensuring areas where sensitive or security classified information is used, transmitted, stored or discussed are certified in accordance with the applicable ASIO Technical Notes**
  5. dispose of physical assets securely
  6. manage security risks associated with working away from the office.

PHYSEC1 Guidance (PDF, 1.2 MB)

Additional resources

Business Impact Levels – Storage requirements for electronic information in ICT facilities (PDF, 567.5 KB)

Business Impact Levels – Commercial safes and vaults (PDF, 420.0 KB)

Physical protections for security zones (PDF, 486.0 KB)

Physical security for specific types of ICT equipment (PDF, 490.7 KB)

Security zone descriptions and personnel security clearance requirements (PDF, 461.2 KB)

Summary of control measures and certification authority (PDF, 513.6 KB)

*This policy applies to all South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies”.

**ASIO Technical Notes are available via GovTeams. Users will be required to register and request access to the Protective Security Policy community.