The institution shall divide the area it manages into security zones based on risk assessment to ensure physical security.
The institution shall provide, limited by the scope of official duties, access to particular security zones. The principle of necessary access applies (need to have).
The institution shall limit unauthorized individuals' physical access to institutional systems, equipment, and the respective operating environments.
The institution shall provide employees in charge of systems and infrastructure with basic physical security training.
