ISMS Physical Security Policy

1. Purpose, Scope and User

This policy defines VSHN’s rules regarding physical access to VSHN’s premises.

All employees of VSHN AG must adhere to this policy.

2. Physical Security Perimeters

The office in Neugasse 10 in Zürich is considered a security perimeter.
Data centers of third party providers where VSHN’s hardware is running, are considered a security perimeter.

Not considered as security perimeter are the VSHNtower in Neugasse 6, Zürich, and the shared offices in VSHN Canada, 422 Richards St, Suite 170 Vancouver.

3. Access Rights

3.1. VSHN Office

All VSHNeers have access and have their own key.
VSHNeers can grant accompanied access to guests if a visitor log was filled.
People Operations controls who has an office key with the corresponding ticket ISMS-198.

3.2. Access to Hardware Servers

Access can be ordered via the management or the CISO. A ticket must exist in VSHN’s ticket system with the work to be done.

Access to VSHN servers at third party providers is only possible for VSHN employees after prior coordination. Access control is handled by the data center provider.

4. Visitor Logs

Each visitor must fill out one of the visitor log forms provided in the coffee room.

If visitors are working for a longer period with us, an NDA must be signed and the visitor log isn’t needed after that.

4.1. VSHNeers' Responsibility

VSHNeers inviting guests are responsible that:

Visitor log form is filled out.
Visitor does not walk around in the office unsupervised.
Visitor log is placed in the visitors log "mail box".

4.2. Back-Office Responsibility

PeopleOps checks visitor log forms regularly and files them in a physical ad-hoc folder.
Visitor logs older than a year are destroyed.
The CISO conducts regular spot checks.

4.3. Exceptions

Exceptions to this rule can be found in Annex - Exceptions Physical Security in our wiki.

5. Physical Security Monitoring

VSHN can monitor access to secure spaces using video surveillance and other technical appliances.

Exceptions of this rule can be found in Annex - Exceptions Physical Security in our wiki.

6. VSHNeers' Duties

Ensure the two entry doors on the first (European floor numbering system) floor leading to the coffee room and the one leading to the hallway are always closed.
Ensure visitors are never left alone.
Ensure all windows are closed when the work day is finished.
Ensure no confidential paper is lying around.
Regularly check the physical connections of your keyboard and mouse, ensuring they are directly connected to the docking station to prevent threats like keyloggers.
Keep VSHNtower clean; this means you are not allowed to leave sensitive data there or leave your devices unsupervised.

7. Events

Events can take place in VSHNtower as it is considered a public space.
Events should not take place in the VSHN office. If this is not possible, check with CISO and checklist on file server.

8. Reference Documents

ISO 27001:2022	ISO 27001:2013	Control
A.7.1	A.11.1.1	Physical security perimeters
A.7.2	A.11.1.2	Physical entry
A.7.3	A.11.1.3	Securing offices, rooms and facilities
A.7.4	N/A	Physical security monitoring
A.7.5	A.11.1.4	Protecting against physical and environmental threats
A.7.6	A.11.1.5	Working in secure areas

ISO 27001:2022

ISO 27001:2013

Control

A.7.1

A.11.1.1

Physical security perimeters

A.7.2

A.11.1.2

Physical entry

A.7.3

A.11.1.3

Securing offices, rooms and facilities

A.7.4

N/A

Physical security monitoring

A.7.5

A.11.1.4

Protecting against physical and environmental threats

A.7.6

A.11.1.5

Working in secure areas

This policy is tracked and approved by the CISO with ticket ISMS-557

Approval date	2023-07-10
Approved with	ISMS-1218 in MR 867 and MR 870
Last reviewed	2024-06-12 with ISMS-1519 and MR 1052
Classification	Public

Approval date

2023-07-10

Approved with

ISMS-1218 in MR 867 and MR 870

Last reviewed

2024-06-12 with ISMS-1519 and MR 1052

Classification

Public