Physical & Environmental Controls
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series covers the physical and environmental side of protecting information assets. The session introduces, at topic level, the environmental threats that put equipment at risk, the detection and suppression controls that address them, the physical access controls that keep unauthorized people out, and the special vulnerabilities of industrial control systems.
What this episode covers
- Power failure types and responses: blackout, brownout, sags and spikes, and electromagnetic interference, addressed by surge protectors, uninterruptible power supplies, and generators based on outage duration.
- Water and environmental detection: water detectors under raised floors, smoke detectors at multiple levels, and audible alarms connected to a monitored station on a separate circuit.
- Fire suppression systems: total flooding versus local application, wet-pipe versus dry-pipe versus clean chemical agents, and the auditor's approach to verifying inspection records.
- Data center placement and building controls: preferred floor placement, fireproof walls, dual power feeds from separate substations, emergency power-off switch requirements, and environmental monitoring.
- Physical access controls: bolting, combination, and electronic locks; visitor logs; identification badges; CCTV; security guards; and perimeter lighting.
- Mantraps and entry point controls: two-door entry design, single staffed entry points, and keeping the computer room unidentifiable from outside.
- Industrial control system security: why legacy ICS carry serious weaknesses and the controls used to harden them, including network segmentation, least privilege, and supply chain security.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What types of power failure must an IS auditor know, and how are they addressed?
The four types are a blackout (total loss), a brownout (sustained voltage drop), sags and spikes (quick dips and jumps), and electromagnetic interference. The response depends on duration: surge protectors handle very short blips, an uninterruptible power supply bridges interruptions up to roughly half an hour, and a backup generator is needed for longer outages. Each can corrupt data or damage hardware if not addressed.
What fire suppression systems are commonly found in data centers?
Suppression systems apply their agent by total flooding, which fills an entire enclosed room, or local application, which sprays directly onto the fire. Common system types include wet-pipe sprinklers that always hold water in the pipes, dry-pipe systems that hold water back until an alarm triggers, and clean chemical agents often preferred around electronics because they do not damage equipment. As an auditor, you can confirm compliance by reviewing inspection records and verifying the system was tested within the last year.
Why are electronic locks considered the strongest form of physical access control?
Electronic locks are strongest because a card or token can be tied to one specific person, restricted by door or hour, and deactivated instantly without replacing any hardware. This contrasts with bolting locks where keys can be duplicated and combination locks where codes must be changed manually after each security concern. The electronic lock also creates an audit trail of who accessed which door and when.
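The properties that make electronic locks auditable (one badge per person, door and hour restrictions, instant deactivation, and a log of every swipe) can be modelled in a few lines. The following is an added illustration, not code from the episode or from any real access control product; the class, badge IDs, door names, and hours are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class ElectronicLockSystem:
    """Hypothetical electronic lock controller (constructed for illustration)."""
    badges: dict                      # badge_id -> holder's name: one badge, one person
    permissions: dict                 # badge_id -> {door: (first_hour, end_hour_exclusive)}
    revoked: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def revoke(self, badge_id: str) -> None:
        # Deactivation is a record change, not a rekey: it takes effect on the next swipe.
        self.revoked.add(badge_id)

    def request(self, badge_id: str, door: str, at: datetime) -> bool:
        """Decide one swipe and always record it, whether granted or denied."""
        holder = self.badges.get(badge_id)
        if holder is None or badge_id in self.revoked:
            granted, reason = False, "unknown or deactivated badge"
        elif door not in self.permissions.get(badge_id, {}):
            granted, reason = False, "badge not permitted for this door"
        else:
            start, end = self.permissions[badge_id][door]
            granted = start <= at.hour < end
            reason = "granted" if granted else "outside permitted hours"
        self.audit_log.append(
            {"time": at.isoformat(), "badge": badge_id, "holder": holder,
             "door": door, "granted": granted, "reason": reason})
        return granted

    def entries_for(self, door: str) -> list:
        """Auditor's view: who entered a given door and when (granted swipes only)."""
        return [e for e in self.audit_log if e["door"] == door and e["granted"]]


def demo() -> ElectronicLockSystem:
    # Constructed sample data: two badges; the server room is open 08:00-18:00 only.
    acs = ElectronicLockSystem(
        badges={"B-101": "A. Lee", "B-202": "R. Singh"},
        permissions={"B-101": {"server-room": (8, 18)}, "B-202": {"lobby": (0, 24)}},
    )
    acs.request("B-101", "server-room", datetime(2024, 3, 4, 9, 15))   # in hours: granted
    acs.request("B-101", "server-room", datetime(2024, 3, 4, 22, 5))   # after hours: denied
    acs.request("B-202", "server-room", datetime(2024, 3, 4, 10, 0))   # wrong door: denied
    acs.revoke("B-101")                                                # badge reported lost
    acs.request("B-101", "server-room", datetime(2024, 3, 4, 11, 0))   # deactivated: denied
    return acs
```

Every denied swipe is logged with its reason, which is what lets an auditor reconcile the access log against the authorized-access list rather than only counting successful entries.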
What is a mantrap and what threat does it prevent?
A mantrap is a two-door entry where the first door must lock before the second opens, preventing piggybacking or tailgating where an unauthorized person slips in behind an authorized one. Using a single staffed entry point and sealing off unused doors supports the same goal. The computer room should also be kept invisible from outside, with no windows or signs pointing to it, to deter deliberate attack.
Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in Physical & Environmental Controls.