When to use this
Use this review where building management systems are in ISMS scope or can affect information processing facilities.
Related controls
Review table
| BMS/component | Utility/facility affected | Owner | Network exposure | Access control | Backup | Patch/vulnerability process | Logging/monitoring | Gap/action |
|---|---|---|---|---|---|---|---|---|
| TBD | HVAC/power/fire/environmental | TBD | Isolated/internal/vendor remote | TBD | TBD | TBD | TBD | TBD |
Review checklist
- BMS ownership is defined.
- Access rights are controlled and reviewed.
- Remote vendor access is controlled.
- Backups/configuration exports exist where needed.
- Malware/vulnerability/patching approach is defined.
- Logs or alarms are reviewed where relevant.
- BMS outage impact is considered in continuity planning.
- Template
- Iso27001
- Physical controls
- Supporting utilities
Note Metadata
Aliases: BMS Security Review
Source: 90 Templates/Building Management System Security Review.md
Related Notes
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.37 - Documented Operating Procedures
- ISO 27001 A.7.11 - Supporting Utilities
- A.7 Physical Controls MOC
- A.7.11 Audit Evidence Pack
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Implementation Audit Risk Mapping
- A.7.11 Audit Checklist
- Templates MOC