Environmental controls and the CISSP
It's easy to understand why environmental controls play a major role in protecting an enterprise's key resources and sensitive information. Environmental security covers protection from natural environmental threats like blizzards, floods, earthquakes, storms and tornadoes, fires and extreme temperatures, and supply system threats, including power distribution failures, communications interruptions and disruption of other critical resources such as water, gas and air filtration.
Failures in environmental controls can cause major damage to services and hardware and even put lives at risk. The interruption of critical services such as power, heating, ventilation, air-conditioning and air quality can lead to unpredictable and unfortunate results that may prevent businesses from operating.
A single control failure, like a malfunctioning smoke detector, can escalate into a total disaster that destroys key assets and, in a worst-case scenario, endangers the lives of employees or others in the affected area.
For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate.
Earn your CISSP, guaranteed!
The environmental controls and threats
Organizations must understand and implement various types of environmental controls to create effective protection against physical and environmental threats. A comprehensive environmental control strategy considers the controls and how they work together to address different types of threats. Let's examine the key categories of controls, their functions and the threats they protect against.
Categories of environmental controls
Environmental controls vary widely in complexity and variables. While it's important to know each type of control and the protection it provides, it's essential to understand what applies to the environment that needs protection.
- Management (Administrative) Controls: These include the policies, standards, processes, procedures and guidelines that will help create a clear set of rules on how to approach environmental control issues.
- Physical Controls: This category can include controls such as locks, doors and walls. While they seem to be more oriented toward enforcing access control, they should also provide protection against natural environmental threats. A great example is the use of fireproof doors and walls to protect data centers.
- Technical (Logical) Controls: These monitor environmental conditions and respond to incidents. Examples include:
- Moisture detection systems
- Fire/smoke detection systems
- Fire suppression systems
- Environmental control systems
- Uninterruptible power supply systems
- Wet or dry pipe sprinkler systems
- Motion and sound detectors
- And many other monitoring and response systems
Control types by function
These controls can also be organized by their function:
- Directive (administrative) controls: The primary objective of any form of administrative control is ensuring proper behavior. If we limit this to environmental protection, a good example is stating that no food/drink/smoking is allowed in restricted areas.
- Preventive controls: These include any sort of measure designed to prevent an environmental issue from happening. For example, controlling access and having security cameras in restricted areas can greatly reduce the chance of an environmental incident.
- Deterrent controls: A deterrent control aims to reduce the likelihood of a vulnerability being exploited without actually reducing the exposure. This type of control is used basically to discourage the violation of security policies, mostly by employing warnings of consequences for security violations.
- Detective controls: Detective controls are used to identify unwanted or unauthorized activities or situations. These can involve the use of practices, processes, and tools that identify and possibly react (become a corrective control) to specific triggers. For environmental controls, a simple example is using a data center temperature sensor or smoke detector.
- Corrective controls: This type of control acts once an unwanted or unauthorized activity or situation is detected. Using a previous example, once a detective control such as a smoke detector identifies the presence of smoke, it can trigger a corrective control such as an automated fire suppression system, which, depending on how it was designed, can use inert gases or other chemical agents to extinguish a fire.
- Recovery controls: Whenever an incident happens, implementing recovery controls is necessary to return to a normal operating state. For instance, the automated fire suppression system used in the previous example must be resupplied with inert gas. Also, action should be taken to understand why a fire started and work on a way of preventing it from happening again.
Environmental threats
Whenever selecting the categories or types of controls required to ensure a proper level of protection, the determining factor is the type of threats that may affect the protected physical environment. These may come in the following types:
- Natural / Environmental threats: These are the consequences of natural phenomena such as earthquakes, blizzards, floods, storms, hurricanes, fires, and snow/ice. In most cases, they are bound to the facility's geographic location. It is quite obvious that there is little to gain from using controls for specific situations (i.e., earthquakes, hurricanes) if the facility is not in a geographical location that has a record of such natural phenomena occurring. It is also important to pay attention to the facility's surroundings. For instance, if a neighboring company stores lots of fuel, it increases the chance of a fire affecting your environment.
- Man-made threats: There is no lack of man-made threats that can effectively affect environmental security, including:
- Disgruntled employees attempting to enter restricted areas
- Employee errors
- Industrial espionage
- Arson
- Acts of sabotage
- Hazardous/toxic spills
- Chemical contamination
- Vandalism
- Theft
- Use of explosives
- Acts of terrorism
A risk-based approach
Environmental security requires the same systematic risk management approach as other information security areas. Each control should align with the organization's business risk appetite.
Consider this example: From a technical perspective, using a fire suppression system that disperses inert gas when detecting a fire offers excellent protection for key resources and sensitive information. But should every company invest in this solution? The reality is more nuanced. Several factors influence this decision, including:
- Initial and ongoing costs
- Regulatory requirements
- Value of protected assets
- Business continuity needs
- Alternative protection methods
Many organizations find adequate protection using simpler solutions like fire extinguishers combined with robust backup processes that ensure off-site information storage and recovery capabilities.
The key lies in risk management:
- Identify environmental threats and vulnerabilities specific to your location and operations
- Calculate the likelihood of occurrence and potential impact
- Select controls that provide necessary protection levels according to the organization's risk appetite
- Monitor control effectiveness and adjust as needed
A good information security professional can clearly define which controls to implement based on this risk analysis process. The goal isn't to eliminate all risk - that's impossible. Instead, focus on managing risk to acceptable levels while considering cost, operational impact and business requirements.
Earn your CISSP, guaranteed!
Concluding thoughts
Environmental issues affect every business, regardless of size, industry or location. Each organization faces some form of environmental risk that needs addressing.
Ensuring environmental security presents significant challenges. Success requires:
- A comprehensive risk management approach
- Deep understanding of potential threats
- Knowledge of how different control types work together
- Clear processes for implementing and maintaining controls
- Regular testing and updates of environmental systems
Environmental security protects more than just business assets and information - it safeguards human life. A single oversight in environmental controls can lead to catastrophic consequences, including loss of life.
Ready to master all the CISSP domains? Check out these resources:
- Download the CISSP exam tips and tricks ebook to master proven strategies for exam success
- Visit our CISSP training hub for comprehensive preparation resources
- Explore the cybersecurity certifications roadmap to plan your certification journey
- Get expert-led training and our Exam Pass Guarantee with our CISSP Boot Camp
- See how CISSP certification can impact your earning potential with our cybersecurity salary guide
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- Environmental controls and the CISSP
- CISSP domains overview: Your complete preparation guide
- What is the ISC2 ISSMP (Information Systems Security Management Professional) certification?
- What is the ISC2 ISSEP (Information Systems Security Engineering Professional) certification?
- What is the ISC2 ISSAP (Information Systems Security Architecture Professional) certification?
- CISSP experience waiver: What you need to know
- CISSP concentrations: How ISSAP, ISSMP & ISSEP have changed
- Mitigating access control attacks in the CISSP exam
- CISSP DoD 8140: What changed from DoD 8570?
- CISSP jobs in 2025: Cybersecurity manager outlook and career opportunities
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring
- CISSP interview prep: 10 common questions and answers
- CISSP resources: Free books, videos, practice exams and other study tools
- CISSP certification cost and requirements (2025): Your complete preparation guide
- Perimeter defenses: What you need to know for the CISSP exam
- Understanding control frameworks and the CISSP
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- Due care vs. due diligence: What you need to know for the CISSP exam
- The ISC2 code of ethics: A binding requirement for certification
- Security governance principles: What you need to know for the CISSP exam
- Understanding access control: A CISSP certification guide
- Renewal requirements for the CISSP certification
- Secure communication channels: What you need to know for the CISSP exam
- Risk management concepts and the CISSP
- CISSP: Business continuity planning and exercises
- Data and system ownership in the CISSP exam
- Information and asset classification in the CISSP exam
- Incident management and the CISSP exam: What you need to know
- CISSP prep: Security policies, standards, procedures and guidelines
- Earning CPE credits to maintain the CISSP
- Data security controls and the CISSP exam
- CISSP: Disaster recovery processes and plans
- Vulnerability and patch management in the CISSP exam
- Secure system design principles: CISSP exam concepts and frameworks
- Certification and accreditation: What’s on the CISSP exam?
- Change management and the CISSP
- Threat modeling and the CISSP
- CISSP exam questions: 5 drag & drop and hotspot questions
- CISSP certification salary: A comprehensive 2025 salary guide
- 8 tips for CISSP exam success in 2025
