A physical control is a security measure designed to protect assets, facilities, and personnel from physical threats such as fire, theft, or unauthorized access. Fire detection and suppression equipment (e.g., fire alarms, sprinklers, extinguishers) directly protects physical assets, making it a clear example of a physical control.
Analysis of Answer Choices:
(A) Providing fire detection and suppression equipment. ✅
Correct. This is a direct physical security control that helps mitigate fire risks by detecting and suppressing fires.
IIA GTAG "Physical Security and IT Asset Protection" identifies fire detection as an essential physical security measure.
(B) Establishing a physical security policy and promoting it throughout the organization. ❌
Incorrect. A policy is an administrative control, not a physical control. While important, it does not provide direct physical protection.
(C) Performing business continuity and disaster recovery planning. ❌
Incorrect. This is a procedural control, not a physical one. Planning for disasters does not physically secure assets but instead prepares an organization for recovery.
(D) Keeping an offsite backup of the organization's critical data. ❌
Incorrect. This is an IT security control, ensuring data availability rather than physically protecting assets.

IIA References:
IIA GTAG – "Physical Security and IT Asset Protection"
IIA Standard 2110 – Governance (Risk Management Controls)
COBIT Framework – Physical and Environmental Security Controls

Thus, the correct answer is A, as fire detection and suppression equipment provides direct physical protection against fire-related risks.