Understanding CSA ISO/IEC TS 22237-6-19: Security Requirements for Data Centre Facilities and Infrastructures

A comprehensive guide to the Canadian adoption of the International Technical Specification for data centre security

Scope of CSA ISO IEC TS 22237-6-19

CSA ISO IEC TS 22237-6-19 is the CSA Group adoption of the international technical specification ISO/IEC TS 22237-6 (Data centre facilities and infrastructures, Part 6: Security systems). It forms part of the ISO/IEC TS 22237 series, which provides a framework for the design, construction, operation and management of data centres. Part 6 addresses the security measures needed to protect data centre assets: the physical infrastructure, the information processed within it and the personnel who operate it. It applies to data centres of any size, tier or classification and is intended for owners, operators, designers and security professionals involved in data centre projects.

The scope of CSA ISO IEC TS 22237-6-19 covers both physical and procedural security controls: identifying and assessing security risks, defining security classes, and specifying the measures that mitigate the identified threats. The specification aligns with the principles of the ISO/IEC 27000 family for information security management but is tailored to the environmental and operational characteristics of data centres. It is not itself a certification standard; it provides a structured set of requirements and recommendations that can serve as the basis for a data centre security programme or for evaluating an existing security posture.

Note: CSA ISO IEC TS 22237-6-19 is a Technical Specification (TS) published by CSA Group as an identical adoption of ISO/IEC TS 22237-6. As a TS, it represents a consensus of experts and is intended for use while further experience is gained, before possible advancement to an International Standard.

Technical Requirements for Data Centre Security

Security Classes and Threat Levels

The standard classifies data centre security according to the criticality of the assets and the potential impact of a security incident. This guide summarises that classification as three security classes, S1, S2 and S3, with increasing levels of protection; the class labels and the requirement sets in Table 1 are the article's condensed summary (the table is marked as adapted), so the published text should be consulted for the exact class definitions. Selecting a class depends on the type of data handled, client requirements, regulatory obligations and business risk appetite, and each class carries a baseline set of controls that must be implemented to claim that class.

Threats addressed include unauthorised physical access, environmental disruption (fire, flood, power interruption), sabotage, theft and cyber-physical attacks on the building systems themselves. The standard takes a risk-based approach: operators perform a security risk assessment that considers both the likelihood and the consequence of each threat scenario, and the resulting class determines which controls are applied.

Table 1 — Summary of Security Classes and Key Requirements (Adapted from CSA ISO IEC TS 22237-6-19)
Security class: S1 (Basic)
  Access control: physical barrier; single-factor authentication (e.g., card reader)
  Surveillance: recording of entry/exit points
  Intrusion detection: alarm on forced entry
  Response and contingency: security guard on call; basic incident response plan

Security class: S2 (Enhanced)
  Access control: two-factor authentication; mantrap at main entrance; biometric verification for critical zones
  Surveillance: continuous CCTV coverage of all interior and exterior areas; PTZ cameras
  Intrusion detection: perimeter and interior volumetric sensors; vibration detection
  Response and contingency: on-site security personnel 24/7; scheduled patrols; integrated incident management system

Security class: S3 (High)
  Access control: multi-factor authentication; segmentation with separate access policies per zone; full visitor management with escort
  Surveillance: high-resolution IP cameras with central management; licence plate recognition; facial recognition
  Intrusion detection: layered detection (dual-technology sensors, thermal analytics, false-alarm filtering)
  Response and contingency: dedicated security operations centre (SOC); local police or private response force; automated lockdown capability

Physical Security Controls

The standard sets detailed requirements for the physical security perimeter: walls, doors, windows and roofing, including the resistance of construction materials to forced entry, ballistic attack and environmental threats. For example, the S2 and S3 classes require walls that run from the structural floor to the structural roof, so that ceiling voids and other crawl spaces cannot be used to bypass a secured door, and every opening must be covered by a detection device.

In addition, the standard addresses the security of supporting infrastructure such as power distribution and cooling systems, which can be vulnerable points of attack. Requirements include tamper‑evident enclosures for electrical panels, lockable valve cabinets for cooling circuits, and the segregation of utility entry points.

Implementation Highlights and Best Practices

Implementing CSA ISO IEC TS 22237-6-19 involves a systematic approach that begins with a thorough security risk assessment. Organisations should define their target security class based on the business impact analysis and then map existing controls against the standard’s requirements. The following best practices are recommended:

  • Layered Defence (Defence‑in‑Depth): Combine multiple independent security mechanisms such that if one fails, others still provide protection. For instance, physical barriers should be complemented by electronic detection and human intervention.
  • Integration with IT Security: Align physical security controls with information security policies (e.g., ISO/IEC 27001). The standard encourages a holistic view that includes network segmentation for building management systems and access control databases.
  • Maintainability and Monitoring: All security systems must have documented maintenance schedules, event logging, and periodic testing. The standard emphasises that security is not a one‑time implementation but a continuous process.
  • Personnel Security: Background checks, security awareness training, and access revocation procedures are covered as essential components.
  • Environmental Resilience: For S2 and S3 classes, the standard requires backup power for security systems (e.g., CCTV, access controllers) with at least 4 hours of autonomy, and redundant communication paths for alarms.
Important Consideration: While CSA ISO IEC TS 22237-6-19 provides a robust guideline, it is not a “one‑size‑fits‑all” solution. Organisations must adapt the controls to their specific operational context, taking into account local regulations (e.g., privacy laws regarding video surveillance) and existing infrastructure constraints.
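The logging and access-revocation points above are where a data centre's physical security meets security operations: the controller events have to be collected and watched, or the controls in Table 1 only ever record what happened. As an added example, not from the standard or from the original article, the Python below applies a few such rules to a constructed access-control event export: forced entry (the alarm Table 1 lists for every class), a door held open, a grant to a badge that HR has already revoked (revocation not propagated to the door controller), and a burst of denied attempts on one door. The log format, door names, badge numbers, revoked-badge list and thresholds are all assumptions made for the example.

```python
"""Detection rules over physical access-control events.

Constructed example: the log format, door names, badge IDs and the
revoked-badge list are invented for illustration and do not come from the
standard or from any real access-control product.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export from an access-control system: one event per line,
# ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z,door=DC-MAIN-01,badge=1042,event=ACCESS_GRANTED
2024-03-04T08:01:40Z,door=DC-MAIN-01,badge=2201,event=ACCESS_DENIED
2024-03-04T08:01:52Z,door=DC-MAIN-01,badge=2201,event=ACCESS_DENIED
2024-03-04T08:02:05Z,door=DC-MAIN-01,badge=2201,event=ACCESS_DENIED
2024-03-04T08:02:10Z,door=DC-MAIN-01,badge=2201,event=ACCESS_DENIED
2024-03-04T08:15:00Z,door=DC-HALL-A-02,badge=,event=DOOR_FORCED
2024-03-04T08:30:33Z,door=DC-HALL-A-02,badge=3310,event=ACCESS_GRANTED
2024-03-04T09:10:00Z,door=DC-HALL-A-02,badge=1042,event=DOOR_HELD_OPEN
"""

# Badges revoked by HR/offboarding (constructed). A grant for one of these
# means the revocation never reached the door controller.
REVOKED_BADGES = {"3310"}


@dataclass
class Event:
    ts: datetime
    door: str
    badge: str
    event: str


def parse_events(text: str) -> list[Event]:
    """Parse the export into Event objects, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split(",")
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, kv.get("door", ""), kv.get("badge", ""), kv.get("event", "")))
    events.sort(key=lambda e: e.ts)
    return events


def detect(events, revoked, denied_threshold=3, window=timedelta(minutes=2)):
    """Return (severity, rule, detail) tuples for events that need follow-up."""
    alerts = []
    denied = defaultdict(list)  # (door, badge) -> denial timestamps inside the window
    for e in events:
        when = e.ts.isoformat()
        if e.event == "DOOR_FORCED":
            # Forced entry is the one alarm every class in Table 1 requires.
            alerts.append(("HIGH", "forced_entry", f"{e.door} forced at {when}"))
        elif e.event == "DOOR_HELD_OPEN":
            # A propped door defeats mantrap and anti-tailgating controls.
            alerts.append(("MEDIUM", "door_held_open",
                           f"{e.door} held open by badge {e.badge} at {when}"))
        elif e.event == "ACCESS_GRANTED" and e.badge in revoked:
            alerts.append(("HIGH", "revoked_badge_used",
                           f"revoked badge {e.badge} admitted at {e.door} at {when}"))
        elif e.event == "ACCESS_DENIED":
            key = (e.door, e.badge)
            # Sliding window: keep only denials within `window` of this one.
            recent = [t for t in denied[key] if e.ts - t <= window] + [e.ts]
            denied[key] = recent
            if len(recent) == denied_threshold:  # fire once per burst, not per attempt
                alerts.append(("MEDIUM", "repeated_denied",
                               f"{denied_threshold} denials for badge {e.badge} "
                               f"at {e.door} within {window}"))
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in detect(parse_events(SAMPLE_LOG), REVOKED_BADGES):
        print(f"[{severity}] {rule}: {detail}")
```

The revoked-badge rule is the one worth keeping even if the others are replaced by the access-control vendor's own alarms: it checks the door controller's decisions against a source of truth outside that system, which is exactly the gap an access revocation procedure on paper cannot close by itself.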

Compliance and Certification Notes

CSA ISO IEC TS 22237-6-19 is a Technical Specification and as such does not offer a formal certification scheme. However, organisations may use it as a benchmark for their security management systems or to demonstrate compliance with client or regulatory requirements. Some certification bodies may offer “gap analysis” or “conformity assessment” services against the standard, but there is no accredited certification to the TS itself.

For Canadian organisations, adopting this standard can help align physical security practice with broader frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Cloud Security Alliance Cloud Controls Matrix (a different "CSA" from CSA Group), particularly when securing cloud and co-location data centres. It also supports the physical safeguard obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), and would do the same for the proposed Digital Charter Implementation Act (Bill C-27) should it be enacted.

It is important to note that the standard references other parts of the TS 22237 series, particularly Part 1 (General concepts) and Part 7 (Management and operational information). Users should obtain and review these complementary documents for a full understanding of the data centre lifecycle and management system interfaces.

Pro Tip: If your organisation is pursuing ISO/IEC 27001 certification for an information security management system (ISMS), implementing the controls from CSA ISO IEC TS 22237-6-19 gives concrete, auditable evidence for the physical controls of Annex A (section A.7 in the 2022 edition) and supports audit success.

Frequently Asked Questions

Q: What is the main difference between CSA ISO IEC TS 22237-6-19 and the ISO/IEC 27001 standard?
A: ISO/IEC 27001 is an information security management standard that focuses on processes, risk management and controls for information assets. CSA ISO IEC TS 22237-6-19 is specifically about physical security for data centre facilities and infrastructures. The two complement each other: the TS provides much more detailed technical specifications for building-level controls such as barriers, access systems and surveillance, which ISO/IEC 27001 does not cover in depth. Many organisations use both together to achieve comprehensive protection.
Q: Is CSA ISO IEC TS 22237-6-19 mandatory in Canada?
A: No, the standard is voluntary in Canada. However, it may be contractually required by clients (e.g., in government contracts or critical infrastructure projects). Some regulated sectors, such as finance and telecommunications, may reference this standard in their own compliance frameworks. It is always best to consult your specific regulatory or contractual obligations.
Q: Can I implement a security class lower than S1 or skip classification entirely?
A: The standard strongly recommends performing a risk assessment to determine the appropriate class. If your risk assessment shows that only basic measures are justified, you may implement controls equivalent to S1 or less. However, skipping classification altogether may leave your data centre vulnerable to credible threats. For organisations handling sensitive data, regulators may expect class S2 or S3.
Q: How often should security controls be reviewed or updated based on this standard?
A: The standard recommends a periodic review at least annually or whenever significant changes occur to the facility, threat landscape, or business operations. Additionally, all security incidents should trigger a re‑evaluation of the security class and the effectiveness of current controls. Continuous monitoring and improvement is a key principle.

Article prepared for informational use. For complete and authoritative text, refer to the official publication of CSA ISO IEC TS 22237-6-19, available from the CSA Group. © 2026
