physical risk

physical risk – bollards used for physical security

The physical risk to an information system is perhaps the most important to consider. You MUST limit physical access to a system; otherwise any technical or administrative controls you implement are meaningless, because they can be bypassed easily. With direct physical access ANYONE can boot a server from a Kali Linux live CD/USB or perform password recovery on your Cisco router. PWNAGE!!!! If you can physically touch a system, then you can own it.

Additionally, you should have a contingency plan for the most likely avenues of physical disaster to a system. This limits the potential for both intentional and unintentional harm to the system.

To limit the physical risk to an information system, NIST SP 800-53/DIARMF prescribes the “Physical and Environmental Protection” (PE) family of controls:

  • PE-1 Physical and Environmental Protection Policy and Procedures
  • PE-2 Physical Access Authorizations
  • PE-3 Physical Access Control
  • PE-4 Access Control for Transmission Medium
  • PE-5 Access Control for Output Devices
  • PE-6 Monitoring Physical Access
  • PE-7 Visitor Control
  • PE-8 Access Records
  • PE-9 Power Equipment and Power Cabling
  • PE-10 Emergency Shutoff
  • PE-11 Emergency Power
  • PE-12 Emergency Lighting
  • PE-13 Fire Protection
  • PE-14 Temperature and Humidity Controls
  • PE-15 Water Damage Protection
  • PE-16 Delivery and Removal
  • PE-17 Alternate Work Site
  • PE-18 Location of Information System Components
  • PE-19 Information Leakage
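Several of the controls above (PE-2 Physical Access Authorizations, PE-3 Physical Access Control, PE-6 Monitoring Physical Access, PE-7 Visitor Control and PE-8 Access Records) only pay off if someone actually reviews the access records against the authorization list. The script below is an added example, not code from the original post or from ConvoCourses, showing what such a review looks like: it parses a small, constructed badge-reader log, checks each granted entry against a constructed authorization table, flags unescorted visitors and after-hours server-room entries, and reports badges with repeated denials. The log line format, badge numbers, area names and business hours are all assumptions for the example.

```python
"""Reconcile badge-reader access records (PE-8) against physical access
authorizations (PE-2) and visitor-control rules (PE-7).

Added example, not part of the original post. Log format, badge ids,
area names and business hours are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Assumed authorization list (PE-2): badge id -> areas the holder may enter.
# Badges starting with "V" are visitor badges and must be escorted (PE-7).
AUTHORIZATIONS = {
    "B1001": {"server-room", "office"},
    "B1002": {"office"},
    "V2001": {"server-room"},
}
VISITOR_PREFIX = "V"
CONTROLLED_AREA = "server-room"
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed; entries outside are reviewed
DENIAL_THRESHOLD = 3                          # repeated denials worth a look (PE-6)

# Constructed badge-reader log: "<ISO timestamp> <badge> <area> <granted|denied> [escort=<badge>]"
SAMPLE_LOG = """\
2024-03-04T08:15:00 B1001 server-room granted
2024-03-04T08:20:00 B1002 server-room granted
2024-03-04T13:05:00 V2001 server-room granted escort=B1001
2024-03-04T14:40:00 V2001 server-room granted
2024-03-04T22:30:00 B1001 server-room granted
2024-03-04T22:31:00 B1002 server-room denied
2024-03-04T22:32:00 B1002 server-room denied
2024-03-04T22:33:00 B1002 server-room denied
2024-03-04T23:00:00 B9999 server-room granted
"""


@dataclass
class AccessRecord:
    timestamp: datetime
    badge: str
    area: str
    result: str              # "granted" or "denied", as reported by the reader
    escort: Optional[str]    # badge of the escorting employee, if recorded


def parse_record(line: str) -> AccessRecord:
    """Parse one log line in the constructed format above."""
    parts = line.split()
    escort = None
    for extra in parts[4:]:
        if extra.startswith("escort="):
            escort = extra.split("=", 1)[1]
    return AccessRecord(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], escort)


def parse_log(text: str) -> list:
    """Parse a whole log, skipping blank lines."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def within_business_hours(ts: datetime) -> bool:
    return BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]


def review(records: list) -> list:
    """Return (control, description) findings a physical-security reviewer would act on."""
    findings = []
    for r in records:
        when = r.timestamp.strftime("%Y-%m-%d %H:%M")
        allowed = AUTHORIZATIONS.get(r.badge, set())
        if r.result == "granted" and r.area not in allowed:
            # Reader let someone in who is not on the authorization list.
            findings.append(("PE-2", f"{when} {r.badge} granted entry to {r.area} without authorization"))
        if r.badge.startswith(VISITOR_PREFIX) and r.result == "granted":
            if r.escort is None:
                findings.append(("PE-7", f"{when} visitor {r.badge} entered {r.area} unescorted"))
            elif r.area not in AUTHORIZATIONS.get(r.escort, set()):
                findings.append(("PE-7", f"{when} escort {r.escort} is not authorized for {r.area}"))
        if r.area == CONTROLLED_AREA and r.result == "granted" and not within_business_hours(r.timestamp):
            findings.append(("PE-6", f"{when} after-hours {CONTROLLED_AREA} entry by {r.badge}"))
    # Repeated denials on one badge: possible lost/stolen badge or someone probing the door.
    denied = Counter(r.badge for r in records if r.result == "denied")
    for badge, n in denied.items():
        if n >= DENIAL_THRESHOLD:
            findings.append(("PE-6", f"{n} denied attempts by {badge}; check reader video and badge status"))
    return findings


if __name__ == "__main__":
    for control, text in review(parse_log(SAMPLE_LOG)):
        print(f"[{control}] {text}")
```

Run on the constructed log, the script reports an unauthorized grant for B1002, an unescorted visit by V2001, two after-hours server-room entries (one by a badge that is not in the authorization list at all), and three consecutive denials on B1002. The escorted visit at 13:05 produces no finding because the escort is authorized for the area, which is the distinction PE-7 asks you to make.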
