Physical access to facilities and systems is restricted
Logical access controls protect systems from remote compromise, but physical access bypasses all of them. Anyone who can walk up to a server, plug in a USB drive, or physically remove hardware has access that no firewall or MFA policy can stop. This criterion requires that data centers, server rooms, and any location where in-scope infrastructure is housed be protected with physical access controls that restrict entry to authorized personnel.
Implementation steps
1. Restrict physical access to data centers and server rooms
Ensure that any facility housing in-scope infrastructure requires badge access, a key fob, or an equivalent credential to enter. Visitor access should require an escort and be logged. Co-location or cloud providers handle this for hosted infrastructure; obtain their compliance documentation (SOC 2, ISO 27001) as evidence.
Tools: aws, google-cloud, azure, equinix
2. Log and monitor physical access events
Access control systems should log every entry: who accessed, which area, and at what time. Review these logs for anomalies periodically. Visitor and contractor access should be logged separately. For office environments, ensure server rooms and network closets are locked and access-logged.
Tools: notion, google-sheets
3. Document physical access policy and revocation process
Write a physical access policy that covers who is authorized to enter restricted areas, how access is granted and revoked, and how visitor access is handled. Ensure access is revoked promptly when employees leave or change roles. If using a cloud provider, document reliance on their physical controls and maintain their compliance reports.
Tools: confluence, notion
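The periodic log review in step 2 and the prompt revocation in step 3 can be checked together by replaying a badge-system export against the access roster. The following is an added example, not code from the original page; the log format, the roster layout and the 07:00-19:00 weekday policy window are assumptions, and the log lines are constructed.

```python
# Added example, not from the original page: reviews a constructed badge-reader
# export against an access roster and leaver dates. Log format and roster are assumed.
import csv
from datetime import datetime, time
from io import StringIO

# Constructed sample export from a badge system: timestamp, badge id, area, result.
BADGE_LOG = """\
timestamp,badge_id,area,result
2024-05-06T09:02:11,B100,server-room,granted
2024-05-06T22:47:30,B100,server-room,granted
2024-05-06T10:15:02,B204,server-room,granted
2024-05-07T08:30:45,B317,network-closet,granted
2024-05-07T11:05:19,B999,server-room,denied
"""

# Constructed roster: badge -> (holder, authorized areas, date the holder left or None).
ROSTER = {
    "B100": ("alice", {"server-room", "network-closet"}, None),
    "B204": ("bob", {"office"}, None),
    "B317": ("carol", {"network-closet"}, datetime(2024, 5, 3)),  # left, badge not yet revoked
}

# Assumed policy: restricted areas are entered unescorted only 07:00-19:00 on weekdays.
RESTRICTED_AREAS = {"server-room", "network-closet"}
OPEN_FROM, OPEN_UNTIL = time(7, 0), time(19, 0)


def review_badge_log(log_text, roster=ROSTER):
    """Return (timestamp, badge_id, reason) findings for a reviewer to follow up."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["result"] != "granted":
            continue  # this pass reviews successful entries only
        ts = datetime.fromisoformat(row["timestamp"])
        badge, area = row["badge_id"], row["area"]
        if badge not in roster:
            findings.append((row["timestamp"], badge, "badge not in roster"))
            continue
        name, areas, left_on = roster[badge]
        if left_on is not None and ts >= left_on:
            findings.append((row["timestamp"], badge, f"{name} left on {left_on.date()} but badge still active"))
        if area in RESTRICTED_AREAS and area not in areas:
            findings.append((row["timestamp"], badge, f"{name} is not authorized for {area}"))
        after_hours = ts.weekday() >= 5 or not (OPEN_FROM <= ts.time() <= OPEN_UNTIL)
        if area in RESTRICTED_AREAS and after_hours:
            findings.append((row["timestamp"], badge, f"{name} entered {area} outside business hours"))
    return findings
```

Each finding is a reviewer lead, not a verdict: the after-hours entry may be an approved maintenance window, but the still-active badge of a leaver is exactly the revocation gap step 3 is meant to close.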
Evidence required
Physical access control documentation
Evidence that physical access to infrastructure is restricted and monitored.
- Cloud provider SOC 2 or ISO 27001 report covering physical security
- Office badge access policy and system configuration
- Physical access log sample showing entry records
Physical access policy
A documented policy covering physical access to restricted areas.
- Information security policy with physical access section
- Data center access policy
- Visitor access procedure
Related controls
- Logical access security measures restrict access to assets (Logical and Physical Access)
- Access credentials are issued with appropriate authorization (Logical and Physical Access)
- Role-based access is used and reviewed periodically (Logical and Physical Access)
- Access is removed or modified when no longer required (Logical and Physical Access)