SOC2-CC6-PHYSICAL-ACCESS

Physical Access Controls

Type: preventive | Effectiveness: medium | Review frequency: Monthly

What this control does

Controls restricting physical access to offices, data centers, and server rooms to authorized personnel only.

Implementation guidance

Use keycard or badge access for server rooms and restricted areas. Log entry/exit. Review access logs monthly for anomalies. For co-located or cloud-only environments, obtain data center SOC 2 reports from your provider (AWS/GCP/Azure) annually as compensating evidence.

Requirements satisfied

CC6.4

Why it matters

Unauthorized physical access to data centers, server rooms, or offices can lead to theft, sabotage, malware installation, or data exfiltration without digital audit trails. Weak controls increase the risk of insider threats and compromise of infrastructure that digital access controls rely upon. A single unlocked server room or unmanned badge reader defeats layers of logical security controls.

Evidence to collect

  • Badge access system configuration report showing authorized cardholders and facility zones they can access
  • Monthly physical access log review (last 3 months) with documented anomaly findings and follow-up actions
  • Photographs or diagram of controlled entry points showing keycard readers or badge systems in place
  • SOC 2 Type II reports from cloud/colocation provider (AWS, GCP, Azure, or equivalent) dated within last 12 months covering Section CC physical access controls

Testing procedure

Auditor verifies badge system is active and logs entry/exit by requesting access logs for a sample week and cross-checking against employee roster for terminated staff. Physically inspect at least two restricted areas (server room, sensitive office) to confirm keycard/badge reader presence and operational status. Review the most recent monthly access log review workpaper to confirm documented procedure and any anomalies investigated. For cloud/colocation, validate SOC 2 report date is within 12 months and Section CC controls address physical access to your company's assets.
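The monthly log review called for in the implementation guidance and the auditor's roster cross-check above are easy to state and easy to skip; the following script, an added example that is not part of this control page, shows what a repeatable review looks like when the badge system's export is checked against the HR roster. Badge ids, zones, the business-hours window, the denial-burst threshold and every log row are constructed assumptions; a real review would read the controller's own export and the HR system of record in their place.

```python
"""Monthly badge-log review against the HR roster (added example, constructed data)."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Constructed sample badge log, shaped like a physical access control system export.
BADGE_LOG_CSV = """timestamp,badge_id,zone,direction,result
2024-03-04T08:55:00,B1001,office,entry,granted
2024-03-04T09:10:00,B1002,server_room,entry,granted
2024-03-04T09:40:00,B1002,server_room,exit,granted
2024-03-05T02:13:00,B1003,server_room,entry,granted
2024-03-06T14:02:00,B1004,server_room,entry,denied
2024-03-06T14:02:30,B1004,server_room,entry,denied
2024-03-06T14:03:00,B1004,server_room,entry,denied
2024-03-07T15:00:00,B1001,server_room,entry,granted
2024-03-07T10:00:00,B1005,office,entry,granted
2024-03-08T11:30:00,B9999,server_room,entry,granted
"""

# Constructed HR roster keyed by badge id: authorized zones and any termination date.
ROSTER = {
    "B1001": {"zones": {"office"}, "terminated_on": None},
    "B1002": {"zones": {"office", "server_room"}, "terminated_on": None},
    "B1003": {"zones": {"office", "server_room"}, "terminated_on": None},
    "B1004": {"zones": {"office"}, "terminated_on": None},
    "B1005": {"zones": set(), "terminated_on": "2024-02-28"},
}

RESTRICTED_ZONES = {"server_room"}          # zones whose after-hours use is reviewed
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed staffed window for the site
DENIAL_BURST = 3                            # this many denials within DENIAL_WINDOW ...
DENIAL_WINDOW = timedelta(minutes=5)        # ... is treated as a review finding


@dataclass(frozen=True)
class Finding:
    kind: str
    badge_id: str
    detail: str


def parse_log(csv_text):
    """Parse the controller export; timestamps become datetime objects."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def review_access_log(csv_text, roster):
    """Return the anomaly findings a reviewer would record in the monthly workpaper."""
    findings = []
    denials = defaultdict(list)
    for row in parse_log(csv_text):
        badge, zone, ts = row["badge_id"], row["zone"], row["timestamp"]
        person = roster.get(badge)
        if person is None:
            # A badge the HR roster does not know about: lost, cloned, or never offboarded.
            findings.append(Finding("UNKNOWN_BADGE", badge, f"{ts} {zone}: badge not in roster"))
            continue
        if row["result"] == "denied":
            denials[badge].append(ts)
            continue
        term = person["terminated_on"]
        if term and ts.date() >= date.fromisoformat(term):
            # Granted access after the HR termination date: offboarding gap.
            findings.append(Finding("TERMINATED_BADGE_USED", badge, f"{ts} {zone}: terminated {term}"))
        elif zone not in person["zones"]:
            # Controller granted a zone the roster does not authorize: misconfiguration.
            findings.append(Finding("ZONE_NOT_AUTHORIZED", badge, f"{ts} {zone}: not in authorized zones"))
        elif (zone in RESTRICTED_ZONES and row["direction"] == "entry"
              and not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            # Authorized, but outside staffed hours: needs a documented reason.
            findings.append(Finding("AFTER_HOURS", badge, f"{ts} {zone}: entry outside business hours"))
    for badge, stamps in denials.items():
        stamps.sort()
        for i in range(len(stamps) - DENIAL_BURST + 1):
            if stamps[i + DENIAL_BURST - 1] - stamps[i] <= DENIAL_WINDOW:
                findings.append(Finding("REPEATED_DENIALS", badge,
                                        f"{DENIAL_BURST} denials starting {stamps[i]}"))
                break  # one finding per badge is enough for the workpaper
    return findings


if __name__ == "__main__":
    for f in review_access_log(BADGE_LOG_CSV, ROSTER):
        print(f"{f.kind:22} {f.badge_id:6} {f.detail}")
```

Each finding maps to a follow-up the reviewer signs off on: an unknown badge is deactivated at the controller, a terminated badge is traced back to the offboarding checklist, an unauthorized zone grant is corrected in the badge system configuration, and after-hours or repeated-denial events are confirmed with the cardholder's manager. Keeping the script's output with the signed review is exactly the kind of evidence the "Common gotchas" section says auditors look for.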

Common gotchas

Organizations often collect access logs but never review them—a monthly review procedure document with evidence of actual sign-offs is required. Co-located or cloud-only companies frequently skip this control entirely, not realizing the provider's SOC 2 report is compensating evidence, not a replacement; you must still have a process to request and review it annually.