Overview
Physical Access Control is the process used to restrict, monitor, and review physical entry to company facilities where systems and sensitive data are located. It ensures that only authorized individuals can access secured areas and that access is reviewed regularly to meet SOC 2 CC6.4 and CC6.5 requirements.
Step-by-Step Process
Identify secured facilities and areas
The Facilities Manager maintains a list of all offices, data rooms, and secured areas that require controlled physical access. This list is reviewed monthly and updated for new locations or layout changes. The output is an approved inventory of secured physical locations.
Role: Facilities Manager
Review authorized access list
The Facilities Manager reviews the list of individuals with physical access to each secured area, including employees, contractors, and vendors. Access lists are validated against current HR records and vendor agreements. The output is a confirmed or updated authorized access list.
Role: Facilities Manager
Validate access against role and need
Each individual’s physical access is evaluated to ensure it aligns with their job role and business need. Any excessive or inappropriate access is flagged for removal. The output is a list of access changes to be applied.
Role: Facilities Manager
Remove terminated or transferred access
Physical access for terminated employees and for staff whose roles have changed is revoked in the access control system. This step ensures that access removal aligns with the HR termination or transfer date rather than lagging behind it. The output is a system log showing the access deactivation.
Role: Facilities Manager
Review physical access logs
The Facilities Manager reviews door access logs for unusual or unauthorized access attempts during the review period. Any anomalies are documented and investigated. The output is a completed access log review record.
Role: Facilities Manager
Document review and retain evidence
All review results, changes made, and approvals are documented and stored in the compliance evidence repository. Documentation is dated and includes reviewer name and review period. The output is a complete monthly physical access review record.
Role: Facilities Manager
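The review steps above reduce to two reconciliations: the access system's active user list against HR records and role-based need, and the door access logs against business hours and termination dates. The following Python script is an added example, not part of the original procedure or of any Kisi, Brivo or HID tooling. The CSV column names, the sample users, the role-to-area mapping and the business-hours window are all constructed assumptions; in practice they would be replaced by the real exports produced in the steps above.

```python
"""Reconcile a physical access export against HR records and scan door
access logs for anomalies, as a helper for the monthly review.
All data and column names below are constructed assumptions, not a real
Kisi/Brivo/HID export format."""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed sample export from the access control system (assumed columns).
ACCESS_EXPORT = """email,name,status,places
alice@example.com,Alice Ng,active,HQ Server Room;HQ Office
bob@example.com,Bob Ortiz,active,HQ Office
carol@example.com,Carol Smith,active,HQ Server Room
dave@example.com,Dave Lee,active,HQ Office
erin@example.com,Erin Park,disabled,HQ Server Room
"""

# Constructed sample HR roster (assumed columns); end_date is ISO 8601.
HR_ROSTER = """email,employment_status,role,end_date
alice@example.com,active,Systems Administrator,
bob@example.com,terminated,Sales Associate,2024-05-10
carol@example.com,active,Sales Associate,
erin@example.com,terminated,Systems Administrator,2024-04-01
"""

# Constructed sample door log export (assumed columns).
DOOR_LOG = """timestamp,door,email,result
2024-05-03T09:12:00,HQ Server Room,alice@example.com,granted
2024-05-03T22:47:00,HQ Server Room,carol@example.com,granted
2024-05-04T02:15:00,HQ Server Room,unknown-badge-7781,denied
2024-05-04T02:16:00,HQ Server Room,unknown-badge-7781,denied
2024-05-04T02:17:00,HQ Server Room,unknown-badge-7781,denied
2024-05-12T10:05:00,HQ Office,bob@example.com,granted
"""

# Roles with a business need for each secured area (assumption). Areas not
# listed here are treated as general-access and are not checked for need.
AREA_ROLES = {
    "HQ Server Room": {"Systems Administrator", "Facilities Manager"},
}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_access(access_text, hr_text, area_roles):
    """Return (email, finding, detail) tuples for steps 2-3 of the review:
    active users missing from HR, terminated users still active, and
    access to a secured area that the person's role does not need."""
    hr = {r["email"]: r for r in parse_csv(hr_text)}
    findings = []
    for user in parse_csv(access_text):
        if user["status"] != "active":
            continue  # already deactivated; nothing to revoke
        email = user["email"]
        record = hr.get(email)
        if record is None:
            findings.append((email, "not_in_hr", "no HR record; check contractor/vendor agreement"))
            continue
        if record["employment_status"] == "terminated":
            findings.append((email, "terminated_active", f"HR end date {record['end_date']}"))
            continue
        for place in user["places"].split(";"):
            allowed = area_roles.get(place)
            if allowed and record["role"] not in allowed:
                findings.append((email, "excessive_access", f"{place} not needed for role {record['role']}"))
    return findings


def review_door_logs(log_text, hr_text, start_hour=7, end_hour=19, denied_threshold=3):
    """Return (who, anomaly, detail) tuples for step 5: entries outside the
    assumed business-hours window, entries after an HR end date, and repeated
    denied attempts by the same credential at the same door."""
    hr = {r["email"]: r for r in parse_csv(hr_text)}
    anomalies = []
    denied = Counter()
    for row in parse_csv(log_text):
        ts = datetime.fromisoformat(row["timestamp"])
        who, door = row["email"], row["door"]
        if row["result"] == "denied":
            denied[(who, door)] += 1
            continue
        if not (start_hour <= ts.hour < end_hour):
            anomalies.append((who, "after_hours", f"{door} at {ts.isoformat()}"))
        record = hr.get(who)
        if (record and record["employment_status"] == "terminated" and record["end_date"]
                and ts.date() > date.fromisoformat(record["end_date"])):
            anomalies.append((who, "access_after_termination", f"{door} at {ts.isoformat()}"))
    for (who, door), n in denied.items():
        if n >= denied_threshold:
            anomalies.append((who, "repeated_denied", f"{n} denied attempts at {door}"))
    return anomalies


if __name__ == "__main__":
    for item in reconcile_access(ACCESS_EXPORT, HR_ROSTER, AREA_ROLES):
        print("ACCESS ", *item)
    for item in review_door_logs(DOOR_LOG, HR_ROSTER):
        print("LOG    ", *item)
```

On the constructed data the reconciliation flags one terminated user still active, one role without a need for the server room, and one active credential with no HR record (the case the review must resolve against a contractor or vendor agreement); the log review flags an after-hours entry, an entry after an HR end date, and a burst of denied attempts by one credential. Each line of output is the kind of item that becomes an access change in step 3 or an investigated anomaly in step 5, and the script's output can be retained alongside the exports as review evidence.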
What You Need Before Starting
- Current employee roster from HR system
- List of active contractors and vendors with facility access
- Access control system administrator credentials (Kisi, Brivo, or HID)
- Inventory of secured facilities and access points
Evidence Your Auditor Expects
- Monthly physical access review document dated with reviewer signature
- Screenshot of access control user list showing active users with timestamp
- Access removal log showing terminated user deactivation with date
- Door access log export for the review period with timestamps
How This Looks In Your Tools
Kisi
Log in to the Kisi Admin Dashboard and navigate to Users > All Users to review active users with physical access. Filter by location or group to match secured areas and export the user list using the Export button for review documentation.
Next, go to Places > Doors and select a door to review Access Logs. Use the date filter to cover the monthly review period and export logs as a CSV. For access removal, open the user profile, select Access, and remove the relevant place or group, ensuring the change is saved and reflected in the audit log.
Brivo
Access the Brivo Onair Admin Portal and navigate to Users to review all active credential holders. Use the Filters option to sort by access group or door to validate access appropriateness and export the list via Reports > User Report.
To review logs, go to Reports > Activity Log, set the date range for the monthly period, and generate the report. For removals, open the user record, disable credentials or remove them from access groups, and confirm changes are saved with the correct timestamp.
HID
Log in to the HID Access Control Manager and navigate to Personnel > Persons to review individuals with active badges. Cross-check access levels assigned under Access Levels and export the personnel report for evidence.
For log review, go to Monitoring > Event Logs and filter by door and date range for the monthly review. To revoke access, deactivate the badge or remove assigned access levels from the person record and save changes, ensuring the event is logged.
Common Audit Findings
- Terminated employees retain physical access
  - This occurs when HR termination notifications are not promptly reflected in access systems. Prevent this by performing monthly access reviews and aligning them with HR offboarding reports.
- No documented access reviews
  - Organizations often perform reviews informally without saving evidence. Always document the review, include dates and reviewer name, and retain it in the evidence repository.
- Excessive access privileges
  - Access accumulates over time as roles change without reassessment. Prevent this by validating access against current job roles during each monthly review.
- Missing or incomplete access logs
  - Logs may not be retained or exported consistently. Ensure monthly log exports are generated and stored with timestamps covering the full review period.