SOC 2 CC6.4: Physical Access Restriction
CC6.4 requires organizations to control who can physically access sensitive facilities and assets like data centers and backup storage. For SMBs managing compliance, this means implementing access controls that prevent unauthorized personnel from reaching critical infrastructure. Getting this right protects your data and demonstrates strong security posture to auditors.
What this means
Physical access restriction means limiting entry to facilities, server rooms, data centers, and storage locations where sensitive information and systems reside. Only authorized personnel should be able to reach these areas. This control ensures that unauthorized individuals cannot compromise, steal, or damage your data or infrastructure through physical means. It applies to all locations where you store protected information assets, including remote offices and backup media storage.
How to comply
- 1.Identify all physical locations containing sensitive data or systems (data centers, server rooms, network closets, backup storage areas)
- 2.Document which personnel require access to each location based on job role and responsibilities
- 3.Implement access controls such as badge readers, biometric systems, or key card entry systems
- 4.Maintain an access control list (ACL) that tracks who has authorization to each facility
- 5.Conduct regular access reviews to ensure only current, authorized employees retain access
- 6.Remove access immediately when employees are terminated or change roles
- 7.Monitor and log all physical access attempts to sensitive areas
- 8.Conduct periodic audits of physical security measures and access logs
- 9.Train employees on physical security policies and the importance of not sharing access credentials
Evidence auditors look for
- Access control system logs showing badge swipes and entry/exit records
- Physical access authorization forms signed by managers approving employee access
- Updated access control lists (ACLs) listing authorized personnel per facility
- Termination checklists documenting removal of physical access for departed employees
- Facility security policies describing physical access requirements
- Badge or key card inventory records
- Security camera footage from restricted areas
- Access review reports completed quarterly or annually
- Visitor log records showing who entered restricted areas and when
- Lock maintenance and repair records for physical security devices
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access review workflows and maintains audit-ready logs of your physical access authorizations, so you can demonstrate compliance to auditors without manual spreadsheet tracking.
See how GRCWatch handles this control automatically
Start free trial