Does a physical barrier fully enclose the physical space, preventing unauthorized physical contact with any of your devices?
Explanation
Physical containment is what reviewers want evidence of here: a barrier that fully encloses the space and blocks any unauthorized physical contact with your devices.
Why it matters: Physical security is a fundamental layer of information security. Even with the strongest digital security controls, if someone can physically access your servers or network equipment, they could potentially:
- Install malicious hardware devices
- Extract storage media containing sensitive data
- Tamper with hardware configurations
- Cause service disruptions through physical damage
- Bypass logical security controls entirely
In security assessments, this question helps evaluators understand if you've implemented basic physical security measures to protect your infrastructure from unauthorized access, theft, tampering, or damage. Physical security is often required by regulations like PCI DSS, HIPAA, and various ISO standards.
How to best answer:
- Describe the physical barriers in place (walls, access-controlled doors, security cages, etc.)
- Explain how these barriers completely enclose the equipment
- Mention any additional physical security controls that complement these barriers
- If using a third-party datacenter, reference their physical security measures and compliance certifications
Example Responses
Example Response 1
Yes, our production servers are housed in a dedicated datacenter facility with multiple layers of physical security The servers are contained within locked cabinets inside a secure server room that has floor-to-ceiling walls and requires both keycard and biometric authentication for entry The datacenter building itself has 24/7 security personnel, CCTV monitoring, and mantrap entry points No unauthorized personnel can physically contact any of our devices without passing through at least four separate physical access controls.
Example Response 2
Yes, we utilize Amazon Web Services (AWS) for our infrastructure, which maintains ISO 27001 certified datacenters According to AWS's security documentation, their facilities feature layered security measures including physical barriers that fully enclose computing equipment Their datacenters have security perimeters with professional security staff, video surveillance, intrusion detection, and multi-factor access controls As a cloud customer, we have no physical access to the underlying hardware, and AWS maintains complete physical separation between their equipment and unauthorized personnel.
Example Response 3
Partial Our primary servers are in a secure colocation facility with appropriate physical barriers, but we maintain a small development environment in our office While this development environment is in a dedicated server closet with a locked door, the walls do not extend fully to the ceiling due to building constraints, which technically means the physical barrier doesn't completely enclose the space We mitigate this risk by having the server closet within our access-controlled office space and by not storing any production or sensitive data on these development servers.
Context
- Tab
- Infrastructure
- Category
- Datacenter
Related questions
- Select your hosting option.
- Is a SOC 2 Type 2 report available for the hosting environment?
- Are you generally able to accommodate storing each institution's data within its geographic region?
- Are the data centers staffed 24 hours a day, seven days a week (i.e., 24 x 7 x 365)?
- Are your servers separated from other companies via a physical barrier, such as a cage or hard walls?
- Are your primary and secondary data centers geographically diverse?

