Does your organization implement physical security controls to monitor facilities and restrict unauthorized access?
Explanation
Physical security controls are essential for protecting sensitive assets, data, and personnel from unauthorized physical access. These controls typically include security guards, surveillance cameras, access control systems (key cards, biometric scanners), alarm systems, and locked entrances/exits to create layers of protection around your facilities.
Evidence of compliance could include a physical security policy document, photographs of implemented controls (without revealing security vulnerabilities), access control logs, security guard schedules, maintenance records for physical security systems, or a floor plan showing the placement of security cameras and other physical controls.
Implementation Example
Use security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access.
ID: PR.AA-06.211
Context
- Function
  - PR: PROTECT
- Category
  - PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
  - Physical access to assets is managed, monitored, and enforced commensurate with risk
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?