SOC 2 CC6.4: Logical and Physical Access - Physical Access Restrictions
What This Control Requires
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.
In Plain Language
Someone with physical access to your server can bypass every firewall and logical access policy you've built, and on a running machine the disk encryption keys are already loaded in memory. That's why auditors still care about physical security even in a world of cloud infrastructure.
In practice, this means restricting who can walk into data centres, server rooms, network closets, backup storage areas, and any space where physical access could compromise your systems. Authorised personnel only, with logs and monitoring to prove it.
If you're fully cloud-hosted, the scope narrows but doesn't disappear. Your cloud provider's SOC 2 report covers their data centres, but you still own physical security for your offices, any on-premises equipment, and physical media. Auditors will want to see that you've verified your provider's controls - not just assumed they're adequate.
How to Implement
Start with a physical security assessment. Identify every location that houses or provides access to sensitive systems: data centres (owned or colocated), server rooms, network closets, offices where sensitive data is accessed, backup media storage, and any branch offices.
Match physical access controls to the risk level of each location. Data centres and server rooms need electronic access control (badge readers or biometric), visitor management, video surveillance, and environmental monitoring. Office spaces need badge access, visitor escort policies, and secure areas for sensitive work.
Maintain a clear list of who's authorised for each secure area. Get facility manager or security team approval based on job requirements. Review the list on a fixed cadence (quarterly is typical) by reconciling it against the HR roster and the badge system's own configuration, and revoke access immediately when someone leaves or no longer needs it; tie the revocation to the offboarding process rather than relying on someone remembering to do it.
Put monitoring in place for sensitive areas: CCTV at entry and exit points, access logs recording who entered and when, alarm systems for unauthorised access attempts, and regular review of both logs and footage.
For cloud-hosted environments, obtain your provider's SOC 2 Type 2 report (or equivalent), confirm that its physical security controls and audit period cover your needs, and read the complementary user entity controls section: it lists what the provider expects you to do on your side. Document the shared responsibility model clearly. Keep your own physical security tight for any on-premises components.
Set up visitor management for secure areas. Pre-approve visitors, sign them in and out, escort them in sensitive zones, and log every visit. Temporary badges should look visibly different from employee badges and be collected on departure.
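The authorisation-list review and the access-log review above are usually done by hand in a spreadsheet, but the reconciliation itself is mechanical. The script below is an added example (not from this article, and not tied to any particular badge system): it takes constructed exports of an HR roster, a badge-system authorisation list, and a door-controller event log, then flags badges held by terminated or unknown people, granted entries after a termination date, entries into areas the badge isn't authorised for, and events from badges missing from the authorisation export. The CSV layouts, door names, and employee IDs are assumptions made for illustration.

```python
"""Reconcile a badge-system export against the HR roster and door logs.

Added example, not from the original article. All data below is constructed
for illustration; the CSV layouts, door names and employee IDs are
assumptions, not any real badge system's export format.
"""
import csv
import io
from datetime import date, datetime, timezone

# Constructed HR roster export. 'terminated' holds an ISO date or is empty.
HR_ROSTER_CSV = """employee_id,name,status,terminated
E100,Alice Ng,active,
E101,Bob Lee,terminated,2024-05-31
E102,Carol Diaz,active,
"""

# Constructed badge-system authorisation export: one row per badge,
# areas separated by ';'. E999 is not in the HR roster (orphaned badge).
BADGE_AUTH_CSV = """badge_id,employee_id,areas
B-1,E100,office;server-room
B-2,E101,office;server-room
B-3,E102,office
B-4,E999,office;server-room
"""

# Constructed door-controller event log (UTC timestamps).
DOOR_EVENTS_CSV = """timestamp,badge_id,door,result
2024-06-03T08:02:11Z,B-1,server-room,granted
2024-06-03T08:15:40Z,B-2,server-room,granted
2024-06-03T09:00:05Z,B-3,server-room,denied
2024-06-03T09:01:00Z,B-3,server-room,granted
2024-06-03T10:30:00Z,B-4,server-room,granted
2024-06-03T11:00:00Z,B-9,server-room,granted
"""


def load(csv_text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def event_date(ts):
    """Door-controller timestamps are ISO-8601 UTC; return the calendar date."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date()


def stale_authorizations(roster, badges):
    """Badges whose holder is terminated or unknown to HR. Each is a revocation."""
    people = {r["employee_id"]: r for r in roster}
    findings = []
    for b in badges:
        person = people.get(b["employee_id"])
        if person is None:
            findings.append((b["badge_id"], "orphan: employee not in HR roster"))
        elif person["status"] != "active":
            findings.append((b["badge_id"], f"holder terminated {person['terminated']}"))
    return findings


def suspicious_entries(roster, badges, events):
    """Granted entries that contradict the authorisation list or HR status."""
    people = {r["employee_id"]: r for r in roster}
    badge_map = {b["badge_id"]: b for b in badges}
    findings = []
    for e in events:
        if e["result"] != "granted":
            continue  # denied attempts are reviewed separately as alarm events
        badge = badge_map.get(e["badge_id"])
        if badge is None:
            findings.append((e["timestamp"], e["badge_id"], "badge not in authorisation export"))
            continue
        if e["door"] not in badge["areas"].split(";"):
            # The door controller let the badge in, so its config has drifted
            # from the approved list; that is itself an audit finding.
            findings.append((e["timestamp"], e["badge_id"],
                             f"entered {e['door']} but only authorised for {badge['areas']}"))
        person = people.get(badge["employee_id"])
        if person is None:
            findings.append((e["timestamp"], e["badge_id"], "orphan badge used"))
        elif person["terminated"] and event_date(e["timestamp"]) > date.fromisoformat(person["terminated"]):
            findings.append((e["timestamp"], e["badge_id"],
                             f"used after termination on {person['terminated']}"))
    return findings


def run_review():
    """Run both checks over the constructed exports and return the findings."""
    roster, badges, events = load(HR_ROSTER_CSV), load(BADGE_AUTH_CSV), load(DOOR_EVENTS_CSV)
    return {
        "stale": stale_authorizations(roster, badges),
        "entries": suspicious_entries(roster, badges, events),
    }


if __name__ == "__main__":
    for section, rows in run_review().items():
        print(section)
        for row in rows:
            print("  ", *row)
```

Run at each review cycle, the first list is the set of revocations to perform and the second is what to take to the CCTV footage for the corresponding timestamps. Keep the script's output alongside the signed-off review as evidence that the review actually happened.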
Evidence Your Auditor Will Request
- Physical security assessment documenting all sensitive locations and applied controls
- Physical access authorization lists for data centers, server rooms, and sensitive areas
- Access control system logs showing entry/exit records for secured areas
- Video surveillance records and evidence of regular footage review
- Visitor management procedures and visitor logs for sensitive facilities
Common Mistakes
- Physical access lists include former employees or individuals who no longer need facility access
- Server rooms or network closets lack electronic access control, relying on physical keys without audit trails
- Visitor management procedures are not consistently followed, allowing unescorted access to sensitive areas
- Video surveillance exists but footage is not retained long enough or reviewed regularly
- Cloud provider physical security controls are assumed without verification through SOC reports or audits
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| ISO 27001:2022 | A.7.1 Physical security perimeters | Equivalent |
| ISO 27001:2022 | A.7.2 Physical entry | Related |
| ISO 27001:2022 | A.7.3 Securing offices, rooms and facilities | Related |
| NIST CSF | PR.AA-02 | Related |
Frequently Asked Questions
We are fully cloud-based with no data centers. Does CC6.4 still apply?
How long should we retain physical access logs?
Do we need biometric access controls?
Related Articles
- The True Cost of Compliance: DIY vs Consultant vs Platform (2026): a realistic comparison of three compliance approaches - DIY spreadsheets, hiring a consultant, or using a platform - with costs, timelines, and tradeoffs.
- ISO 27001 vs SOC 2: Which Do You Need?: a clear comparison of ISO 27001 and SOC 2 - key differences, when to choose which, where they overlap, and whether you should pursue both.
- SOC 2 for Startups: When You Need It and How to Get Started: a practical guide for startup founders and CTOs on SOC 2 compliance - when it's actually required, Type 1 vs Type 2, realistic costs, and a readiness checklist.