
Physical access controls — secure areas, entry monitoring, asset protection

Primary statement

Physical access control combines: (1) continuous monitoring of premises for unauthorised physical access (ISO 27001 A.7.4); (2) secure areas protected by entry controls and controlled access points (ISO 27001 A.7.2); (3) physical and logical access rules derived from business and information security requirements (ISO 27001 A.5.15); (4) physical access to assets managed, monitored and enforced commensurate with risk (NIST CSF PR.AA-06); (5) physical permissions managed together with logical access permissions (NIST CSF PR.AA-05). The physical layer underlies the logical layer: a compromised data centre defeats the strongest network controls, because an attacker with hands on the hardware no longer needs to cross them.

Audit-fatigue payoff

A single physical access programme (secure area zoning, entry control systems, continuous monitoring, visitor management and asset tracking) satisfies the physical-security requirements of all 9 contributing frameworks at once. The continuous-monitoring evidence is the audit-defensible anchor.

Strictness matrix

Scope
Continuous monitoring of premises for unauthorised physical access. ALL premises are in scope: data centres, offices, branches and secure storage areas. Monitoring is continuous, not periodic.
Ceiling source: iso27001:A.7.4. Rationale: the ISO 27001 A.7.4 continuous-monitoring scope is the strictest specification.
Threshold
Secure areas protected by APPROPRIATE entry controls AND controlled access points. Two-factor entry for high-sensitivity areas (badge plus biometric, or badge plus PIN). Tailgating prevention at every controlled access point. Visitor escort in sensitive areas.
Ceiling source: iso27001:A.7.2. Rationale: the ISO 27001 A.7.2 entry-control and access-point requirement is the most comprehensive threshold.
Method
(1) physical access policy with zone classification (Public / Internal / Restricted / Secure); (2) entry controls per zone, with strength commensurate with the zone's risk; (3) continuous CCTV monitoring with defined retention; (4) physical access logs centralised so they can be correlated with logical access logs; (5) visitor management with escort in sensitive areas; (6) integration with the HR joiner/mover/leaver (JML) process, so that physical access is revoked at termination on the same day as logical access; (7) periodic physical access review.
Ceiling source: nist_csf:PR.AA-06. Rationale: NIST CSF PR.AA-06 ("managed, monitored, and enforced commensurate with risk") is the audit-defensible articulation of the method.
Frequency
Monitoring: continuous (CCTV actively watched for high-sensitivity areas, not merely recorded). Physical access review: annual and on role change, run in parallel with the logical access review. Visitor management: per visit. CCTV retention check: per the retention policy.
Ceiling source: iso27001:A.7.4. Rationale: continuous monitoring per ISO 27001 A.7.4 is the floor the unified programme must meet.
Evidence
Required evidence: (1) physical access policy with zone classification; (2) entry-control configuration per zone; (3) CCTV monitoring evidence and retention settings; (4) centralised physical access logs; (5) visitor management records; (6) a sample physical access review with its revocation evidence; (7) evidence of HR JML integration (termination records matched to badge deactivation timestamps).
Ceiling source: iso27001:A.7.4. Rationale: ISO 27001 A.7.4 evidence, including CCTV monitoring, is the audit-defensible specification.

Auditor test pattern

Step 1: Inspect the physical access policy and its zone classification.
Step 2: For one data centre or sensitive area, verify the entry controls (badge plus biometric, or an equivalent second factor).
Step 3: Verify that CCTV monitoring is continuous and that retention matches the policy.
Step 4: Sample 3 visitor records; verify that identification was checked and an escort was assigned.
Step 5: For one recent termination, verify that the badge deactivation timestamp falls on the same day as the logical account disablement.
Step 6: Inspect the most recent (annual) physical access review and the revocations it produced.
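As an added example that is not part of the original page: a Python reconciliation of an HR leaver export, IdP account-disablement timestamps, and a physical access control system (PACS) credential export plus swipe log, implementing Method step (6) and auditor Step 5 at scale rather than for one sampled termination. The record layouts, field names, badge and door identifiers and the key=value swipe-log format are all constructed for the example and do not correspond to any vendor's real export; a real PACS export needs its own parser in place of `parse_swipe_log`.

```python
"""Termination reconciliation across HR, IdP and the physical access
control system (PACS). Added example with constructed sample data;
field names, badge/door identifiers and the swipe-log format are
assumptions, not any vendor's real export format."""
import re
from datetime import date, datetime

# Constructed HR leaver export (hypothetical field names).
HR_LEAVERS = [
    {"employee_id": "E1001", "termination_date": "2025-03-03"},
    {"employee_id": "E1002", "termination_date": "2025-03-05"},
    {"employee_id": "E1003", "termination_date": "2025-03-10"},
]

# Constructed IdP account-disablement timestamps, keyed by employee.
LOGICAL_DISABLED = {
    "E1001": "2025-03-03T17:42:00",
    "E1002": "2025-03-05T18:05:00",
    "E1003": "2025-03-10T16:30:00",
}

# Constructed PACS credential export: one row per badge.
PACS_CREDENTIALS = [
    {"badge_id": "B-44121", "employee_id": "E1001", "status": "inactive",
     "deactivated_at": "2025-03-03T17:50:00"},
    {"badge_id": "B-44122", "employee_id": "E1002", "status": "active",
     "deactivated_at": None},
    {"badge_id": "B-44123", "employee_id": "E1003", "status": "inactive",
     "deactivated_at": "2025-03-12T09:00:00"},
]

# Constructed PACS swipe log (key=value lines, a made-up format).
PACS_SWIPE_LOG = """\
2025-03-03T08:01:12 badge=B-44121 door=DC1-CAGE-A result=GRANTED
2025-03-06T07:58:40 badge=B-44122 door=HQ-LOBBY result=GRANTED
2025-03-06T08:02:03 badge=B-44122 door=DC1-CAGE-A result=GRANTED
2025-03-11T09:15:22 badge=B-44123 door=HQ-LOBBY result=DENIED
"""

SWIPE_RE = re.compile(
    r"^(?P<ts>\S+) badge=(?P<badge>\S+) door=(?P<door>\S+) result=(?P<result>\S+)$"
)


def parse_swipe_log(text):
    """Parse swipe lines into dicts with a datetime 'ts'; reject junk loudly."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SWIPE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable swipe line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def reconcile_terminations(hr_leavers, logical_disabled, pacs_credentials, swipes):
    """Return one finding per badge of a leaver that breaks the same-day rule."""
    badges_by_emp = {}
    for cred in pacs_credentials:
        badges_by_emp.setdefault(cred["employee_id"], []).append(cred)

    findings = []
    for leaver in hr_leavers:
        emp = leaver["employee_id"]
        term_date = date.fromisoformat(leaver["termination_date"])
        logical_ts = logical_disabled.get(emp)
        logical_date = datetime.fromisoformat(logical_ts).date() if logical_ts else None

        for cred in badges_by_emp.get(emp, []):
            issues = []
            if cred["status"] == "active" or cred["deactivated_at"] is None:
                issues.append("badge still active after termination")
            else:
                phys_date = datetime.fromisoformat(cred["deactivated_at"]).date()
                if phys_date > term_date:
                    lag = (phys_date - term_date).days
                    issues.append(f"badge deactivated {lag} day(s) after termination")
                if logical_date is not None and phys_date != logical_date:
                    issues.append("physical and logical revocation dates differ")

            # A granted swipe after the termination day proves the credential
            # was still usable, whatever the export claims.
            doors = sorted({
                ev["door"] for ev in swipes
                if ev["badge"] == cred["badge_id"]
                and ev["result"] == "GRANTED"
                and ev["ts"].date() > term_date
            })
            if doors:
                issues.append("granted swipes after termination at: " + ", ".join(doors))

            if issues:
                findings.append({"employee_id": emp, "badge_id": cred["badge_id"],
                                 "issues": issues})
    return findings


def run_reconciliation():
    """Wire the constructed exports together; returns the findings list."""
    return reconcile_terminations(
        HR_LEAVERS, LOGICAL_DISABLED, PACS_CREDENTIALS, parse_swipe_log(PACS_SWIPE_LOG)
    )


if __name__ == "__main__":
    for f in run_reconciliation():
        print(f"{f['employee_id']} {f['badge_id']}: " + "; ".join(f["issues"]))
```

On the constructed data, E1001 passes (badge and account both disabled on the termination day), E1002 is the classic finding (badge still active and used at a Secure-zone door the day after leaving), and E1003 is the subtler one: the badge was eventually disabled, but two days late, so the same-day rule is still broken even though the later swipe was denied. The swipe-log check matters because a credential export can be wrong or stale; the door log is the ground truth an auditor will trust.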

Common findings

Common 2024–26 findings: (1) single-factor badge access to sensitive areas; (2) CCTV installed but not actively monitored (recording only); (3) informal visitor management with no record of identification or escort; (4) physical access not revoked at termination, leaving badges active and usable; (5) physical access review absent, or decoupled from the logical access review so that the two are never reconciled.