A.7.4 / PE-3 / CIS-13.3 ISO/IEC 27001:2022 Annex A

Annual physical security review

Demonstrate that the organization conducts a comprehensive, documented review of physical security controls at least annually, identifies deficiencies, and remediates findings within defined timelines.

Description

What this control does

An annual physical security review is a scheduled, systematic assessment of all physical controls protecting facilities, data centers, server rooms, and network equipment against unauthorized physical access and environmental hazards. The review evaluates the effectiveness of access controls, surveillance systems, environmental controls, visitor management, badge systems, and incident response capabilities against current threat landscapes and business changes. This control ensures physical safeguards remain effective despite personnel turnover, facility modifications, evolving threats, and changes to asset locations or criticality.

Control objective

What auditing this proves

Demonstrate that the organization conducts a comprehensive, documented review of physical security controls at least annually, identifies deficiencies, and remediates findings within defined timelines.

Associated risks

Risks this control addresses

  • Unauthorized physical access to facilities containing critical systems or sensitive data due to degraded access controls or outdated authorization lists
  • Theft of, or tampering with, hardware containing unencrypted data or cryptographic material by individuals exploiting surveillance blind spots or inactive cameras
  • Environmental incidents (fire, flood, HVAC failure) causing system outages or data loss due to undetected sensor failures or inadequate environmental monitoring
  • Social engineering attacks allowing tailgating or unauthorized visitor access due to ineffective visitor management processes or untrained reception staff
  • Insider threats exploiting dormant employee badges, unreturned access cards, or stale physical access permissions following role changes or terminations
  • Regulatory non-compliance and audit findings due to undocumented physical security posture or failure to align controls with contractual or compliance requirements
  • Extended recovery times during physical security incidents due to outdated response procedures or unavailable contact information for facility management and law enforcement

Testing procedure

How an auditor verifies this control

  1. Request the most recent annual physical security review report, including scope definition, review methodology, assessment date, and assigned reviewers
  2. Verify the review encompasses all in-scope facilities including data centers, telecommunications rooms, server closets, backup media storage areas, and executive offices housing sensitive information
  3. Examine documentation confirming the review evaluated access control systems (badge readers, locks, biometric systems), surveillance equipment (cameras, recording retention), environmental controls (HVAC, fire suppression, water detection), and visitor management processes
  4. Review evidence that the assessment included physical walkthroughs with photographic documentation, testing of access controls using valid and invalid credentials, and validation of surveillance system functionality and coverage
  5. Verify the review produced a findings register documenting identified deficiencies, assigned risk ratings, responsible remediation owners, and target completion dates
  6. Select a sample of 3-5 findings from the previous year's review and trace remediation evidence including work orders, configuration changes, policy updates, or accepted risk justifications with management approval
  7. Interview the physical security manager or facilities director to confirm the review process includes consultation with IT, HR for personnel changes, and legal/compliance for regulatory requirements
  8. Confirm the review results were presented to senior management or the security steering committee with evidence of meeting minutes, executive acknowledgment, or board reporting

Evidence required

The auditor collects the complete annual physical security review report with scope definition, walkthrough observations, photographic evidence, and access control testing results; the findings register with remediation status and closure evidence for prior-year issues; and meeting minutes or executive briefing materials demonstrating management review and approval of the assessment findings and remediation plans.

Pass criteria

The organization completed a documented physical security review within the past 12 months covering all critical facilities, identified and risk-rated deficiencies, and remediated or accepted all findings with appropriate management approval.
