PE-2 / PE-3 / A.7.1.2 / CIS-6.8 NIST SP 800-53 Rev 5

Badge access list reviewed monthly

Description

What this control does

This control requires a designated security or facilities management team to conduct a monthly review of all active badge access permissions across physical facilities. The review verifies that badge holders still require access based on current job roles, employment status, and business need, and identifies badges that should be deactivated due to terminations, role changes, or transfers. Monthly cadence ensures timely detection of orphaned or inappropriate access rights before they can be exploited.

Control objective

What auditing this proves

Demonstrate that the organization performs documented monthly reviews of physical access badge lists, validates access appropriateness against current personnel records, and remediates identified discrepancies in a timely manner.

Associated risks

Risks this control addresses

  • Terminated employees retain physical access credentials and enter facilities to steal assets, sabotage systems, or exfiltrate data
  • Contractors or temporary workers maintain badge access beyond engagement period, creating unmonitored entry points
  • Employees with changed roles retain access to areas no longer relevant to their duties, violating least privilege and separation of duties principles
  • Dormant or lost badges remain active in access control systems and are used by unauthorized individuals who find or steal them
  • Insider threats exploit unchecked badge privileges to access sensitive areas such as server rooms, executive offices, or research facilities
  • Compliance violations occur when audit trails show access granted to individuals without business justification or current employment relationship
  • Badge cloning or sharing goes undetected when no periodic validation matches physical badge assignments to authorized personnel lists

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's physical access control policy and identify the documented monthly badge review requirement and assigned responsible party
  2. Request badge access review records for the most recent 12-month period, including dated reviewer sign-offs and review completion dates
  3. Select three non-consecutive months from the trailing 12-month period for detailed examination
  4. For each selected month, obtain the badge access list snapshot used during that review, including cardholder names, badge IDs, assigned access zones, and issuance dates
  5. Obtain corresponding human resources records or personnel rosters for the same review dates to validate employment status and job roles of sampled badge holders
  6. Select a sample of 20-30 badge holders from each month's review and trace their access permissions to current job descriptions and facility access authorization forms
  7. Review documented remediation actions from each monthly review, including deactivation records for identified inappropriate access, and verify these changes were implemented in the physical access control system logs
  8. Interview the responsible review personnel to confirm review procedures, criteria for identifying inappropriate access, escalation processes for discrepancies, and system access for performing deactivations

Evidence required

Collect signed monthly badge review reports or logs showing review date, reviewer identity, total badges reviewed, and findings. Obtain access control system exports or reports for sampled months showing active badge assignments and corresponding cardholder details. Gather deactivation logs, change tickets, or system audit trails demonstrating remediation of identified access discrepancies within defined timeframes.

Pass criteria

Badge access reviews were conducted and documented in all 12 of the trailing months with no gaps exceeding 35 days between consecutive reviews, sampled badge holders' access rights align with current employment status and role requirements, and documented exceptions were remediated within 5 business days.
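The reconciliation behind steps 4 to 7 and the two numeric pass criteria (35-day review spacing, 5-business-day remediation), as an added Python example that is not part of this control catalogue or any badge system's tooling. The badge export, HR roster, review dates and field names are constructed sample data and assumptions about what a real export would contain.

```python
from datetime import date, timedelta

# Constructed sample data: a badge-system export and an HR roster snapshot
# taken on the same review date (field names are assumptions, not a real schema).
BADGES = [
    {"badge_id": "B1001", "holder": "alice", "zones": {"lobby", "server_room"}},
    {"badge_id": "B1002", "holder": "bob", "zones": {"lobby"}},
    {"badge_id": "B1003", "holder": "carol", "zones": {"lobby", "server_room"}},
    {"badge_id": "B1004", "holder": "dave", "zones": {"lobby"}},
]
HR_ROSTER = {  # "dave" has no personnel record at all: an orphaned badge
    "alice": {"status": "active", "authorized_zones": {"lobby", "server_room"}},
    "bob": {"status": "terminated", "authorized_zones": set()},
    "carol": {"status": "active", "authorized_zones": {"lobby"}},  # role changed
}

def find_discrepancies(badges, roster):
    """Compare active badges against HR records; return (badge_id, reason) pairs."""
    findings = []
    for b in badges:
        rec = roster.get(b["holder"])
        if rec is None:
            findings.append((b["badge_id"], "no personnel record"))
        elif rec["status"] != "active":
            findings.append((b["badge_id"], f"holder status {rec['status']}"))
        else:
            extra = sorted(b["zones"] - rec["authorized_zones"])
            if extra:  # access beyond the zones the current role authorizes
                findings.append((b["badge_id"], "zones beyond role: " + ",".join(extra)))
    return findings

def review_gaps(review_dates, max_gap_days=35):
    """Return consecutive review-date pairs whose spacing exceeds the limit."""
    ds = sorted(review_dates)
    return [(a, b) for a, b in zip(ds, ds[1:]) if (b - a).days > max_gap_days]

def business_days_between(start, end):
    """Count Monday-to-Friday days after start, up to and including end."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        count += 1 if d.weekday() < 5 else 0
    return count

def late_remediations(items, max_business_days=5):
    """items: (badge_id, date_found, date_deactivated); return ids fixed too late."""
    return [bid for bid, found, fixed in items
            if business_days_between(found, fixed) > max_business_days]
```

Run against a real export, the three functions produce exactly the evidence an auditor samples in steps 6 and 7: the discrepancy list for the month, any cadence gap over 35 days, and any deactivation that overran 5 business days.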
