A.7.2 — Are entry controls (badges, escorts, visitor logs) in place for secure areas?
Demonstrate that entry to all designated secure areas is restricted by functioning physical access controls, visitor management processes are documented and followed, and access events are logged for accountability.
Description
What this control does
This control ensures that physical access to secure areas (server rooms, data centers, restricted offices) is managed through documented entry mechanisms including badge readers, biometric scanners, escort requirements for visitors, and maintained visitor logs. Organizations must define what constitutes a secure area, implement access control systems that record entries and exits, and enforce policies requiring authorized personnel to escort uncleared visitors. Effective implementation prevents unauthorized physical access to critical assets, creates audit trails for forensic investigations, and supports regulatory compliance requirements for data protection and operational security.
Control objective
What auditing this proves
Demonstrate that entry to all designated secure areas is restricted by functioning physical access controls, visitor management processes are documented and followed, and access events are logged for accountability.
Associated risks
Risks this control addresses
- Unauthorized individuals gaining physical access to servers, network equipment, or sensitive paper records without detection
- Social engineering attacks where threat actors tailgate legitimate employees into restricted areas without proper authentication
- Data exfiltration via physical removal of storage media, backup tapes, or hardware containing sensitive information
- Sabotage or destruction of critical infrastructure by malicious insiders or external attackers who bypass perimeter controls
- Compliance violations and regulatory penalties due to inadequate physical safeguards for regulated data (PCI DSS, HIPAA, GDPR)
- Inability to conduct forensic investigations or identify responsible parties after security incidents due to absent access logs
- Theft of proprietary hardware, cryptographic keys, or authentication tokens stored in unsecured physical locations
Testing procedure
How an auditor verifies this control
- Obtain the organization's physical security policy and documented inventory of all locations designated as secure areas requiring entry controls
- Conduct a physical walkthrough of each identified secure area to verify the presence and operational status of badge readers, biometric scanners, or other access control mechanisms at entry points
- Select a representative sample of 10-15 employees with access to secure areas and verify their badge credentials are properly provisioned in the physical access control system with appropriate zone restrictions
- Review visitor access logs for the past 90 days for at least three secure areas, confirming entries include visitor name, sponsoring employee, timestamp, purpose, and sign-out confirmation
- Interview facility security personnel or designated area owners to confirm escort procedures for visitors and verify understanding of protocols for challenging unescorted individuals
- Test badge functionality by attempting access to a secure area with valid credentials and verify the system logs the entry with timestamp, badge ID, and location
- Review evidence that physical access rights are reviewed quarterly and terminated access credentials are promptly disabled (test 5 recent termination cases against badge deactivation records)
- Examine alarm logs or security incident reports for the past year to verify tailgating attempts, forced entry, or policy violations are detected and documented with corrective actions
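An added example, not from the page or any audit standard, of how an auditor could script two of the checks above: the visitor-log completeness review (name, sponsor, timestamp, purpose, sign-out) and the reconciliation of HR termination dates against badge deactivation records. All records are constructed sample data, and the 24-hour deactivation window is an assumed threshold, not one the page specifies.

```python
from datetime import datetime, timedelta

# Fields every visitor-log entry must carry, per the testing procedure above
REQUIRED_VISITOR_FIELDS = ("visitor", "sponsor", "time_in", "purpose", "time_out")

# Constructed sample visitor log (not real data): one complete entry,
# one with no sign-out recorded, one with no sponsoring employee
VISITOR_LOG = [
    {"area": "DC-1", "visitor": "J. Doe", "sponsor": "emp042",
     "time_in": "2024-03-04T09:02", "purpose": "HVAC maintenance",
     "time_out": "2024-03-04T11:30"},
    {"area": "DC-1", "visitor": "A. Smith", "sponsor": "emp017",
     "time_in": "2024-03-05T14:10", "purpose": "Audit walkthrough",
     "time_out": ""},
    {"area": "NOC", "visitor": "K. Lee", "sponsor": "",
     "time_in": "2024-03-06T08:45", "purpose": "Vendor visit",
     "time_out": "2024-03-06T10:00"},
]

def visitor_log_findings(entries):
    """Return (row index, missing field names) for every incomplete entry."""
    findings = []
    for i, entry in enumerate(entries):
        missing = [f for f in REQUIRED_VISITOR_FIELDS if not entry.get(f)]
        if missing:
            findings.append((i, missing))
    return findings

# Constructed HR termination times and badge-system deactivation events
# (employee ids are placeholders); emp103 was never deactivated at all
TERMINATIONS = {"emp101": "2024-02-01T17:00", "emp102": "2024-02-10T17:00",
                "emp103": "2024-02-20T17:00"}
BADGE_DEACTIVATIONS = {"emp101": "2024-02-01T17:30", "emp102": "2024-02-14T09:00"}

def deactivation_findings(terminations, deactivations, max_delay=timedelta(hours=24)):
    """Flag terminated badge holders whose badge was not disabled within max_delay."""
    findings = {}
    for emp, term in terminations.items():
        deact = deactivations.get(emp)
        if deact is None:
            findings[emp] = "badge still active"
            continue
        delay = datetime.fromisoformat(deact) - datetime.fromisoformat(term)
        if delay > max_delay:
            hours = int(delay.total_seconds() // 3600)
            findings[emp] = f"deactivated {hours}h after termination"
    return findings

if __name__ == "__main__":
    print(visitor_log_findings(VISITOR_LOG))
    print(deactivation_findings(TERMINATIONS, BADGE_DEACTIVATIONS))
```

Each finding maps back to a specific log row or employee id, which is the evidence an auditor records alongside the sampled population size.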