Visitor escort + sign-in
Demonstrate that all visitors to secure facilities are consistently identified, logged, issued temporary credentials, and escorted by authorized personnel in accordance with documented policy.
Description
What this control does
Visitor escort and sign-in controls require that all non-employees entering secure facilities be registered at reception, issued temporary identification, and accompanied by authorized personnel throughout their visit. The system typically includes a visitor log (physical or electronic), badge issuance process, and defined escort responsibilities that prevent unauthorized access to sensitive areas. This control creates accountability, ensures visitors remain in authorized zones, and provides an audit trail for all physical access by third parties.
Control objective
What auditing this proves
Demonstrate that all visitors to secure facilities are consistently identified, logged, issued temporary credentials, and escorted by authorized personnel in accordance with documented policy.
Associated risks
Risks this control addresses
- Unauthorized individuals gain physical access to facilities housing critical IT infrastructure or sensitive data
- Visitors wander into restricted areas containing servers, network equipment, or confidential information without supervision
- Social engineering attacks where malicious actors impersonate legitimate visitors to gain internal access
- Theft or tampering with physical assets (workstations, storage media, network devices) by unescorted visitors
- Insider threats facilitated by visitors who collude with employees to bypass security controls
- Lack of accountability and forensic traceability when physical security incidents occur involving external parties
- Regulatory non-compliance with physical security requirements under frameworks requiring visitor management
Testing procedure
How an auditor verifies this control
- Obtain the documented visitor management policy including sign-in procedures, escort requirements, and badge issuance protocols
- Identify all facility entry points and verify visitor access controls are consistently applied at each location
- Review visitor logs (physical or electronic system records) for a 90-day period to assess completeness of required fields including name, company, host employee, entry/exit times, and purpose of visit
- Select a sample of 20-25 visitor entries spanning different dates, times, and facility locations and verify each includes documented host assignment and escort confirmation
- Interview 3-5 employees designated as visitor escorts to confirm understanding of escort responsibilities, restricted areas, and procedures for visitors who separate from escorts
- Conduct an unannounced observation at the main reception area during business hours to witness real-time visitor check-in, badge issuance, and escort handoff procedures
- Test badge return procedures by reviewing log entries for badge retrieval upon visitor departure and reconcile outstanding badges against current visitors in the facility
- Verify technical controls by testing visitor badge permissions at secured doors to confirm badges grant only temporary, limited access to authorized areas
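The log-review and badge-reconciliation steps above are the part of this procedure an auditor can run against an exported visitor log rather than by hand. The script below is an added example written for this page, not code from any visitor management product; it assumes a CSV export with the column names shown (visitor_name, company, host_employee, entry_time, exit_time, purpose, badge_id, escort_confirmed, badge_returned), and the sample rows are constructed. It flags entries missing required fields or escort confirmation, reports badges that were never reconciled at departure, and catches exit times recorded before entry times.

```python
"""Visitor-log completeness and badge reconciliation check (added example).

Assumes a CSV export with the columns below; the data is constructed for
illustration and does not come from a real facility.
"""
import csv
import io
from datetime import datetime

# Constructed sample export. Column layout is an assumption about the system.
SAMPLE_LOG = """\
visitor_name,company,host_employee,entry_time,exit_time,purpose,badge_id,escort_confirmed,badge_returned
Alice Example,Acme Corp,j.smith,2024-03-04 09:05,2024-03-04 11:40,Vendor meeting,V-1001,yes,yes
Bob Example,,r.lee,2024-03-04 13:00,2024-03-04 14:15,Interview,V-1002,yes,yes
Carol Example,Beta LLC,,2024-03-05 10:30,,Audit fieldwork,V-1003,no,no
Dan Example,Gamma Inc,m.chen,2024-03-06 08:50,2024-03-06 09:30,Delivery,V-1004,yes,no
Eve Example,Delta Ltd,p.ortiz,2024-03-07 15:00,2024-03-07 14:10,Site tour,V-1005,yes,yes
"""

# Fields the testing procedure expects on every entry.
REQUIRED_FIELDS = ("visitor_name", "company", "host_employee",
                   "entry_time", "exit_time", "purpose")
TIME_FORMAT = "%Y-%m-%d %H:%M"


def parse_log(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def _blank(entry, field):
    return not entry.get(field, "").strip()


def incomplete_entries(entries):
    """Map visitor_name -> list of missing required fields.

    An entry without a positive escort confirmation is also reported,
    because the control requires escort assignment, not just sign-in.
    """
    findings = {}
    for entry in entries:
        missing = [f for f in REQUIRED_FIELDS if _blank(entry, f)]
        if entry.get("escort_confirmed", "").strip().lower() != "yes":
            missing.append("escort_confirmed")
        if missing:
            findings[entry["visitor_name"]] = missing
    return findings


def outstanding_badges(entries):
    """Split unreturned badges into (still_on_site, departed_without_return).

    A badge with no exit time may belong to a visitor still in the building,
    or to a departure that was never logged; either way it must be reconciled
    against who is actually present. A badge with an exit time but no return
    is a failed retrieval at departure.
    """
    on_site, unreturned = [], []
    for entry in entries:
        if entry.get("badge_returned", "").strip().lower() == "yes":
            continue
        if _blank(entry, "exit_time"):
            on_site.append(entry["badge_id"])
        else:
            unreturned.append(entry["badge_id"])
    return on_site, unreturned


def time_order_issues(entries):
    """Names of entries whose exit time is not after their entry time."""
    issues = []
    for entry in entries:
        if _blank(entry, "entry_time") or _blank(entry, "exit_time"):
            continue  # completeness check already covers missing times
        entered = datetime.strptime(entry["entry_time"].strip(), TIME_FORMAT)
        exited = datetime.strptime(entry["exit_time"].strip(), TIME_FORMAT)
        if exited <= entered:
            issues.append(entry["visitor_name"])
    return issues


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Incomplete entries:", incomplete_entries(rows))
    print("Badges (on site, unreturned):", outstanding_badges(rows))
    print("Exit-before-entry:", time_order_issues(rows))
```

Run against a real export, the three result sets map directly onto audit findings: incomplete entries against the sign-in requirement, unreturned badges against the badge-return step, and time-order problems against the reliability of the log itself. Entries that look clean here still need the sampled escort confirmation and the unannounced observation; the script only replaces the field-by-field reading of the log.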
Where this control is tested