SOC 2 CC6.4: Logical and Physical Access - Physical Access Restrictions
What This Control Requires
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.
In Plain Language
Someone with physical access to your server can bypass every firewall, encryption layer, and access policy you've built. That's why auditors still care about physical security even in a world of cloud infrastructure. In practice, this means restricting who can walk into data centres, server rooms, network closets, backup storage areas, and any space where physical access could compromise your systems. Authorised personnel only, with logs and monitoring to prove it.

If you're fully cloud-hosted, the scope narrows but doesn't disappear. Your cloud provider's SOC 2 report covers their data centres, but you still own physical security for your offices, any on-premises equipment, and physical media. Auditors will want to see that you've verified your provider's controls - not just assumed they're adequate.
How to Implement
Start with a physical security assessment. Identify every location that houses or provides access to sensitive systems: data centres (owned or colocated), server rooms, network closets, offices where sensitive data is accessed, backup media storage, and any branch offices.

Match physical access controls to the risk level of each location. Data centres and server rooms need electronic access control (badge readers or biometric), visitor management, video surveillance, and environmental monitoring. Office spaces need badge access, visitor escort policies, and secure areas for sensitive work.

Maintain a clear list of who's authorised for each secure area. Get facility manager or security team approval based on job requirements. Review the list regularly, and revoke access immediately when someone leaves or no longer needs it.

Put monitoring in place for sensitive areas: CCTV at entry and exit points, access logs recording who entered and when, alarm systems for unauthorised access attempts, and regular review of both logs and footage.

For cloud-hosted environments, pull your provider's SOC 2 or equivalent report and confirm their physical security meets your requirements. Document the shared responsibility model clearly. Keep your own physical security tight for any on-premises components.

Set up visitor management for secure areas. Pre-approve visitors, sign them in and out, escort them in sensitive zones, and log every visit. Temporary badges should look visibly different from employee badges and be collected on departure.
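The access-list review and log review described above can be turned into a repeatable check that produces auditor-ready findings. The script below is an added example, not part of the original page or of any access-control product; it assumes a constructed badge authorization list, HR roster, and access-log format, and flags badges that should already have been revoked as well as granted entries by unlisted badges or by holders after their termination date.

```python
from datetime import date, datetime

# Constructed sample data (not from the page): the badge authorization list for
# the server room, the HR roster with termination dates, and access-control log
# lines in an assumed "timestamp badge area event result" format.
AUTHORIZED = {
    "B1001": {"name": "A. Lee", "area": "server-room"},
    "B1002": {"name": "M. Diaz", "area": "server-room"},
    "B1003": {"name": "R. Khan", "area": "server-room"},
}
HR_ROSTER = {
    "A. Lee": {"terminated": None},
    "M. Diaz": {"terminated": date(2024, 3, 15)},
    # R. Khan is absent: a contractor who is no longer on the roster at all
}
ACCESS_LOG = """\
2024-03-14T08:02:11 B1002 server-room ENTRY granted
2024-03-20T22:41:05 B1002 server-room ENTRY granted
2024-03-21T09:00:00 B1001 server-room ENTRY granted
2024-03-22T03:15:42 B9999 server-room ENTRY granted
2024-03-22T03:16:10 B9998 server-room ENTRY denied
"""

def stale_authorizations(authorized, roster, as_of):
    """Badges that should already have been revoked as of `as_of`."""
    stale = []
    for badge, info in authorized.items():
        rec = roster.get(info["name"])
        if rec is None:
            stale.append((badge, "not on HR roster"))
        elif rec["terminated"] and rec["terminated"] <= as_of:
            stale.append((badge, f"terminated {rec['terminated']}"))
    return stale

def suspicious_entries(log_text, authorized, roster):
    """Granted entries by unlisted badges or after the holder's termination date."""
    findings = []
    for line in log_text.splitlines():
        ts, badge, _area, _event, result = line.split()
        if result != "granted":  # denied attempts belong to alarm review, not this check
            continue
        info = authorized.get(badge)
        if info is None:
            findings.append((ts, badge, "granted entry with unlisted badge"))
            continue
        term = roster.get(info["name"], {}).get("terminated")
        if term and datetime.fromisoformat(ts).date() > term:
            findings.append((ts, badge, f"entry after termination on {term}"))
    return findings
```

Run both checks on each review cycle and keep the output alongside the dated authorization list; the empty-result runs are evidence too.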
Evidence Your Auditor Will Request
- Physical security assessment documenting all sensitive locations and applied controls
- Physical access authorization lists for data centers, server rooms, and sensitive areas
- Access control system logs showing entry/exit records for secured areas
- Video surveillance records and evidence of regular footage review
- Visitor management procedures and visitor logs for sensitive facilities
Common Mistakes
- Physical access lists include former employees or individuals who no longer need facility access
- Server rooms or network closets lack electronic access control, relying on physical keys without audit trails
- Visitor management procedures are not consistently followed, allowing unescorted access to sensitive areas
- Video surveillance exists but footage is not retained long enough or reviewed regularly
- Cloud provider physical security controls are assumed without verification through SOC reports or audits
Related Controls Across Frameworks
Frequently Asked Questions
We are fully cloud-based with no data centers. Does CC6.4 still apply?
How long should we retain physical access logs?
Do we need biometric access controls?