You’re six weeks from your SOC 2 Type II audit. The auditor sends a pre-audit questionnaire. Somewhere in the list: “Does your company have an approved physical security policy? Please share the document and evidence of employee acknowledgement.” You check with your ops lead. The answer: “We have a sign-in sheet at the front desk. Does that count?”
It doesn’t.
A physical security policy is a formal document that governs how your organization protects its premises, equipment, and assets from unauthorized physical access, theft, damage, and environmental harm. It defines who can enter your facilities, how access is granted and revoked, how visitors are managed, how sensitive areas like server rooms are protected, and how physical equipment is disposed of when it’s no longer needed.
The policy owner is typically your COO, Facilities Manager, or Head of Security. Every employee, contractor, and relevant third party with access to your facilities is covered by it.
Without a physical security policy, your team makes these decisions informally. Different sites handle visitors differently. Nobody is sure who loses access when an employee leaves. The server rack in the storage room has a padlock that three people share the combination for. None of that survives an audit.
This policy is required, explicitly or implicitly, by:
- SOC 2: CC6.4 (physical access controls), CC6.5 (asset disposal), CC6.8 (prevent unauthorized hardware introduction)
- ISO 27001: Annex A.7, Physical and Environmental Security (14 controls, A.7.1 through A.7.14)
- PCI DSS: Requirement 9 (restrict physical access to cardholder data environments)
- HIPAA: 45 CFR 164.310 Physical Safeguards (facility access controls, workstation security, device and media controls)
By the end of this guide, you’ll know exactly what a physical security policy needs to contain, how to write and roll it out, and what evidence auditors expect to see.
Here’s what I’ll cover:
- What a physical security policy actually is and who owns it
- What it should include, with a free template you can use today
- How it maps to SOC 2, ISO 27001, PCI DSS, and HIPAA
- What auditors look for and what trips companies up
- How to right-size the policy for your company stage
What Is a Physical Security Policy?
A startup CTO once told me they had a physical security policy. I asked to see it. They sent a three-paragraph Confluence page titled “Office Security Rules.” It covered the front door code and a reminder not to leave laptops on desks. That’s a policy the way a sticky note is a contract.
A physical security policy is a formal governance document that defines the rules your organization must follow to protect its facilities, equipment, and assets from unauthorized access, theft, damage, and environmental threats. It is not a list of office tips.
The policy covers:
- Facility access controls: who can enter, how access is granted and revoked, how it’s logged
- Visitor management: sign-in and sign-out procedures, escort requirements, restricted area rules
- Sensitive area controls: server rooms, network closets, data processing areas
- Surveillance: CCTV coverage, footage retention periods, who can access recordings
- Clean desk and screen lock: unattended workstation requirements
- Physical media: secure storage, transport, and certified disposal
- Environmental controls: fire suppression, climate monitoring, power continuity
- Incident response: how to report and escalate physical security incidents
What does a physical security policy statement say?
The policy statement is the declaration at the top of the document, usually a paragraph or two. It names who the policy applies to, what it’s protecting, and who is accountable for it.
Example: “Acme Corp is committed to protecting its facilities, personnel, and physical assets from unauthorized access, theft, and environmental damage. This policy applies to all employees, contractors, and visitors at all company-operated sites.”
It sounds simple. Auditors read it closely. If your policy statement says it applies to “all employees” but your evidence shows contractors weren’t included in access provisioning, that’s a finding.
Who owns a physical security policy?
In larger organizations: the Head of Physical Security, Facilities Manager, or COO. In a startup: typically whoever is most responsible for office operations, usually the COO or a senior operations lead. If your company operates a server room or data center, the CISO or CTO often co-owns the sections covering IT infrastructure.
Whoever owns it, senior management must approve it, and every employee must acknowledge it.
Corporate physical security policy vs. site-specific procedures
Your corporate physical security policy sets the baseline: the requirements that apply across all locations. Site-specific procedures (a “Data Centre Entry Procedure” or “Building A Access Procedure”) are the operational layer beneath it. The policy tells auditors what you require. The procedures tell them how you implement it. Auditors expect to see both.
Why Every Workplace Needs a Physical Security Policy
A startup I spoke to last year had a laptop stolen from their open-plan office. Mid-afternoon. Office full of people. A visitor walked in, sat at a hot-desk for 20 minutes, and walked out with a laptop containing six months of customer data. Their physical security policy was a Confluence page nobody had looked at in two years.
The obvious risk is theft. But that’s not the main reason compliance teams care about physical security. There are three real angles.
First, the security risk. Physical breaches bypass every piece of digital security you have. If someone can walk into your office, plug in a USB device, or grab a laptop off a desk, your firewalls and MFA mean nothing. Tailgating (following someone through a secured door without badging), stolen employee badges, and unlocked server rooms are the most common physical attack vectors. They’re all policy failures, not technology failures.
Second, compliance. SOC 2 Type II auditors test whether physical access controls are operating effectively over the entire audit period, not just whether they’re documented. ISO 27001 has 14 dedicated physical and environmental security controls in Annex A.7. PCI DSS Requirement 9 is one of the most rigorously tested requirements in the entire standard.
Third, operational clarity. Without a physical security policy, nobody knows the answers to basic questions: who handles access when an employee leaves? Can a vendor enter the server room alone? How long do we keep CCTV footage? A policy answers these questions once, clearly, so your team doesn’t have to reinvent them every time.
A workplace physical security programme doesn’t need to be complex. Even a 10-person startup needs a documented screen-lock rule, visitor sign-in process, and equipment disposal procedure to pass a compliance audit. A physical security policy for a company of any size is the same document at different levels of detail, not a different document entirely.
Which Companies Need a Corporate Physical Security Policy?
If you’re pursuing any major compliance certification, you need one. Full stop.
SOC 2: CC6.4 requires you to restrict physical access to authorized individuals and maintain evidence that this is happening. An approved, communicated physical security policy is baseline evidence.
ISO 27001: Annex A.7 contains 14 physical and environmental security controls. Auditors expect a written policy as the primary evidence that these controls are governed.
PCI DSS: Requirement 9 is explicit. If you store, process, or transmit cardholder data, you must have documented physical access controls, visitor logs, and tamper inspection procedures for payment devices. No documentation, no certification.
HIPAA: The Physical Safeguards standard (45 CFR 164.310) requires facility access controls and workstation security policies for any organization handling protected health information. These are required specifications, not addressable ones.
Enterprise sales: Even without a certification, enterprise customers ask about physical security in vendor questionnaires. A documented corporate physical security policy is a faster, cleaner answer than a written explanation of your informal practices.
Bank physical security policy: what regulated institutions require
Banks and financial institutions face additional requirements from bodies like the FFIEC (US), FCA, and PRA (UK). Beyond standard access controls, regulated financial institutions are expected to have mantrap or airlock entry for sensitive processing areas, dual-control procedures for vaults and data centers, tamper-evident hardware seals with inspection logs, and periodic third-party physical security assessments.
Even early-stage fintechs pursuing SOC 2 or PCI DSS should write a policy that anticipates these requirements before they become mandatory. Building the governance foundation early is considerably easier than retrofitting it at Series B. If you need a bank physical security policy template, the template above covers the core requirements; the bank-specific section below lists the additional sections to add for regulated financial institutions.
What Your Physical Security Policies and Procedures Should Cover
The most common problem I see in physical security policies: they’re too vague. “Physical security measures shall be implemented” is not a policy requirement. It’s a sentence that could be on the wall of any building in the world.
Here’s what a properly scoped policy needs to include:
| Policy section | What to include |
|---|---|
| Purpose | The specific risks this policy addresses: unauthorized access, theft, environmental damage, and audit compliance |
| Scope | All facilities (including co-working spaces, home offices with company equipment, off-site storage), all personnel (employees, contractors, visitors, third parties), and all physical assets |
| Roles and responsibilities | Who owns the policy, who manages facility access, who handles incidents, who approves exceptions |
| Facility access controls | Badge or key requirements, access tier definitions, how access is provisioned and deprovisioned, tailgating prohibition |
| Visitor management | Sign-in and sign-out requirements, escort rules, visitor badge procedures, restricted area access |
| Sensitive area controls | Who can enter server rooms and network closets, how access is logged, who approves exceptions |
| CCTV and surveillance | Where cameras are required, footage retention period, who can access recordings |
| Clean desk and screen lock | Unattended workstation requirements, document handling, end-of-day procedures |
| Physical media | Secure storage, transport procedures, certified disposal requirements |
| Environmental controls | Fire suppression, water/flood detection, temperature and humidity monitoring, power continuity |
| Security incidents | How to report a physical security incident, escalation path, investigation process |
| Exceptions | How to request a deviation, who approves, maximum exception duration |
| Enforcement | Consequences for non-compliance, monitoring approach |
| Review cadence | Annual minimum, plus review after any office move, new site, or physical security incident |
Physical and environmental security policy: ISO 27001 Annex A.7 requirements
ISO 27001’s Annex A.7 contains 14 controls:
- A.7.1 Physical security perimeters
- A.7.2 Physical entry
- A.7.3 Securing offices and facilities
- A.7.4 Physical security monitoring
- A.7.5 Protection against physical and environmental threats
- A.7.6 Working in secure areas
- A.7.7 Clear desk and screen
- A.7.8 Equipment siting and protection
- A.7.9 Off-premises assets
- A.7.10 Storage media
- A.7.11 Supporting utilities
- A.7.12 Cabling security
- A.7.13 Equipment maintenance
- A.7.14 Secure disposal
A well-structured physical security policy, supplemented by site-level procedures, can satisfy all 14 controls with the right evidence attached. Auditors check each control by asking practical questions: who has access to your server room and how is it logged? What is your clean desk requirement? How do you dispose of physical media? Your policy is what gives them those answers in writing.
Free Physical Security Policy Template
Below is a complete physical security policy template built from the same structure ComplyJet uses to help companies pass SOC 2, ISO 27001, PCI DSS, and HIPAA audits. Use it as an example or starting point to customise for your environment. It is free to use, with no sign-up required; a PDF and Word version are available above. Replace the bracketed fields with your own details.
[Company Name] Physical Security Policy
Policy Owner: [PSP Policy Owner]
Effective Date: [Policy Effective Date]
Last Reviewed: [Last Review Date]
Version: 1.0
Purpose
To prevent unauthorized physical access to, or damage to, [Company Name]’s information and information processing facilities. This policy establishes the minimum requirements for protecting all [Company Name] premises, equipment, and physical assets.
Scope
This policy applies to all [Company Name] offices and locations. It covers all employees, contractors, vendors, and visitors with physical access to any [Company Name] owned or leased facility.
| Location / facility | In scope |
|---|---|
| [Primary office address] | Yes |
| [Co-working or shared space, if applicable] | Yes |
| Home offices (where company equipment is used or data is accessed) | Yes |
| Third-party data center or co-location facility | Yes (provider must maintain equivalent controls; see Supplier Security section) |
| [Any additional sites] | Yes |
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Policy Owner ([PSP Policy Owner]) | Maintains this policy, reviews annually, approves exceptions |
| Facilities Manager / Office Manager | Manages physical access provisioning, visitor procedures, CCTV configuration |
| IT / Security | Manages electronic access control systems, server room access, equipment disposal |
| HR | Notifies Facilities and IT of all new hires, departures, and role changes requiring access changes |
| All employees | Comply with this policy, report incidents, complete acknowledgement on joining and at each annual review |
Physical Security Perimeter
All [Company Name] facilities must have a defined physical perimeter with controlled entry points. Interior areas that process or store sensitive information (including server rooms, network closets, and finance or HR secure zones) are designated as secure areas with access restricted to personnel who require it for their role.
Physical structures (walls, doors, windows, locks) must meet local building codes and applicable regulatory requirements for the sensitivity of the assets they protect.
Physical Entry Controls
Access to [Company Name] facilities must be controlled using one or more of the following mechanisms:
- Electronic access control (key fobs, badge readers, PIN pads) with an access event audit log
- Physical locks with documented key management procedures
- Security personnel at entry points
Access events in secure areas must be logged electronically where technically feasible. Logs must be retained for a minimum of [90 days for PCI DSS in-scope environments / 12 months for ISO 27001 environments]. Access logs must be reviewed periodically by [Facilities Manager / IT Security] for anomalies.
Cameras and intrusion detection systems must be used at any facility that stores or processes production data or internally sensitive information. CCTV footage must be retained for at least [30 days] and access to recordings restricted to authorized personnel only.
Working in Secure Areas: Visitor Management
All visitors, delivery personnel, and external technicians must:
- Sign in and out using the visitor log (paper or electronic), recording: full name, organization, purpose of visit, escort name, time in, and time out
- Wear a visible visitor badge for the duration of their visit
- Be accompanied by an authorized [Company Name] employee when in any secure area
- Not be left unescorted in any area where they could access systems, infrastructure, or data without authorization
[Company Name] staff who grant access to a visitor are personally accountable for that visitor’s conduct during the visit. Any employee who notices an unescorted visitor in a restricted area must verify their authorization or report immediately to [Facilities Manager / designated security contact].
Delivery and Loading Areas
Receiving areas, loading docks, and other entry points used by external delivery personnel must be controlled and physically separated from information processing facilities wherever possible. Delivery personnel must not enter secure areas.
Protecting Against External and Environmental Threats
Production processing facilities and server rooms must maintain the following controls:
| Control | Requirement |
|---|---|
| Fire detection and suppression | Automated detection and suppression system; gas suppression (halon, inert gas, or FM-200) preferred over water in server areas |
| Climate control | Temperature and humidity monitoring with automated alerting; target server room temperature 18-27°C (65-80°F) |
| Power continuity | UPS covering all critical systems; tested at least [quarterly / annually] |
| Water and flood detection | Sensors in server rooms and network closets; alerts routed to on-call team |
| Intrusion detection | Alarm system or video surveillance; tested at least annually |
Clean Desk and Screen Lock
All employees must:
- Lock their workstation (or equivalent screen lock mechanism) whenever leaving their desk, even briefly
- Clear desks of sensitive documents and portable media at the end of each working day
- Store physical documents classified as Confidential or above in a locked drawer or cabinet when not in active use
- Shred printed documents containing sensitive information before disposal
Screen lock must activate automatically after no more than [5-15] minutes of inactivity. Full disk encryption is required on all laptops and portable storage devices.
Physical Media Handling and Disposal
| Media type | Handling requirement |
|---|---|
| Hard drives and SSDs (end-of-life) | Degaussing or physical destruction by a certified destruction service; certificate of destruction retained on file |
| USB and portable storage | Only approved devices permitted; lost or stolen devices must be reported to IT Security immediately |
| Printed documents (Confidential and above) | Cross-cut shredding or locked shredding bin serviced by a certified disposal provider |
| Physical backup media | Stored in locked, fireproof storage; access restricted to authorized IT personnel; inventory maintained |
Supplier, Vendor, and Third-Party Security
Suppliers, vendors, and third parties with physical access to [Company Name] facilities or equipment must agree to and comply with [Company Name]’s physical security requirements.
Third-party physical security controls must be assessed as part of the vendor management process, in accordance with the Third-Party Management Policy.
For third-party data center or co-location providers, [Company Name] must obtain and retain the provider’s current physical security certifications (SOC 2 Type II report, ISO 27001 certificate, or equivalent) on at least an annual basis.
Exceptions
Requests for exceptions to this policy must be submitted to [PSP Exception Approver] and must document:
- The specific policy requirement being waived
- Business justification for the exception
- A compensating control that reduces the associated risk
- A proposed expiry date (maximum 12 months from approval)
- The name of the risk owner accepting accountability for the exception
Violations and Enforcement
Known violations of this policy must be reported to [Violation Report Contact]. Violations include: unauthorized access to a secure area, tailgating through a controlled entry point, failure to escort a visitor in a restricted area, and unauthorized removal of physical assets or media from a facility.
Violations may result in immediate withdrawal of physical access privileges and/or disciplinary action up to and including termination, in accordance with [Company Name]’s HR policies and procedures.
Review Cadence
This policy must be reviewed:
- Annually, at minimum
- After any physical security incident or confirmed breach
- After an office move, renovation, or opening of a new site
- After significant changes to the company’s compliance framework requirements
| Version | Date | Summary of changes | Reviewed by |
|---|---|---|---|
| 1.0 | [Date] | Initial version | [Name] |
How to Write and Roll Out a Physical Security Policy
Writing the document is the easy part. Getting it implemented, acknowledged, and audit-ready requires a few more steps.
Assign an owner. Without a named owner, the policy exists as a document, not a control. The owner is accountable for keeping it current and enforcing it.
Audit your current state. Walk through each of your locations and compare what you actually do against what a proper policy requires. Note the gaps: no visitor log, server room accessible to anyone with an office key, no clean desk enforcement, access not deprovisioned after the last two departures.
Customise the template. Tailor it to your actual setup: the access control tools you use (Kisi, Brivo, key fobs), the retention period your compliance framework requires for access logs, the cloud infrastructure your CCTV runs on.
Map to your compliance framework requirements. Before finalising the policy, check each section against the specific controls you need to satisfy: SOC 2 CC6.4, ISO 27001 A.7.1 through A.7.14, PCI DSS Requirement 9, HIPAA 164.310.
Get senior management approval. The signed, dated approval block is evidence. An unsigned document is not.
Communicate it to everyone who needs to follow it. That means employees, contractors, and relevant vendors. Don’t assume people will find it in the wiki.
Collect acknowledgements. Auditors check that employees have acknowledged the policy. An LMS completion record, a signed form, or an email confirmation all work. Whatever you use, keep the records.
Run a physical walkthrough. After rollout, physically walk each site and verify that the controls described in the policy are actually in place. If you find gaps, document them and set a remediation timeline.
Set an annual review reminder. Physical security changes when offices move, headcount grows, or your compliance framework evolves. Build the review into your calendar now, before you forget.
Physical Security Policy Requirements for SOC 2, ISO 27001, PCI DSS, and HIPAA
Here’s what each framework actually requires, without the generic compliance language.
| Framework | Relevant control | What it requires |
|---|---|---|
| SOC 2 | CC6.4 | Restrict physical access to authorized individuals; maintain provisioning and deprovisioning evidence |
| SOC 2 | CC6.5 | Protect against unauthorized removal of assets; secure disposal procedures |
| SOC 2 | CC6.8 | Prevent or detect introduction of unauthorized hardware or software into the environment |
| ISO 27001:2022 | Annex A.7 (14 controls) | Physical perimeters, entry controls, securing offices, environmental threats, clear desk, storage media, equipment disposal |
| PCI DSS v4.0 | Requirement 9 | Restrict and monitor physical access to cardholder data environments; visitor logs; tamper inspection of POI devices |
| HIPAA | 45 CFR 164.310 | Facility access controls, workstation use policy, workstation security, device and media controls |
Physical and environmental security policy: how ISO 27001 Annex A.7 maps to your document
ISO 27001 auditors don’t just check that a physical security policy exists. They check that it addresses each of the 14 A.7 controls and that you have evidence they’re operating.
The most common nonconformities I see in ISO 27001 assessments:
- Policy exists but doesn’t reference specific physical security zones or access tiers
- Visitor management procedures not documented, or documented but not followed
- No evidence of CCTV retention settings or restrictions on who can access footage
- Clean desk requirement stated in the policy, but no evidence of periodic enforcement
Every A.7 control should be traceable to a specific section in your policy. A control mapping table, either inside the policy document or in your GRC tool, makes audits substantially faster.
SOC 2 physical security: what Type II auditors test
For SOC 2 Type II, physical security controls must be operating effectively over the audit period, not just documented at the start. Auditors pull access provisioning and deprovisioning records, ask for visitor logs covering the full audit period, check CCTV configuration settings, and verify that the policy was acknowledged by all relevant staff.
The most common Type II finding: badge access not revoked when employees leave. CC6.4 requires a documented deprovisioning process, and auditors test it by cross-referencing your access records against your HR termination dates. If those records don’t align, that’s a control failure, not a documentation gap.
PCI DSS Requirement 9 overview
If your cardholder data environment is in scope, Requirement 9 requires: documented physical access controls, access logs retained for at least 90 days, video surveillance or equivalent at all data center and card-processing areas, regular inspection of point-of-interaction devices for tampering signs, and documented visitor management.
If you use Stripe, Adyen, or a similar processor and don’t self-host card data, you may be out of scope for Requirement 9. Document that scoping decision explicitly. Auditors will ask about it.
Evidence Auditors Expect for Physical Security Controls
Knowing what evidence to collect is as important as having the policy itself. I’ve seen companies with excellent physical security controls fail audits because they didn’t save the right records.
| Evidence type | Example |
|---|---|
| Written physical security policy | Signed, dated document with version number, owner, and approval block |
| Facility access logs | Badge or key fob access records for the audit period, showing who entered restricted areas and when |
| Visitor log | Sign-in and sign-out records for all visitors, including escort name, for the full audit period |
| Access provisioning records | Records showing access granted at hire, tied to the onboarding process |
| Access deprovisioning records | Records showing access revoked at termination, tied to HR offboarding |
| CCTV configuration | Screenshot of camera coverage, retention period setting, and access restriction controls |
| Clean desk audit | Periodic spot-check records or policy acknowledgement log |
| Physical media disposal | Certificates of destruction from a certified provider |
| Environmental monitoring | Temperature and humidity logs, UPS test records |
| Policy acknowledgement | Signed acknowledgements or LMS completion records for all relevant staff |
| Annual review record | Policy version history with review date and reviewer |
Data center physical security policy requirements
If you operate your own server room or data center, auditors expect additional evidence: server rack access logs, environmental monitoring alerts and responses, and dual-control procedures for infrastructure changes in high-security environments.
If you use a third-party co-location facility, obtain their current SOC 2 Type II report or ISO 27001 certificate. That’s your evidence for the physical security of the hardware layer.
AWS data center physical security policy and shared responsibility
Under the AWS Shared Responsibility Model, AWS is responsible for the physical security of its data centers. You are responsible for everything above the physical layer: logical access, application security, configuration.
For compliance purposes, reference AWS’s SOC 2 Type II report and ISO 27001 certificate as evidence that physical infrastructure is secure. Auditors accept this. You don’t need to write physical security controls for infrastructure you don’t own or operate.
Physical Security Policy Mistakes That Cost Startups in Audits
These come up in almost every compliance review I’ve been part of.
1. No visitor log, or one that nobody actually uses. A clipboard on the front desk with inconsistent entries is not an audit-ready visitor log. You need dated entries with names, organizations, escort names, and time in/out for every visitor, covering the full audit period.
2. Badge access not deprovisioned when employees leave. This is the most common SOC 2 CC6.4 finding. If your offboarding checklist doesn’t include “revoke physical access” as a documented step with evidence of completion, you will fail this control in a Type II audit.
3. Server room with no access log. A shared padlock combination is not access control. If your server rack or network closet doesn’t have an electronic access log, auditors have no way to test CC6.4 for your most sensitive physical environment.
4. Scope defined too narrowly. Policies that cover “the office” but not co-working spaces, home offices with company equipment, or third-party data center facilities create scope gaps. Auditors ask about all of these.
5. Clean desk policy stated but never enforced. A clean desk requirement without any evidence of enforcement, spot checks, or even consistent acknowledgement by employees fails the operating effectiveness test in a Type II audit. The policy said you’d do it. If the evidence shows you didn’t, it’s a finding.
6. Physical media disposal not documented. Hard drives and USB sticks thrown in a bin or donated without certified data destruction are a serious data exposure risk. Keep certificates of destruction on file. Every one of them.
7. Policy not reviewed after moving offices. Office moves change access controls, CCTV coverage, and visitor procedures. Your policy version history must show a review after the move. If it doesn’t, an auditor will note that the document may not reflect your current environment.
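The cross-referencing auditors do for the Type II deprovisioning test (access records against HR termination dates), and the offboarding gap in mistake 2, as an added example that is not part of the original article: a small Python script that joins a constructed badge-reader export against a constructed HR roster and flags granted access after a termination date, badges still active past a revocation SLA, and badge IDs HR does not know about. Field names, the sample data and the one-day revocation SLA are assumptions, not the schema of any particular access-control or HR system.

```python
"""Reconcile badge access records against HR termination dates.

All data below is constructed for illustration. Field names (employee_id,
terminated_on, badge_active, ...) are assumptions, not a real system's schema.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    terminated_on: Optional[date]  # None means still employed
    badge_active: bool             # current state in the access-control system


@dataclass(frozen=True)
class AccessEvent:
    employee_id: str  # badge holder as recorded by the reader
    door: str
    at: datetime
    granted: bool     # False = reader denied the badge


# Constructed HR export: one current employee and two leavers.
HR_ROSTER: List[Employee] = [
    Employee("E100", "A. Example", None, True),
    Employee("E200", "B. Example", date(2024, 3, 15), False),  # revoked on time
    Employee("E300", "C. Example", date(2024, 3, 20), True),   # badge never revoked
]

# Constructed badge-reader export for part of the audit period.
ACCESS_EVENTS: List[AccessEvent] = [
    AccessEvent("E100", "front-door", datetime(2024, 3, 18, 9, 2), True),
    AccessEvent("E200", "front-door", datetime(2024, 3, 15, 17, 40), True),  # last day: fine
    AccessEvent("E200", "front-door", datetime(2024, 3, 16, 8, 5), False),   # denied: control worked
    AccessEvent("E300", "front-door", datetime(2024, 3, 22, 8, 50), True),   # two days after leaving
    AccessEvent("E300", "server-room", datetime(2024, 3, 22, 9, 10), True),  # into a secure area
    AccessEvent("E999", "front-door", datetime(2024, 3, 22, 9, 30), True),   # unknown to HR
]

AUDIT_PERIOD_END = date(2024, 3, 31)  # "as of" date for the badge-state check


def post_termination_access(roster: List[Employee], events: List[AccessEvent]) -> List[AccessEvent]:
    """Granted access events dated after the holder's termination date.

    Denied events after termination show the control working, so only
    granted ones are reported. Events on the termination day itself are allowed.
    """
    term_by_id: Dict[str, Optional[date]] = {e.employee_id: e.terminated_on for e in roster}
    return [
        ev for ev in events
        if ev.granted
        and term_by_id.get(ev.employee_id) is not None
        and ev.at.date() > term_by_id[ev.employee_id]
    ]


def unrevoked_badges(roster: List[Employee], as_of: date, sla_days: int = 1) -> List[Employee]:
    """Leavers whose badge is still active more than sla_days after termination."""
    return [
        e for e in roster
        if e.terminated_on is not None
        and e.badge_active
        and (as_of - e.terminated_on).days > sla_days
    ]


def unknown_badge_holders(roster: List[Employee], events: List[AccessEvent]) -> List[str]:
    """Badge IDs that were granted entry but do not exist in the HR roster."""
    known = {e.employee_id for e in roster}
    return sorted({ev.employee_id for ev in events if ev.granted and ev.employee_id not in known})


def reconcile(roster: List[Employee], events: List[AccessEvent], as_of: date) -> Dict[str, list]:
    """Run all three checks; an empty dict of lists means no findings."""
    return {
        "post_termination_access": post_termination_access(roster, events),
        "unrevoked_badges": unrevoked_badges(roster, as_of),
        "unknown_badge_holders": unknown_badge_holders(roster, events),
    }


if __name__ == "__main__":
    report = reconcile(HR_ROSTER, ACCESS_EVENTS, AUDIT_PERIOD_END)
    for ev in report["post_termination_access"]:
        print(f"FINDING post-termination access: {ev.employee_id} {ev.door} {ev.at:%Y-%m-%d %H:%M}")
    for emp in report["unrevoked_badges"]:
        print(f"FINDING badge still active: {emp.employee_id} terminated {emp.terminated_on}")
    for badge in report["unknown_badge_holders"]:
        print(f"FINDING badge not in HR roster: {badge}")
```

Run the same reconciliation over the full audit period, not a sample, and keep the output with the offboarding records: an empty report is the evidence CC6.4 asks for.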
Right-Sizing Your Physical Security Policy by Company Stage
Startups and small teams in co-working or shared space
You don’t need a 30-page document. You need a clear, approved, acknowledged policy that covers your actual environment.
Focus on: clean desk and screen lock, visitor sign-in, who gets access and how it’s revoked when they leave, laptop full-disk encryption, and a basic physical media disposal procedure. For your server infrastructure: if it’s in AWS, GCP, or Azure, reference the provider’s SOC 2 report for data center physical security. You don’t need to write controls for infrastructure you don’t control.
The single most important thing at this stage is making sure your offboarding process revokes physical access. That one gap causes more audit findings than anything else. Your HR security policy should call this out explicitly as a step in the departure checklist.
Growing companies in their own leased space
Add electronic access control with an audit trail: badge readers, key fobs, or cloud-based systems like Kisi or Brivo. These integrate with HR systems, which makes deprovisioning far less likely to fall through the cracks.
Define formal security tiers: general office access, IT infrastructure areas, any finance or HR secure zones. Each tier should have a defined access list and a review process.
CCTV with documented retention settings becomes important here. Configure it, document the settings, and restrict access to the recordings. The configuration is the evidence, not just the cameras existing.
Larger and regulated organizations
Commission formal physical security assessments, conducted annually or after any significant incident, by a qualified third party.
Consider mantrap or airlock entry for high-sensitivity areas like data processing rooms, tamper-evident seals on critical infrastructure backed by regular inspection logs, and integration of physical security with your business continuity and disaster recovery plan.
For banks and regulated financial institutions, align with FFIEC guidance (US) or FCA/PRA expectations (UK). Physical security governance at regulated institutions is assessed directly by regulators, not just certification auditors.
Keeping Physical Security Controls Audit-Ready with ComplyJet
Physical security is one of those areas where the policy is the easy part. The operational evidence is where companies come unstuck: access logs that weren’t exported before the audit window, acknowledgement records buried in email threads, media disposal certificates in someone’s personal downloads folder.
ComplyJet ships a pre-built physical security policy mapped to SOC 2, ISO 27001, PCI DSS, and HIPAA controls. You customise it once, get it approved through the built-in workflow, and collect acknowledgements automatically. Every section of the policy is linked to the exact compliance control it satisfies, so you’re not cross-referencing spreadsheets the week before your audit.
Evidence collection is centralised: access logs, visitor records, clean desk audits, and disposal certificates all live in one place, linked to the controls they support. Annual review reminders mean you’re not discovering a two-year-old policy three weeks before an assessment.
Physical Security Policy FAQs
How would you define a physical security policy?
A physical security policy is a formal document that governs how an organization protects its premises, equipment, and assets from unauthorized physical access, theft, damage, and environmental harm. It defines access control rules, visitor management procedures, server room protections, clean desk requirements, and physical media disposal standards. It’s required, in some form, by SOC 2, ISO 27001, PCI DSS, and HIPAA.
What should a physical security policy include?
At minimum: facility access controls, visitor management procedures, sensitive area controls (server room, network closet), CCTV and surveillance requirements, clean desk and screen lock rules, physical media handling and disposal, environmental controls (fire, flood, temperature), and an incident reporting process. The full table is in the “What to include” section above.
Which frameworks require a physical security policy?
SOC 2 (CC6.4, CC6.5, CC6.8), ISO 27001 (Annex A.7, 14 controls), PCI DSS (Requirement 9), and HIPAA (45 CFR 164.310 Physical Safeguards) all require documented physical security controls. A single well-written policy with the right control mapping satisfies all four.
Who is responsible for a physical security policy?
Typically the COO, Facilities Manager, or Head of Security owns the policy. The CISO or CTO may co-own sections covering IT infrastructure and server room security. Senior management approves it. All employees and relevant contractors must acknowledge it.
How often should a physical security policy be reviewed?
Annually at minimum. Additionally, review it after any physical security incident, an office move or expansion, a significant headcount change, or when the organization adds a new compliance framework.
Does our AWS-hosted infrastructure need to be covered by our physical security policy?
You still need a physical security policy for your physical office and equipment. Your AWS-hosted infrastructure, however, is covered by AWS’s own physical security controls. Reference AWS’s SOC 2 Type II report and ISO 27001 certificate as evidence for your cloud infrastructure. Auditors accept this. Your policy focuses on the premises and equipment you physically control.
What evidence do SOC 2 auditors expect for physical security?
Access provisioning and deprovisioning records, visitor logs for the full audit period, CCTV configuration details, clean desk audit or acknowledgement records, physical media disposal certificates, and the signed policy with version history. For Type II audits, all evidence must span the full audit period, typically 6 or 12 months.
Related Policies
- IT Asset Management Policy: Physical security of hardware assets overlaps with asset management. Both policies must address secure disposal consistently, ideally pointing to the same procedure.
- Information Security Policy: The parent governance document that establishes your overall security framework. The physical security policy sits beneath it as a domain-specific control.