The entity restricts physical access to facilities and protected information assets

To meet the “The entity restricts physical access to facilities and protected information assets” requirement (SOC 2 TSC CC6.4), you must prevent unauthorized people from entering your spaces and from physically reaching systems or media that store or process customer data. Operationalize it by defining secure areas, enforcing badge/visitor controls, hardening server and network closets, and retaining evidence that access is approved, monitored, and revoked.

Key takeaways:

  • Scope the “facility” and the “protected information assets” first, then design controls around those boundaries.
  • Auditors look for operating evidence: logs, approvals, reviews, incident tickets, and documented exceptions.
  • Physical security failures often show up as process gaps (shared badges, unescorted visitors, no access reviews), not missing hardware.

CC6.4 is a practical SOC 2 requirement: you need to control who can physically enter your facilities and who can physically touch or remove protected information assets. For many service organizations, the hardest part is not buying locks or badge readers; it is defining what counts as “protected,” setting consistent rules across offices, shared workspaces, and data center footprints, and proving the controls ran during the audit period.

This page is written for a Compliance Officer, CCO, or GRC lead who needs to implement CC6.4 quickly with minimal ambiguity. You’ll find (1) a plain-English interpretation, (2) applicability and scoping rules that prevent over- or under-control, (3) step-by-step implementation actions you can hand to Facilities, IT, and Security, and (4) the evidence package auditors typically request.

SOC 2 audits reward repeatability. If your physical access program depends on informal practices (“everyone knows to escort visitors”), you will struggle to evidence it. If you can show documented standards, consistent provisioning and deprovisioning, and periodic review of access rights, CC6.4 becomes straightforward to defend.

Regulatory text

Requirement (SOC 2 TSC CC6.4): “The entity restricts physical access to facilities and protected information assets.” 1

What the operator must do

You must implement controls that:

  • Limit facility entry to authorized personnel (employees and approved third parties).
  • Limit physical access to protected information assets (for example: servers, network gear, backup media, paper records, end-user devices used for production access).
  • Detect and respond to unauthorized physical access attempts (at minimum via monitoring, logs, and an incident path).
  • Prove operation of the controls with retained evidence throughout the audit period.

Auditors commonly interpret this as a combination of preventive controls (locks, badges, secure rooms), detective controls (logs, cameras, visitor logs), and administrative controls (policies, approvals, periodic access reviews).

Plain-English interpretation

CC6.4 means: if a person can walk into a space or touch a device that would let them access customer data, you must have gates in place. Those gates need owners, rules, and records.

Two scoping clarifications prevent confusion:

  1. Facilities includes offices, warehouses, labs, and any leased space you operate, plus any third-party data center space where you have physical presence or control responsibilities.
  2. Protected information assets includes anything that stores, processes, or can grant access to sensitive data, including “boring” items like network closets, routers, firewall consoles, paper files, and backup drives.

Who it applies to (entity and operational context)

This requirement applies to service organizations undergoing SOC 2 examinations under the Trust Services Criteria. 1

Operational contexts where CC6.4 becomes high-effort:

  • Shared offices / coworking spaces: you may not control building lobby security, but you still control your suite, secure rooms, and asset storage.
  • Hybrid work: home offices are not “facilities” you control, but you still must control protected assets (laptops, removable media) and define rules for printing and storage.
  • Colocation or on-prem racks: you need to define the split: what the third party provides (cage access controls) vs what you manage (rack locks, escort requirements, key control).
  • Regulated data footprints: if you process sensitive data, auditors will expect tighter control around server rooms, network closets, and media handling even if you are “cloud-first.”

What you actually need to do (step-by-step)

Step 1: Define scope boundaries and “secure areas”

Create a short Physical Security Scope Statement that lists:

  • Facilities in scope (addresses, floors/suites).
  • Secure areas (server room, network closet, records room, shipping/receiving cage).
  • Protected information assets categories (production access devices, servers, backup media, paper records, hardware tokens).

Deliverable: a one-page scope statement owned by Security/Facilities and referenced by policy.

Step 2: Set access standards by zone (public → restricted)

Build a zone model that maps to controls:

Each zone lists typical examples and the minimum controls you should implement:

  • Public (examples: building lobby, shared hallways). Minimum controls: rely on landlord where applicable; document reliance and your boundaries.
  • Controlled (examples: office suite entrance). Minimum controls: badge or key control; authorized list; revoke on termination.
  • Restricted (examples: server/network closets, records rooms). Minimum controls: limited authorized list; visitor escort; access logs; periodic review.
  • High sensitivity, if applicable (examples: media storage, key/token storage). Minimum controls: dual control or heightened approvals; inventory and sign-out logs.

Keep it simple. Auditors want consistency more than complexity.

Step 3: Implement identity-to-physical-access lifecycle (joiner/mover/leaver)

Tie badge and key access to HR/IT workflows:

  • Provisioning: require manager approval, role justification, and zone assignment.
  • Changes: movers get updated access only after approval; remove old access the same day the move is effective when practical.
  • Deprovisioning: revoke badges/keys promptly on termination; recover physical tokens and keys; document exceptions.

Evidence target: tickets or HR/IT workflow records that show approvals and completion.

Step 4: Visitor management that stands up in an audit

Minimum visitor process for controlled and restricted zones:

  • Pre-registration or sign-in with name, company, host, time in/out.
  • Visible visitor badge (or equivalent).
  • Escort requirement for non-authorized visitors in restricted zones.
  • Stated rule for photography, device connection, and access to work areas.

If you use a paper visitor log, store it securely and retain it per your audit evidence retention period.

Step 5: Protect “protected information assets” beyond doors

This is where teams miss CC6.4. Add controls for:

  • Server rooms and network closets: keep locked; restrict keys; log access (badge events, key sign-out, or a ticket-based entry approval).
  • Workstations with production access: require screen locks; restrict leaving devices unattended in public areas; lockable storage for on-site teams where appropriate.
  • Media handling: define how backups/removable media are stored, transported, and destroyed; maintain an inventory and chain-of-custody when media leaves a secure area.
  • Paper records: locked cabinets or rooms; shred bins; clean desk expectations if paper contains sensitive data.

Step 6: Monitoring, review, and exception handling

Auditors will ask how you know controls worked.

  • Monitor: badge/access system logs, visitor logs, camera coverage where used.
  • Review: conduct periodic access list reviews for restricted zones; document findings and removals.
  • Exceptions: if a door reader fails or a site is temporarily unsecured, open an incident or exception ticket, document compensating controls, and record closure.

Practical tip: treat “door propped open” as a security incident category with an owner, even if impact is low.
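The access review in Step 6 and the deprovisioning evidence in Step 3 both come down to reconciling the badge system against HR. The following is an added example (not code from the original page or from Daydream) that performs that reconciliation for one restricted zone and produces the review record an auditor asks for. The HR roster and badge export are constructed sample data; field names such as employee_id, zone, active and deactivated_on are assumptions about what a badge export and HR feed contain, so map them to your own systems.

```python
"""
Restricted-zone physical access review: badge export vs HR roster.

Added example, not code from the original page or from Daydream. It flags the
hangups auditors test for: badges still active after termination, removals
later than the SLA, badge holders unknown to HR, and badges shared by more
than one person. All records below are constructed; field names are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster keyed by employee id. "terminated_on" is None while active.
HR_ROSTER = {
    "E100": {"name": "Ana Ruiz", "status": "active", "terminated_on": None},
    "E101": {"name": "Ben Okafor", "status": "active", "terminated_on": None},
    "E102": {"name": "Chloe Park", "status": "terminated", "terminated_on": date(2024, 3, 1)},
    "E103": {"name": "Dev Singh", "status": "terminated", "terminated_on": date(2024, 3, 4)},
}

# Constructed badge-system export (one row per badge/person/zone assignment).
BADGE_EXPORT = [
    {"badge_id": "B-1", "employee_id": "E100", "zone": "Restricted", "active": True, "deactivated_on": None},
    {"badge_id": "B-2", "employee_id": "E101", "zone": "Restricted", "active": True, "deactivated_on": None},
    # Same physical badge assigned to a second person who is not in HR at all.
    {"badge_id": "B-2", "employee_id": "E999", "zone": "Restricted", "active": True, "deactivated_on": None},
    # Terminated 1 March, badge never deactivated.
    {"badge_id": "B-3", "employee_id": "E102", "zone": "Restricted", "active": True, "deactivated_on": None},
    # Terminated 4 March, badge deactivated 10 March: late against a 1-day SLA.
    {"badge_id": "B-4", "employee_id": "E103", "zone": "Restricted", "active": False, "deactivated_on": date(2024, 3, 10)},
    # Controlled-zone assignment: out of scope for a Restricted-zone review.
    {"badge_id": "B-5", "employee_id": "E100", "zone": "Controlled", "active": True, "deactivated_on": None},
]

# Constructed point-in-time date for the review (the "as of" date on the evidence).
REVIEW_AS_OF = date(2024, 3, 31)


def review_zone_access(badge_export, hr_roster, zone="Restricted", removal_sla_days=1, as_of=None):
    """Return sorted (finding_type, badge_id, employee_id, detail) tuples for one zone."""
    as_of = as_of or date.today()
    findings = []
    holders = defaultdict(set)  # badge_id -> employee ids assigned that badge in this zone

    for rec in badge_export:
        if rec["zone"] != zone:
            continue
        holders[rec["badge_id"]].add(rec["employee_id"])
        person = hr_roster.get(rec["employee_id"])
        if person is None:
            # Badge holder unknown to HR: stale contractor, typo, or ghost account.
            findings.append(("NOT_IN_HR", rec["badge_id"], rec["employee_id"], "no HR record"))
            continue
        if person["status"] != "terminated":
            continue
        if rec["active"]:
            days = (as_of - person["terminated_on"]).days
            findings.append(("ACTIVE_AFTER_TERMINATION", rec["badge_id"], rec["employee_id"],
                             f"still active {days} days after termination"))
        else:
            lag = (rec["deactivated_on"] - person["terminated_on"]).days
            if lag > removal_sla_days:
                findings.append(("LATE_REMOVAL", rec["badge_id"], rec["employee_id"],
                                 f"deactivated {lag} days after termination"))

    for badge_id, emps in holders.items():
        if len(emps) > 1:
            findings.append(("SHARED_BADGE", badge_id, ",".join(sorted(emps)),
                             f"assigned to {len(emps)} people"))
    return sorted(findings)


def build_review_record(findings, reviewer, review_date):
    """Evidence record for the audit packet: who reviewed, when, and what must be removed."""
    remove_types = {"ACTIVE_AFTER_TERMINATION", "NOT_IN_HR", "SHARED_BADGE"}
    removals = sorted({f[1] for f in findings if f[0] in remove_types})
    return {
        "reviewer": reviewer,
        "review_date": review_date.isoformat(),
        "finding_count": len(findings),
        "badges_to_remove_or_reissue": removals,
    }


if __name__ == "__main__":
    results = review_zone_access(BADGE_EXPORT, HR_ROSTER, as_of=REVIEW_AS_OF)
    for finding in results:
        print(*finding, sep=" | ")
    print(build_review_record(results, reviewer="security-lead", review_date=REVIEW_AS_OF))
```

Run it against monthly exports and keep the output of build_review_record with the raw export in your evidence repository; the late-removal check is the same comparison an auditor performs on termination samples, so keeping the SLA value in one place keeps your review and the auditor's test aligned.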

Step 7: Document the control and retain operating evidence (make it repeatable)

Write a control narrative for CC6.4 that explains:

  • Who owns physical security.
  • What systems are used (badge system, visitor system).
  • What locations and zones are covered.
  • How access is approved, logged, reviewed, and revoked.
  • How exceptions are handled.

Daydream can help you standardize this narrative and map evidence requests to recurring tasks so Facilities and IT are not rebuilding the audit trail every year.

Required evidence and artifacts to retain

Build an “audit-ready” evidence packet around these artifacts:

Governance and design

  • Physical Security Policy and/or Standard (covers zones, badges/keys, visitors, secure areas)
  • Physical Security Scope Statement (facilities, secure areas, protected assets)
  • Roles/responsibilities (Facilities, Security, IT, site leads)

Operational evidence

  • Badge/key access roster for restricted areas (current and point-in-time)
  • Samples of access provisioning approvals (tickets or forms)
  • Samples of terminations with timely access removal evidence
  • Visitor logs (sample periods) and escort policy
  • Access review records (review date, reviewer, findings, removals)
  • Incident/exception tickets related to physical security (lost badge, door malfunction, unauthorized attempt)
  • Photos or floor plans showing secure area controls (as appropriate and safe to share)

Third-party dependencies (if applicable)

  • Contracts/SOWs or shared responsibility notes for building security or colocation controls
  • SOC reports or assurance artifacts from data center providers, if used and in scope for your audit approach

Common exam/audit questions and hangups

Expect these questions from SOC 2 auditors:

  • “Show me the list of people with access to the server room/network closet and how it is approved.”
  • “How do you remove physical access when someone leaves?”
  • “Do you review physical access periodically? Show the last review and evidence of removals.”
  • “How do you control visitors, contractors, and cleaning crews after hours?”
  • “Where are backups stored, and who can access them?”
  • “What is your process for lost/stolen badges or keys?”

Hangups that trigger extra testing:

  • No clear definition of “protected information assets.”
  • Shared badges, shared keys, or unsecured key storage.
  • Visitor logs missing host names, times, or purpose.
  • Access lists that do not match HR rosters or contain terminated users.

Frequent implementation mistakes and how to avoid them

  1. Relying on the building lobby as your control boundary.
    Fix: define your suite entrance and secure rooms as the enforceable boundary; document landlord reliance separately.

  2. Treating server rooms as “IT-only” and skipping GRC evidence.
    Fix: require tickets or periodic exports of access logs and keep them in your compliance repository.

  3. No documented access reviews.
    Fix: schedule recurring reviews for restricted zones; record reviewer, date, changes, and approvals.

  4. No chain-of-custody for backup media or retired drives.
    Fix: keep an inventory and sign-out/destruction records aligned to your data handling standard.

  5. Third parties enter without an owner.
    Fix: require internal hosts for visitors and contractors; define after-hours rules for maintenance and cleaning.

Enforcement context and risk implications

SOC 2 is an attestation framework; your “enforcement” risk shows up as qualified opinions, control exceptions, and customer trust impacts, not regulator-issued fines under the SOC 2 standard itself. A weak CC6.4 posture increases the likelihood of:

  • Unauthorized physical access leading to data exposure (device theft, console access, media loss).
  • Audit exceptions that expand testing and delay report timelines.
  • Customer security reviews flagging physical security as a blocker for enterprise deals.

A practical 30/60/90-day execution plan

First 30 days: define scope and stabilize basics

  • Identify in-scope facilities, secure areas, and protected information assets.
  • Publish/update physical security policy sections for badges/keys and visitors.
  • Validate that restricted areas are locked and have a controlled entry method.
  • Stand up a single repository for evidence (policy, rosters, logs, tickets).

Days 31–60: implement lifecycle controls and evidence routines

  • Tie badge provisioning and deprovisioning to HR events with ticketed approvals.
  • Implement visitor logging consistently across sites (even if paper-based).
  • Start collecting monthly (or otherwise periodic) badge/access exports for restricted zones.
  • Train site leads and office managers on escort rules and exception reporting.

Days 61–90: mature reviews, exceptions, and third-party boundaries

  • Run the first formal restricted-area access review; document removals.
  • Test the lost badge/key process with a tabletop scenario and confirm evidence output.
  • Document shared responsibility for colocation/building security and store supporting artifacts.
  • Draft the CC6.4 control narrative and align it to your SOC 2 description of the system.

Frequently Asked Questions

Does CC6.4 apply if we are fully remote with no office?

You still need to restrict physical access to protected information assets, primarily company-issued devices and any physical media. Document the absence of facilities you control and focus evidence on device handling, storage, and loss/theft response.

Our office is in a shared coworking space. What can we reasonably control?

Treat the building lobby as a third-party dependency and define your controlled boundary at your suite entrance and any secure rooms or locked storage you operate. Keep evidence of your internal access controls and document reliance on the coworking provider where applicable.

Do we need cameras to satisfy CC6.4?

CC6.4 does not mandate cameras in the text. If you have reliable badge/visitor logs and strong restricted-area controls, cameras may be optional; if you have higher risk areas or weak logging, cameras can serve as compensating detective evidence.

What counts as a “protected information asset” in practice?

Count anything that stores sensitive data or can grant access to it: servers, network devices, backup media, paper records, and endpoints used for administrative access. Write the definition into your scope statement so audits stay consistent.

How often should we review physical access lists?

Set a periodic review cadence that matches your risk and change rate, then follow it consistently and retain evidence of the review and removals. Auditors care more about consistency and remediation than the specific interval.

What evidence is most likely to fail an audit if we don’t have it?

Lack of proof that access is removed for terminated personnel is a common failure point. Keep termination samples that show badge deactivation and recovery (or documented exceptions).

Footnotes

  1. AICPA TSC 2017

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.
