PE-03 Physical Access Control

Physical and Environmental Protection

Baselines: Low, Moderate, High

Description

The organization controls all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facility. The organization controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.

Supplemental Guidance

The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing information systems. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or individuals are transferred or terminated. Workstations and associated peripherals connected to (and part of) an organizational information system may be located in areas designated as publicly accessible, with access to such devices being appropriately controlled. Where a federal Personal Identity Verification (PIV) credential is used as an identification token and token-based access control is employed, the access control system conforms to the requirements of FIPS 201 and NIST Special Publication 800-73. If the token-based access control function employs cryptographic verification, the access control system conforms to the requirements of NIST Special Publication 800-78. If the token-based access control function employs biometric verification, the access control system conforms to the requirements of NIST Special Publication 800-76.

Changes from Rev 4

Parameter changed from 'security safeguards' to 'physical access controls'
Parameter changed from 'monitoring' to 'control of visitor activity'
Discussion expanded to address physical access controls for publicly accessible areas

Compliance Mappings

ISO 27001:2022

A.7.1, A.7.2, A.7.3, A.7.6

ISO 27002:2022

7.1, 7.2, 7.3, 7.6

COBIT 2019

DSS01, DSS05

NIST CSF 2.0

DE.CM-02, PR.AA-06

SOC 2 TSC

CC6.4

PCI DSS v4.0.1

9.2, 9.3, 9.5

CSA CCM v4

DCS-03, DCS-07, DCS-09

CSA AICM v1

DCS-03, DCS-07, DCS-09

BSI IT-Grundschutz

INF.1, INF.2

ANSSI

Hygiene.37, SecNumCloud.12.2

FINMA Circular 2023/1

IV.B.d(59)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(b)

EU DORA

Art.9(1)

BIO2

7.1, 7.2, 7.3, 7.6

RBI CSF

Annex1.3ITGRCA.18

FISC Security Guidelines

FISC.F1

LGPD + BCB 4893

LGPD.Art.46

HKMA TM-E-1

TME1.11.1, TME1.11.3, TME1.5.1

MLPS 2.0

8.1.1.2, 8.1.1.3, 8.1.10.1, 8.4, 8.5

DNB Good Practice

DNB.21.1, DNB.21.2

SWIFT CSCF

SWIFT.3.1, SWIFT.5.2

SAMA CSF

3.7

NCA ECC

1-115-1

UAE IA

T6

CBB TM

TM-10

Qatar NIA

PS

CBE CSF

CTO-10

SA JS2

JS2-PE

CBN CSF

Part10

BoG CISD

CISD-XIV

POPIA

s19

BoM CTRM

3.5

IOSCO Cyber Resilience

PROT-5

CPMI-IOSCO PFMI

CG.PR

FFIEC IS

II.C.13(a), II.C.8

HIPAA Security Rule

§164.310(a)(1), §164.310(a)(2)(i), §164.310(a)(2)(ii), §164.310(a)(2)(iii), §164.310(c)

ECB CROE

CROE.2.3.6

EBA ICT Guidelines

3.4.3

SEBI CSCRF

PR.PE

BOT Cyber Resilience

Ch2.8

CMMC 2.0

PE

NERC CIP

CIP-006-6, CIP-014-3

10 CFR 73.54

RG5.71-B-PE

FERC CIP Orders

Order 850, Order 888

API 1164

Sec 14

AWIA

AWWA Sec 3

IAEA NSS 17-T

Sec 10

PCI PTS v6

ADI

FIPS 140-3

FIPS 140-3 §7.7

TIBER-EU

TIBER.CONF

PCI HSM

267

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.5

Lloyd's Minimum Standards

PHYS.1

NAIC Insurance Data Security

4B

PRA SS1/23

P-IT.3

HITRUST CSF v11

08.a

ISO 27799

11.1

CCSS v9.0

1.01.1, 1.01.7, 1.03.6, 1.05.5

Basel SCO60

SCO60.61, SCO60.62, SCO60.64

BSSC Standards

NOS-09, KMS-03, KMS-05, KMS-09

SEC Custody (Digital Assets)

SEC-CD-02, SEC-CD-06, SEC-CD-08, SEC-CD-16

ISO 17799 (legacy)

9.1.1, 9.1.2, 9.1.5, 9.1.6, 10.5.1

COBIT 4.1 (legacy)

DS12.2