Do you have physical security and environmental controls in the data center and office buildings?


Physical security controls are a broad topic that covers all aspects of making sure that the organization’s buildings, assets, and employees are protected from harm and malicious acts. Controls often include alarm systems, access control systems, restrictions on guest access, and other measures to prevent unauthorized access to the environment. Physical controls also frequently address disaster preparedness, including fire suppression systems and even accounting for threats from natural disasters through threat modeling.

Why are they asking this?

Organizations need to protect their employees and protect assets from theft, damage, or destruction. Additionally, many technical security controls can be overcome by having physical access to the systems.

What do they expect?

Organizations generally expect that access to the data center and offices be restricted to authorized personnel and registered visitors. This can be accomplished through a number of means, including access control systems, receptionists who check company IDs and greet visitors, or security guards who do the same. Additional controls, such as alarm systems, are often required and are asked about in the questionnaire.


Personnel should have background checks, and when facilities have areas with different purposes or need-to-know requirements, personnel access is restricted based on their need-to-know and level of background investigation.


Security controls for environmental factors are typically separated into other questions or categories of questions but are sometimes lumped together with physical security. It is expected that your organization have fire detection and suppression systems. Other environmental controls may specify that your organization considered natural disaster potential when choosing locations for offices and data centers.