PE-8(2)—Physical Access Records

>Control Description

[Incorporated into PE-2]

Questions assessors commonly ask

•What documented policies and procedures address physical access records?
•Who is accountable for implementing and maintaining physical access records controls?
•How frequently are physical access records requirements reviewed, and what triggers updates?
•What process ensures changes to systems maintain compliance with physical access records requirements?
•How are exceptions to physical access records requirements documented and approved?

•What technical controls enforce physical access records in your environment?
•How are physical access records controls configured and maintained across all systems?
•What automated mechanisms support physical access records compliance?
•How do you validate that physical access records implementations achieve their intended security outcome?
•What compensating controls exist if primary physical access records controls cannot be fully implemented?

•What documentation proves physical access records is implemented and operating effectively?
•Can you provide configuration evidence showing how physical access records is technically enforced?
•What audit logs or monitoring data demonstrate ongoing physical access records compliance?
•Can you show evidence of a recent review or assessment of physical access records controls?
•What artifacts would you provide during an assessment to demonstrate physical access records compliance?

Configure your API key to use AI features.