CPCSC Level 1 Control
03.10.01 Physical protection

CPCSC 03.10.01: Physical access authorizations

Maintain an approved list of people who can physically access spaces, systems, or media related to specified information. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.

Formal Control Language

Official CPCSC Level 1 wording for 03.10.01. Use the Government of Canada page as the source of truth for certification or procurement submissions.

  • The frequency to review the authorization list for physical access is defined.
  • A list of individuals with authorized access to the facility where the system resides is developed, approved, and maintained.
  • Authorization credentials for facility access are issued.
  • The access list detailing authorized facility access by individuals is reviewed at the defined frequency.
  • Individuals from the facility access list are removed when access is no longer required.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

Know who can enter the office, server room, storage area, lab, or other location where in-scope systems and media are kept.

Physical access is still a cyber control whenever it can lead to system access, media theft, device tampering, or unauthorized viewing of the information the system holds.

For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.

How To Implement It

1. Identify the facilities and areas that matter: office, network closet, server rack, locked cabinet, document storage, test lab, and home-office storage if relevant.

2. Maintain a list of authorized people, including employees, contractors, cleaners, building management, visitors, and managed service providers where applicable.

3. Issue and track badges, keys, access cards, combinations, or building permissions.

4. Review physical access at a defined cadence and whenever people leave, change roles, or no longer need access.

5. Align office, coworking, colocation, and shared-space arrangements with the actual system boundary.
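The review in step 4 is where most findings surface: a badge that still opens the server room after someone left, a credential that opens an area the list never approved, or a list that nobody has re-signed since the last contract. The script below is an added example, not code from this guide or from the CPCSC program, showing how that review can be run as a reconciliation of three records: the approved access list, a badge-system export, and the HR roster. The people, areas, badge IDs, field names and dates are constructed for the illustration; real badge and HR exports will use their own layouts.

```python
"""Periodic physical-access review: reconcile the approved access list with
the badge-system export and the HR roster, and report what should change.

Added illustration, not code from the original guide or the CPCSC program.
The record layouts, people, areas and badge IDs are constructed for the
example; a real review would read exports from the badge system and HR.
"""
from datetime import date

# Areas that hold in-scope systems or media (step 1). General office space is
# deliberately left out so that an office-only badge raises no finding.
IN_SCOPE_AREAS = {"server-room", "network-closet"}
REVIEW_INTERVAL_DAYS = 90          # the "defined frequency" in the control
LAST_REVIEW = date(2024, 6, 30)    # date the list was last reviewed and signed off

# The approved access list (step 2): one row per person and area (constructed).
AUTHORIZED = [
    {"person": "a.tremblay",  "area": "server-room",    "approved_on": date(2024, 1, 15)},
    {"person": "b.nguyen",    "area": "server-room",    "approved_on": date(2024, 1, 15)},
    {"person": "c.singh",     "area": "network-closet", "approved_on": date(2024, 3, 2)},
    {"person": "cleanco-ops", "area": "network-closet", "approved_on": date(2024, 2, 1)},
]

# Badge-system export (step 3): which credential is live and what it opens (constructed).
BADGES = [
    {"badge_id": "B1001", "person": "a.tremblay",  "active": True,  "areas": {"office", "server-room"}},
    {"badge_id": "B1002", "person": "b.nguyen",    "active": True,  "areas": {"office", "server-room"}},
    {"badge_id": "B1003", "person": "c.singh",     "active": True,  "areas": {"office", "network-closet", "server-room"}},
    {"badge_id": "B1004", "person": "d.okafor",    "active": True,  "areas": {"office", "network-closet"}},
    {"badge_id": "B1005", "person": "e.martin",    "active": False, "areas": {"office", "server-room"}},
    {"badge_id": "B1006", "person": "cleanco-ops", "active": True,  "areas": {"office", "network-closet"}},
]

# HR roster feed (constructed). The cleaning contractor has no HR record at all.
HR = {
    "a.tremblay": "active",
    "b.nguyen": "terminated",
    "c.singh": "active",
    "d.okafor": "active",
    "e.martin": "terminated",
}


def review_physical_access(authorized, badges, hr, in_scope, last_review, today, interval_days):
    """Return sorted (finding, person, detail) tuples for an access review."""
    findings = []
    allowed = {(row["person"], row["area"]) for row in authorized}

    # List entries for people HR no longer carries as active must be removed.
    # People with no roster record need the owner to confirm them explicitly
    # (contractors, cleaners, landlord or colocation staff).
    for row in authorized:
        status = hr.get(row["person"])
        if status is None:
            findings.append(("no-roster-record", row["person"], row["area"]))
        elif status != "active":
            findings.append(("stale-authorization", row["person"], row["area"]))

    # Every live credential that opens an in-scope area needs a matching list
    # entry, and nobody terminated may hold a live credential for anything.
    for badge in badges:
        if not badge["active"]:
            continue
        if hr.get(badge["person"]) == "terminated":
            findings.append(("active-credential-after-termination", badge["person"], badge["badge_id"]))
        for area in sorted(badge["areas"] & in_scope):
            if (badge["person"], area) not in allowed:
                findings.append(("unauthorized-area", badge["person"], f"{badge['badge_id']}:{area}"))

    # The review cadence itself is auditable: flag it when it has lapsed.
    if (today - last_review).days > interval_days:
        findings.append(("review-overdue", "-", f"last reviewed {last_review.isoformat()}"))

    return sorted(findings)


def run_review(today=date(2024, 11, 1)):
    """Run the review over the constructed records as of a given date."""
    return review_physical_access(AUTHORIZED, BADGES, HR, IN_SCOPE_AREAS,
                                  LAST_REVIEW, today, REVIEW_INTERVAL_DAYS)


if __name__ == "__main__":
    for finding, person, detail in run_review():
        print(f"{finding:38} {person:12} {detail}")
```

Running it as of 2024-11-01 reports a terminated employee who is both still on the list and still holding a live badge, two badges that open an in-scope area the list never approved, a contractor entry with no roster record to check against, and a review that is past its 90-day cadence. The output of such a run, with the sign-off that closes each item, is the kind of review record and removal evidence the sections below ask for.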

Evidence Normally Gathered

Physical access authorization list.

Badge, key, or access card records.

Quarterly or periodic physical access review.

Termination or role-change access removal records.

Facility or building access procedures.

Colocation, coworking, or landlord access notes.

Common Auditor Questions

Which areas contain systems or media with specified information?

Who is authorized to physically access those areas?

How often is the access list reviewed?

How are keys, badges, and combinations issued and removed?

How do you handle shared offices, landlords, cleaners, or colocation staff?