CPCSC Level 1 Control
03.10.07 Physical protection

CPCSC 03.10.07: Physical access control

Use locks, badges, visitor controls, logs, and safeguards to prevent unauthorized physical access to systems and specified information. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.

Formal Control Language

Official CPCSC Level 1 wording for 03.10.07. Use the Government of Canada page as the source of truth for certification or procurement submissions.

  • Physical access authorizations are enforced at entry and exit points by verifying individual access authorizations before granting access to the facility.
  • Ingress to and egress from the facility are controlled using physical access control systems, devices, and guards.
  • Audit logs of physical access are maintained.
  • Visitors are escorted and visitor activity is controlled.
  • Keys, combinations, and other physical access devices are secured.
  • Access to output devices is controlled to prevent unauthorized individuals from obtaining the output containing specified information.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

It is not enough to have an access list. The facility or room needs controls that make the list real: locks, badges, logs, visitor escorting, and secure output handling.

This also covers printers, meeting rooms, whiteboards, shipping areas, and any place where specified information could be viewed or picked up.

For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.

How To Implement It

  1. Use locked doors, badge readers, keys, cabinets, visitor logs, or reception procedures appropriate to the environment.
  2. Define visitor escort expectations for offices, restricted rooms, labs, and areas where systems or media are accessible.
  3. Secure keys, combinations, badges, backup keys, and admin access to physical access systems.
  4. Review physical access logs where available. For small offices, retain visitor logs and building access exports if accessible.
  5. Control printers, shipping labels, paper records, and output devices that may expose specified information.
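
One way to carry out the log review in step 4, shown as an added example that is not part of the CPCSC material or of any badge vendor's tooling: the Python below compares a building access export with the access authorization list and flags events that need follow-up. The CSV column layout, badge IDs, area names, and finding labels are all constructed assumptions; map them to whatever your access system actually exports.

```python
import csv
import io

# Assumed authorization list: badge ID -> areas that badge may enter (constructed).
AUTHORIZED = {"B-1001": {"office", "server-room"}, "B-1002": {"office"}}

# Constructed badge-system export; the column layout is an assumption.
BADGE_EXPORT = """timestamp,badge_id,holder_type,door,result,escort_badge
2025-01-06T08:58:00,B-1001,employee,server-room,granted,
2025-01-06T09:10:00,B-1002,employee,server-room,denied,
2025-01-06T09:12:00,B-1002,employee,server-room,granted,
2025-01-06T10:30:00,V-0007,visitor,office,granted,B-1002
2025-01-06T11:05:00,V-0008,visitor,server-room,granted,
2025-01-06T11:40:00,V-0009,visitor,server-room,granted,B-1002
2025-01-06T13:15:00,B-1999,employee,office,granted,
"""


def review_access_log(export_text, authorized):
    """Return (timestamp, badge_id, door, reason) for each event needing follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        badge, door = row["badge_id"].strip(), row["door"].strip()
        escort = (row["escort_badge"] or "").strip()
        reason = None
        if row["result"].strip() != "granted":
            reason = "denied-attempt"  # enforcement worked; confirm why it was tried
        elif row["holder_type"].strip() == "visitor":
            if not escort:
                reason = "visitor-without-escort"
            elif door not in authorized.get(escort, set()):
                reason = "escort-not-authorized-for-area"
        elif badge not in authorized:
            reason = "badge-not-on-authorization-list"
        elif door not in authorized[badge]:
            reason = "granted-outside-authorization"
        if reason:
            findings.append((row["timestamp"], badge, door, reason))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(BADGE_EXPORT, AUTHORIZED):
        print(*finding, sep="  ")
```

Keeping the dated findings output alongside the raw export gives a repeatable record of who reviewed the logs and what was followed up.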

Evidence Normally Gathered

Door, badge, or building access logs.

Visitor logs and escort procedures.

Key and badge inventory.

Photos or diagrams of restricted areas.

Printer or output-device control settings.

Physical security review notes.

Common Auditor Questions

How do you enforce physical access at entry and exit points?

Are visitors escorted where in-scope systems or media are present?

Where are physical access logs kept, and who reviews them?

How are keys, badges, and combinations protected?

How do you stop sensitive printouts or output from being picked up by the wrong person?