AM-19 Access Management

Physical Access (or Cloud SOC)

Physical access to processing facilities is controlled.

Domain: Access Management
Control type: Preventive/Detective
Automated / manual: Hybrid
Frequency: Continuous
Framework reference: COBIT DSS05.05

What good looks like

Physical access is restricted/logged/reviewed; for cloud, covered by the provider SOC 2 report.

Risk if it fails

Physical tampering, theft, destruction.

How Tess tests it

3 tests — each concludes only on cited evidence.

Physical-access policy or SOC reliance defined

Design

Procedure: Inspect the policy or SOC reliance approach.
Expected: Approach documented.
Sample: 1 (design inspection)
Evidence: Badge/visitor logs, access reviews, provider SOC 2.

On-prem: badge/visitor logs reviewed

Operating

Procedure: Sample logs and reviews (if on-prem).
Expected: Reviewed; anomalies actioned.
Sample: 25 (or full config inspection)
Evidence: Badge/visitor logs, access reviews, provider SOC 2.

Cloud: provider SOC 2 physical controls reviewed

Operating

Procedure: Inspect the provider SOC 2 report.
Expected: No unaddressed exceptions; CUECs noted.
Sample: 25 (or full config inspection)
Evidence: Badge/visitor logs, access reviews, provider SOC 2.

Evidence Tess looks for

Badge/visitor logs, access reviews, provider SOC 2.

More in Access Management

AM-01 IT Organisation & Segregation AM-02 Password / Authentication Policy AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO

Want Tess to test AM-19 against your evidence?