
📖 What is Physical Access Control?

Physical Access Control consists of the tangible barriers and measures used to prevent unauthorized physical entry to facilities, server rooms, or hardware. This includes locks, security guards, badges, and surveillance cameras.

🥋 Sensei Says:

"Remember that the strongest logical controls are useless if an attacker has physical access to the server. Physical security is the first line of defense."

📚 Certification: Certified Information Systems Auditor (CISA)

🔑 What are the Key Concepts of Physical Access Control?

  • Defense in Depth applies physical security in layers, moving from the perimeter fence to the building entrance, then to the server room and individual racks.
  • Authentication mechanisms like biometrics, smart cards, and PINs ensure that only authorized personnel can enter sensitive areas based on the principle of least privilege.
  • Environmental monitoring and surveillance, including CCTV and motion sensors, provide detective controls to identify unauthorized access attempts and support forensic investigations.
  • Physical barriers such as mantraps and turnstiles are critical controls designed specifically to prevent tailgating and piggybacking into secure facility zones.
  • Access logs and visitor registries create an audit trail, allowing CISA auditors to verify that physical entry matches authorized access requests and schedules.

🎯 How does Physical Access Control appear on the CISA Exam?

You may be asked to identify the most effective control to prevent tailgating in a high-security data center, where a mantrap or biometric turnstile would be the correct answer.

A scenario might describe an audit of a server room where you must determine if the current physical controls are sufficient to prevent unauthorized hardware modifications or data theft.

Expect questions about reviewing access logs to reconcile them with employee termination lists to ensure that physical access was revoked immediately upon departure.

❓ Frequently Asked Questions

What is the difference between tailgating and piggybacking?

Tailgating occurs when an unauthorized person follows an authorized person through a door without their knowledge. Piggybacking happens when the authorized person knowingly allows the other person to enter.

How should a CISA auditor verify the effectiveness of physical access controls?

Auditors should perform a combination of policy review, observation of actual entry procedures, and testing the reconciliation between access logs and authorized personnel lists.
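The log-to-personnel reconciliation described in this answer (and in the exam tip above about termination lists), as an added example that is not part of this glossary page: it takes a constructed badge-reader export and a constructed HR termination list, and separates post-termination badge use into control failures (entry granted) and control successes (entry denied). The CSV layout, the field names, the badge identifiers and the rule that any grant after the cardholder's last day counts as a finding are assumptions made for the example.

```python
"""Reconcile badge-reader logs against an HR termination list.

Added example, not code from the glossary page. Sample data, field names
and the 'last day of employment' rule are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed badge log export: timestamp, badge id, door, result
BADGE_LOG = """\
2024-03-01T08:02:11,B1001,server-room-A,GRANTED
2024-03-01T08:05:40,B1002,server-room-A,GRANTED
2024-03-04T19:22:03,B1003,server-room-A,GRANTED
2024-03-05T07:58:17,B1003,lobby,DENIED
2024-03-06T12:10:00,B1002,server-room-A,GRANTED
"""

# Constructed HR termination list: badge id -> last day of employment
TERMINATIONS = {
    "B1003": date(2024, 3, 1),  # left on 1 March, badge still active
    "B1002": date(2024, 3, 5),  # left on 5 March, badge still active
}


@dataclass(frozen=True)
class Finding:
    badge_id: str
    timestamp: datetime
    door: str
    days_after_termination: int


def parse_log(text):
    """Yield (timestamp, badge_id, door, result) tuples from the CSV export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        yield datetime.fromisoformat(ts), badge, door, result


def reconcile(log_text, terminations):
    """Return (failures, blocked): badge use after the cardholder's last day,
    split into entries that were GRANTED (access not revoked in time) and
    entries that were DENIED (the revocation worked but the badge was still
    presented, worth a follow-up on badge return)."""
    failures, blocked = [], []
    for ts, badge, door, result in parse_log(log_text):
        last_day = terminations.get(badge)
        # Ignore current staff and any swipe on or before the last day
        if last_day is None or ts.date() <= last_day:
            continue
        lag = (ts.date() - last_day).days
        entry = Finding(badge, ts, door, lag)
        (failures if result == "GRANTED" else blocked).append(entry)
    return failures, blocked


def worst_revocation_lag(failures):
    """Largest number of days a terminated badge still opened a door."""
    return max((f.days_after_termination for f in failures), default=0)


if __name__ == "__main__":
    failures, blocked = reconcile(BADGE_LOG, TERMINATIONS)
    for f in failures:
        print(f"FINDING  {f.badge_id} granted at {f.door} "
              f"{f.days_after_termination} day(s) after termination ({f.timestamp})")
    for b in blocked:
        print(f"blocked  {b.badge_id} denied at {b.door} "
              f"{b.days_after_termination} day(s) after termination")
    print("worst revocation lag (days):", worst_revocation_lag(failures))
```

On the constructed data the script reports two findings (B1003 entering the server room three days after leaving, B1002 one day after) and one blocked attempt; the auditor's evidence is the gap between the HR last day and the first successful swipe, which is exactly the reconciliation the exam expects you to describe.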
