Controls 5 min read

SOC 2 Physical Security Controls: What Auditors Check

Understand SOC 2 physical security requirements under CC6.4–CC6.5. Learn what controls apply to your office, how AWS shared responsibility works, and what evidence auditors request.

Key Takeaways
  • CC6.4 requires physical access controls to data centers — satisfied by the AWS SOC 2 report for cloud infrastructure.
  • You still need office physical security controls: badge access, visitor logs, clean desk policy.
  • The AWS shared responsibility model means you inherit AWS data center controls but own your office controls.
  • Visitor access logs and badge access records are the primary physical security evidence.
  • Physical media handling (laptops, USB drives, printed PII) must be addressed in your policy.

Physical Security in SOC 2

CC6.4 and CC6.5 are the physical security criteria. CC6.4 requires the entity to restrict physical access to facilities and protected information assets (data centers, backup media storage, and other sensitive locations) to authorized personnel. CC6.5 requires that logical and physical protections over physical assets are discontinued only after the ability to read or recover data and software from those assets has been diminished and is no longer needed. (The requirement for logical access measures against threats from outside the system boundary is CC6.6, not CC6.4, and it is a logical control rather than a physical one.)

For cloud-native SaaS companies, physical security is simpler than for companies with on-premises infrastructure — you don't own the data center. But you do have physical access risks at the office: unauthorized visitors, unattended workstations, printed sensitive documents, and physical media (USB drives, backup tapes).

AWS Shared Responsibility for Physical Security

AWS is responsible for the physical security of its data centers: perimeter security, access controls, surveillance cameras, environmental controls, and hardware decommissioning. The AWS SOC 2 Type II report covers all physical security controls for the data center layer.

To rely on AWS's physical security for your SOC 2: download the AWS SOC 2 report from AWS Artifact, confirm that the regions and services you use are in scope, and describe AWS as a subservice organization in your system description (the carve-out method). Two checks your auditor will make: the AWS report's period should cover your audit period (AWS publishes bridge letters in Artifact for the gap between report periods), and the report lists Complementary User Entity Controls (CUECs) that you, the customer, are expected to implement and evidence. This is standard practice and is accepted by CPA firms performing SOC 2 examinations.

You do not need to visit AWS data centers or perform your own physical security audit. The AWS SOC 2 report is your evidence that the underlying infrastructure meets physical security requirements.

Office Physical Security Controls

Your office physical security controls should include: an access control system (badge or key fob required to enter the office and, separately, any server room or area with sensitive workstations, with the system retaining an entry log so it can serve as evidence), camera coverage of entrances and server rooms, a clean desk policy (no sensitive documents left on desks, workstations locked when unattended, with an automatic screen lock after a short idle timeout enforced by MDM rather than left to the user), and restricted access to any server hardware in the office.

If you do not have a dedicated server room (common for cloud-native companies), the clean desk policy and workstation locking controls are the primary office physical controls. Document these in a physical security policy.

For remote and home office setups, define physical security requirements for employees: workstations should be locked when unattended, printers used for sensitive documents should be secured, and no sensitive documents should be visible in video calls.

Physical Media Handling

CC6.5 requires controls for the disposal of assets and confidential data to prevent unauthorized disclosure. Physical media containing sensitive data — decommissioned laptops, hard drives, USB drives, printed documents — must be disposed of securely.

Policy requirements: enforce full disk encryption on all storage media and verify it through MDM (an encrypted device whose key has been destroyed by a wipe can be disposed of without physical destruction; an unverified one cannot), track all company-issued devices in an asset register, require device return on employee departure, and sanitize decommissioned hardware using a process aligned to NIST SP 800-88 (Clear, Purge, or Destroy, where cryptographic erase counts as Purge only if the key is verifiably destroyed) or physical destruction, retaining the certificate the vendor issues.

For printed documents: define what can be printed, require cross-cut shredding for documents containing PII or Restricted data, and provide shredding bins in office locations where printing occurs.

Visitor Management

Visitors to your office — customers, vendors, candidates — should not have unsupervised access to areas containing workstations, servers, or printed sensitive information. Implement a visitor policy: visitors sign in at reception, receive a visitor badge, are escorted by an employee at all times, and sign out when leaving.

Maintain a visitor log with date, visitor name, company, employee host, purpose, time in, and time out. This log is the primary CC6.4 physical access evidence for your office. Most modern visitor management systems (Envoy, Traction Guest) maintain digital logs that are easier to export as evidence than paper logs.

Physical Security Evidence

Physical security evidence an auditor will typically request:
  • AWS SOC 2 report reference covering data center physical security, with the CUECs you implement noted.
  • Office physical security policy.
  • Badge access system configuration and entry logs, or the visitor log, for the audit period.
  • Asset register showing all company devices (laptops, servers, mobile devices).
  • Device return records for employees who departed during the audit period.
  • Media disposal records (certificates of destruction, acknowledged remote wipes) together with MDM reports confirming encryption on all devices; an encrypted device whose key has been wiped can be retired without physical destruction, an unverified one cannot.
  • Clean desk policy acknowledgment in employee onboarding records.

Frequently Asked Questions

We are fully remote — do we still need physical security controls for SOC 2?
Yes, but the scope is different. For a fully remote company, physical security controls focus on employee home offices (workstation locking, no unattended access, clean desk for video calls), device security (full disk encryption, MDM enrollment), and physical media handling (device return on termination, secure disposal). The data center physical controls are inherited from AWS.
Do we need to install security cameras in our office for SOC 2?
Cameras are a best practice but not strictly required if other physical controls are in place. Badge access logs, visitor logs, and a clean desk policy are the minimum. If you have a server room or area with particularly sensitive equipment, cameras are recommended. Document what controls you have and why they are appropriate for your physical environment.
How does CC6.5 asset disposal apply to AWS resources?
When you terminate an EC2 instance, delete an S3 bucket, or drop an RDS database, AWS is responsible for decommissioning the underlying storage media, which its SOC 2 report describes as following NIST SP 800-88 techniques. For data you control, cryptographic erasure, that is scheduling deletion of the customer managed KMS key under which the data was encrypted, is the practical equivalent of media destruction, with three caveats: every copy (EBS snapshots, RDS snapshots and automated backups, cross-region replicas, objects written under that key) must have been encrypted under that key; AWS managed keys (aws/ebs, aws/s3, and so on) cannot be deleted, so only data under customer managed keys can be erased this way; and KMS enforces a 7 to 30 day pending window, after which the key material is gone and the data is unrecoverable. Keep the ScheduleKeyDeletion CloudTrail event and the key's final state as the disposal evidence.
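The pre-deletion check those caveats imply, as an added example that is not part of the original post. The functions below take the shape of kms:DescribeKey, ec2:DescribeSnapshots, rds:DescribeDBSnapshots and s3:GetBucketEncryption responses (the field names are the real ones; the sample records are constructed) and refuse to emit the schedule-key-deletion command while anything still depends on the key. Feeding them real boto3 output is the only change needed; the 7 to 30 day window is the limit KMS itself enforces.

```python
"""Pre-flight check before scheduling a KMS key for deletion (cryptographic erasure).

Added example, not code from the original post. Deleting a customer managed
KMS key erases data only if every copy of that data was encrypted under the
key and nothing still needs it. The sample records below are constructed but
use the field names returned by kms:DescribeKey, ec2:DescribeSnapshots,
rds:DescribeDBSnapshots and s3:GetBucketEncryption, so the same functions
work on real boto3 output.
"""
from dataclasses import dataclass

KMS_MIN_WINDOW_DAYS = 7    # KMS rejects PendingWindowInDays outside 7..30
KMS_MAX_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Blocker:
    service: str
    resource_id: str
    reason: str


def key_id_of(key_ref: str) -> str:
    """Reduce a key ARN or bare key ID to the key ID. Aliases cannot be
    resolved offline, so they come back as 'alias/<name>' for the caller to flag."""
    if "alias/" in key_ref:
        return "alias/" + key_ref.split("alias/", 1)[1]
    return key_ref.rsplit("/", 1)[-1]


def find_blockers(key_metadata, ebs_snapshots, rds_snapshots, bucket_encryption):
    """Return everything that makes deleting this key unsafe or impossible."""
    target = key_id_of(key_metadata["KeyId"])
    blockers = []
    if key_metadata.get("KeyManager") != "CUSTOMER":
        blockers.append(Blocker("kms", key_metadata["KeyId"],
                                "AWS managed keys cannot be scheduled for deletion"))
    if key_metadata.get("KeyState") == "PendingDeletion":
        blockers.append(Blocker("kms", key_metadata["KeyId"], "deletion already scheduled"))
    for snap in ebs_snapshots:
        if snap.get("Encrypted") and key_id_of(snap.get("KmsKeyId", "")) == target:
            blockers.append(Blocker("ec2", snap["SnapshotId"],
                                    "EBS snapshot still encrypted under this key"))
    for snap in rds_snapshots:
        if snap.get("Encrypted") and key_id_of(snap.get("KmsKeyId", "")) == target:
            blockers.append(Blocker("rds", snap["DBSnapshotIdentifier"],
                                    "RDS snapshot still encrypted under this key"))
    for bucket, rules in bucket_encryption.items():
        for rule in rules:
            ref = rule.get("ApplyServerSideEncryptionByDefault", {}).get("KMSMasterKeyID", "")
            if not ref:
                continue  # SSE-S3 or the AWS managed aws/s3 key: not our key
            kid = key_id_of(ref)
            if kid == target:
                blockers.append(Blocker("s3", bucket,
                                        "default encryption uses this key; objects written under it stay encrypted with it"))
            elif kid.startswith("alias/"):
                blockers.append(Blocker("s3", bucket,
                                        f"default key is {kid}; resolve it with kms:DescribeKey before deciding"))
    return blockers


def schedule_deletion_command(key_id: str, pending_days: int) -> str:
    """Build the CLI call once the blocker list is empty."""
    if not KMS_MIN_WINDOW_DAYS <= pending_days <= KMS_MAX_WINDOW_DAYS:
        raise ValueError(f"PendingWindowInDays must be {KMS_MIN_WINDOW_DAYS}..{KMS_MAX_WINDOW_DAYS}")
    return f"aws kms schedule-key-deletion --key-id {key_id} --pending-window-in-days {pending_days}"


# Constructed sample data: one customer managed key with leftover dependents.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_KEY = {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeyState": "Enabled"}
SAMPLE_EBS = [
    {"SnapshotId": "snap-0aaa", "Encrypted": True, "KmsKeyId": KEY_ARN, "State": "completed"},
    {"SnapshotId": "snap-0bbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/99999999-0000-0000-0000-000000000000"},
    {"SnapshotId": "snap-0ccc", "Encrypted": False},
]
SAMPLE_RDS = [{"DBSnapshotIdentifier": "rds:prod-2024-01-01", "Encrypted": True, "KmsKeyId": KEY_ARN}]
SAMPLE_S3 = {
    "backups-bucket": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/prod-data"}}],
    "logs-bucket": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}],
}


def main():
    blockers = find_blockers(SAMPLE_KEY, SAMPLE_EBS, SAMPLE_RDS, SAMPLE_S3)
    if blockers:
        print("Do NOT schedule deletion yet:")
        for b in blockers:
            print(f"  [{b.service}] {b.resource_id}: {b.reason}")
    else:
        print(schedule_deletion_command(SAMPLE_KEY["KeyId"], KMS_MIN_WINDOW_DAYS))


if __name__ == "__main__":
    main()
```

On the constructed data the check reports three blockers (an EBS snapshot, an RDS snapshot, and a bucket whose default key is an alias that must be resolved first) and never prints the deletion command. Volumes, RDS instances, AWS Backup vaults and replicas in other regions are further places copies hide; they follow the same pattern with ec2:DescribeVolumes, rds:DescribeDBInstances and the Backup API.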
Does a home office need a visitor policy?
If employees regularly have client or vendor visitors to their home office, yes. More practically, the policy should state that sensitive work conversations and screen contents should not be accessible to visitors or family members. For fully distributed teams, the visitor policy primarily applies to any shared workspace or office days.
How do we track decommissioned laptops for CC6.5?
Maintain an asset register that includes all company-issued devices, their current status (in use, decommissioned, lost/stolen), and a disposal record (date decommissioned, disposal method, performed by). MDM tools provide the device inventory automatically. For decommissioned devices, record the date the remote wipe was issued and the MDM's confirmation that the device acknowledged it (simply removing the device from MDM proves nothing about the data), or the certificate of destruction from your hardware recycler.
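An added example, not from the original post, of the reconciliation that turns the three sources named in this answer and in the evidence list above (asset register, MDM export, HR termination list) into the exception list an auditor would otherwise assemble by sampling. The CSV exports, their column names, and the 30-day stale check-in threshold are constructed assumptions; map them onto the headers your MDM and HRIS actually export.

```python
"""Reconcile the asset register against MDM and HR exports and emit the CC6.5
exception list an auditor would otherwise assemble by sampling.

Added example, not code from the original post. The three CSV exports and
their column names are constructed for illustration; map them onto the
headers your MDM (Jamf, Kandji, Intune, ...) and HRIS actually export.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

STALE_CHECKIN_DAYS = 30    # assumption: policy treats 30+ days silent as unmanaged
AS_OF = date(2024, 3, 31)  # end of the (constructed) audit period

ASSET_REGISTER_CSV = """asset_tag,serial,assignee,status,decommissioned_on,disposal_method,disposal_ref
LT-001,C02AAA,alice@example.com,in_use,,,
LT-002,C02BBB,bob@example.com,in_use,,,
LT-003,C02CCC,carol@example.com,in_use,,,
LT-004,C02DDD,,decommissioned,2024-02-10,remote_wipe,
LT-005,C02EEE,,decommissioned,2024-03-01,physical_destruction,CERT-8841
LT-006,C02FFF,dave@example.com,in_use,,,
LT-007,C02GGG,erin@example.com,in_use,,,
LT-008,C02HHH,frank@example.com,lost_stolen,,,
"""

MDM_EXPORT_CSV = """serial,fde_enabled,last_checkin,wipe_status
C02AAA,true,2024-03-28,
C02BBB,false,2024-03-27,
C02CCC,true,2024-01-15,
C02DDD,true,2024-02-09,
C02FFF,true,2024-03-29,
C02HHH,true,2024-03-10,pending
C02ZZZ,true,2024-03-29,
"""

HR_TERMINATIONS_CSV = """email,termination_date
dave@example.com,2024-03-15
"""


@dataclass(frozen=True)
class Finding:
    asset: str
    check: str
    detail: str


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(asset_csv, mdm_csv, hr_csv, as_of):
    """Cross-check the three sources; each Finding is one line for the auditor."""
    mdm = {r["serial"]: r for r in _rows(mdm_csv)}
    terminated = {r["email"]: date.fromisoformat(r["termination_date"]) for r in _rows(hr_csv)}
    findings, registered = [], set()
    for a in _rows(asset_csv):
        tag, dev = a["asset_tag"], mdm.get(a["serial"])
        registered.add(a["serial"])
        # A wipe counts only once the device acknowledged it, not when it was issued.
        wiped = dev is not None and dev["wipe_status"] == "acknowledged"
        if a["status"] == "in_use":
            if dev is None:
                findings.append(Finding(tag, "not_in_mdm", "in-use device has no MDM record, so no encryption evidence"))
            else:
                if dev["fde_enabled"].lower() != "true":
                    findings.append(Finding(tag, "unencrypted", "MDM does not confirm full disk encryption"))
                last = date.fromisoformat(dev["last_checkin"])
                if as_of - last > timedelta(days=STALE_CHECKIN_DAYS):
                    findings.append(Finding(tag, "stale_checkin", f"last MDM check-in {last}"))
            term = terminated.get(a["assignee"])
            if term is not None and term <= as_of:
                findings.append(Finding(tag, "device_not_returned", f"assignee terminated {term}, device still assigned"))
        elif a["status"] == "decommissioned":
            if not a["disposal_ref"] and not wiped:
                findings.append(Finding(tag, "no_disposal_evidence",
                                        "no destruction certificate and no MDM-acknowledged wipe"))
        elif a["status"] == "lost_stolen" and not wiped:
            findings.append(Finding(tag, "lost_device_not_wiped", "remote wipe not acknowledged"))
    for serial in sorted(mdm.keys() - registered):
        findings.append(Finding(serial, "unregistered_device", "enrolled in MDM but missing from the asset register"))
    return findings


def run_sample():
    return reconcile(ASSET_REGISTER_CSV, MDM_EXPORT_CSV, HR_TERMINATIONS_CSV, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.asset}\t{f.check}\t{f.detail}")
```

Run against the constructed data it produces seven exceptions, and LT-004 is the instructive one: the register says "remote_wipe", but the MDM never recorded an acknowledgment and there is no certificate, so the register entry alone is not disposal evidence. Run the same reconciliation monthly rather than once before the audit, so the exception list is empty when the auditor samples.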

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free