Access Control Policy: Physical and Logical

TL;DR
  • Physical access control and logical access control are two different disciplines that should be combined in a single policy.
  • The least privilege principle and role-based access control (RBAC) are the core mechanisms for keeping permissions secure and manageable.
  • Server rooms need a multi-layered protection concept: access control system, logging, escort requirement for external parties, and regular review of access rights.
  • Remote access via VPN must be clearly regulated in the policy: who may access what from where, and what authentication is required.

Why Physical and Logical Access Control Belong Together

When people talk about information security, most immediately think of firewalls, encryption, and passwords. Yet security begins much more fundamentally: who is allowed to go where, and who is allowed to access what? These two questions form the foundation of every security concept, and they are more closely connected than they appear at first glance.

An example: you can run the best password policy in the world, but if someone physically reaches the server, they can pull the hard drive and read it offline (full-disk encryption limits this, but not theft or sabotage of the hardware). Conversely, the most secure server room door is useless if an attacker gains access to all systems via an unprotected VPN connection. Physical and logical controls must be thought of together and regulated together.

ISO/IEC 27001:2022 reflects this. In Annex A, the physical controls (A.7 group) sit directly alongside the identity and access management controls (A.5.15 to A.5.18) and the technological access controls of the A.8 group, such as A.8.2 (privileged access rights), A.8.3 (information access restriction), and A.8.5 (secure authentication). A combined policy covering both aspects is therefore more practical than two separate documents that do not reference each other.

Clarifying Terms: Physical Entry, System Access, Data Access

In German, the terms Zutritt (physical entry), Zugang (system access), and Zugriff (data access) are often confused, though they mean different things. A clean distinction is important because your policy becomes ambiguous otherwise. In English, "access control" is used broadly, but the distinctions remain important:

Physical Entry Control

Physical entry control governs who may physically enter rooms, buildings, or areas. It is about protection against unauthorized entry.

Examples: building access via key card, server room door with PIN code and logging, visitor registration at reception, perimeter fencing with barrier.

System Access Control (Logical)

System access control governs who may log in to IT systems. It is about protection against unauthorized use of systems.

Examples: workstation login, VPN connection to the corporate network, email system authentication, SSH access to a server.

Data Access Control (Logical, Fine-Grained)

Data access control governs what an authenticated user may do within a system. It is about permissions after authentication.

Examples: read and write permissions on files, access rights to database tables, administration functions in the ERP, API permissions.

The three levels build on each other: first physical entry to the building, then system access, then data access. Your policy should address all three levels.

The Least Privilege Principle

The principle of least privilege is the most important concept in all of access management. It states: every user, every system, and every process receives only the permissions strictly required for the respective task. No more, no less.

Why Least Privilege Matters So Much

Without least privilege, permissions grow uncontrollably over time. A typical scenario: an employee transfers from accounting to sales within the company. She gets access to the CRM system but keeps her old accounting permissions. After three role changes, she has access to systems that have nothing to do with her current role. This is called "privilege creep," and it is one of the most common audit findings.

The consequences are real: every unnecessary permission enlarges the damage a compromised account can cause. If an attacker takes over an account with minimal permissions, the blast radius is limited. If they take over an account with historically accumulated full access, the entire organization is exposed.

Implementing Least Privilege in Practice

Your policy should anchor least privilege as a binding principle and define concrete implementation rules:

  • New accounts are created without permissions. Rights are granted only upon request and approved by the responsible manager.
  • Upon department transfer, old rights are revoked before new ones are granted. Not afterward, not in parallel, but before.
  • Administrator rights are not permanently bound to the everyday user account. Administrative tasks are performed with a separate, personal admin account, ideally enabled only for the duration of the task (Privileged Access Management).
  • Permissions are regularly reviewed (at least semi-annually) and unneeded rights are revoked.
  • Temporary permissions receive an automatic expiration date.

Role-Based Access Control (RBAC)

In a company with 50 or 500 employees, individual rights assignment quickly becomes unmanageable. Role-Based Access Control (RBAC) solves this problem by assigning permissions not to individuals but to roles. Employees are then assigned to one or more roles and inherit their permissions.

How RBAC Works

The basic idea: you define roles that represent typical job profiles. Each role contains exactly the permissions required for that job profile. Employees are assigned to a role, not to individual permissions.

Example:

Role                   Systems                            Permissions
Sales — Inside         CRM, email, document portal        Read/write in CRM, read in document portal
Sales — Team Lead      Same as Inside + reporting         Additionally: create reports, approve quotes
Accounting             ERP (Finance), email, banking      Read/write in financial accounting, payments up to limit
IT Administration      All systems (admin access)         Full access via dedicated admin account
Executive Management   ERP, CRM, reporting, dashboards    Read access to all areas, approvals

Anchoring RBAC in the Policy

Your policy should establish the following points on RBAC:

  • A role concept is maintained and documented. It contains all defined roles with their permissions. In ISMS Lite, the role concept can be centrally maintained and linked with the associated policies and controls.
  • Each role is managed by a responsible person (role owner) who ensures the permissions remain current.
  • Assignment of employees to roles is done by the manager and implemented by IT.
  • Individual permissions outside defined roles are exceptions that must be approved and time-limited.
  • The role concept is reviewed at least annually and adjusted to organizational changes.
  • For role conflicts (Separation of Duties), critical functions remain separated (e.g., the same person may not create orders and approve payments).

Separation of Duties

An important aspect of RBAC is Separation of Duties (SoD). Certain permission combinations are risky and must be prevented:

  • Whoever creates user accounts should not assign the permissions
  • Whoever initiates orders should not approve payments
  • Whoever makes changes to production systems should not grant the approval
  • Whoever writes audit logs should not be able to delete them

Your policy should identify the critical SoD conflicts for your organization and regulate them bindingly.
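The role concept from the table above and the separation-of-duties rules in this section, as an added example in Python. This is not code from the article or from ISMS Lite; the role names, the "system:action" permission strings, the three users and the decision to split IT administration into an identity role and an authorization role are constructed assumptions so that the SoD rule "whoever creates accounts does not assign permissions" can actually be enforced. It resolves a user's effective permissions from roles plus time-limited exceptions, answers permission checks with default deny, and reports SoD conflicts both per user and inside the role concept itself.

```python
"""Minimal RBAC model with time-limited exceptions and separation-of-duties (SoD) checks.

Added example for this article; roles, systems and users are constructed and
illustrative. Permissions are strings of the form "system:action".
"""
from dataclasses import dataclass, field
from datetime import date

# Role concept: each role carries exactly the permissions its job profile needs.
# IT administration is split in two so that the SoD rule "create accounts" vs
# "assign permissions" can be enforced (assumption for this example).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "sales_inside":     frozenset({"crm:read", "crm:write", "docs:read", "mail:use"}),
    "sales_teamlead":   frozenset({"crm:read", "crm:write", "docs:read", "mail:use",
                                   "reporting:create", "quotes:approve"}),
    "accounting":       frozenset({"erp_fin:read", "erp_fin:write", "payments:execute", "mail:use"}),
    "purchasing":       frozenset({"orders:create", "mail:use"}),
    "it_identity":      frozenset({"iam:create_user", "mail:use"}),
    "it_authorization": frozenset({"iam:assign_permission", "mail:use"}),
}

# SoD rules: no single person may hold both permissions of a pair.
SOD_CONFLICTS: list[tuple[str, str]] = [
    ("orders:create", "payments:execute"),
    ("iam:create_user", "iam:assign_permission"),
    ("prod:change", "prod:approve_change"),
]


@dataclass
class Grant:
    """An individual permission outside any role: must be approved and time-limited."""
    permission: str
    expires: date
    approved_by: str


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    exceptions: list[Grant] = field(default_factory=list)


def effective_permissions(user: User, today: date) -> set[str]:
    """Union of all role permissions plus individual grants that have not expired."""
    perms: set[str] = set()
    for role in user.roles:
        if role not in ROLE_PERMISSIONS:
            # An undocumented role is a policy violation, not something to skip silently.
            raise ValueError(f"undefined role {role!r} assigned to {user.name}")
        perms |= ROLE_PERMISSIONS[role]
    perms |= {g.permission for g in user.exceptions if g.expires >= today}
    return perms


def is_permitted(user: User, permission: str, today: date) -> bool:
    """Default deny: only explicitly granted permissions are allowed."""
    return permission in effective_permissions(user, today)


def sod_violations(user: User, today: date) -> list[tuple[str, str]]:
    """SoD pairs the user currently holds in full, whether via roles or exceptions."""
    perms = effective_permissions(user, today)
    return [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms]


def role_model_conflicts() -> list[tuple[str, str, str]]:
    """SoD conflicts baked into a single role; the role concept itself must be clean."""
    return [(role, a, b) for role, perms in ROLE_PERMISSIONS.items()
            for a, b in SOD_CONFLICTS if a in perms and b in perms]


def sod_report(users: dict[str, User], today: date) -> dict[str, list[tuple[str, str]]]:
    """Per-user SoD findings, usable as evidence for the access review."""
    report: dict[str, list[tuple[str, str]]] = {}
    for name, user in users.items():
        violations = sod_violations(user, today)
        if violations:
            report[name] = violations
    return report


TODAY = date(2025, 1, 15)  # fixed reference date so the example is deterministic

# Constructed users covering the cases the policy text describes.
EXAMPLE_USERS: dict[str, User] = {
    # plain role assignment
    "a.meier": User("a.meier", {"sales_inside"}),
    # purchasing clerk with an approved, time-limited exception to release payments
    "b.schulz": User("b.schulz", {"purchasing"},
                     [Grant("payments:execute", expires=date(2025, 1, 10), approved_by="cfo")]),
    # two roles that are fine on their own but conflict when combined
    "c.wagner": User("c.wagner", {"it_identity", "it_authorization"}),
}


if __name__ == "__main__":
    print("conflicts inside the role concept:", role_model_conflicts())
    for name, u in EXAMPLE_USERS.items():
        print(name, sorted(effective_permissions(u, TODAY)), sod_violations(u, TODAY))
    print("SoD report:", sod_report(EXAMPLE_USERS, TODAY))
```

Note how the exception for b.schulz is a real SoD violation on 5 January (orders plus payments in one person) but disappears on its own on 15 January because the grant carried an expiry date, which is exactly why the policy demands that individual rights outside roles be time-limited.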

Physical Entry Control

Physical entry control protects buildings, rooms, and areas against unauthorized entry. For an ISMS, it is a central building block because whoever has physical access to hardware can bypass most logical controls: booting from other media, removing data carriers, or attaching devices.

Defining Security Zones

A proven concept is dividing the organization into security zones with increasing protection levels:

Zone 1: Public Area

  • Entrance hall, reception, visitor parking
  • No special entry controls required
  • Video surveillance possible (data protection considerations apply)

Zone 2: General Business Area

  • Offices, meeting rooms, kitchenettes
  • Entry only for employees and registered visitors
  • Key card or badge system
  • Visitors are registered at reception and escorted

Zone 3: Restricted Area

  • IT workstations, network distribution cabinets, archive rooms
  • Entry only for authorized employees
  • Electronic access control system with logging
  • Visitors only accompanied by an authorized person

Zone 4: High-Security Area

  • Server room, data center, vault
  • Entry only for individually authorized persons
  • Two-factor entry control (badge + PIN or badge + biometrics)
  • Complete logging of all entries
  • Escort requirement for external parties, four-eyes principle for critical work
  • Video surveillance

Server Room: Special Requirements

Securing the server room deserves its own chapter in every access control policy because it houses the physical heart of the IT infrastructure. Unauthorized access can lead to data loss, manipulation, sabotage, or the physical theft of data carriers.

Minimum requirements for the server room:

Structural Measures:

  • Solid walls and ceiling (no lightweight construction, no suspended ceiling that can be climbed through)
  • No windows, or windows with security glazing and intrusion protection
  • Fire-resistant door with automatic closing mechanism
  • Independent air conditioning
  • Fire alarm system and suitable extinguishing system (gas, not water)
  • Water detectors on the floor (protection against pipe damage)

Entry Control:

  • Electronic access control system with logging (who, when, how long)
  • Two-factor authentication (badge + PIN as minimum)
  • Entry rights only for individually authorized persons (no team or department blanket access)
  • Regular review of the entry authorization list (at least quarterly)
  • Automatic door locking when not in use

Organizational Measures:

  • External service providers (maintenance technicians, delivery personnel) only accompanied by an authorized employee
  • Four-eyes principle for critical work (e.g., data carrier replacement)
  • Prohibition of mobile phones with camera function in the server room (optional, depending on protection requirements)
  • Key management: physical emergency keys in a safe with documented removal

Visitor Management

Every access control policy needs a section on visitor handling:

  • Pre-registration by the hosting employee
  • Registration at reception with name, company, visit purpose, and host
  • Issuance of a visibly worn visitor badge
  • Escort by the hosting employee in all areas from Zone 2 onward
  • Return of the visitor badge upon departure
  • Documentation of visitor logs with retention period

Logical Access Control

Logical access control governs access to IT systems, networks, and data. It builds on physical entry control and extends it into the digital dimension.

Identity Management

Before you can grant access rights, you need clean identity management:

  • Every user has a unique, personal identifier. Group accounts are to be avoided.
  • User account creation follows a documented process (onboarding).
  • Deactivation occurs immediately upon departure or suspension (offboarding).
  • Service accounts and technical accounts are managed and documented separately.
  • A central directory service (Active Directory, LDAP, identity provider) is the single source of truth for identities.

Authentication Methods

Your policy should specify which authentication methods apply to which systems and risk classes:

Risk Class   Authentication                         Examples
Standard     Password per password policy           Email, intranet, standard applications
Elevated     Password + MFA                         VPN, cloud services, remote access
High         MFA + certificate or hardware token    Administrative consoles, production systems
Critical     MFA + Privileged Access Management     Domain controllers, backup systems, firewalls

VPN and Remote Access

Remote work is routine in most organizations. Your policy must clearly regulate how access from outside the corporate network works:

Fundamental Rules:

  • Remote access to internal resources is permitted exclusively via the corporate VPN.
  • The VPN connection requires at least password + MFA.
  • Split tunneling (only corporate traffic goes through the VPN, the rest goes directly to the internet) must be explicitly regulated. For devices with access to sensitive data, full tunnel (all traffic through the VPN and thus through the corporate security controls) is recommended.
  • VPN certificates have a limited validity period and are centrally managed.
  • Upon an employee's departure, VPN access is immediately deactivated.

Additional Regulations:

  • Access to administrative consoles via VPN is permitted only from managed devices.
  • RDP and SSH connections are logged.
  • Access from abroad may be restricted or subject to special approval (geo-blocking or geo-alerting).
  • Seasonal or project-based remote access is time-limited.

Network Segmentation

Network segmentation is the logical equivalent of physical security zones. It ensures that an attacker who penetrates one network segment does not automatically gain access to all others.

Typical segments:

  • Office network (workstations)
  • Server network (separated from the office network)
  • DMZ (publicly accessible services)
  • Guest Wi-Fi (strictly separated, no access to internal resources)
  • Management network (for administration of network components, accessible only to administrators)
  • IoT/OT network (if applicable, strictly isolated)

Your policy should anchor segmentation as a principle and specify which communication between segments is allowed: firewall rules follow the allowlist principle (default deny; only explicitly permitted flows between segments are opened).

Permission Processes: Requesting, Approving, Revoking

An access policy is incomplete if it only describes which rights exist but not how they are granted and revoked. The processes are at least as important as the rules themselves.

Request

  • The employee (or their manager) submits a request for access rights.
  • The request contains: which rights, for which system, with what justification, for what period.
  • Standard rights (based on the role) can be granted automatically.
  • Extended rights require explicit approval.

Approval

  • Approval is granted by the data owner or the manager.
  • For critical systems, additional approval by the information security manager (ISM) or IT management may be required.
  • Approval is documented and traceable.
  • Automated workflows (ticketing system, ITSM tool) accelerate the process and create traceability.

Implementation

  • IT implements the approved rights.
  • Implementation is documented in the ticketing system.
  • The requestor is informed of the implementation.

Revocation

  • Upon department transfer: old rights are revoked, new ones granted according to the new role.
  • Upon departure: all rights are deactivated on the last working day (not deleted but deactivated, in case of follow-up queries).
  • Upon suspension: immediate deactivation of all access.
  • Temporary rights expire automatically.

Regular Review (Access Review)

  • At least semi-annually, managers and data owners review the granted rights in their area of responsibility.
  • Unneeded rights are revoked.
  • The review is documented and serves as audit evidence.
  • Automated tools can support the review by identifying inactive accounts or unusual permission combinations. With ISMS Lite, you document access reviews traceably and always have the evidence ready for audits.
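The implementation rules under "Implementing Least Privilege in Practice" and the access review described here, as an added example in Python that is neither the article's nor ISMS Lite's code. The account records, the two role baselines, the 90-day inactivity threshold and the reference date are constructed assumptions. The review compares what is actually provisioned in the systems with what the role concept allows and produces exactly the findings the text names: privilege creep after a role change, an expired temporary right that was never removed, a ghost account of a departed employee, an inactive account, and the resulting revocation list for IT.

```python
"""Automated support for the access review.

Added example for this article; not ISMS Lite code or any product's logic. The
account records, role baselines and thresholds are constructed. The review
compares what is provisioned in the target systems with what the role concept
allows and reports privilege creep, expired temporary rights, ghost accounts of
departed employees and inactive accounts.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)   # assumed threshold for "inactive account"

# Role baseline: the permissions the role concept grants (constructed example).
ROLE_BASELINE: dict[str, frozenset[str]] = {
    "sales_inside": frozenset({"crm:read", "crm:write", "docs:read", "mail:use"}),
    "accounting":   frozenset({"erp_fin:read", "erp_fin:write", "payments:execute", "mail:use"}),
}


@dataclass
class TempGrant:
    permission: str
    expires: date


@dataclass
class Account:
    user: str
    role: str
    enabled: bool
    provisioned: set[str]                  # rights as actually configured in the systems
    last_login: Optional[date]
    employment_end: Optional[date] = None
    temp_grants: list[TempGrant] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def review_account(acc: Account, today: date) -> list[Finding]:
    findings: list[Finding] = []
    if acc.enabled and acc.employment_end is not None and acc.employment_end < today:
        findings.append(Finding(acc.user, "ghost_account", f"left {acc.employment_end}, still enabled"))
    if acc.enabled and (acc.last_login is None or today - acc.last_login > INACTIVITY_LIMIT):
        findings.append(Finding(acc.user, "inactive", f"last login {acc.last_login}"))
    baseline = ROLE_BASELINE.get(acc.role)
    if baseline is None:
        findings.append(Finding(acc.user, "undefined_role", acc.role))
        baseline = frozenset()
    valid_temp = {g.permission for g in acc.temp_grants if g.expires >= today}
    expired_temp = {g.permission for g in acc.temp_grants if g.expires < today}
    # Everything provisioned beyond role + still-valid exceptions must be revoked.
    for perm in sorted(acc.provisioned - baseline - valid_temp):
        kind = "expired_grant_active" if perm in expired_temp else "privilege_creep"
        findings.append(Finding(acc.user, kind, perm))
    return findings


def run_review(accounts: list[Account], today: date) -> list[Finding]:
    return [f for acc in accounts for f in review_account(acc, today)]


def revocation_list(findings: list[Finding]) -> dict[str, set[str]]:
    """Permissions to remove per user, i.e. the work order for IT after the review."""
    todo: dict[str, set[str]] = {}
    for f in findings:
        if f.kind in ("privilege_creep", "expired_grant_active"):
            todo.setdefault(f.user, set()).add(f.detail)
    return todo


TODAY = date(2025, 1, 15)  # fixed reference date for a deterministic run

EXAMPLE_ACCOUNTS: list[Account] = [
    # clean: provisioned rights equal the role baseline
    Account("a.meier", "sales_inside", True,
            {"crm:read", "crm:write", "docs:read", "mail:use"}, date(2025, 1, 14)),
    # moved from accounting to sales; old rights were never revoked
    Account("m.keller", "sales_inside", True,
            {"crm:read", "crm:write", "docs:read", "mail:use",
             "erp_fin:read", "erp_fin:write", "payments:execute"}, date(2025, 1, 13)),
    # left the company, account still enabled
    Account("t.braun", "accounting", True,
            {"erp_fin:read", "erp_fin:write", "payments:execute", "mail:use"},
            date(2024, 12, 20), employment_end=date(2024, 12, 31)),
    # temporary reporting right expired but still provisioned; no login for months
    Account("s.novak", "sales_inside", True,
            {"crm:read", "crm:write", "docs:read", "mail:use", "reporting:create"},
            date(2024, 9, 1), temp_grants=[TempGrant("reporting:create", date(2024, 12, 31))]),
]


if __name__ == "__main__":
    findings = run_review(EXAMPLE_ACCOUNTS, TODAY)
    for f in findings:
        print(f"{f.user:10} {f.kind:22} {f.detail}")
    print("to revoke:", revocation_list(findings))
```

The comparison is deliberately made against the provisioned state in the target systems rather than against the IAM tool's own records: privilege creep usually lives precisely in the gap between what the directory says a person should have and what was actually left configured in the ERP, the file shares or the database.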

Example Policy: Outline

Here is a complete outline for a combined access control policy:

1. Introduction and Purpose

  • Objective: protection of premises, IT systems, and data against unauthorized access
  • Reference to the information security policy
  • Scope (all locations, all IT systems, all user groups)

2. Terms and Definitions

  • Physical entry control, system access control, data access control
  • Authentication, authorization
  • RBAC, least privilege, separation of duties

3. Core Principles

  • Least privilege
  • Need-to-know
  • Separation of duties
  • Default deny (everything not explicitly permitted is prohibited)

4. Physical Entry Control

  • Security zones and their protection requirements
  • Entry control systems and methods
  • Server room and data center
  • Key and badge management
  • Visitor management
  • Logging and retention periods

5. Logical Access Control

  • Identity management and user accounts
  • Authentication methods per risk class
  • VPN and remote access
  • Network segmentation

6. Role-Based Access Control

  • Role concept and role documentation
  • Assignment of employees to roles
  • Handling of special rights and exceptions
  • Separation of duties

7. Permission Processes

  • Request and approval
  • Implementation and documentation
  • Revocation and deactivation
  • Regular access review

8. Privileged Access

  • Separate admin accounts (no admin access via the standard account)
  • Privileged Access Management (PAM)
  • Just-in-time access (rights granted only for the duration of the task)
  • Logging of all administrative activities

9. Service Accounts and Technical Accounts

  • Documentation of all service accounts
  • Owner (account owner) for each service account
  • Automated password rotation
  • No interactive use of service accounts

10. External Service Providers and Temporary Access

  • Contractual safeguards (NDA, data processing agreement)
  • Time-limiting of all external access
  • Escort requirement for physical entry
  • Revocation upon contract termination

11. Monitoring and Logging

  • Logging of successful and failed login attempts
  • Logging of physical entries
  • Alerting on anomalies (brute force, access outside working hours, impossible travel, i.e. logins from locations too far apart for the elapsed time)
  • Retention periods for logs

12. Responsibilities

  • IT: technical implementation, MDM, account management
  • ISM: policy maintenance, access reviews, exception approval
  • Managers: rights approval, review within their area
  • Facility Management: physical access control systems
  • Employees: compliance, reporting anomalies

13. Violations and Consequences

14. Review and Update

Common Audit Findings in Access Control

So you know what auditors particularly focus on, here are the most common findings:

Privilege Creep

Employees accumulate permissions over the years that they no longer need. This typically happens during department transfers. The solution: mandatory access reviews and a joiner-mover-leaver process that resets rights with every position change.

Shared Admin Accounts

A single admin account used by multiple IT staff makes individual accountability impossible. Every administrator needs a personal admin account. Shared accounts are acceptable at most as break-glass accounts with documented usage.

Missing Server Room Logging

Many organizations have entry control at the server room but do not log entries or do not retain logs long enough. An auditor will ask for entry logs from the past six months.

No Process for Employee Departure

When accounts are not deactivated on the last working day, "ghost accounts" exist that pose a security risk. The offboarding process must include account deactivation as a mandatory step and document its execution.

VPN Access Without MFA

VPN connections that work only with username and password are a classic finding. MFA for remote access is now standard and expected by auditors.

No Regular Access Reviews

The policy says "semi-annually," but the last review was two years ago. Or reviews are conducted but not documented. Both are problematic. Schedule fixed dates, use a tool for documentation, and make results traceable.

Access Control in the Home Office

Since remote work has become the norm, a new question arises: how do you regulate the physical security of the workplace when it is in a private residence?

Your policy should address at least the following points for the home office:

  • The workplace must be set up so that unauthorized persons (family members, visitors, roommates) cannot view corporate data.
  • Screens must be locked when leaving the room, even briefly.
  • Printouts with sensitive content must be securely stored and properly destroyed.
  • Business calls with confidential content should not be conducted in the presence of third parties.
  • The home network's Wi-Fi must be encrypted with WPA3 or at least WPA2, and the router's default password must be changed.

These requirements are naturally harder to monitor than security in company premises. That is why employee awareness is particularly important. The goal is not to inspect private residences but to ensure employees develop an awareness of the risks.

Technical Implementation: Tools and Systems

To ensure the policy does not just remain on paper, it needs technical implementation:

Physical Entry Control Systems:

  • Electronic locking systems with badge readers
  • PIN pads or biometric systems for high-security areas
  • Central management software for granting and revoking entry rights
  • Logging of all entry events with timestamps

Identity and Access Management (IAM):

  • Central directory service (Active Directory, Microsoft Entra ID (formerly Azure AD), Okta)
  • Automated provisioning and deprovisioning of accounts
  • Self-service portal for password reset and permission requests
  • Integration with HR system for automated onboarding and offboarding

Privileged Access Management (PAM):

  • Separate management of privileged access
  • Session recording for administrative access
  • Just-in-time access: admin rights are enabled only for the duration of a task
  • Automatic password rotation for privileged accounts

SIEM and Monitoring:

  • Central collection and analysis of access logs
  • Correlation of physical and logical access events
  • Automatic alerting on anomalies
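The correlation of physical and logical access events named in the last list item, together with the alerting cases from the policy outline (brute force, access outside working hours, geo-alerting), as an added Python example that is not part of the article or of any SIEM product. The badge and authentication log lines are constructed; the field names, door names, zone numbers, home country, working hours and brute-force thresholds are assumptions. It raises an alert when an identity logs in at an office workstation although nobody badged into the building for it, when a VPN login from abroad arrives while the same person is badged in, when the server room is entered outside working hours, and when failed logins pile up within a short window.

```python
"""Correlation of physical entry events with logical logon events.

Added example for this article; the badge and authentication log lines are
constructed, and the field names, door names, zone numbers and thresholds are
assumptions, not the format of any real access control system or SIEM.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

BUILDING_DOORS = {"main-entrance"}          # doors whose in/out events define "is in the building"
HIGH_SECURITY_ZONE = "4"                    # server room / data center
WORK_START, WORK_END = time(7, 0), time(20, 0)
HOME_COUNTRY = "DE"
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

# Constructed badge log: <iso-timestamp> <user> key=value ...
BADGE_LOG = """\
2025-01-15T07:55:10 a.meier door=main-entrance zone=2 dir=in
2025-01-15T08:05:42 c.wagner door=main-entrance zone=2 dir=in
2025-01-15T17:02:40 a.meier door=main-entrance zone=2 dir=out
2025-01-15T22:13:05 c.wagner door=server-room zone=4 dir=in
"""

# Constructed authentication log, same line shape.
AUTH_LOG = """\
2025-01-15T03:00:02 admin result=failure src=vpn country=DE
2025-01-15T03:00:31 admin result=failure src=vpn country=DE
2025-01-15T03:01:04 admin result=failure src=vpn country=DE
2025-01-15T03:01:40 admin result=failure src=vpn country=DE
2025-01-15T03:02:15 admin result=failure src=vpn country=DE
2025-01-15T08:02:11 a.meier result=success src=console host=WS-0412
2025-01-15T08:10:00 b.schulz result=success src=console host=WS-0177
2025-01-15T09:30:00 a.meier result=success src=vpn country=RO
"""


@dataclass
class Alert:
    ts: datetime
    user: str
    kind: str
    detail: str


def parse(log: str) -> list[dict]:
    """Parse '<iso-timestamp> <user> k=v k=v ...' lines into dicts, sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, user, *kvs = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "user": user}
        ev.update(kv.split("=", 1) for kv in kvs)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def badged_in(badge: list[dict], user: str, at: datetime) -> bool:
    """True if the user's last perimeter badge event on that day before `at` was an entry."""
    state = False
    for ev in badge:
        if (ev["user"] == user and ev["door"] in BUILDING_DOORS
                and ev["ts"].date() == at.date() and ev["ts"] <= at):
            state = ev["dir"] == "in"
    return state


def run_detections(badge: list[dict], auth: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []

    # Physical: entry into the high-security zone outside working hours.
    for ev in badge:
        if (ev.get("zone") == HIGH_SECURITY_ZONE and ev["dir"] == "in"
                and not WORK_START <= ev["ts"].time() <= WORK_END):
            alerts.append(Alert(ev["ts"], ev["user"], "after_hours_entry", ev["door"]))

    failures: dict[str, list[datetime]] = defaultdict(list)
    flagged: set[str] = set()
    for ev in auth:
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "failure":
            # Sliding window over failed logons; alert once per user per run.
            failures[user] = [t for t in failures[user] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            if len(failures[user]) >= BRUTE_FORCE_THRESHOLD and user not in flagged:
                flagged.add(user)
                alerts.append(Alert(ts, user, "brute_force", f"{len(failures[user])} failures"))
            continue
        present = badged_in(badge, user, ts)
        if ev["src"] == "console" and not present:
            # Identity used at an office workstation, but nobody badged in for it.
            alerts.append(Alert(ts, user, "logon_without_entry", ev.get("host", "?")))
        elif ev["src"] == "vpn" and ev.get("country") != HOME_COUNTRY:
            kind = "impossible_location" if present else "foreign_vpn"
            alerts.append(Alert(ts, user, kind, f"vpn from {ev.get('country')}"))
    return alerts


if __name__ == "__main__":
    for a in run_detections(parse(BADGE_LOG), parse(AUTH_LOG)):
        print(a.ts.isoformat(), a.user, a.kind, a.detail)
```

Feeding both logs into one correlation is what turns two weak signals into one strong one: a foreign VPN login on its own is only a geo-alert, but a foreign VPN login for a person whose badge says they are sitting in the office is a credential that has very likely left the company.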

Conclusion

Physical and logical access control are not isolated topics but two sides of the same coin. A combined policy that links physical and logical controls, anchors the least privilege principle as the guiding idea, and uses RBAC as an operational tool creates a solid foundation for your ISMS.

The key lies in consistent implementation: defined security zones, technically enforced access restrictions, documented permission processes, and regular access reviews ensure that the policy does not just exist but is lived. And that is exactly what an auditor wants to see: not perfect documents but practiced processes with traceable evidence.

Document access control properly?

ISMS Lite gives you the relevant controls for physical entry control, RBAC, and remote access – with practical implementation guidance. Generate your access control policy with AI directly from selected controls, version it, and manage sign-off through the built-in approval workflow.
