SOC 2 CC6.4 requires that an organization restricts physical access to facilities and protected information assets to authorized personnel only. The criterion covers data center facilities, backup media storage, office spaces, and any other sensitive location within the system boundary. Despite the shift to cloud infrastructure and remote work, CC6.4 still applies to every SOC 2 Type 2 engagement. What changes is the scope, not whether the criterion is relevant.
This guide covers what CC6.4 requires, how auditors evaluate it across four common infrastructure scenarios, the AICPA points of focus, the evidence you need, and the mistakes that lead to exceptions.
What Is CC6.4 in SOC 2?
CC6.4 is one of eight sub-criteria within the CC6 (Logical and Physical Access Controls) series of the AICPA's Trust Services Criteria, defined in TSP Section 100 (2017, with revised points of focus issued in 2022). The full criterion reads:
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.
CC6.4 sits within the Security trust services category, the only mandatory category in a SOC 2 engagement. Because Security's Common Criteria (CC1 through CC9) apply to every SOC 2 report, CC6.4 is always in scope. The question is never whether it applies. The question is what facilities and assets fall within the system boundary and, therefore, require physical access restrictions.
One clarification worth stating plainly: SOC 2 produces an attestation report, not a certification. An independent CPA firm issues an opinion on the design and operating effectiveness of your controls under AT-C Section 205. Enterprise buyers and their legal teams know the difference.
The Three AICPA Points of Focus for CC6.4
The AICPA provides three specific points of focus that auditors consider when evaluating CC6.4. These are not a checklist of hard requirements. They are characteristics the auditor uses to determine whether the criterion has been met. In practice, your controls should address each one.
Creates or Modifies Physical Access
Processes must be in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner. Physical access is not granted informally. Someone with ownership authority must approve every new badge, key, or access credential before it is issued.
Removes Physical Access
Processes must be in place to remove access to physical resources when an individual no longer requires access. The most common trigger is employee termination or a role change. If someone leaves the organization and their badge still works two weeks later, you have a control gap.
Reviews Physical Access
Processes must be in place to periodically review physical access to ensure consistency with job responsibilities. This is the physical-access equivalent of the logical access review required under CC6.2 and CC6.3. Auditors want to see evidence of recurring reviews, not a one-time cleanup.
These three points of focus map to a lifecycle: grant access, revoke access, verify access. Your controls and evidence should cover all three phases.
Why CC6.4 Still Matters in a Cloud-First World
A common misconception among SaaS companies is that CC6.4 becomes irrelevant once all production infrastructure runs in AWS, Azure, or Google Cloud Platform. That is incorrect.
CC6.4's scope does narrow for cloud-native organizations. Your cloud provider's data center physical security is typically carved out of your SOC 2 report as a subservice organization control. Under the carve-out method, you acknowledge those controls exist and are operated by the cloud provider, and the reader of your report obtains the provider's own SOC 2 report to evaluate them independently.
However, CC6.4 does not disappear after the carve-out. Even a fully remote, cloud-hosted company has physical touchpoints: corporate office spaces, network closets with on-premises equipment, locations where backup media or sensitive printouts are stored, home offices of remote employees, and co-location facilities. Ignoring these because the company is "in the cloud" is one of the most common CC6.4 mistakes, and auditors catch it consistently.
CC6.4 by Infrastructure Scenario: What Auditors Actually Test
The practical requirements of CC6.4 vary depending on your infrastructure model. Below are the four scenarios auditors encounter most frequently, along with what each one requires.
Scenario 1: Fully Cloud-Hosted (AWS, Azure, GCP)
This is the most common scenario for SaaS companies. All production infrastructure, databases, and application services run on a hyperscale cloud provider.
What CC6.4 requires: The cloud provider's physical data center controls are carved out. To satisfy CC6.4 for the carved-out infrastructure, you need to obtain the cloud provider's SOC 2 Type 2 report (or ISO 27001 certificate) annually, review it for physical access coverage, document that physical data center security is a subservice organization control, and confirm no relevant exceptions exist. For your own office and facilities, you still need badge or key controls for the entrance, a visitor management process with sign-in and escort requirements, a clean desk and clear screen policy, and evidence that physical access is reviewed periodically.
What auditors test: The auditor will request the cloud provider's SOC 2 report and confirm you reviewed it, ask about your office controls, inspect visitor logs, and look for periodic access review evidence.
Scenario 2: Co-Location Data Center
Some organizations house their own servers in a third-party co-location facility. The co-location provider operates the building, but the company manages the hardware inside its cage or cabinet.
What CC6.4 requires: The co-location provider is treated similarly to a cloud provider. Their facility-level controls, building access, perimeter security, and environmental monitoring, are typically carved out. You have an additional obligation, however: a documented process to communicate authorized personnel to the facility and ensure that access requests follow your approval workflow, consistent with CC6.2. Keep a current authorization list of personnel approved for physical access, ensure the provider notifies you of access events to your cage or cabinet, and obtain and review the provider's SOC 2 report or equivalent assurance.
What auditors test: The auditor will request the authorized access list, evidence that it is kept current, the co-location provider's SOC 2 report, and any access logs the provider shares for your specific area.
Scenario 3: On-Premises Data Center or Server Room
Organizations that operate their own data center or maintain a server room within their office have the broadest CC6.4 scope.
What CC6.4 requires: Electronic access controls (badge readers, biometric scanners, or cipher locks) at the entrance. An authorization list specifying who has access and why, maintained by the asset owner. A formal process for granting, modifying, and revoking access. Visitor management with pre-approval, escort requirements, and a visitor log. Video surveillance covering entry and exit points with defined retention. Environmental monitoring for temperature, humidity, and water detection. Periodic access reviews, typically quarterly for high-sensitivity areas.
What auditors test: The auditor will walk through the access provisioning process, sample individuals with access and verify justification, review the removal process for terminated employees and contractors, inspect visitor logs and surveillance records, and review periodic access review evidence.
Scenario 4: Fully Remote, No Office
All-remote companies sometimes assume CC6.4 does not apply at all. That assumption is usually wrong, though the scope is narrow.
What CC6.4 requires: Even without a physical office, you need to address any locations where physical assets tied to the system exist. If employees take laptops home, there should be an asset management policy covering physical device security. If anyone stores backup media, portable drives, or sensitive printouts at home, that storage location falls within scope. Your system description should state that the organization has no physical office and describe how physical asset security is handled.
What auditors test: The auditor will review the system description for accuracy, confirm that no undisclosed physical locations exist, and look for policies covering endpoint device physical security and media handling.
Evidence Checklist for CC6.4
Auditors evaluate CC6.4 by requesting specific evidence. Here is a practical list, organized by the three points of focus.
Evidence for "Creates or Modifies Physical Access"
| Evidence Item | Purpose |
|---|---|
| Physical access request and approval records | Proves access is authorized before it is granted |
| Authorization list of personnel with physical access, by facility | Shows who has access and confirms the list is maintained |
| Access provisioning procedure documentation | Demonstrates a repeatable, documented process exists |
| Cloud provider or co-location SOC 2 report with your review notes | Proves you verified subservice organization controls |
Evidence for "Removes Physical Access"
| Evidence Item | Purpose |
|---|---|
| Termination checklist showing physical access revocation steps | Proves access removal is part of the offboarding process |
| Badge or key deactivation logs for terminated employees | Provides specific evidence of timely access removal |
| Contractor access expiration records | Shows temporary access is time-bound and revoked |
Evidence for "Reviews Physical Access"
| Evidence Item | Purpose |
|---|---|
| Periodic physical access review reports (quarterly or semi-annual) | Proves access appropriateness is verified on a cadence |
| Records of access changes resulting from reviews | Shows the review actually leads to corrections |
| Visitor log for facilities with restricted access | Demonstrates visitor access is tracked and controlled |
| Video surveillance footage retention evidence | Confirms surveillance operates and footage is available |
Common CC6.4 Audit Exceptions and How to Avoid Them
Based on patterns across SOC 2 Type 2 engagements, the following CC6.4 gaps appear repeatedly. Each one can lead to a qualified opinion or a management letter comment.
1. No Evidence of Cloud Provider SOC 2 Report Review
The most frequent CC6.4 gap in cloud-native companies is failing to obtain and review the cloud provider's SOC 2 report. The fix: assign someone to download the report annually, review the physical access sections, document exceptions, and file the review as evidence.
2. Stale Physical Access Lists
Access lists not updated after terminations or role changes are a consistent finding. If an employee left six months ago and their badge still appears on the active list, the auditor will flag it. Tie physical access revocation to your HR offboarding process.
3. Missing or Incomplete Visitor Logs
A visitor log with a three-month gap suggests the process is not operating effectively, which is exactly what a Type 2 audit evaluates: operating effectiveness over a period, not just policy existence.
4. No Periodic Physical Access Review
Some organizations perform logical access reviews under CC6.2 and CC6.3 but forget that physical access also requires periodic review. The two can be combined, but the physical dimension must be explicitly included and documented.
5. Treating CC6.4 as Not Applicable Without Justification
Cloud-first companies sometimes exclude CC6.4 entirely without documenting why. The correct approach is to describe the physical access controls in scope, even if the answer is office badge access plus a cloud provider carve-out.
How CC6.4 Connects to Other Common Criteria
CC6.4 does not exist in isolation. It interconnects with CC6.1 (logical access security), extending protection from the digital realm into the physical one. It mirrors the access lifecycle of CC6.2 (user registration and authorization) but applies it to badges and keys rather than usernames and passwords. It shares the principle of least privilege with CC6.3 (role-based access): physical access should be role-appropriate, so a software engineer may need office access but should not have badge access to a server room unless the role requires it. It ties into CC6.5 (discontinuation of protections), ensuring assets remain physically secured until data is rendered unrecoverable. And it supports CC9.1 (risk mitigation), because the cloud provider SOC 2 report review required under CC6.4 directly feeds your vendor risk management obligations.
CC6.4 in SOC 2 Type 2 vs. Type 1
In a SOC 2 Type 1 engagement, the auditor assesses the design of your physical access controls at a single point in time. The question is whether the controls could reasonably restrict physical access to authorized personnel. Policies must exist, access control mechanisms must be in place, and the process must be documented.
In a SOC 2 Type 2 engagement, the auditor tests operating effectiveness over the audit period, typically 6 to 12 months. The auditor will sample access provisioning and revocation events, review visitor logs for completeness, confirm that periodic access reviews happened on cadence, and look for gaps where controls failed to operate.
The operating effectiveness standard is significantly harder to satisfy. A policy that exists but was not followed will produce an exception. A visitor log maintained for three months and then abandoned will be flagged. A quarterly access review that only happened once will produce a finding. This is why SOC 2 Type 2 preparation should begin well before the audit period starts: controls need to operate consistently for the entire observation window, and the evidence trail needs to be continuous.
Practical Steps to Implement CC6.4 Controls
If you are preparing for your first SOC 2 Type 2 engagement or remediating gaps from a prior audit, follow this implementation sequence.
Step 1: Identify all physical locations within your system boundary. List every facility, office, server room, co-location cage, and home office arrangement in scope. If a location houses equipment, data, or media related to the system, it belongs on this list.
Step 2: Document your physical access policy. Create or update a Physical and Environmental Security Policy covering who authorizes physical access, how access is granted and revoked, how visitors are managed, how access is reviewed, and the retention period for access logs and surveillance footage.
Step 3: Implement access control mechanisms matched to risk. A server room needs electronic controls, a badge reader or biometric scanner. A general office can use badge access or physical keys with a key log. A cloud provider needs an annual SOC 2 report review.
Step 4: Build the evidence trail from day one.Start collecting evidence before the audit period begins. Set up visitor logs, configure badge access reporting, schedule periodic reviews, and assign ownership for the cloud provider report review. Evidence that does not exist cannot be tested.
Step 5: Tie physical access revocation to your offboarding process. When HR processes a termination, the offboarding checklist must include badge deactivation, key collection, and removal from physical access lists. Automate this by integrating badge access systems with your HR or identity provider platform where possible.
Step 6: Conduct periodic physical access reviews. Review access lists quarterly for high-sensitivity areas and at least semi-annually for general office access. Document who performed the review, what was reviewed, what changes were made, and the date.
Frequently Asked Questions About SOC 2 CC6.4
Does CC6.4 apply if my company is fully cloud-based with no data centers?
Yes, but the scope is narrower. You still need to address physical security for office spaces, on-premises equipment, and physical media. You also need to review your cloud provider's SOC 2 report annually. Fully remote companies should describe that in their system description and address physical device security through policy.
How often should physical access reviews happen?
The AICPA says "periodically" without specifying a frequency. In practice, auditors expect at least semi-annual reviews. Quarterly is common for data centers and server rooms. Align your physical and logical access review cadences to simplify the process.
What happens if my cloud provider's SOC 2 report has a physical access exception?
Evaluate whether the exception creates a gap in your own controls. Document your assessment: describe the exception, determine whether it affects the services you use, and note any compensating controls. Auditors want evidence you read the report critically, not that the provider's report is perfect.
Can I combine physical and logical access reviews?
Yes. As long as the review explicitly covers both dimensions, documents findings for each, and produces corrective actions where needed, a combined review satisfies CC6.2, CC6.3, and CC6.4.
Is video surveillance required?
Not explicitly. Video surveillance is a common control for data centers, but badge access logs, visitor sign-in sheets, and periodic reviews can satisfy the criterion for lower-risk locations. Match the control to the risk.
How long should I retain physical access logs?
There is no AICPA-mandated retention period. Common practice is 90 days for operational review and at least one year for audit purposes, covering the full observation period.
Summary
SOC 2 CC6.4 is a focused but essential criterion. It requires that physical access to facilities and information assets is restricted to authorized personnel, governed by three points of focus: creating and modifying access, removing access, and reviewing access. The criterion applies to every SOC 2 engagement, though the scope varies by infrastructure model. Cloud-native organizations can carve out data center controls to the cloud provider but must still address office, equipment, and media security. SOC 2 Type 2 audits evaluate operating effectiveness over a period, so controls must operate consistently and produce a continuous evidence trail. Start collecting evidence early, tie physical access revocation to your offboarding process, and conduct periodic reviews on a documented cadence.
A control matrix that maps CC6.4 to the specific evidence artifact behind it is what keeps this criterion from becoming a last-minute scramble. If you want an honest read on where your physical and logical access controls stand before an auditor tests them, that is exactly what a Gap Sprint is for.