Skip to main content

PES-05: Monitoring Physical Access

PES 7 — High Detect

Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.

Control Question: Does the organization monitor for, detect and respond to physical security incidents?

General (41)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.4-POF4
CSA CCM 4 DCS-10
CSA IoT SCF 2 PHY-01
ENISA 2.0 SO9
GovRAMP Low PE-06
GovRAMP Low+ PE-06
GovRAMP Moderate PE-06
GovRAMP High PE-06
ISO 27002 2022 7.4
MPA Content Security Program 5.1 PS-1.3
NIST 800-53 R4 PE-6
NIST 800-53 R4 (low) PE-6
NIST 800-53 R4 (moderate) PE-6
NIST 800-53 R4 (high) PE-6
NIST 800-53 R5 (source) PE-6
NIST 800-53B R5 (low) (source) PE-6
NIST 800-53B R5 (moderate) (source) PE-6
NIST 800-53B R5 (high) (source) PE-6
NIST 800-82 R3 LOW OT Overlay PE-6
NIST 800-82 R3 MODERATE OT Overlay PE-6
NIST 800-82 R3 HIGH OT Overlay PE-6
NIST 800-161 R1 PE-6
NIST 800-161 R1 C-SCRM Baseline PE-6
NIST 800-161 R1 Level 1 PE-6
NIST 800-161 R1 Level 2 PE-6
NIST 800-161 R1 Level 3 PE-6
NIST 800-171 R2 (source) 3.10.2
NIST 800-171A (source) 3.10.2[c] 3.10.2[d]
NIST 800-171 R3 (source) 03.10.02.a 03.10.02.b
NIST 800-171A R3 (source) A.03.10.02.ODP[01] A.03.10.02.ODP[02] A.03.10.02.a[01] A.03.10.02.a[02] A.03.10.02.b[01] A.03.10.02.b[02]
NIST CSF 2.0 (source) DE.CM-02
PCI DSS 4.0.1 (source) 9.2.1.1
PCI DSS 4.0.1 SAQ C (source) 9.2.1.1
PCI DSS 4.0.1 SAQ D Merchant (source) 9.2.1.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 9.2.1.1
SWIFT CSF 2023 3.1
TISAX ISA 6 8.1.6
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PES-05
SCF CORE ESP Level 1 Foundational PES-05
SCF CORE ESP Level 2 Critical Infrastructure PES-05
SCF CORE ESP Level 3 Advanced Threats PES-05
US (25)
Framework Mapping Values
US C2M2 2.1 ACCESS-3.C.MIL1 ACCESS-3.J.MIL3
US CERT RMM 1.2 EC:SG2.SP1 IMC:SG2.SP1
US CJIS Security Policy 5.9.3 (source) 5.9.1.6
US CMMC 2.0 Level 2 (source) PE.L2-3.10.2
US CMMC 2.0 Level 3 (source) PE.L2-3.10.2
US CMS MARS-E 2.0 PE-6
US FedRAMP R4 PE-6
US FedRAMP R4 (low) PE-6
US FedRAMP R4 (moderate) PE-6
US FedRAMP R4 (high) PE-6
US FedRAMP R4 (LI-SaaS) PE-6
US FedRAMP R5 (source) PE-6
US FedRAMP R5 (low) (source) PE-6
US FedRAMP R5 (moderate) (source) PE-6
US FedRAMP R5 (high) (source) PE-6
US FedRAMP R5 (LI-SaaS) (source) PE-6
US FFIEC D3.PC.Am.E.4 D3.Dc.Ev.B.5
US IRS 1075 PE-6
US NERC CIP 2024 (source) CIP-006-6 1.4 CIP-006-6 1.6 CIP-006-6 1.7
US NISPOM 2020 5-300
US - CA CCPA 2025 7123(c)(3)(D)
US - OR 646A 622(2)(d)(C)(ii)
US - TX DIR Control Standards 2.0 PE-6
US - TX TX-RAMP Level 1 PE-6
US - TX TX-RAMP Level 2 PE-6
EMEA (5)
Framework Mapping Values
EMEA EU NIS2 Annex 13.1.2(f) 13.3.2(d)
EMEA Israel CDMO 1.0 18.8 18.10 18.11
EMEA Saudi Arabia IoT CGIoT-1 2024 2-13-1
EMEA Saudi Arabia ECC-1 2018 2-14-3-2
EMEA UK DEFSTAN 05-138 1500
APAC (4)
Framework Mapping Values
APAC India SEBI CSCRF PR.AA.S10
APAC New Zealand HISF 2022 HHSP66 HML65 HSUP57
APAC New Zealand HISF Suppliers 2023 HSUP57
APAC Singapore MAS TRM 2021 5.5.5
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.10.02.A 03.10.02.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to monitor for, detect and respond to physical security incidents.

Level 1 — Performed Informally

Physical & Environmental Security (PES) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Physical access control is decentralized.
  • Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).
  • Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.
Level 2 — Planned & Tracked

Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
  • Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
  • Physical security controls are primarily administrative in nature (e.g., policies & standards).
  • Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
Level 3 — Well Defined

Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.

  • A physical security team, or similar function:
  • A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
  • Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
  • Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
  • A physical security team, or similar function, monitors physical intrusion alarms and surveillance equipment.
Level 4 — Quantitatively Controlled

Physical & Environmental Security (PES) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to monitor for, detect and respond to physical security incidents.

Assessment Objectives

  1. PES-05_A01 the frequency at which to review physical access logs is defined.
  2. PES-05_A02 events or potential indications of events requiring physical access logs to be reviewed are defined.
  3. PES-05_A03 physical access to the facility where the system resides is monitored to detect physical security incidents.
  4. PES-05_A04 physical access logs are reviewed per an organization-defined frequency.
  5. PES-05_A05 physical access logs are reviewed upon occurrence of organization-defined events or potential indicators of events.
  6. PES-05_A06 results of reviews are coordinated with organizational incident response capabilities.
  7. PES-05_A07 results of investigations are coordinated with organizational incident response capabilities.
  8. PES-05_A08 physical security incidents are responded to.
  9. PES-05_A09 physical access logs are reviewed <A.03.10.02.ODP[01]: frequency>.
  10. PES-05_A10 physical access logs are reviewed upon occurrence of <A.03.10.02.ODP[02]: events or potential indicators of events>.

Evidence Requirements

E-PES-05 Physical Security Operations

Documented evidence of the organization's physical security capabilities as it pertains to operating and monitoring Physical Access Control (PAC)mechanisms.

Physical Security

Technology Recommendations

Micro/Small

  • Physical alarm systems
  • Video surveillance systems

Small

  • Physical alarm systems
  • Video surveillance systems

Medium

  • Physical alarm systems
  • Video surveillance systems

Large

  • Physical alarm systems
  • Video surveillance systems
  • Physical security guards
  • Staffed lobby (receptionist)

Enterprise

  • Physical alarm systems
  • Video surveillance systems
  • Physical security guards
  • Staffed lobby (receptionist)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free