Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

04-D: Site Security

This section evaluates the physical security of the sites where your services are delivered and where systems or data are stored.

The questions focus on how facilities are protected against unauthorized access, theft, tampering, and environmental threats, including controls such as badges, visitor management, surveillance, secure areas, and onsite equipment protections. They also assess how access to sites is granted, monitored, and revoked.

Overall, this section confirms that your physical environments provide an appropriate level of protection for the information and systems you manage.

Full Name

Organization

13.5- Does your company have a documented physical security policy or program for the sites it manages?

YES

NO

N/A

"Explanation: A documented physical security policy ensures that the organization has formalized procedures to protect its premises, equipment, and sensitive information.

Risks of Incorrect Answer: Increased risk of unauthorized access to facilities.

Difficulty demonstrating due diligence during audits or legal proceedings.

Applicable Frameworks: ISO 27001 (A.11.1.1): Defines requirements for secure areas.

NIST CSF (PR.AC-6): Ensures physical access to assets is managed and protected.

13.5- If No or N/A, please provide an additional explanation

14.6- Do you use an access control system (e.g., biometrics, keycards)?

YES

NO

N/A

''Explanation: Access control systems limit physical access to authorized personnel only, and retaining access logs supports accountability and incident investigations.

Risks of Incorrect Answer: Unauthorized access to critical areas.

Lack of traceability in case of security incidents.

Applicable Frameworks: ISO 27001 (A.11.2.2): Ensures secure entry controls.

NIST CSF (PR.AC-1): Requires the management of identities and credentials.''

14.6- If yes, what is the data retention period for access logs?

14.6-No to If No or N/A, please provide an additional explanation

15.4- Do you use a CCTV or similar security recording system?

YES

NO

N/A

''Explanation: CCTV systems deter unauthorized activities and provide evidence in case of incidents. Retention policies ensure compliance with legal and regulatory requirements.

Risks of Incorrect Answer: Inability to investigate security incidents due to lack of footage.

Non-compliance with data protection regulations regarding retention limits.

Applicable Frameworks: ISO 27001 (A.11.1.4): Requires physical protection monitoring.

GDPR (Art. 5): Addresses data retention and processing limitations.''

15.4- If yes, what is the retention period for the recordings?

15.4- If No or N/A, please provide an additional explanation

16.7- Does your company share its facilities with other tenants or organizations?

YES

NO

N/A

''Explanation: Shared facilities can introduce risks due to less control over who can access shared spaces.

Risks of Incorrect Answer: Increased vulnerability to unauthorized access or shared infrastructure breaches.

Difficulty implementing and enforcing consistent physical security measures.

Applicable Frameworks: ISO 27001 (A.11.1.3): Ensures secure areas and separation of shared facilities.

NIST CSF (PR.AC-6): Protects physical access to organizational assets.''

16.7- If No or N/A, please provide an additional explanation

17.8- Does your company directly manage both physical and logical security?

YES

NO

N/A

Explanation: Identifying who is responsible for physical and logical security ensures accountability and clarity, especially when third parties are involved.

Risks of Incorrect Answer: Lack of accountability for security incidents.

Misalignment between physical and logical security measures, leading to vulnerabilities.

Applicable Frameworks: ISO 27001 (A.15.1.1): Ensures roles and responsibilities for third-party risks are defined.

NIST CSF (ID.GV-3): Establishes processes to assign responsibilities and roles.

17.8- If No or N/A, please provide an additional explanation

Compliance Risk &

Information Security
Partners

CRISP

Empowering small businesses
with BIG Solutions

HOME

ABOUT

CONTACT

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.

LEGAL POLICIES

Privacy Policy

Terms & Conditions

Disclaimer

Cookie Policy

DSAR

Refunds/Returns

Shipping Policy

EULA

Message

I Consent to Receive SMS Notifications, Alerts & Occasional Marketing Communication from CRISP. Message frequency varies. Message & data rates may apply. Text HELP to (330) 737-2223 for assistance. You can reply STOP to unsubscribe at any time.

​Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

04-D: Site Security

​Compliance Risk &

Information SecurityPartners

Empowering small businesses with BIG Solutions

HOME

ABOUT

Contact Us

LEGAL POLICIES

Compliance Risk &

Compliance Risk &

Information Security
Partners

Empowering small businesses
with BIG Solutions