NIST 800-171 • LEVEL 2 • PHYSICAL PROTECTION
3.10.4 — Maintain Audit Logs of Physical Access
Maintain audit logs of physical access.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
You need a record of who entered and exited your facility and when. This audit log is critical for investigating incidents and proving compliance to an assessor.
Example 1: Configure your badge access system to retain access logs for at least one year. Most systems (Honeywell, LenelS2, Genetec) store logs in a database that you can export to CSV or PDF for assessor review. Make sure the logs capture the badge holder’s name, the door accessed, the date and time, and whether access was granted or denied.
Example 2: If you do not have an electronic badge system, maintain a paper sign-in/sign-out log at each controlled entry point. Each entry should include the person’s name, date, time in, time out, and purpose. Store completed log sheets in a secure location (locked file cabinet) and retain them for your defined retention period. Scan and back up the logs digitally as well.
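To check an export like the one in Example 1 before handing it to an assessor, the following added example (not part of the original page and not any vendor's tooling) verifies that every record carries the four fields and that the export reaches back at least one year. The column names, the ISO 8601 timestamp format and the sample rows are assumptions; adjust them to match your system's actual export.

```python
import csv
import io
from datetime import datetime, timedelta

# Column names are assumptions; map them to whatever your system's export uses.
REQUIRED = ("badge_holder", "door", "timestamp", "result")
VALID_RESULTS = {"granted", "denied"}
RETENTION = timedelta(days=365)  # "at least one year" from Example 1

def check_export(csv_text, as_of):
    """Return a list of findings for an exported access log; empty means it passed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        return [f"missing column(s): {', '.join(missing_cols)}"]
    findings, times = [], []
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        blank = [c for c in REQUIRED if not (row[c] or "").strip()]
        if blank:
            findings.append(f"line {line_no}: empty {', '.join(blank)}")
            continue
        if row["result"].strip().lower() not in VALID_RESULTS:
            findings.append(f"line {line_no}: result is not granted/denied")
        try:
            times.append(datetime.fromisoformat(row["timestamp"].strip()))
        except ValueError:
            findings.append(f"line {line_no}: unparseable timestamp")
    if not times:
        findings.append("no usable records")
    elif as_of - min(times) < RETENTION:
        findings.append(f"oldest record is {min(times).date()}: less than one year retained")
    return findings

# Constructed sample export, not real data.
SAMPLE = """badge_holder,door,timestamp,result
A. Rivera,Server Room,2023-01-10T08:02:11,granted
J. Chen,Lobby East,2023-06-02T17:45:00,denied
,Loading Dock,2023-09-14T06:30:52,granted
M. Okafor,Server Room,2024-02-01T09:15:03,Granted
"""

if __name__ == "__main__":
    for finding in check_export(SAMPLE, datetime(2024, 3, 1)) or ["export passed"]:
        print(finding)
```

A retention finding on a system installed less than a year ago is expected; record the install date alongside the export so the gap is explained.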