NIST 800-171 • LEVEL 2 • PHYSICAL PROTECTION
3.10.5 — Control and Manage Physical Access Devices
Control and manage physical access devices.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
Physical access devices — keys, badges, key cards, PINs, combination codes — need to be controlled and managed. If you do not know where your keys are, you do not really have physical security.
Example 1: Maintain a key and badge inventory. Track every physical key and badge issued: who has it, when it was issued, and what areas it grants access to. Use a spreadsheet or your access control system’s built-in asset tracking. When a key or badge is lost, rekey the lock or deactivate the badge immediately and issue a replacement.
Example 2: Change default access codes and combinations on cipher locks and keypad entries, then change them again on a regular schedule (e.g., every 90 days) and whenever someone with knowledge of the code leaves the organization. Document each code change with the date, the lock location, and the person who made the change. Avoid obvious codes like 1234 or the company’s street address.