Content library
C2M2: MIL1
ACCESS-3: Control Physical Access

Requirement description

MIL1 requirements
a. Physical access controls (such as fences, locks, and signage) are implemented, at least in an ad hoc manner
b. Physical access privileges are revoked when no longer needed, at least in an ad hoc manner
c. Physical access logs are maintained, at least in an ad hoc manner

MIL2 requirements
d. Physical access requirements are established and maintained (for example, rules for who is allowed to access an asset, how access is granted, limits of allowed access)
e. Physical access requirements incorporate the principle of least privilege
f. Physical access requirements incorporate the principle of separation of duties
g. Physical access requests are reviewed and approved by the asset owner
h. Physical access privileges that pose higher risk to the function receive additional scrutiny and monitoring

MIL3 requirements
i. Physical access privileges are reviewed and updated
j. Physical access is monitored to identify potential cybersecurity events

How to fill the requirement

C2M2: MIL1

ACCESS-3: Control Physical Access

Task name
Priority
Status
Theme
Policy
Other requirements
Physical access control to building, offices and other premises
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Physical security
Property security
32
requirements

Examples of other requirements this task affects

F04: Kulkuoikeuksien hallinta
Katakri
11.1.2: Physical entry controls
ISO 27001
11.1.1: Physical security perimeter
ISO 27001
6.6.4: Fyysisten tilojen, laitteiden ja tulosteiden turvallisuus
Omavalvontasuunnitelma
PR.AC-2: Physical access control
NIST
See all related requirements and other information from tasks own page.
Go to >
Physical access control to building, offices and other premises
1. Task description

Secure areas of the organization cannot be accessed unnoticed. The premises are protected by appropriate access control. Only authorized persons have access to the secure areas.

Monitasoisen suojauksen periaate
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Physical security
Property security
5
requirements

Examples of other requirements this task affects

F01: Fyysiset turvatoimet
Katakri
FYY-02: Fyysisten turvatoimien valinta (monitasoinen suojaus)
Julkri
FYY-07: Turva-alue - TL III
Julkri
ACCESS-3: Control Physical Access
C2M2
F-03: FYYSISTEN TURVATOIMIEN VALINTA (MONITASOINEN SUOJAUS)
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Monitasoisen suojauksen periaate
1. Task description

Organisaatio suunnittelee fyysiset turvatoimet monitasoisen suojaamisen periaatetta noudattaen. Monitasoisella suojaamisella tarkoitetaan sitä, että toteutetaan joukko toisiaan täydentäviä turvatoimia.

Esimerkiksi rakennuksen ulkoseinät ja kuori voivat muodostaa ensimmäisen turvallisuustason. Kulunvalvonta muodostaa seuraavan kerroksen ja korkeamman suojaustason tietoa käsitellään ainoastaan rakennuksen sisemmissä osissa, jotta tunkeutuminen tiloihin on estetty. Turvallisuustekniset ratkaisut (säilytysyksiköt, hälytysjärjestelmät, kameravalvonta, valaistus, jne.) täydentävät rakenteellisia ratkaisuja. Suunnittelussa otetaan huomioon ikkunat, ovet ja muut aukot.

Key management and access control procedures of secure areas
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Physical security
Management of secure areas
5
requirements

Examples of other requirements this task affects

FYY-05.4: Turvallisuusalue - Pääsyoikeuksien ja avaintenhallinnan menettelyt
Julkri
ACCESS-3: Control Physical Access
C2M2
F-05.2: PÄÄSYOIKEUKSIEN MYÖNTÄMINEN
Katakri 2020
F-06.3: PÄÄSYOIKEUKSIEN MYÖNTÄMINEN
Katakri 2020
3.2: Toimitilaturvallisuus
TiHL tietoturvavaatimukset
See all related requirements and other information from tasks own page.
Go to >
Key management and access control procedures of secure areas
1. Task description

The organisation must define procedures and roles for access rights and key management in the area. Access to the area can be restricted either mechanically, electronically or based on personal identification. A responsible person shall be appointed for the area to manage the access rights and key management procedures. Spare keys for the area shall be stored securely and locked in a sealed storage envelope with a date of closure and receipt or, alternatively, in a key cabinet connected to an access control system. Keys shall be handed over in connection with the job and against receipt. The procedure is described in the security management guidelines. Access to the area is not permitted with a master key suitable for a lower level facility.

A responsible person has been appointed to ensure the following access rights and key management procedures are in place.

  • Access rights and key management procedures and roles are established, documented and instructed.
  • A list of access rights and key holders is maintained.
  • Access rights are regularly audited and kept up to date.
  • responsibility for additional orders and changes to keys and access codes is assigned.
  • key cards, unallocated keys and access codes are stored appropriately.
  • the reason for key issuance is documented.
  • keys are issued only to the person with independent access rights to the area.
  • changes in personnel are communicated to the key management authority as appropriate.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.