Home Compliance & Certification Physical Access Control Photo Guide

Physical Access Control Photo Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact proves your company has physical barriers in place to stop unauthorised access to IT systems. Cyber Essentials requires this because even the best digital fortress is useless if someone can just stroll into your office and plug into a server. Think of it as your moat, drawbridge, and portcullis.

2. What You Will Submit

You will need:

  • photo clearly showing one or more physical access control measures, such as:

    • Card or biometric access system on a server room door.

    • Cable locks securing laptops or desktops.

    • Locked server racks or cabinets.

    • Security turnstiles or restricted office access points.

3. How to Collect / Obtain / Generate This Evidence

Office Door Access Control:

  1. Take a photo of the keycard reader, biometric scanner, or keypad at your office/server room.

  2. Ensure the photo shows it is installed and in use (e.g., at the entry point).

Workstation Cable Locks:

  1. Photograph a workstation with a cable lock securing the device to a desk.

  2. Ensure the lock mechanism and tether are visible.

Locked Server Rack / Cabinet:

  1. Photograph your server/network cabinet with lock engaged.

  2. Include evidence of labelling or restricted access signage if present.

Multi-layered Controls:

  • Show combinations of controls (e.g., card access + CCTV, or locked racks inside a restricted room).

4. Evidence Format

  • Accepted file types: JPG, PNG, PDF.

  • Suggested naming format:
    YourCompanyName_PhysicalAccessControl_YYYY-MM-DD.jpg
    Example: AcmeCorp_PhysicalAccessControl_2025-07-01.jpg

5. What “Good” Looks Like

  • Evidence is clear and unambiguous (no blurry hallway photos).

  • Shows a real physical control in place, not just an empty room.

  • Ideally, includes multiple types of access control (e.g., locked racks + card access).

Why it matters: auditors want proof that attackers can’t simply bypass digital controls by physically walking into your workspace.

6. Tips

  • Avoid capturing staff faces in the photo (privacy).

  • Redact serial numbers or sensitive signage if visible.

  • If controls are outsourced (e.g., data centre), request a photo or access log evidence from the provider.