Physical and Environmental Controls are the tangible safeguards that protect information assets from unauthorized physical access, theft, damage, and environmental hazards. They span two interrelated domains: (1) Physical Access Controls — mechanisms that restrict and monitor entry to facilities, data centers, server rooms, and sensitive work areas (badge readers, biometrics, locks, mantraps, CCTV, guards); and (2) Environmental Controls — systems that maintain the operating conditions required for information infrastructure to function reliably (temperature and humidity regulation, fire suppression, flood and water detection, power conditioning, backup power). Together, these controls protect the Confidentiality, Integrity, and Availability of information assets at the physical layer — the foundational layer beneath all logical security measures. Physical and Environmental Controls are not cybersecurity tools (firewalls, encryption, SIEM), not logical access controls (passwords, MFA tokens), and not administrative controls (policies, procedures) — though they must align with and support all three.
Where it stops · what it isn't
- IN SCOPE: Facility perimeter controls (fencing, gates, guards, lighting); building entry systems (badge readers, mantraps, biometrics); internal zone controls (server room access, data classification zones); CCTV and video surveillance; visitor and contractor management systems; environmental monitoring (temperature, humidity, water, smoke); fire suppression systems; power protection (UPS, generators, PDUs); and secure equipment disposal and transport protocols.
- OUT OF SCOPE: Logical access controls (IAM, RBAC, software-based MFA); network security controls (firewalls, IDS/IPS); cryptographic controls; administrative and policy controls. Integration points with these domains exist but are addressed in their respective cubelets.
- BOUNDARY CASE: Physical multi-factor authentication (badge + biometric) sits at the intersection of physical and logical controls. Convergence platforms that unify badge access with network authentication are in scope here but require coordination with the Identity and Access Management cubelet.
- NOT: Physical controls do not guarantee information security in isolation. A fully secured data center with weak logical controls remains vulnerable. These controls form one layer of a defense-in-depth strategy.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: CISA Domain 4: Protection of Information Assets
- REQUIRES: Information Asset Security Policies, Frameworks, Standards, and Guidelines; Risk Assessment and Management
- RELATED TO: Identity and Access Management (Logical Controls); Network and Infrastructure Security Controls
- ENABLES: Operational Resilience and Business Continuity; Regulatory Compliance (PCI-DSS, HIPAA, NIS2, FISMA, SOX)
- CONSTRAINS: Third-Party and Supply Chain Risk Management