The section of the audit you didn't study for

A software team's mental model of security is almost entirely digital — accounts, encryption, MFA, logs. So the first time an auditor's request list arrives with a heading like Physical and Environmental Security, the reaction is often a blank stare. We're in the cloud. We don't have a data center. What physical controls?

That reaction is the trap. Every serious framework has a physical-security domain that you are expected to satisfy regardless of where your servers live. SOC 2's common criteria ask about physical access to your facilities; ISO 27001 devotes an entire Annex A theme to physical and environmental security; HIPAA's Security Rule names physical safeguards as one of its three pillars, alongside the administrative and technical ones. The auditor is not asking whether you run your own data center. They are asking who can walk into the room where your laptops, your backups, and your people are — and whether you can prove you've thought about it. "We're cloud-native" is an answer to a question nobody asked.

The good news is that for a lean team the scope is small and finishable, the same way endpoint hardening is. You are not securing a hyperscale facility. You are securing an office (or the absence of one), the devices that move in and out of it, and the handful of physical artifacts — backup media, hardware tokens, printed records — that a purely digital mental model tends to forget exist.

What "physical security" actually covers for a cloud-native team

The domain reduces to a short list of things an attacker with a body — not just a keyboard — could reach:

  • The premises. If you have an office, who has keys or badges, and how is that list maintained when someone leaves? An ex-employee who can still open the front door is the physical twin of the account you forgot to disable during offboarding.
  • Any on-site equipment. Even a cloud-native shop often has something physical: a network closet, an office switch and Wi-Fi gear, an on-prem NAS, a stack of loaner laptops in a drawer. The room or cabinet that holds them is in scope.
  • The endpoints themselves. Laptops are the most exposed physical asset most software teams own — they leave the building daily. The physical risk of a stolen laptop is why full-disk encryption and remote wipe are the control that turns a theft into a lost asset instead of a reportable breach.
  • Portable media and paper. Backup drives, USB sticks, the printed onboarding packet with someone's SSN on it, the whiteboard with production credentials still written on it. Digital-first teams underestimate how much sensitive data leaks through physical channels precisely because they've stopped looking there.
  • Visitors. The person who follows a badged employee through the door — "tailgating" — is one of the oldest and most reliable ways into a building, and it defeats the lock entirely. It's the physical version of the social-engineering path your awareness training already teaches people to distrust online.

Notice that none of this requires a data center. It requires a door, some devices, and a handful of people — which every team has.

A physical baseline a lean team can actually finish

You don't need guards and mantraps. You need a short set of controls proportionate to what you hold, applied and provable:

  • Control and review physical access. Whoever can enter the office should be a maintained list — keys issued, badges assigned — reviewed on the same cadence as your logical access reviews, and revoked the day someone leaves. If your "office" is a co-working space or everyone's home, write that down: the company operates no controlled facility; endpoint and remote-access controls carry the physical-security burden. Scoping a control to "not applicable, and here's why" is a legitimate, auditable answer — a silent gap is not.
  • Lock the room with the equipment in it. A network closet or a cabinet holding on-prem gear should be locked, and access to it limited to the people who need it. If you have nothing on-prem, say so explicitly — that too is a documented control decision, not an omission.
  • Enforce a clean-desk and clear-screen habit. Screens lock on a short timeout (the same control that protects the endpoint), sensitive papers don't sit out overnight, and production secrets never live on a whiteboard. Cheap, unglamorous, and it closes the most common in-office data leak.
  • Handle visitors deliberately. Even an informal "guests are escorted and don't roam" rule, written down, is a control. Teach people that holding the door for a stranger is the physical cousin of clicking a link — the same instinct your insider-risk and awareness work already cultivates.
  • Track the physical media. Backup drives and hardware tokens belong in your asset inventory with a location and an owner, and sensitive media gets securely wiped or destroyed at end of life rather than tossed in a bin. An untracked backup drive is a breach waiting for a burglar.

The discipline, as always, is not the length of the list — it's that each item is a real practice with an owner, written into your security policies, and reflected honestly in your chosen framework's scope.

The physical/digital seam is where teams get caught

The controls that matter most sit exactly where the physical world hands off to the digital one, because that seam is where a purely digital security program has a blind spot:

  • Offboarding is physical too. The offboarding checklist that disables accounts must also collect the laptop, the badge, and the hardware token — the residual physical access that outlives the deactivated login.
  • A stolen device is a physical event with a digital blast radius. Whether a laptop theft is a shrug or a crisis is decided entirely by controls you set in advance: disk encryption, screen lock, and remote wipe. The physical loss is inevitable eventually; the data loss is optional.
  • The office network is a trust boundary. A guest who plugs into an office ethernet port or joins the internal Wi-Fi has crossed a physical barrier into a digital one — which is the argument for treating the office network as untrusted and leaning on zero-trust access rather than location-based trust.

Treating physical security as a separate silo is what creates these gaps. It's better understood as the ground floor of the same building your digital controls sit on top of.

Proving it, and where a platform fits

Like every other domain, physical security is only a control if you can show it. An auditor asking about physical access wants an artifact: the access list and its last review, the visitor policy, the clean-desk policy, the media-handling procedure, evidence that a departed employee's badge was collected. These map straight into continuous evidence collection so you're proving the controls on an ongoing basis, and physical gaps — a stale key list, an uncollected token — belong in the same findings workflow with an owner and a deadline as any other risk. Whether your physical baseline is current is a real, measurable dimension of your posture, not a one-time box.

One honest caveat: a platform can help you keep the physical-security policies, access lists, and media inventory organized, route physical gaps into the same tracked findings queue as everything else, and keep that evidence current for an auditor — it organizes, tracks, and proves the work. It does not lock your doors, collect a departing employee's badge, escort a visitor, or make you compliant, and it grants no certification; the keys, the locks, and the human discipline are operational steps your team owns, and which physical obligations apply to you is a question for counsel.

Software teams arrive at their first audit having never thought about physical security, then discover every framework requires it. You don't need a data center to be in scope — you need a door, some laptops, and a few people. Control and review who can get in, lock the room with the gear, keep desks and screens clear, handle visitors and media deliberately, and collect the badge when the account gets disabled. Write down the "not applicable" parts and why. It's the rare control category that's both easy to overlook and easy to finish.