Physical Security Policy Guide

Home office, co-working, device storage, and visitor controls when you have no corporate datacenter.


Physical Security Policy (Remote-First)


How to Fill Out This Physical Security Policy (Remote-First)

Physical security policy template — Remote-first companies still need clear rules for laptops, badges, and co-working. State what you do not control (e.g., home networks).

Recommended Owner: Security Lead | Facilities if you have offices

What this file is for

Document purpose

Physical security for remote-first orgs (CC6.4 where applicable).

In your program: Covers laptops and co-working — not datacenter (usually vendor CUEC).

Before you start

Getting Started

  • Enable Editing in Word; replace `[` placeholders and delete gray examples.
  • Cross-check names and vendors with SOC-002, SOC-004, and Phase 1 COR policies.

Document tour

Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded COR-012 file. After editing each section, search for `[` placeholders and gray sample names; auditors flag incomplete templates.

1. Purpose
  • Protect assets outside traditional offices (remote-first).
2. Scope
  • Employees, contractors, and company equipment.
3. Inherited Physical Security (Cloud / Colocation)
  • Document reliance on AWS/GCP SOC reports; the related CUECs live in SOC-004 Section 8.
4. Remote Workspace Requirements
  • Private workspace, screen privacy, cable lock where applicable.
5. Company Device Standards
  • Encryption, auto-lock, MDM enrollment.
6. BYOD (Personally Owned Devices)
  • Prohibit, or define minimum controls if allowed.
7. Media & Removable Storage
  • Encrypted USB only, or outright prohibition.
8. Office & Co-Working Spaces
  • Badge policy if a physical office or WeWork is used.
9. Travel & Off-Site Events
  • Device custody, VPN, no sensitive calls in public.
10. Loss, Theft & Incident Reporting
  • Report within 24h; trigger remote wipe; open a SOC-013 row.
11. Review & Approval
  • Annual sign-off.
12. Related Documents
  • COR-011, SOC-004, vendor physical SOC reports.
13. SOC 2 Mapping
  • CC6.4; note if fully inherited from the cloud provider.

Quality check

Before You Finalize

  • Clear statement on home office and travel expectations.

Evidence

Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing Physical Security Policy (Remote-First):

  1. Complete the file: Finish every section or tab in COR-012.
  2. Register: Add version and owner to COR-013.
  3. Operationalize: Train owners listed in the document.
  4. Evidence: Keep exports auditors can sample during fieldwork.