If your organisation does keep physical access logs, please state the number of months that the access logs are kept for. If your organisation does not use a system that allows logging of access, please put 0 (zero). If different retention times are used depending on the access control system, please state the different retention times in the notes and enter the lowest retention time in the answer box.
Physical access control logs are an auditable record of the date, time, location, and user identity of each valid and invalid entry attempt to your premises, and the reason for denial of access for each invalid entry attempt. A log can be manual or electronic. If you use a physical access control system, it should generate and store these logs for you.
Retention of the access log data is vital to support any subsequent investigation after a security incident, which can be some months after the actual event. Unless there is a local legislative ruling, it is recommended that access log data be kept for a minimum period of 12 months.
As per control J4, an access control system should be implemented by an access control or physical security specialist who can help you to choose the correct specification of system and configure the system in a secure manner. The system should be configured to store all physical access logs. These logs should be protected using encryption controls.
For SMEs, most offices for rent will use an access control system that is under the control of the landlord. Speak to your landlord to find out how long the logs are kept for, and for the controls in place to protect the logs.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.