Physical and Logical Access Control
The Control That Stops an Attacker at the Door
Picture a data center with a six-digit PIN on the door, badge readers at every rack, and cameras covering every angle. Now picture the same data center where the admin password for every server is “Welcome1” and remote access has no multi-factor requirement. The physical side is locked down. The logical side is wide open. An attacker does not care which path is easier — they take whichever one you left unguarded.
Access control is not physical or logical. It is both, simultaneously, and the exam expects you to design layered strategies that address both dimensions.
This module covers CISSP objective 5.1: control physical and logical access to assets. ISC2 is testing whether you understand the categories of access controls, how physical and logical controls complement each other, and how to select the right combination based on risk.
Access Control Categories
Every access control falls into a functional category based on when it acts and what it does. The exam tests these categories repeatedly because they form the vocabulary for discussing any security architecture.
- Preventive — Stops an unauthorized action before it happens. A locked door, a firewall rule that blocks a port, an account lockout policy. Preventive controls are the first choice because they eliminate the incident entirely.
- Detective — Identifies that an unauthorized action occurred or is occurring. Security cameras, audit logs, intrusion detection systems, motion sensors. Detective controls do not stop the action — they alert you to it.
- Corrective — Restores the system to a secure state after an incident. Restoring from backup, terminating a malicious session, re-imaging a compromised workstation. Corrective controls assume the incident already happened.
- Deterrent — Discourages an action through the threat of consequences. Warning signs, login banners, visible cameras, acceptable use policies. Deterrent controls work psychologically, not technically.
- Compensating — Provides an alternative when the primary control is not feasible. If a system cannot support MFA, a compensating control might be network segmentation plus enhanced monitoring. Compensating controls are always second-best — they exist because the preferred control could not be implemented.
- Directive — Instructs people on expected behavior. Policies, procedures, training, signage. Directive controls establish what should happen; other control types enforce it.
- Recovery — Rebuilds capability after a disruption. Disaster recovery procedures, failover systems, backup restoration. Recovery goes beyond corrective by focusing on full operational restoration.
Most exam questions present a scenario and ask which category the described control belongs to, or which category is missing from a set of existing controls. The pattern: if the scenario describes something that failed silently, the answer is usually a missing detective control. If the scenario describes an incident that could have been prevented, the answer points to a missing preventive control.
Physical Access Controls
Physical controls protect people, hardware, and facilities from unauthorized physical access. The exam treats physical security as a first-line defense — if someone can physically access a device, most logical controls become irrelevant.
Badges and Smart Cards
Proximity badges and smart cards are the most common physical access control in enterprise environments. They serve as something you have — a physical token that grants access.
- Proximity cards — Passive RFID that transmits a stored credential when near a reader. Convenient but vulnerable to cloning.
- Smart cards — Contain a microprocessor that performs cryptographic operations. The card proves identity through a challenge-response protocol rather than simply broadcasting a static credential.
- Badge + PIN — Combining a badge (something you have) with a PIN (something you know) creates two-factor physical authentication. This is standard for sensitive areas like server rooms and labs.
Biometrics for Physical Access
Biometric systems authenticate based on something you are. The exam focuses on the accuracy metrics, not the underlying technology.
- False Acceptance Rate (FAR) — The probability that the system accepts an unauthorized person. Also called a Type II error. A high FAR means weak security.
- False Rejection Rate (FRR) — The probability that the system rejects an authorized person. Also called a Type I error. A high FRR means poor usability.
- Crossover Error Rate (CER) — The point where FAR and FRR are equal. The lower the CER, the more accurate the system. CER is the standard metric for comparing biometric systems.
Tuning the sensitivity creates a trade-off: increasing sensitivity lowers FAR but raises FRR (fewer unauthorized people get in, but more authorized people get locked out). The right balance depends on the risk profile of what you are protecting. A nuclear facility prioritizes low FAR even at the cost of high FRR. An office building prioritizes low FRR to avoid frustrating employees.
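As an added illustration (not part of the original module), the following Python sweeps a matcher's acceptance threshold over constructed genuine and impostor match scores, reports FAR and FRR at each setting, and locates the CER. It assumes the matcher emits a similarity score in [0, 1] where higher means a closer match and access is granted when the score reaches the threshold.

```python
"""Estimate FAR, FRR and CER for a biometric matcher from sample match scores."""

# Constructed sample data (not output from any real biometric system): similarity
# scores produced when a presented sample is compared with the enrolled template.
GENUINE_SCORES = [0.55, 0.62, 0.68, 0.71, 0.75, 0.80, 0.84, 0.88, 0.92, 0.96]   # authorized users
IMPOSTOR_SCORES = [0.10, 0.22, 0.31, 0.40, 0.48, 0.53, 0.60, 0.66, 0.72, 0.85]  # unauthorized people


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for an accept-if-score>=threshold policy.

    FAR (Type II error): share of impostor attempts wrongly accepted.
    FRR (Type I error): share of genuine attempts wrongly rejected.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """Sweep the threshold and return (threshold, CER) where FAR and FRR meet.

    The sweep keeps the first threshold with the smallest |FAR - FRR|; the CER
    reported is the mean of the two rates at that point.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    # Raising the threshold (more sensitive) drives FAR down and FRR up.
    for t in (0.50, 0.60, 0.70, 0.80, 0.90):
        far, frr = error_rates(t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    t, cer = crossover_error_rate()
    print(f"CER ~ {cer:.2f} at threshold {t:.2f}")
```

Comparing two systems means running this sweep on each one's scores and preferring the lower CER; the deployment threshold is then moved off the crossover toward low FAR (nuclear facility) or low FRR (office building) as the risk profile dictates.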
Mantraps and Security Vestibules
A mantrap (now commonly called a security vestibule) is a small room with two interlocking doors. Only one door can be open at a time. This prevents tailgating — the act of following an authorized person through a controlled entry point.
- The first door opens after initial authentication
- The person enters the vestibule and the first door closes
- The second door opens only after a second authentication or verification step
- Some vestibules include weight sensors to detect multiple people
Guards and Monitoring
Security guards are the most flexible physical control because they can make judgment calls that automated systems cannot. Guards can verify identities against visitor logs, detect social engineering, and respond to situations that do not match any predefined rule. The trade-off is cost, human error, and fatigue.
Guards are often paired with cameras (detective) and access logs (detective) to create an auditable record of physical access events.
Logical Access Controls
Logical controls protect information and systems through software-based mechanisms. They enforce who can access what, under which conditions, and with what level of privilege.
Passwords
Still the most widely deployed authentication mechanism despite well-documented weaknesses. The exam expects you to understand password policy elements: length, complexity, history, expiration, and lockout thresholds. Modern guidance (NIST 800-63B) favors longer passphrases over complex-but-short passwords, and discourages forced periodic rotation unless there is evidence of compromise.
Tokens
Hardware or software tokens generate one-time passwords (OTPs) that serve as a second factor. Time-based OTP (TOTP) tokens generate codes synchronized to a clock. Event-based tokens (HOTP) generate codes based on a counter. Both prevent replay attacks because each code is valid only once or for a brief window.
Certificates
Digital certificates bind a public key to an identity through a trusted Certificate Authority (CA). Certificate-based authentication is stronger than passwords because it proves possession of a private key without transmitting it. Smart cards and PIV cards use certificate-based authentication for both physical and logical access.
Multi-Factor Authentication
MFA requires two or more distinct authentication factors from different categories: something you know, something you have, something you are. Using two passwords is not MFA — both are the same factor type. A password plus a fingerprint is MFA. A badge plus a PIN is MFA.
The exam distinguishes between multi-factor and multi-step. Entering a password and then answering a security question is multi-step but single-factor — both are something you know.
Access Control Administration
How access controls are managed across the organization affects consistency, responsiveness, and security.
- Centralized administration — A single authority (such as an identity management team) controls all access decisions. Provides consistency, easier auditing, and uniform policy enforcement. The risk is that a single point of failure or compromise affects all access.
- Decentralized administration — Individual departments or system owners manage their own access controls. More responsive to local needs but creates inconsistency, policy drift, and audit complexity.
- Hybrid administration — Central authority sets policy and standards; local administrators implement them for their systems. This balances consistency with operational flexibility and is the most common approach in large organizations.
The exam tends to favor centralized or hybrid approaches because they maintain governance oversight. Decentralized administration appears in wrong answers when the scenario describes inconsistent policies or audit gaps.
Defense in Depth Through Layered Controls
No single control is sufficient. Defense in depth applies multiple controls from different categories at different layers so that failure of one control does not result in a complete security breach.
Consider the layers protecting a server containing financial records:
- Perimeter — Fenced facility with guards (preventive, deterrent)
- Building — Badge readers at entries (preventive), cameras (detective)
- Server room — Mantrap with biometric scanner (preventive), motion sensors (detective)
- Network — Firewall rules, network segmentation (preventive), IDS (detective)
- System — MFA for login, certificate-based authentication (preventive), audit logs (detective)
- Application — Role-based access, input validation (preventive), transaction logging (detective)
- Data — Encryption at rest and in transit (preventive), DLP (detective/preventive)
If the badge reader fails, the mantrap still blocks entry. If the firewall is misconfigured, MFA still requires authentication. Each layer assumes the one before it might fail.
Pattern Recognition
Domain 5 access control questions follow predictable patterns:
- Missing control category — A scenario describes only preventive controls. The question asks what is missing. The answer is detective controls (you need to know when preventive controls fail).
- Physical bypasses logical — Someone gains physical access to a device, making logical controls moot. The answer points to strengthening physical security.
- Compensating control needed — The preferred control cannot be implemented due to cost, technology, or business constraints. You must select an alternative that addresses the same risk.
- Control category identification — A scenario describes a control and asks what category it belongs to. Focus on when the control acts: before the action, by blocking it (preventive); while or after it happens, by revealing it (detective); or after the fact, by restoring a secure state (corrective).
Trap Patterns
Watch for these wrong answers:
- “Biometric CER should be as high as possible” — Lower CER means higher accuracy. A low CER indicates the system achieves the best balance between false acceptance and false rejection.
- “Two passwords equals multi-factor” — Two credentials from the same category make the process multi-step, not multi-factor. MFA requires different factor types.
- “Cameras are a preventive control” — Cameras are primarily detective. A visible camera may have a deterrent effect, but its primary function is recording events for review, not preventing them.
- “Decentralized administration provides better security” — Decentralized may be more responsive but creates inconsistency. The exam values governance and auditability, which favor centralized or hybrid models.
Scenario Practice
Question 1
A pharmaceutical company’s research lab uses badge readers for entry but has no cameras, no visitor logs, and no tailgating prevention. After a security incident involving unauthorized lab access, the security team reviews their controls.
Which control category is MOST critically absent?
A. Corrective — they need the ability to restore security after incidents
B. Detective — they have no way to identify when unauthorized access occurs
C. Deterrent — without visible consequences, unauthorized access will continue
D. Directive — employees need clearer instructions on lab access procedures
Answer & reasoning
Correct: B
The lab has a preventive control (badge reader) but no detective controls. Without cameras, logs, or monitoring, the organization cannot determine who accessed the lab, when they accessed it, or whether the badge reader was bypassed. Detective controls are the highest priority gap because you cannot respond to what you cannot see.
Question 2
An organization is selecting a biometric system for its data center. The security team wants to minimize the risk of unauthorized individuals gaining access. The operations team is concerned about authorized staff being repeatedly denied entry during shift changes.
What metric should the organization use to evaluate and compare biometric systems?
A. False Acceptance Rate (FAR) — choose the system with the lowest FAR
B. False Rejection Rate (FRR) — choose the system with the lowest FRR
C. Crossover Error Rate (CER) — choose the system with the lowest CER as the best overall balance
D. Processing speed — choose the system that authenticates fastest during peak times
Answer & reasoning
Correct: C
CER is the standard metric for comparing biometric accuracy across systems because it represents the point where FAR and FRR are equal. A lower CER indicates better overall accuracy. Optimizing only for FAR (A) would increase rejected legitimate users. Optimizing only for FRR (B) would allow more unauthorized access. CER gives the best balance when both security and usability matter.
Question 3
A financial services firm requires MFA for VPN access. Due to budget constraints, the IT team proposes using a password combined with a security question as the two factors. The CISO rejects this proposal.
Why is the CISO correct to reject this approach?
A. Security questions are too easy for attackers to guess through social media research
B. Both a password and a security question are something you know — this is single-factor, multi-step authentication
C. VPN access should require three factors, not two
D. Security questions violate NIST 800-63B password guidelines
Answer & reasoning
Correct: B
Multi-factor authentication requires factors from different categories. A password and a security question are both something you know. This makes it multi-step (two authentication steps) but not multi-factor (one factor category). True MFA would combine the password with a token (something you have) or biometric (something you are). While A is also true, the fundamental issue is the factor category, not the guessability.
Key Takeaway
Access control is a layered discipline. Physical and logical controls serve the same purpose — restricting access to authorized individuals — but they operate in different dimensions. The exam tests your ability to categorize controls, identify gaps in layered defenses, and select the right combination for a given risk profile. When you see an access control scenario, ask three questions: What category is this control? What layer does it protect? And what happens when it fails?