The organization SHALL create and maintain documentation defining the individuals who are permitted access to the facilities, along with the specific locations they are permitted access to.
It is extremely difficult to configure access controls for your physical facilities if you don't have a clear idea of who exactly should have access, and how much of it they should have. Before any further work can be done in the area of physical access controls, you need to sit down and create a detailed document that lists the individuals who enter and leave your facilities daily. From the outset, this should contain all of the individuals currently employed at your business and working out of the facility. Remote employees should be listed as well, even though they work from a distance. They are still employees of your business, and there are bound to be times when they need to physically visit. However, since they may not have an on-premises office or facility-specific duties, their designated access levels will be different. In addition to employees, you must also list all third parties that have been granted any level of access to the business facilities. Examples include contractors, auditors, and personnel from partner organizations.
After you have fully documented the individuals, you must match each of them with the specific areas of the facilities they should have access to. You should be able to discern the proper access requirements by reviewing company procedures and job descriptions. The complexity of this task is heavily dependent on the size of your business. Medium-sized businesses with more than fifty or so employees will probably require a detailed reassessment to define the appropriate granularity. However, a small business with just a handful of employees will probably be able to ascertain access requirements pretty quickly.
Once this documentation has been created, it should be properly stored and secured as a piece of confidential business data, because it gives a high-level view of specific access levels throughout the facility. This documentation will need to grow dynamically with both your workforce and your access control systems and policies. The documentation should be immediately revised whenever an employee is onboarded to or offboarded from the physical environment, as well as when any changes are made to your physical access controls.
