NCSRC NIRMATA
IS-14B Identity & Access 8% of OML score

Are servers or critical systems physically secured (locked room, restricted access)?

This question asks whether your servers and important business systems are kept in a locked room that only authorized people can access. If anyone can walk in and physically touch or unplug your servers, then all your passwords and digital locks mean nothing—they can steal data, copy files, or damage equipment directly.

⚡
Why This Matters to Your Business

A competitor's employee, a disgruntled contractor, or a thief who walks into an unlocked server room can plug in a USB drive and copy your entire customer database or financial records in ten minutes, or simply pull a disk and walk out; no hacking skill is needed. Physical access also defeats every digital control on the machine: whoever can touch the server can reset passwords, image the disks, or plant a device on the network. Losing customer data this way exposes you to DPDP Act penalties (up to ₹250 crore for failing to maintain reasonable security safeguards), loss of customer trust, and downtime while you recover. Many Indian startups and MSMEs keep servers in shared office spaces or open cabinets because 'we are too small to be targeted', but opportunistic attackers pick small businesses precisely because basic controls like this are missing. An audit failure on this point can also disqualify you from government tenders, customer security reviews, or bank loans.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You walk into the office and find server towers or network cabinets sitting on open desks or in a corner of the main office floor with no lock and no door, where anyone passing by can reach them. Cleaning staff, visitors, and new hires all have the same physical access as your IT person.

Level 1
Initial

You walk into the office and see the servers are stored in a closed almirah or cabinet with a basic padlock, but the key is left in the lock or taped to the cabinet. Multiple people—office assistants, managers, delivery people—know where the key is or can easily access it.

Level 2
Developing

You walk into the office and find the servers in a locked cabinet or small utility room, and only 2-3 named people (the IT manager, the owner, and one backup person) have a key. The room has a sturdy lock and a sign saying 'Server Room—Authorized Access Only,' but there is no visitor log or camera.

Level 3
Defined

You walk into the office and see the server room is a dedicated locked space with a strong door, card access or a key lock controlled by one person, and a visitor log sheet at the entrance. When someone needs to enter, a supervisor signs them in and accompanies them, and there is a CCTV camera pointed at the door.

Level 4
Managed

You walk into the office and see the server room has an electronic lock (fingerprint reader or access card), a hardwired alarm that alerts the owner if the door opens outside business hours, a detailed access log with timestamps, and 24/7 CCTV coverage. Only 3-4 named staff have credentials enrolled, and every entry is recorded.

Level 5
Optimised

You walk into the office and see the server room meets all Level 4 controls plus backup power (UPS), climate control, environmental sensors (smoke, temperature, humidity), a redundant server setup in a secondary location (disaster recovery), and a quarterly third-party audit of physical access logs. Access is tied to a central identity management system, and all attempts (successful and failed) are logged and reviewed monthly.

🚀
How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Move all servers into a single locked cabinet or storage box and assign a single key to the IT person. Create a written rule: 'Only the IT person has access to servers. Anyone else asking must get written approval from the owner.' | Business owner | 1 day
1 → 2 | Identify a small spare room, utility closet, or lockable storage area in the office. Move the servers there. Install a sturdy padlock or door lock. Give keys only to the owner and IT manager. Create and post a simple sign on the door. | Business owner + IT manager | 3-5 days
2 → 3 | Create a physical access log (paper or simple spreadsheet). Require anyone entering the server room to sign in with date, time, name, and reason. Install a basic ₹3,000–₹8,000 CCTV camera at the door. Brief all staff that unauthorized access is not permitted. | IT manager | 1-2 weeks
3 → 4 | Replace the mechanical lock with a card-based or biometric lock (₹15,000–₹30,000). Configure the lock to log all access attempts (granted and denied) with timestamps. Enroll only 3-4 authorized staff. Set up automatic alerts to the owner if the door is opened outside business hours (via email or SMS). | IT manager + security vendor | 2-4 weeks
4 → 5 | Install environmental monitoring sensors (temperature, humidity, smoke) in the server room. Set up backup power (UPS battery backup for at least 4 hours). Produce a quarterly audit report reviewing all access logs against the authorized-personnel list. Document a disaster recovery plan with a backup server location outside the main office. | IT manager + external consultant | Ongoing (implementation 6-8 weeks, then quarterly reviews)
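The 3 → 4 and 4 → 5 steps ask for an access-control log that is actually reviewed: after-hours entries, repeated denied attempts, and entries by people who are not on the authorized list. The script below is an added example written for this guide, not code from the NIRMATA framework or from any lock vendor. It assumes the controller can export events as CSV with the columns timestamp, door, user, result (ZKTeco, Suprema and others each have their own export format, so the parser would need adapting); the usernames, door names and log lines are constructed sample data.

```python
"""Monthly review of a server-room door-controller export.

Added example for the NIRMATA IS-14B guide, not vendor code. Assumes a
hypothetical CSV export: timestamp,door,user,result (result is
'granted' or 'denied'). Adapt parse_log() to your controller's format.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, time

# Constructed sample export; not from a real system.
SAMPLE_LOG = """timestamp,door,user,result
2025-01-06 09:12:04,server-room,priya.it,granted
2025-01-06 13:40:51,server-room,rahul.owner,granted
2025-01-06 22:17:30,server-room,priya.it,granted
2025-01-07 02:03:11,server-room,unknown-card-0x4F2A,denied
2025-01-07 02:03:25,server-room,unknown-card-0x4F2A,denied
2025-01-07 02:03:40,server-room,unknown-card-0x4F2A,denied
2025-01-07 10:05:00,server-room,amit.sales,granted
2025-01-07 10:30:00,storeroom,amit.sales,granted
"""

# The signed authorized-personnel list (assumed names).
AUTHORIZED = {"priya.it", "rahul.owner", "sunil.backup"}
BUSINESS_HOURS = (time(9, 0), time(19, 0))   # entries outside this are flagged
CRITICAL_DOORS = {"server-room"}              # other doors are ignored here
DENIED_BURST = 3                              # N denials from one credential ...
BURST_WINDOW_S = 300                          # ... within this many seconds


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into event dicts with a real datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "door": row["door"],
            "user": row["user"],
            "result": row["result"],
        })
    return events


def review(events: list[dict], authorized: set[str] = AUTHORIZED,
           hours: tuple[time, time] = BUSINESS_HOURS) -> list[tuple]:
    """Return (finding, timestamp, user) tuples for a reviewer to follow up.

    Findings:
      UNAUTHORIZED_GRANT  door opened for someone not on the authorized list
      AFTER_HOURS         door opened outside business hours
      DENIED_BURST        repeated denials from one credential in a short window
    """
    findings = []
    recent_denials: dict[str, list[datetime]] = {}
    for e in events:
        if e["door"] not in CRITICAL_DOORS:
            continue
        if e["result"] == "granted":
            if e["user"] not in authorized:
                findings.append(("UNAUTHORIZED_GRANT", e["ts"], e["user"]))
            if not (hours[0] <= e["ts"].time() < hours[1]):
                findings.append(("AFTER_HOURS", e["ts"], e["user"]))
        elif e["result"] == "denied":
            times = recent_denials.setdefault(e["user"], [])
            times.append(e["ts"])
            # keep only denials inside the sliding window
            times[:] = [t for t in times
                        if (e["ts"] - t).total_seconds() <= BURST_WINDOW_S]
            if len(times) >= DENIED_BURST:
                findings.append(("DENIED_BURST", e["ts"], e["user"]))
                times.clear()   # report the burst once
    return findings


def roster_drift(enrolled: set[str], authorized: set[str] = AUTHORIZED) -> set[str]:
    """Credentials enrolled on the controller but absent from the signed list."""
    return enrolled - authorized


if __name__ == "__main__":
    for kind, ts, user in review(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<18} {user}")
    # compare the controller's enrolled users against the signed list
    enrolled_on_controller = {"priya.it", "rahul.owner", "sunil.backup", "amit.sales"}
    print("not on authorized list:", sorted(roster_drift(enrolled_on_controller)))
```

On the sample export this flags priya.it's 22:17 entry as after hours, the three denials from the unknown card at 02:03 as a burst, and amit.sales as an entry by someone not on the authorized list; the storeroom event is ignored. The roster_drift check is the part auditors most often find missing: the controller's enrolled users should be compared against the signed authorized-personnel list every quarter, not just the entry log.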
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Physical access log or register (electronic or paper) showing who accessed the server room, when, and for what reason, maintained for at least 3 months; if the log comes from an electronic access-control system, note that the CERT-In Directions of April 2022 require ICT system logs to be retained for 180 days, so plan for 6 months
  • Photograph or floor plan showing the locked server room, cabinet, or secure storage location with the access control mechanism (lock, card reader, biometric) visible
  • List of authorized personnel with access rights and their roles (e.g., 'IT Manager – daily access; Owner – backup access')
  • CCTV footage or camera installation receipt showing camera covering the server room door or entry point, plus evidence it is working (recent timestamped footage or screenshot)
  • Access control system configuration documentation or alert logs showing access attempts, timestamps, and who entered, plus evidence of any failed access attempts being reviewed
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me the server room or the secure location where your critical servers are kept. Is it locked? Who has keys or access cards, and how many people is that?"
  • "Can you walk me through your physical access log for the last 3 months? Who accessed the server room, when, and why? Is this reviewed regularly?"
  • "What happens if someone without authorization tries to enter the server room? Do you have an alarm or alert system? Show me the CCTV footage or camera if you have one."
  • "If I came to your office as a visitor or a new hire today, could I walk into the server room and take a photo of your equipment, plug in a USB drive, or disconnect a network cable? Why or why not?"
  • "Do you have a written policy stating who is allowed to access critical systems and how access is controlled? Has it been reviewed and signed by authorized staff in the last 12 months?"
🛠
Tools That Work in India
Purpose | Free Option | Paid Option
Record who enters the server room and when | Paper logbook or a free Google Sheet shared with the IT manager and owner; simple and effective for small teams | ZKTeco access control system with cloud logging (₹25,000–₹50,000 one-time) or Suprema BioStar 2 (₹35,000–₹60,000)
Monitor the server room door with video recording | Smartphone with a free motion-detection app (limited, not recommended for compliance) | Hikvision turret CCTV camera (₹8,000–₹12,000) or CP Plus IP camera (₹6,000–₹10,000); cloud storage subscription ₹2,000–₹4,000/year
Alert you if the server room door opens outside business hours | None reliable; a simple door contact sensor + manual SMS requires custom setup | Smart door lock with notification feature (₹18,000–₹35,000) or alarm system integration (₹15,000–₹25,000 setup + ₹500/month monitoring)
🛡
How This Makes You More Resilient
When your servers are physically locked and access is controlled and logged, you stop the opportunistic theft, sabotage, and data breaches that require no hacking skill at all: an intruder cannot simply walk in, copy your files, plug in a device, or destroy equipment. You are far less likely to lose equipment or data to a walk-in incident, you can show who was in the room and when if something does go wrong, and you avoid the DPDP Act penalties (up to ₹250 crore) and reputation damage that follow a data loss. You also pass customer audits and regulatory inspections, keeping your business trusted and legally compliant.
⚠️
Common Pitfalls in India
  • Assuming 'we are too small, so no one will target us'; opportunistic thieves, insiders, and contractors take advantage of small businesses precisely because basic controls such as a locked server room are missing, and size is no protection
  • Keeping the server room key in an obvious place (taped to the cabinet, left in the lock, given to the office assistant who manages supplies) instead of limiting it to 2-3 named people only
  • Not maintaining an access log because 'everyone here is trustworthy'—auditors require evidence; without a log, you cannot prove who accessed the servers or when a breach happened
  • Storing servers in a shared office space or open area because the company did not budget for a dedicated room, then being shocked when a visitor or contractor is found taking photos of equipment
  • Installing a CCTV camera but not reviewing footage regularly or keeping recordings for more than a few days, so there is no evidence if a breach occurs
  • Upgrading to a biometric lock but still handing the mechanical override key to multiple people, defeating the purpose of controlled access; keep the override key sealed in a tamper-evident envelope with the owner and record every time it is used
⚖️
Compliance References
StandardRelevant Section
DPDP Act 2023 | Section 8(5) (obligation of the Data Fiduciary to take reasonable security safeguards to prevent a personal data breach) and the Schedule (penalty of up to ₹250 crore for breach of that obligation)
CERT-In Directions (April 2022) | Direction (ii) (report cyber incidents to CERT-In within 6 hours) and Direction (iv) (retain logs of all ICT systems for a rolling period of 180 days, within India), which applies to electronic access-control logs
ISO 27001:2022 | Annex A 7 (Physical controls): A.7.1 (Physical security perimeters), A.7.2 (Physical entry), A.7.3 (Securing offices, rooms and facilities) and A.7.4 (Physical security monitoring); these were A.11.1.1 and A.11.1.2 in the 2013 edition
NIST CSF 2.0 | Protect, Identity Management, Authentication and Access Control: PR.AA-05 (access permissions and authorizations managed on least privilege) and PR.AA-06 (physical access to assets is managed, monitored, and enforced commensurate with risk)

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

trustinbharat.org