SOC 2 Cares About Your Lobby
SOC 2 (Service Organization Control 2) audits evaluate how well an organization protects data. Most people think of SOC 2 as a technical audit — encryption, access controls, incident response. And it is. But SOC 2 also covers physical security, and that includes visitor management.
If an unauthorized person can walk into your building, sit down at an empty desk, and access your network, your encryption doesn't matter. SOC 2 auditors know this, which is why they look at how you control physical access — including how you manage visitors through a comprehensive check-in system.
The Trust Services Criteria That Apply
SOC 2 is built on five Trust Services Criteria. Three directly involve visitor management:
CC6: Logical and Physical Access Controls
This is the big one. CC6 requires organizations to:
CC6.1 — Implement logical and physical access controls to protect assets
CC6.2 — Restrict physical access to facilities and assets
CC6.3 — Manage access to information assets
CC6.4 — Restrict and manage logical access to systemsFor visitor management, auditors evaluate:
How visitors are identified and registered
How visitor access is restricted to authorized areas
How temporary credentials are managed and revoked
How visitor access is logged and monitoredCC6.4 Specifically: Physical Access
Auditors look for evidence that:
All visitors are registered before accessing the facility
Visitors are identified (ID verification, photo capture)
Visitors are escorted or restricted to authorized areas
Visitor access is time-limited (badge expiration)
Visitor records are maintained for the audit period
Access to sensitive areas (server rooms, data centers) has additional controlsCC7: System Operations
CC7.2 requires monitoring for anomalies in physical access. Your VMS provides:
Unusual visit patterns (frequency, timing, after-hours visits)
Watchlist matches
Unauthorized access attempts
Badge expiration overridesCC5: Control Activities
CC5.2 covers the policies and procedures that govern access. Auditors want to see:
A documented visitor management policy
Staff training on visitor procedures
Regular policy review and updatesWhat Auditors Actually Ask For
During a SOC 2 audit, expect to provide:
Documentation
Written visitor management policy
Visitor registration procedures
Visitor escort and access restriction procedures
Badge management and expiration procedures
Incident response procedures for visitor-related events
Staff training recordsEvidence
Visitor logs for the audit period (typically 12 months)
Evidence that all visitors were registered (no gaps in the log)
Evidence that visitor IDs were verified
Evidence that temporary credentials were issued and revoked
Evidence that sensitive areas have additional access controls
Evidence that visitor access was monitoredTesting
The auditor may:
Walk through the visitor check-in process
Request visitor records for specific dates
Ask to see the watchlist and deny list configuration
Check that badge expiration is enforced
Verify that former visitor credentials are revoked
Test whether an unregistered person could bypass the lobbyPaper Logs vs. Digital VMS: The Audit Gap
Paper sign-in sheets create problems during SOC 2 audits:
Completeness — How do you prove every visitor signed in? You can't prove a negative.
Legibility — Auditors can't read handwriting
Integrity — Paper can be altered after the fact
Retention — Are you keeping 12 months of paper logs in good condition?
Search — Finding a specific visitor's records across a year of paper takes hours
Access control — Anyone in the lobby can read the sign-in sheetA digital VMS produces complete, searchable, tamper-evident visitor records that satisfy every audit requirement automatically.
Configuring Your VMS for SOC 2
Essential configuration for SOC 2 compliance:
Mandatory Check-In
All visitors must complete full registration (no bypassing the kiosk)
ID scanning enabled for all visitor types
Photo capture enabled
Host verification requiredAccess Restriction
Badge printing with expiration time
Access control integration for sensitive areas
Different access levels by visitor type
Escort requirements for data-center and server room visitsMonitoring
Real-time alerts for watchlist matches
After-hours visit alerts
Unusual visit pattern detection
Failed check-in attempt loggingRecord Retention
Retain visitor records for the audit period plus buffer (minimum 12 months)
Automated retention policy enforcement
Export capability for auditor requests
Tamper-evident record storageAudit Trail
Every check-in, check-out, and modification logged with timestamp and user
Administrator access to visitor records logged
Configuration changes logged
Report generation loggedPreparing for the Audit
30 days before your SOC 2 audit:
Pull visitor logs — Generate a complete visitor report for the audit period
Review completeness — Identify any gaps or anomalies
Verify policies — Ensure written procedures match actual practice
Check training records — Confirm all front desk staff have current training
Test the system — Walk through the check-in process to verify it works as documented
Prepare sensitive area documentation — Extra controls for data centers and server roomsBeyond Passing the Audit
SOC 2 compliance isn't a one-time event. Maintain compliance by:
Reviewing visitor management policies quarterly
Running monthly training refreshers for front desk staff
Auditing visitor logs monthly for anomalies
Testing emergency procedures involving visitors
Updating watchlists and deny lists as needed
Keeping the VMS software current---
KyberAccess includes a built-in SOC 2 compliance center with audit-ready reports, tamper-evident logs, and policy documentation templates. See the compliance features.
Related: Compliance Guide · Access Control · Request a Demo