Compliance & Regulations

SOC 2 Compliance and Visitor Management: What Auditors Want to See

KyberAccess Team · · 9 min read

SOC 2 Cares About Your Lobby

SOC 2 (Service Organization Control 2) audits evaluate how well an organization protects data. Most people think of SOC 2 as a technical audit — encryption, access controls, incident response. And it is. But SOC 2 also covers physical security, and that includes visitor management.

If an unauthorized person can walk into your building, sit down at an empty desk, and access your network, your encryption doesn’t matter. SOC 2 auditors know this, which is why they look at how you control physical access — including how you manage visitors through a comprehensive check-in system.

The Trust Services Criteria That Apply

SOC 2 is built on five Trust Services Criteria. Three directly involve visitor management:

CC6: Logical and Physical Access Controls

This is the big one. CC6 requires organizations to:

  • CC6.1 — Implement logical and physical access controls to protect assets
  • CC6.2 — Restrict physical access to facilities and assets
  • CC6.3 — Manage access to information assets
  • CC6.4 — Restrict and manage logical access to systems

For visitor management, auditors evaluate:

  • How visitors are identified and registered
  • How visitor access is restricted to authorized areas
  • How temporary credentials are managed and revoked
  • How visitor access is logged and monitored

CC6.4 Specifically: Physical Access

Auditors look for evidence that:

  • All visitors are registered before accessing the facility
  • Visitors are identified (ID verification, photo capture)
  • Visitors are escorted or restricted to authorized areas
  • Visitor access is time-limited (badge expiration)
  • Visitor records are maintained for the audit period
  • Access to sensitive areas (server rooms, data centers) has additional controls

CC7: System Operations

CC7.2 requires monitoring for anomalies in physical access. Your VMS provides:

  • Unusual visit patterns (frequency, timing, after-hours visits)
  • Watchlist matches
  • Unauthorized access attempts
  • Badge expiration overrides

CC5: Control Activities

CC5.2 covers the policies and procedures that govern access. Auditors want to see:

What Auditors Actually Ask For

During a SOC 2 audit, expect to provide:

Documentation

  • Written visitor management policy
  • Visitor registration procedures
  • Visitor escort and access restriction procedures
  • Badge management and expiration procedures
  • Incident response procedures for visitor-related events
  • Staff training records

Evidence

  • Visitor logs for the audit period (typically 12 months)
  • Evidence that all visitors were registered (no gaps in the log)
  • Evidence that visitor IDs were verified
  • Evidence that temporary credentials were issued and revoked
  • Evidence that sensitive areas have additional access controls
  • Evidence that visitor access was monitored

Testing

The auditor may:

  • Walk through the visitor check-in process
  • Request visitor records for specific dates
  • Ask to see the watchlist and deny list configuration
  • Check that badge expiration is enforced
  • Verify that former visitor credentials are revoked
  • Test whether an unregistered person could bypass the lobby

Paper Logs vs. Digital VMS: The Audit Gap

Paper sign-in sheets create problems during SOC 2 audits:

  • Completeness — How do you prove every visitor signed in? You can’t prove a negative.
  • Legibility — Auditors can’t read handwriting
  • Integrity — Paper can be altered after the fact
  • Retention — Are you keeping 12 months of paper logs in good condition?
  • Search — Finding a specific visitor’s records across a year of paper takes hours
  • Access control — Anyone in the lobby can read the sign-in sheet

A digital VMS produces complete, searchable, tamper-evident visitor records that satisfy every audit requirement automatically.

Configuring Your VMS for SOC 2

Essential configuration for SOC 2 compliance:

Mandatory Check-In

  • All visitors must complete full registration (no bypassing the kiosk)
  • ID scanning enabled for all visitor types
  • Photo capture enabled
  • Host verification required

Access Restriction

  • Badge printing with expiration time
  • Access control integration for sensitive areas
  • Different access levels by visitor type
  • Escort requirements for data-center and server room visits

Monitoring

  • Real-time alerts for watchlist matches
  • After-hours visit alerts
  • Unusual visit pattern detection
  • Failed check-in attempt logging

Record Retention

  • Retain visitor records for the audit period plus buffer (minimum 12 months)
  • Automated retention policy enforcement
  • Export capability for auditor requests
  • Tamper-evident record storage

Audit Trail

  • Every check-in, check-out, and modification logged with timestamp and user
  • Administrator access to visitor records logged
  • Configuration changes logged
  • Report generation logged

Preparing for the Audit

30 days before your SOC 2 audit:

  1. Pull visitor logs — Generate a complete visitor report for the audit period
  2. Review completeness — Identify any gaps or anomalies
  3. Verify policies — Ensure written procedures match actual practice
  4. Check training records — Confirm all front desk staff have current training
  5. Test the system — Walk through the check-in process to verify it works as documented
  6. Prepare sensitive area documentation — Extra controls for data centers and server rooms

Beyond Passing the Audit

SOC 2 compliance isn’t a one-time event. Maintain compliance by:

  • Reviewing visitor management policies quarterly
  • Running monthly training refreshers for front desk staff
  • Auditing visitor logs monthly for anomalies
  • Testing emergency procedures involving visitors
  • Updating watchlists and deny lists as needed
  • Keeping the VMS software current

KyberAccess includes a built-in SOC 2 compliance center with audit-ready reports, tamper-evident logs, and policy documentation templates. See the compliance features.

Related: Compliance Guide · Access Control · Request a Demo

SOC 2 compliance audit data security trust services criteria access control

Ready to Secure Your Building?

Start your free trial — no credit card required.

Get Started Free Book a Demo

Related Articles

Security & Safety

Digital Printed Badges vs. Paper Sticker Badges: A Security Comparison

Paper sticker badges are cheap. They're also easy to forge, impossible to track, and a security liability. Here's the full comparison between printed digital badges and adhesive stickers.

 Security & Safety

CCTV Cameras vs. Visitor Management Systems: Which Matters More for Security?

Cameras record what happens. Visitor management prevents it from happening. Here's an honest comparison of CCTV and VMS — and why the debate misses the point.

 Compliance & Regulations

REAL ID Act and Visitor Management: What Changes for ID Scanning and Verification

REAL ID enforcement changes how facilities verify visitor identity. Here's what your visitor management system needs to handle — and what happens if you ignore the shift.