⚡ Quick Answer
Physical security controls protect facilities and hardware from unauthorised physical access. SY0-701 classifies controls by type (preventive, deterrent, detective, corrective, compensating, directive); for physical security the four you must be able to tell apart are deterrent (discourage attackers: fences, signs, lighting), preventive (stop access: access control vestibules, locks, badge readers), detective (identify incidents: cameras, motion sensors, access logs) and corrective (respond and restore after an incident: guard response, alarm response). The most tested physical security topic is the access control vestibule (mantrap): know exactly how the interlock works, why it stops tailgating, and why a badge reader alone does not.

Access Control — Entry Points

Access Control Vestibule (Mantrap)
Preventive
A small enclosed space with two interlocked doors: the inner door only unlocks after the outer door has closed and locked and the person inside has authenticated. It prevents tailgating (and, with an occupancy sensor or a guard watching, piggybacking) by admitting one authenticated person per cycle. CompTIA uses the term "access control vestibule" in SY0-701; older materials and most practitioners still say mantrap.
How it works: the person enters through the outer door, which locks behind them → authenticates (badge, PIN, biometric) inside the vestibule → the inner door unlocks. On a failed authentication both doors stay locked and the person is held for security personnel to respond. Caveat a practitioner should know: the interlock by itself only guarantees that both doors are never open at once. Limiting each cycle to one person needs an occupancy or weight sensor, or a guard watching the camera; without that, two people can walk into the vestibule together and one badge admits both. Exam trap: a vestibule prevents tailgating; it does NOT stop someone holding a stolen valid credential, which is why high-security doors add a PIN or biometric.
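The interlock logic described above, as an added example (this is illustrative code written for this page, not from CompTIA or any vendor). It assumes the vestibule has an occupancy sensor (floor weight sensor or camera analytics) that reports how many people are inside; the badge IDs are constructed. The invariant the controller enforces is the one that defines an interlock: the two doors are never unlocked at the same time. A second body in the vestibule, or a failed credential, leaves both doors locked until a guard clears the hold. Note that a stolen valid badge with a single occupant is admitted, exactly as the exam trap says.

```python
"""Model of an access control vestibule (mantrap) interlock.

Added example, not from the original page. Assumes an occupancy sensor
reporting how many people are in the vestibule; badge IDs are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Vestibule:
    authenticate: Callable[[str], bool]   # badge / PIN / biometric check
    outer_locked: bool = True
    inner_locked: bool = True
    outer_open: bool = False
    occupancy: int = 0                    # value reported by the occupancy sensor
    held: bool = False                    # trapped, pending guard response
    log: List[str] = field(default_factory=list)

    def _invariant(self) -> None:
        # Defining property of an interlock: never an open path through both doors.
        assert self.outer_locked or self.inner_locked, "interlock violated"

    def request_outer(self) -> bool:
        """Outer door release from the public side; no authentication yet."""
        if self.held or not self.inner_locked:
            return False
        self.outer_locked = False
        self.outer_open = True
        self._invariant()
        return True

    def outer_closed(self, occupancy: int) -> None:
        """Outer door closes and relocks; the sensor reports who is inside."""
        self.outer_open = False
        self.outer_locked = True
        self.occupancy = occupancy
        self._invariant()

    def present_credential(self, cred: str) -> str:
        """Authenticate inside the vestibule and return the outcome."""
        if self.outer_open or not self.outer_locked:
            return "deny: outer door not secured"
        if self.occupancy != 1:
            # Two bodies means a tailgating attempt: neither door opens.
            self.held = True
            self.log.append(f"HOLD occupancy={self.occupancy}")
            return "hold: occupancy != 1"
        if not self.authenticate(cred):
            self.held = True
            self.log.append(f"HOLD bad credential {cred!r}")
            return "hold: authentication failed"
        self.inner_locked = False          # admit; outer door is still locked
        self._invariant()
        self.log.append(f"ADMIT {cred!r}")
        return "admit"

    def inner_closed(self) -> None:
        self.inner_locked = True
        self.occupancy = 0
        self._invariant()

    def guard_release(self) -> None:
        """Security personnel clear a hold; both doors remain locked."""
        self.held = False
        self.occupancy = 0


VALID_BADGES = {"B1001", "B1002"}   # constructed sample data


def run(cred: str, occupancy: int) -> str:
    """Drive one entry attempt through the vestibule and report the outcome."""
    v = Vestibule(authenticate=lambda c: c in VALID_BADGES)
    v.request_outer()
    v.outer_closed(occupancy)
    outcome = v.present_credential(cred)
    if outcome == "admit":
        v.inner_closed()
    return outcome


if __name__ == "__main__":
    print(run("B1001", 1))   # admit
    print(run("B1001", 2))   # hold: occupancy != 1  (tailgater in the vestibule)
    print(run("B9999", 1))   # hold: authentication failed
```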
Badge / Proximity Card Readers
Preventive
Electronic access control using smart cards or proximity cards (RFID). Badge readers enforce least privilege at the physical layer — each employee's badge only grants access to areas required for their role. Access logs are maintained automatically.
Key terms: Proximity card = passive RFID, no battery, short range (tap to read). Smart card = contains a chip, can store certificates, used with a PIN (something you have + something you know = MFA). Tailgating = following an authorised person through a controlled door without authenticating — the main threat badge systems face.
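Because badge readers log every swipe, the logs can be used to detect the two things the text says badge systems cannot prevent on their own: tailgating and shared or cloned cards. Added example, not from the original page: the log format, door names and badge IDs are constructed (real access control systems export different fields, but the logic is the same). Two checks run over the log: an interior door granted to a badge with no open perimeter entry (the holder tailgated into the building), and a perimeter entry by a badge that is already inside (anti-passback; the card was passed back, cloned, or the holder tailgated out earlier).

```python
"""Tailgating and anti-passback detection over badge-reader access logs.

Added example, not from the original page. Log format, doors and badge IDs
are constructed sample data.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample log: time, badge, door, direction, result
SAMPLE_LOG = """\
time,badge,door,direction,result
08:01,B1001,LOBBY,in,granted
08:02,B1002,LOBBY,in,granted
08:10,B1001,SRV-ROOM,in,granted
08:15,B1003,SRV-ROOM,in,granted
08:30,B1001,LOBBY,out,granted
08:31,B1002,LOBBY,in,granted
08:40,B1004,SRV-ROOM,in,denied
"""

PERIMETER_DOORS = {"LOBBY"}   # doors that mark entry to / exit from the building


def analyse(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (time, badge, finding) for suspicious granted events.

    anti-passback: a badge already inside the perimeter enters again with no
                   'out' swipe in between (shared/cloned card, or tailgated out);
    no perimeter entry: an interior door is granted to a badge that never
                   badged in at the perimeter, i.e. the holder tailgated in.
    Denied swipes are skipped here; they are a separate, noisier signal.
    """
    inside: Dict[str, bool] = {}   # badge -> currently inside the perimeter?
    findings: List[Tuple[str, str, str]] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "granted":
            continue
        badge, door, direction = row["badge"], row["door"], row["direction"]
        if door in PERIMETER_DOORS:
            if direction == "in":
                if inside.get(badge):
                    findings.append((row["time"], badge,
                                     "anti-passback: entered twice without exit"))
                inside[badge] = True
            else:
                inside[badge] = False
        elif not inside.get(badge):
            # Interior door with no perimeter entry on record for this badge.
            findings.append((row["time"], badge,
                             f"{door} access with no perimeter entry (tailgating?)"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

In a real deployment the perimeter state would persist across days and be reset on a known "building empty" event; otherwise a missed exit swipe turns every legitimate morning entry into a false anti-passback alert. Many access control systems implement hard anti-passback (the second entry is denied, not just logged), which is the preventive form of the same check.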
Biometric Authentication
Preventive
Uses physical or behavioural characteristics to verify identity: fingerprint, retina scan, iris scan, facial recognition, hand geometry, voice recognition. This is the something-you-are factor, often called the strongest factor because it cannot be forgotten, lent or lost the way a PIN or badge can. The flip side is that a compromised biometric cannot be reissued like a card, and sensors can be spoofed, so high-security sites pair it with a badge or PIN rather than relying on it alone. Used in high-security environments such as datacentres and government facilities.
Key metrics: FAR (False Acceptance Rate) = proportion of impostors incorrectly accepted (the security metric). FRR (False Rejection Rate) = proportion of legitimate users incorrectly rejected (the usability metric). CER/EER (Crossover or Equal Error Rate) = the error rate at the threshold where FAR = FRR; a lower CER means a more accurate system. Tightening the match threshold lowers FAR and raises FRR, and vice versa. The exam may ask which metric measures security (FAR) and which measures convenience (FRR).
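The three metrics computed from match scores, as an added example (not from the original page). The genuine and impostor score lists are constructed; a real system would collect them from enrolment and verification trials. A trial is accepted when its similarity score is at or above the threshold, so sweeping the threshold shows the trade-off directly: a high threshold gives a low FAR and a high FRR, a low threshold the reverse, and the crossover is the threshold where the two rates meet.

```python
"""FAR, FRR and the crossover (equal error) rate from biometric match scores.

Added example, not from the original page. Score lists are constructed data.
Scores are similarity values in 0..100; a trial is accepted when score >= threshold.
"""
from typing import List, Tuple

# Constructed sample match scores
GENUINE = [92, 88, 85, 81, 79, 77, 75, 72, 70, 66, 63, 58, 55, 49, 44]   # enrolled user vs own template
IMPOSTOR = [61, 57, 53, 50, 47, 45, 42, 40, 38, 35, 33, 30, 27, 22, 18]  # other people vs that template


def far(threshold: int, impostor: List[int] = IMPOSTOR) -> float:
    """False acceptance rate: fraction of impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: List[int] = GENUINE) -> float:
    """False rejection rate: fraction of genuine users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine: List[int] = GENUINE,
              impostor: List[int] = IMPOSTOR) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (CER/EER)."""
    best_t, best_gap, best_rate = 0, float("inf"), 1.0
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if abs(a - r) < best_gap:
            best_t, best_gap, best_rate = t, abs(a - r), (a + r) / 2
    return best_t, best_rate


if __name__ == "__main__":
    for t in (40, 50, 60, 70):
        # Raising the threshold: FAR falls, FRR rises.
        print(f"threshold {t}: FAR={far(t):.2f}  FRR={frr(t):.2f}")
    t, eer = crossover()
    print(f"crossover at threshold {t}, CER/EER={eer:.3f}")
```

With these constructed scores the crossover lands at threshold 54 with an EER of 2/15 (about 13%). A vendor quoting "FAR 0.01%" without the matching FRR or the threshold it was measured at is giving you half the picture; the CER is the single number that lets you compare two systems.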
Locks — Cipher, Deadbolt, Cable
Preventive
Physical locks remain fundamental. Cipher locks use a keypad combination — no badge required but combination must be changed when personnel leave. Deadbolts are standard door locks. Cable locks secure laptops and equipment to desks — prevents opportunistic theft.
Exam note: Cable locks are specifically called out in A+ as a physical security control for mobile devices and workstations. They are a deterrent and preventive control but can be defeated with sufficient time/tools — they protect against opportunistic theft, not a determined attacker.

Perimeter Security

Bollards & Barricades
Preventive
Short vertical posts or barriers that prevent vehicle-based attacks — crashing through building entrances or ramming into infrastructure. Commonly seen outside government buildings, datacentres, and airports. Also includes concrete barriers, jersey barriers, and reinforced planters.
Exam use: If a scenario describes protecting a datacentre or office building from vehicles, bollards are the answer. Not relevant for stopping foot traffic — that's a mantrap or fence.
Fencing & Security Guards
Deterrent
Fencing deters and delays unauthorised perimeter entry. Height matters — 3–4ft deters casual entry, 6–7ft is more serious, 8ft+ with barbed wire is high security. Security guards provide both deterrence and detection — they can respond to incidents and use judgement in ways technology cannot.
Key distinction: Fencing is a deterrent (slows down) and preventive (blocks) control. Guards are deterrent and detective. Neither is as effective at preventing a determined attacker as layered controls — fence + guard + mantrap + badge is defence in depth.
Lighting
Deterrent
Adequate lighting deters attackers who rely on concealment and improves the effectiveness of surveillance cameras. Motion-activated lighting draws attention to movement in restricted areas. Lighting is a low-cost, high-impact physical deterrent.
Exam note: Lighting is classified as a deterrent control — it discourages attacks but does not prevent entry. Combined with cameras (detective) and locks (preventive), it contributes to defence in depth.

Surveillance & Monitoring

CCTV / Surveillance Cameras
Detective
Cameras serve as both deterrent (visible cameras discourage bad actors) and detective (recordings are reviewed after incidents). Key design considerations: coverage without blind spots, resolution sufficient for facial identification, adequate recording retention, protection of camera feeds from tampering.
PTZ cameras (Pan-Tilt-Zoom) can be remotely directed. IP cameras transmit over the network — secure the network feed. Motion-triggered recording reduces storage requirements. The exam may ask about camera placement strategy — cover entry/exit points, server rooms, and areas where sensitive equipment is stored.
Motion Sensors & Alarms
Detective
Detect movement in restricted areas and trigger alerts. PIR (Passive Infrared) sensors detect heat signatures from moving bodies — common in server rooms and offices after hours. Alarms alert security personnel to respond (corrective component).
Faraday cages are a related physical security concept — metal enclosures that block electromagnetic signals, preventing wireless communication (phone calls, Wi-Fi, RFID) inside. Used in high-security facilities to prevent wireless data exfiltration.

Secure Data Disposal

Physical security isn't just about keeping people out — it's also about ensuring data cannot be recovered from decommissioned hardware. The exam tests specific disposal methods for different media types.

| Method | How it works | Media type | Recovery possible? |
|---|---|---|---|
| Degaussing | Exposes magnetic media to a powerful magnetic field that randomises the magnetic domains, erasing all data. The degausser must be rated for the media's coercivity; modern high-coercivity HDDs need a correspondingly strong unit. | HDDs and magnetic tape only; has no effect on SSDs, USB flash or optical media | No. An HDD is unusable afterwards because its servo tracks are erased too. |
| Shredding | Physical destruction into small particles. Industrial shredders handle HDDs, SSDs, optical discs and paper. | All media types, paper, payment cards | No, provided the particle size is small enough for the media: for SSDs the NAND chips themselves must be broken up, not merely cut free from the board. |
| Incineration | Burns the media to ash; highest assurance of destruction | All media types | No; complete destruction |
| Overwriting (wiping) | Overwrites every addressable sector with fixed or random patterns. NIST SP 800-88 is the current reference and treats a single pass as sufficient for modern HDDs; DoD 5220.22-M (3 passes, 7 in its ECE variant) is legacy. | HDDs: effective. SSDs: unreliable, because wear levelling and over-provisioning leave blocks that software cannot address; use the drive's firmware sanitise/secure-erase command, cryptographic erase or physical destruction instead. | Effectively no for HDDs (reallocated bad sectors are the exception); SSDs may retain data in unaddressable blocks |
| Cryptographic erase | Destroys the media encryption key; the ciphertext stays on the media but is unreadable without it | Self-encrypting drives (SEDs), SSDs with hardware encryption | No, provided every sector was written under the key and the key is verifiably gone. Data written before encryption was enabled is not protected, so verify after the erase, as NIST SP 800-88 recommends. |
🎯 Degaussing Exam Trap

Degaussing only works on magnetic media — HDDs and tape drives. It does NOT work on SSDs, USB drives, CDs/DVDs, or any flash/optical media because those don't use magnetic storage. The exam will try to trick you into choosing degaussing for an SSD — the correct answer for SSD disposal is physical destruction (shredding) or cryptographic erase.
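The cryptographic-erase and wiping rows above carry two caveats worth seeing in working code: the erase only covers data that was written under the key, and the verification scan has to look at the raw media, not at what the drive returns through its normal read path. Added example, not from the original page or any vendor: the "drive" is a list of 512-byte sectors in memory and the cipher is an HMAC-SHA256 keystream XORed over each sector, a stand-in used so the example runs with the standard library only (real self-encrypting drives use AES-XTS). The plaintext marker is constructed; a real sanitisation verifier would scan for filesystem signatures, file headers and readable text.

```python
"""Toy self-encrypting drive: cryptographic erase plus post-sanitisation scan.

Added example, not from the original page. Keystream cipher is a stand-in for
AES-XTS; the plaintext marker is constructed sample data.
"""
import hashlib
import hmac
import os
from typing import List, Optional

SECTOR = 512
MARKER = b"PATIENT-RECORD"   # constructed: the kind of string a verifier scans for


def keystream(key: bytes, lba: int) -> bytes:
    """Per-sector keystream, so identical plaintext in two sectors encrypts differently."""
    out = b""
    counter = 0
    while len(out) < SECTOR:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:SECTOR]


class SelfEncryptingDrive:
    def __init__(self, sectors: int):
        self.media: List[bytes] = [bytes(SECTOR)] * sectors   # what is physically stored
        self.key: Optional[bytes] = None                      # None = encryption not enabled

    def enable_encryption(self) -> None:
        self.key = os.urandom(32)

    def write(self, lba: int, data: bytes) -> None:
        data = data.ljust(SECTOR, b"\0")[:SECTOR]
        if self.key is None:
            self.media[lba] = data   # stored in plaintext: crypto-erase will not help here
        else:
            ks = keystream(self.key, lba)
            self.media[lba] = bytes(a ^ b for a, b in zip(data, ks))

    def read(self, lba: int) -> bytes:
        """Normal read path: decrypts transparently while the key exists."""
        if self.key is None:
            return self.media[lba]
        ks = keystream(self.key, lba)
        return bytes(a ^ b for a, b in zip(self.media[lba], ks))

    def crypto_erase(self) -> None:
        """Destroy the media encryption key; the ciphertext is left in place."""
        self.key = None


def residual_plaintext(drive: SelfEncryptingDrive, marker: bytes = MARKER) -> List[int]:
    """Verification scan over the raw media: sectors that still contain the marker."""
    return [lba for lba, raw in enumerate(drive.media) if marker in raw]


def demo() -> List[int]:
    """Write before and after enabling encryption, erase, then verify."""
    d = SelfEncryptingDrive(sectors=8)
    d.write(0, MARKER + b" written BEFORE encryption was enabled")
    d.enable_encryption()
    d.write(1, MARKER + b" written after encryption was enabled")
    d.write(2, MARKER + b" another encrypted record")
    assert d.read(1).startswith(MARKER)   # normal operation: readable with the key
    d.crypto_erase()
    return residual_plaintext(d)          # sectors that still leak after the erase


if __name__ == "__main__":
    print("sectors still leaking plaintext after crypto-erase:", demo())   # [0]
```

Sector 0 is the failure mode: it was written before the drive was encrypting, so destroying the key changes nothing about it. The practical rule that follows is that cryptographic erase is only acceptable when the drive has been encrypting since it was first provisioned, and the disposal procedure should include a raw-media scan rather than trusting the drive's own report that the erase completed.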

Defence in Depth — Layering Physical Controls

Physical security is most effective when layered — no single control is sufficient. A well-designed facility uses: perimeter controls (fencing, bollards, lighting) → building entry (guards, badge readers, mantrap) → internal zones (additional badge readers, biometrics for server rooms) → detection (cameras, motion sensors, access logs) → response (alarms, guards, incident procedures).

The exam may present a scenario and ask which additional control is most appropriate — think about which layer of defence is weakest and pick the control that fills that gap.

Exam Scenarios

💬 "An organisation wants to prevent unauthorised individuals from following authorised employees through a secured door. Which physical control best addresses this?" → Access control vestibule (mantrap) — the two interlocking doors ensure only one person can pass through at a time after authentication. It specifically prevents tailgating, which badge readers alone cannot stop.
💬 "A security team is disposing of decommissioned hard drives containing sensitive patient data. Which method provides the strongest assurance that data cannot be recovered?" → Physical shredding or incineration — both guarantee data cannot be recovered. Degaussing also works for HDDs and renders them unusable. Simple deletion or formatting is not acceptable for regulated data.
💬 "A datacentre needs to dispose of 50 SSDs. A technician suggests degaussing. Is this appropriate?" → No — degaussing only works on magnetic media. SSDs use flash storage, which is not affected by magnetic fields. The correct methods for SSDs are physical destruction (shredding) or cryptographic erase if the drive supports hardware encryption.
💬 "A biometric system has a very low FAR but a high FRR. What does this mean in practice?" → The system rarely lets unauthorised users in (low FAR = good security) but frequently rejects legitimate users (high FRR = poor usability). It's secure but frustrating. Lowering the sensitivity would improve FRR but increase FAR — this is the security vs convenience tradeoff in biometrics.
💬 "Which physical control would best protect a datacentre entrance from a vehicle ramming attack?" → Bollards — short reinforced posts designed specifically to stop vehicle intrusions. Fencing, badges, and cameras do not provide vehicle resistance.
💬 "An employee's smart card is used to access the server room. The security team wants to ensure the card alone is insufficient for entry. What should they add?" → A PIN or biometric requirement — turning the smart card (something you have) into two-factor authentication by requiring something you know (PIN) or something you are (biometric). If the card is lost or stolen, the second factor prevents misuse.


Layered Physical Security — Defence in Depth Applied to Space

Physical security follows the same defence-in-depth principle as cybersecurity — multiple overlapping controls so that an attacker who defeats one layer still faces additional barriers. A well-designed physical security architecture has concentric rings: perimeter security (fencing, vehicle barriers, lighting), building access (badge readers, security guards, visitor logs), internal zones (separate badge access for different floors or departments), server room access (biometric + badge + PIN, mantrap entry), and equipment-level security (cable locks, rack locks, chassis intrusion detection). An attacker who tailgates through a door at the perimeter still needs to defeat building access, internal zone access, and server room access before reaching critical equipment.

The exam tests this layered approach primarily through scenario questions: a company wants to prevent unauthorised physical access to their server room. What controls should they implement? The answer typically involves multiple layers — not just one control. A badge reader alone is defeated by tailgating; adding a mantrap prevents tailgating by ensuring only one person can enter at a time.

Access Control Vestibules (Mantraps)

An access control vestibule (commonly called a mantrap) is a physical security control consisting of a small room with two interlocked doors: the first door must close and lock before the second door can open. This prevents tailgating (an unauthorised person following an authorised person through a secured door). Vestibules are used at the entrance to high-security areas such as server rooms, datacentre floors and secure research facilities. Some implementations include biometric verification in the vestibule itself, weighing the occupant to confirm only one person is present, or video monitoring with security guard oversight.

The distinction between tailgating and piggybacking: tailgating is when an unauthorised person follows an authorised person through a door without that person's knowledge or consent. Piggybacking is when the authorised person knowingly holds the door open for or otherwise allows an unauthorised person to enter, effectively a social engineering attack that exploits courtesy and authority. Both are physical security violations. A vestibule with occupancy detection or guard oversight stops both mechanically, because a second body in the vestibule blocks the cycle whether or not the badge holder consented; piggybacking additionally needs security awareness training, since the authorised person is the one letting the attacker in.

Data Destruction Methods — What the Exam Tests

Physical security extends to how data is destroyed when storage media is retired. CompTIA tests specific destruction methods and when each is appropriate. Shredding physically destroys the storage media (shredded hard drives, SSDs, optical discs) — appropriate for media that must be completely destroyed and cannot be reused. Degaussing exposes magnetic storage (HDDs, magnetic tape) to a powerful magnetic field that scrambles all data — effective for traditional hard drives but does not work on SSDs, USB drives, or optical media (which are not magnetic). This distinction is a common exam question.

Overwriting (wiping) writes patterns of data (zeros, ones or random data) over every addressable sector of a drive. NIST SP 800-88 is the current reference and treats a single pass as adequate for modern drives; the older DoD 5220.22-M scheme (3 passes, or 7 in its ECE variant) is still quoted in exam material but is no longer an active standard. Overwriting is not appropriate for highly classified or sensitive data, where physical destruction is required. It also only reaches sectors the operating system can address: reallocated bad sectors on HDDs, and the over-provisioned and wear-levelled blocks on SSDs, can retain data, so for SSDs use the drive's firmware sanitise or secure-erase command, cryptographic erase, or destruction. Incineration (burning) is the highest level of destruction, used for classified media that must be rendered unreadable under any circumstance.

On the exam: a company needs to dispose of old hard drives containing financial records. They want to reuse the drives. What method is appropriate? Overwriting (wiping). They don't want to reuse them and want complete assurance? Shredding or incineration. They have old magnetic tape backups? Degaussing. The method depends on media type, sensitivity level, and whether reuse is required.

Environmental Controls in Physical Security

Datacentres and server rooms require environmental controls that are themselves a form of physical security, protecting equipment from environmental threats. Temperature monitoring and cooling (HVAC) prevent hardware failure from overheating; most server equipment operates safely at 65–80°F (18–27°C). Humidity controls prevent static electricity build-up (too dry) and condensation damage (too humid); the commonly cited target range is 40–60% relative humidity. Fire suppression in server rooms uses clean agent systems (FM-200, Novec 1230 and other Halon replacements; Halon itself is no longer produced) rather than water sprinklers, because water damages powered equipment. Where building codes still require sprinklers, a pre-action system keeps the pipes dry until a fire is confirmed. Hot aisle/cold aisle rack arrangement directs cool air to the server intake faces and exhausts hot air to the rear, greatly improving cooling efficiency.

UPS (Uninterruptible Power Supply) protects against power loss and power quality issues. A UPS provides battery backup that keeps servers running during brief outages and filters power fluctuations (voltage sags, surges, spikes) that can damage hardware. Generator backup extends protection for longer outages. The exam tests UPS as a physical security and availability control — know that UPS prevents data corruption from sudden power loss and gives systems time to shut down gracefully.
