SOC 2's CC6.4 is the trust services criterion for physical access. It sits inside the Common Criteria, the part of the framework every SOC 2 attestation touches. If you are pursuing SOC 2 Type I or Type II, CC6.4 will be looked at. If you have a clipboard at the front desk, this is where your audit gets stuck.
Below is the 12-point checklist your auditor will use, written plainly. Run it against your front desk this week.
The 12 points
1. Visitor identification. Every visitor's name is captured before they enter restricted areas. Identification is verifiable (a stated name is not sufficient if your restricted area is high-risk).
2. Host association. Every visitor is tied to the employee, agent, or third party who authorized the visit.
3. Visit purpose recorded. Vague is fine ("vendor meeting"); blank is not.
4. Arrival and departure timestamps. Both. Departure is the one most SMBs forget.
5. Escort policy documented and applied. If your written policy says "visitors must be escorted in restricted areas," your log should reflect that the escort actually happened.
6. Restricted areas defined. Your CC6.4 documentation should list which physical zones are "restricted." Your visitor flow should treat them accordingly.
7. Badging or visual identification. Visitors are visually distinguishable from employees (badge, sticker, color).
8. Retention policy. Visitor records are retained per your written policy. The policy length matters; the consistency matters more.
9. Audit log production. On demand, you can produce the visitor record for any defined period (typically the last 12 months) in under 5 minutes.
10. Roster on demand. At any given moment, you can produce a list of every visitor currently on site.
11. Incident response link. Your incident response policy references the visitor log as evidence in the event of a physical-security incident.
12. Periodic review. Your visitor log practices are reviewed at least annually as part of CC6.4's documented review cadence.
Where SMBs fail
The four most common audit findings in CC6.4 visitor sections, in our experience working with SMB SOC 2 prep:
- Departure timestamps are missing (point 4). Paper sheets capture arrival but not departure.
- Retention is inconsistent (point 8). Paper logs are sometimes kept, sometimes shredded, with no policy in writing.
- Audit log production takes too long (point 9). Auditor asks for May visitors. The team takes a week.
- Roster on demand cannot be produced (point 10). The fire-alarm scenario (who is in the building right now?) fails.
A digital check-in solves all four. A paper clipboard cannot, no matter how diligent the receptionist is.
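To make the four failing checks concrete, here is a small Python model of a visitor log with the queries behind points 4, 5, 8, 9 and 10. It is an added illustration, not CheckinIQ's code or schema; the records, field names and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Visit:
    """One visitor record; field names are this example's own, not a product schema."""
    visitor: str
    host: str                       # point 2: who authorized the visit
    purpose: str                    # point 3
    arrived: datetime
    departed: Optional[datetime]    # None = never signed out (the point 4 gap)
    restricted: bool = False        # entered a zone the CC6.4 doc lists as restricted
    escort: Optional[str] = None    # employee who escorted, if the log recorded one

# Constructed sample data: one missing departure, one unescorted restricted visit,
# one record older than a 12-month retention window.
SAMPLE = [
    Visit("A. Vendor", "j.smith", "vendor meeting", datetime(2024, 5, 2, 9, 0), datetime(2024, 5, 2, 11, 30)),
    Visit("B. Candidate", "hr", "interview", datetime(2024, 5, 2, 10, 0), None),
    Visit("C. Contractor", "ops", "server room", datetime(2024, 5, 3, 8, 0), datetime(2024, 5, 3, 17, 0), restricted=True),
    Visit("D. Auditor", "ciso", "walkthrough", datetime(2024, 5, 3, 13, 0), None, restricted=True, escort="ciso"),
    Visit("E. Courier", "reception", "delivery", datetime(2023, 3, 1, 9, 0), datetime(2023, 3, 1, 9, 10)),
]
NOW = datetime(2024, 5, 4, 9, 0)   # constructed "current time" for the sample

def missing_departures(visits, now, grace=timedelta(hours=24)):
    """Point 4: open visits whose arrival is older than the grace window."""
    return [v.visitor for v in visits if v.departed is None and now - v.arrived > grace]

def unescorted_restricted(visits):
    """Point 5: restricted-area visits where the log shows no escort."""
    return [v.visitor for v in visits if v.restricted and not v.escort]

def apply_retention(visits, now, retention_days):
    """Point 8: the records the written retention policy says must still exist."""
    cutoff = now - timedelta(days=retention_days)
    return [v for v in visits if v.arrived >= cutoff]

def records_for_period(visits, start, end):
    """Point 9: the audit-log export for a defined period, keyed on arrival time."""
    return [v for v in visits if start <= v.arrived < end]

def roster_at(visits, moment):
    """Point 10: everyone on site at `moment` (arrived and not yet departed)."""
    return sorted(v.visitor for v in visits
                  if v.arrived <= moment and (v.departed is None or v.departed > moment))

def checklist_report(visits=SAMPLE, now=NOW, retention_days=365):
    """Run the checks an auditor asks about and return the findings as one dict."""
    return {
        "missing_departures": missing_departures(visits, now),
        "unescorted_restricted": unescorted_restricted(visits),
        "on_site_now": roster_at(visits, now),
        "retained": len(apply_retention(visits, now, retention_days)),
        "may_2024": len(records_for_period(visits, datetime(2024, 5, 1), datetime(2024, 6, 1))),
    }
```

A paper sheet can answer none of these queries without someone reading every line; a structured log answers all of them in one pass.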
Why this matters at renewal time
SOC 2 reports are increasingly required by enterprise customers in their vendor risk reviews. If your sales motion includes one Fortune 500 client, that client's procurement team will ask for your SOC 2 report. CC6.4 findings show up in the report. If the findings are visitor-log related, the conversation is straightforward to fix (digital check-in solves most of it). If you do not fix it, the same finding shows up next year.
Frequently asked questions
Does CheckinIQ produce a CC6.4-aligned audit log?
Yes. The audit log captures arrival, departure, host, purpose, and the user who created/modified the record. Exportable in CSV or PDF.
Can I configure retention to match my SOC 2 policy?
Yes. Retention is configurable per tenant.
What about SOC 2 Type II (operating effectiveness)?
The digital audit log gives your auditor evidence of consistent control operation over the audit window, which is exactly what Type II tests.
Do I need to do anything special for the 12-month look-back?
No. The audit log preserves the full window per your retention policy.