There are several links between Sarbanes-Oxley requirements and a company’s security program. Infosec controls are a critical component to ensure an effective COSO-based internal control environment. Physical security does fall under the requirements, but infosec control is a key component of the program. The process for implementing Section 404 should include project management, people, process and technology, as well as various phases of implementation including scope and plan; assess and define; identify and document controls; perform tests and remediate.”]
Source: https://www.csoonline.com/article/2116786/sarbanes–oxley-and-you.html