Management protocol for physical security

Ensure your physical security practices are known and followed to achieve a strong security culture

PHY003

Keep your organisation secure with robust physical security. Reduce the risks to your organisation’s people, information, and assets.

This protocol:

  • explains the steps your organisation must take to improve your physical security
  • defines a physical security management cycle
  • outlines the mandatory requirements for New Zealand Government organisations.

If you’re a chief executive, chief security officer (CSO), chief information security officer (CISO), senior manager, or line manager, make sure you:

  • understand the management cycle, and
  • meet the mandatory requirements.

If you’re a private sector organisation, voluntarily adopting the mandatory requirements will improve your physical security.

What is physical security?

Physical security is a key component of your health and safety regime. Physical security is a combination of physical and procedural measures designed to prevent or reduce threats to your people, information, and assets. Physical security measures complement your security measures in other areas, such as personnel, information handling, communications, and ICT.

Understand the benefits of robust physical security

Having robust physical security measures can help you:

  • keep your people, customers, and the public safe
  • prevent unauthorised people accessing your premises, information, or assets
  • maintain the trust and confidence of the people and organisations you serve or work with
  • deliver services without disruption in the event of a heightened threat level or disaster
  • meet your obligations under the Health and Safety at Work Act 2015.

Know the threats and risks you need to manage

Physical security threats can come from your own people or from outside your organisation (for example, visitors, contractors, the public, external groups). Threats can apply to people working in your office or normal place of business. Different threats can be present when your people are working away from the office, particularly when they are working alone.

Threats include:

  • crime, including personal and property crime
  • workplace violence, such as assaults, harassment, and revenge attacks, from both insiders and external parties
  • civil disturbances, such as protests and riots
  • natural disasters, such as floods, earthquakes, and pandemics
  • industrial disasters, such as explosions, building fires, and structural collapses
  • terrorist acts, such as bombings, extortion, ‘white powder’ incidents, and kidnappings
  • other risks, such as disturbed people and traffic accidents.

Within your organisation, physical security breaches can be accidental. For example, if your people aren’t alert to the risk of tailgating, they might allow unauthorised people access to your secure areas.

Understand the physical security lifecycle

Understand and follow the physical security lifecycle to protect your organisation’s people, information, and assets.

The lifecycle stages show the steps you should work through to understand what you need to protect; assess the risks to your people, information, and assets; design appropriate security measures; validate that those measures are implemented correctly; and maintain them over time.

Take a risk-based approach to physical security

Your organisation’s unique context and potential threats determine which physical security measures you need. When you take a risk-based approach, you can ensure your physical security measures are right for your organisation.

You should identify the people, information, physical assets, and functions to be protected. You should then determine the threats facing your organisation within New Zealand and abroad.

You need to fully understand the value and sensitivity of your information and assets to accurately assess your physical security risks.

Use the Business Impact Levels (BILs) to assess the potential impact if your people, information, or assets were harmed, compromised, or unavailable. For example:

  • if customers were aggressive to your people
  • if your organisation’s property was stolen
  • if someone tampered with your security system and gained unauthorised access to your office out of hours
  • if someone gained unauthorised access to your premises and stole valuable information.

For every threat scenario, consider the risks to:

  • the public
  • your people, property, operations, reputation, finances, or business processes
  • New Zealand as a whole.
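The risk-based steps above (list what needs protecting, list the threat scenarios, rate the impact on each of the three risk categories, combine with likelihood, and rank) can be kept in a simple risk register. The following is an added example, not part of the PSR protocol; the 0 to 4 impact scale, the 1 to 5 likelihood scale, the tolerance threshold, and the sample scenarios are all constructed assumptions and do not reproduce the actual Business Impact Level definitions.

```python
"""Minimal physical-security risk register (added example, not PSR material).

Each threat scenario records what it puts at risk, how likely it is, and
its impact on the three categories the protocol names: the public; your
people, property, operations, reputation, finances or processes; and
New Zealand as a whole. Scenarios are scored and ranked so treatment can
be prioritised.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed ordinal scales standing in for an organisation's own BIL table.
IMPACT_LABELS = {0: "none", 1: "low", 2: "moderate", 3: "high", 4: "severe"}
LIKELIHOOD_LABELS = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
RISK_CATEGORIES = ("public", "organisation", "new_zealand")


@dataclass
class ThreatScenario:
    name: str
    protects: tuple[str, ...]   # people, information, assets or functions at risk
    likelihood: int             # 1..5 on the assumed scale
    impact: dict[str, int]      # impact per risk category, 0..4 on the assumed scale

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early rather than silently mis-ranking.
        if self.likelihood not in LIKELIHOOD_LABELS:
            raise ValueError(f"{self.name}: likelihood must be 1..5")
        for category, level in self.impact.items():
            if category not in RISK_CATEGORIES:
                raise ValueError(f"{self.name}: unknown risk category {category!r}")
            if level not in IMPACT_LABELS:
                raise ValueError(f"{self.name}: impact must be 0..4")

    def worst_impact(self) -> int:
        # A category that was not rated is treated as having no impact.
        return max(self.impact.get(c, 0) for c in RISK_CATEGORIES)

    def score(self) -> int:
        return self.likelihood * self.worst_impact()


def rank_scenarios(scenarios: list[ThreatScenario], tolerance: int = 7):
    """Return (all scenarios ranked, those whose score exceeds tolerance)."""
    ranked = sorted(scenarios, key=lambda s: (-s.score(), -s.worst_impact(), s.name))
    above = [s for s in ranked if s.score() > tolerance]
    return ranked, above


def register_report(scenarios: list[ThreatScenario], tolerance: int = 7) -> str:
    """Human-readable register, highest-priority scenario first."""
    ranked, above = rank_scenarios(scenarios, tolerance)
    lines = []
    for s in ranked:
        action = "TREAT" if s in above else "accept"
        lines.append(
            f"{s.score():>3} {action:<6} {s.name} "
            f"(likelihood={LIKELIHOOD_LABELS[s.likelihood]}, "
            f"worst impact={IMPACT_LABELS[s.worst_impact()]}; "
            f"protects: {', '.join(s.protects)})"
        )
    return "\n".join(lines)


# Constructed sample scenarios, drawn from the examples the protocol lists.
SAMPLE_SCENARIOS = [
    ThreatScenario("Aggressive customer at reception", ("front-line staff",),
                   likelihood=4, impact={"public": 1, "organisation": 2}),
    ThreatScenario("Theft of organisation property", ("laptops", "equipment"),
                   likelihood=3, impact={"organisation": 2}),
    ThreatScenario("Security system tampered with, out-of-hours access", ("office", "records"),
                   likelihood=2, impact={"organisation": 3, "new_zealand": 2}),
    ThreatScenario("Unauthorised entry and theft of sensitive information", ("classified files",),
                   likelihood=2, impact={"organisation": 4, "new_zealand": 3}),
    ThreatScenario("Tailgating into a secure area", ("secure area", "staff"),
                   likelihood=4, impact={"organisation": 3}),
]

if __name__ == "__main__":
    print(register_report(SAMPLE_SCENARIOS))
```

Ties on score are broken by the worst single-category impact, so a rare but severe scenario ranks above a frequent, moderate one with the same product; the tolerance value is where an organisation's own risk appetite would be set.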

Create a security culture

Everyone in your organisation contributes to your security culture. No amount of investment in physical security will be effective without the right security culture. A single tailgating incident or an unsecured reception area is enough to compromise your entire organisation.

Make sure your people and partners:

  • understand the security risks
  • understand your physical security policies
  • adopt the right security behaviours
  • speak up about security issues or incidents.

Provide security awareness communications, training, and support to help create a strong security culture. And make sure your physical security policies are communicated to your people and everyone you work with.

People should be encouraged to report emerging concerns or near misses, and should be treated as good corporate citizens rather than troublemakers when they do.

Your chief security officer (CSO) is responsible for your organisation’s physical security in line with your overall protective security policy.

Plan your physical security

Establish a physical security plan for your organisation that:

  • matches the level of security risk in your physical environment
  • is consistent with your business needs and legal obligations
  • builds on the overall framework and plan for your organisation’s security
  • covers your obligations under the Health and Safety at Work Act 2015.

Effective physical security planning:

  • accounts for increased risks in places where you have collections of information and physical assets, and higher concentrations of people
  • accounts for the specific needs of your organisation’s different work locations
  • includes scalable measures to meet increased threat levels and accommodate changes in the overall national threat level
  • includes a system of controls and barriers to help your organisation deter, detect, delay, and respond to any threat, whether external or internal
  • addresses the risks associated with shared facilities, and the security requirements for working away from the office.