Physical security

PHY017

Security zones

Use security zones to match your security to the risks facing your people, information or assets.

Extra security measures apply to areas where protectively-marked information and other official or valuable resources are processed, handled, discussed, and stored. These areas are called ‘security zones’. Security zones are based on the business impact levels (BILs) and each has minimum security controls that your organisation must implement.

If your organisation faces increased threat levels, use your risk assessments to work out what extra measures you need in each affected zone. Increased threat levels can be due to foreign interference, politically motivated violence, criminal activity, or cyber-attacks.

Meeting the minimum zone standards gives assurance to other organisations when you are sharing information or assets.


Understand the different zones

Zone 1: Public Access Areas

These are unsecured areas including out-of-office working arrangements. They provide limited access controls to information and physical assets where any loss would result in a low to medium business impact. They also provide limited protection for people.

Examples of public access areas are:

  • building perimeters and public foyers
  • interview and front-desk areas
  • temporary out-of-office work areas where the agency has no control over access
  • field work, including most vehicle-based work
  • public access parts within multi-building facilities (for example cafes or shops).

Permitted uses

In zone 1, you can:

  • store information and physical assets needed to do business with low-to-medium BILs
  • use information and physical assets with a high or very high BIL (storage is not recommended but is permitted if unavoidable)
  • use information and physical assets with a BIL above very high only under exceptional circumstances with approval of the originating agency (no storage is permitted).


Zone 2: Work Areas

These are low-security areas with some controls. They provide access controls to information and physical assets where any loss would result in a business impact up to very high. They also provide some protection for people.

Zone 2 areas allow unrestricted access for your people and contractors. Public or visitor access is restricted.

Examples of work areas are:

  • normal office environments
  • normal out-of-office or home-based worksites where you can control access to areas used for your business
  • interview and front-desk areas where your people are separated from clients and the public
  • military bases and airside work areas with a security fence around the perimeter and controlled entry points
  • vehicle-based work where the vehicle is fitted with a security container, alarm and immobiliser
  • exhibition areas with security controls and controlled public access.

Permitted uses

In zone 2, you can:

  • store information and physical assets with a BIL up to very high
  • use information and physical assets with an extreme BIL (but this information should not normally be stored in the area and you must use approved security containers)
  • use information and physical assets with a catastrophic BIL only under exceptional circumstances to meet operational imperatives with approval of the originating agency. No storage is permitted.


Zone 3: Restricted Work Areas

These are security areas with high security controls. They provide access controls to information and physical assets where any loss would result in a business impact up to extreme. They also provide protection for people.

Access for your people and contractors is limited to those with a need to access the area. People with ongoing access must hold an appropriate security clearance. Visitors must be escorted, or closely controlled, and have a business need to access the area.

Examples of restricted areas are:

  • secure areas within your building that have extra access controls for your people (such as IT server rooms)
  • exhibition areas with very valuable assets
  • areas with high-value items or items of cultural significance when not on display.

Permitted uses

In zone 3, you can:

  • store information or physical assets with a BIL up to extreme
  • use information with a catastrophic BIL (but this information should not normally be stored in the area).


Zone 4: Security Areas

These are security areas with higher levels of security. They provide access controls to information where any loss would result in a business impact up to extreme, and physical assets where any loss would result in a business impact up to catastrophic. They also provide protection for people.

Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.

Examples of security areas are:

  • secure areas within your building that have extra access controls for your people
  • exhibition areas with very valuable assets with specific item asset protection controls and closely controlled public access
  • areas used to store high-value items or items of cultural significance when not on display.

Permitted uses

In zone 4, you can:

  • store information with a BIL up to extreme
  • use information with a catastrophic BIL (but this information should not normally be stored in the area).


Zone 5: High-Security Areas

These are security areas with the highest level of security controls. They provide access controls to information where any loss would result in a business impact up to catastrophic.

Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.

Examples of high-security areas are:

  • areas storing TOP SECRET, sensitive, or compartmented information
  • New Zealand Intelligence Community facilities.

Permitted uses

In zone 5, you can store information marked TOP SECRET, compartmented information, or large quantities of information that when aggregated have a catastrophic BIL.


Apply the zone requirements

The zone requirements provide a minimum level of assurance against:

  • information being compromised, damaged, or unavailable
  • physical assets being compromised, lost, or damaged.

Security zone requirements

These minimum requirements may not be enough to protect your people, information, and physical assets. Use your risk assessments to work out which additional mitigations you need. Your organisation must use the right security controls to treat the risks you identify. 

Page last modified: 8/10/2018