Physical security


Site planning

Organisations must assess whether the physical security environment is acceptable as part of their regular security risk assessment.

Use your site-specific risk assessments to help you:

  • prepare site-specific security plans
  • include security requirements within other site development plans. 

Consult with security experts early in the planning process

Since physical security measures may be more expensive and less effective if introduced at a later stage, evaluate your security requirements in consultation with your chief security officer (CSO) at the earliest stages of planning new sites or buildings, or alterations to existing buildings.

For high-risk sites or buildings, consult early with relevant agencies, such as the New Zealand Security Intelligence Service (NZSIS), the Government Communications Security Bureau (GCSB), or other specialist agencies.

Create site security plans

Consider security measures for new buildings and sites as early as possible, preferably during the concept and design stages.

A site security plan documents measures to counter identified risks to your organisation’s functions and resources at the site.

Your organisation must prepare site security plans for any:

  • new sites
  • greenfield sites
  • facilities under construction
  • facilities undergoing major refurbishment.

For each site security plan, you need to ensure that your physical security measures:

  • provide enough delay to allow planned responses to take effect
  • meet business needs
  • complement and support other operational procedures
  • include any necessary measures to protect audio and visual privacy
  • do not unreasonably interfere with the public.

Remember to think about where different functions of your organisation will be sited within a facility, so these locations can be constructed to provide appropriate protection.

What to include in a site security plan

In your plan, document the answers to the following groups of questions.

Location and ownership

  • What is the location and nature of the site?
  • Does your organisation have sole or shared ownership, or tenancy of the site?


  • What hours will your people work at the site?
  • Who else will visit the site (for example, the public, service providers)?
  • What hours are you open to the public or other visitors?

Protectively-marked information

  • What protectively-marked information will be stored, handled, processed, or otherwise used in each part of the site? Which protective measures will you need for that information?
  • Which protective measures are needed for sensitive discussions and meetings (including those that involve protectively-marked information)?

ICT assets and resources

  • Which information and communications technology (ICT) assets and resources will be on the site? (Including, but not limited to, data, software, hardware, workstations, servers, frames and cabling, and portable devices such as laptops and tablets.)

Whole site, areas within the site, scalable measures

  • Which protective measures are needed for the site as a whole?
  • Which protective measures are needed for certain areas within the site? For example, part of a floor that will hold information of a higher classification than the rest of the site.
  • How will you scale your security measures to meet increases in threat levels?

Protect your security plans too

Remember that your site security plans contain valuable information about your organisation’s security and operations. Assess the impact of any loss or harm to your plan and apply a protective marking if necessary.

Include security requirements in briefs and contracts

Include all relevant security measures from your site security plans in building design briefs and requests for tender and contracts, so they’re included in the completed facilities.

More information:

Page last modified: 2/10/2018