Physical security

PHY026

Access control systems

Use access control systems to prevent unauthorised access.

An access control system is a measure or group of measures designed to:

  • allow authorised personnel, vehicles, and equipment to pass through protective barriers
  • prevent unauthorised access.


Achieving access control

Access control can be achieved in several ways. The most common ways are:

  • using psychological or symbolic barriers — for example, Crime Prevention Through Environmental Design (CPTED)
  • positioning security staff at entry and exit points
  • positioning security staff at central points and having them monitor and control entry and exit points using intercoms, videophones, CCTV cameras, and similar devices
  • installing mechanical locking devices operated by keys or codes
  • using electronic access control systems (EACS).


Validating identity using authentication factors

Access control systems should provide identity validation using authentication factors about:

  • what you have — keys, identity (ID) cards, and passes
  • what you know — personal identification numbers (PINs)
  • who you are — visual recognition, biometrics, and so on.


Using dual authentication

Dual authentication requires the use of two authentication factors.

Your organisation must use dual authentication to control access to zone 5 areas.

You should also use dual authentication when your risk assessment identifies a significant risk of unauthorised access.


Using EACS

Your organisation must use EACS when there are no other suitable identity verification and access control measures in place.

EACS can be used along with other personnel and vehicle access control measures.

Get expert help

Your organisation should:

  • seek specialist advice before selecting EACS
  • use a designer or installer recommended by the manufacturer to design and commission EACS.

Follow good practice

Your organisation must verify the identity of every potential cardholder before you issue them with access cards for your EACS.

You must also audit regularly to check who has access to your EACS. You need to find out who still needs access, and disable or remove access for people who no longer need it or have left your organisation.

You can use sectionalised EACS to control access to specific areas in your facility. The sections of EACS are normally the same as the sections of your alarm systems, but they may have extra operational access control points not covered by your individual alarm sections.

EACS should typically start at zone 2 perimeters, but may be used in zone 1 (for example, to control access to car parking).

Keep your EACS software and hardware up to date. Ensure your software is updated to address known vulnerabilities. Consider updating EACS cards and readers as they age and become vulnerable to new threats.

Relevant standards

CAN/ULC-S319 - Electronic Access Control Systems

Meet the highest threat and risk level

When you implement EACS to cover a whole facility (on their own or with other access control measures), design them to meet the highest perceived threat and risk level.

If you use multiple EACS along with other access control measures, design each system to meet the highest perceived threat and risk level in the areas covered by the system.


Using anti-passback controls in high security areas

When you use anti-passback controls, cardholders can’t pass their cards to another person to use and tailgaters can’t get through. This control system is valuable for preventing unauthorised access to highly secure environments.

Anti-passback establishes a specific sequence in which access cards have to be used for the system to grant access.

Anti-passback controls may also be achieved by linking access control to various other access systems, such as information systems and other physical access controls.
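The sequence rule described above can be shown with a small state tracker. This is an added example, not part of the original guidance or any vendor's EACS; the class name, reader labels, and card numbers are hypothetical, and the events are constructed sample data.

```python
from dataclasses import dataclass, field

OUTSIDE, INSIDE = "outside", "inside"

@dataclass
class AntiPassbackController:
    """Hypothetical hard anti-passback for one area with entry and exit readers."""
    authorised: set
    location: dict = field(default_factory=dict)    # card_id -> OUTSIDE / INSIDE
    violations: list = field(default_factory=list)  # (card_id, reader, reason)

    def present(self, card_id, reader):
        """Return True if the door should release for this card at this reader."""
        if reader not in ("entry", "exit"):
            raise ValueError(f"unknown reader type: {reader}")
        if card_id not in self.authorised:
            self.violations.append((card_id, reader, "unknown card"))
            return False
        state = self.location.get(card_id, OUTSIDE)
        # The card must be outside to use an entry reader and inside to use an exit reader.
        required = OUTSIDE if reader == "entry" else INSIDE
        if state != required:
            self.violations.append((card_id, reader, f"card already {state}"))
            return False
        self.location[card_id] = INSIDE if reader == "entry" else OUTSIDE
        return True

# Constructed sample events: (card_id, reader)
SAMPLE_EVENTS = [
    ("C-1001", "entry"),  # first use: granted
    ("C-1001", "entry"),  # card passed back and reused without an exit: denied
    ("C-1002", "exit"),   # holder followed someone in and never badged in: denied
    ("C-1001", "exit"),   # correct next step in the sequence: granted
    ("C-1001", "entry"),  # re-entry after a recorded exit: granted
    ("C-9999", "entry"),  # card not enrolled: denied
]

def run_antipassback_sample():
    ctl = AntiPassbackController(authorised={"C-1001", "C-1002"})
    decisions = [ctl.present(card, reader) for card, reader in SAMPLE_EVENTS]
    return decisions, ctl.violations

if __name__ == "__main__":
    decisions, violations = run_antipassback_sample()
    print(decisions)
    for v in violations:
        print("violation:", v)
```

The violations list is the part worth reviewing in an audit, since each entry is a card used out of sequence.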


Using a two-person access system to protect highly valuable information and physical assets

Some EACS can be enabled to only allow access to areas when two people are present and will activate an alarm if one leaves the area. This feature is known as a ‘no-lone-zone’. It requires two authorised people to access and exit a designated area.

Consider using a two-person access system when you need to protect very highly or extremely valuable information and physical assets.
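The occupancy rule behind a no-lone-zone can be sketched as follows. This is an added example, not part of the original guidance or any product's logic; the class, method names, and card numbers are hypothetical, and it assumes a third authorised person may join an area that is already occupied by two.

```python
class NoLoneZone:
    """Hypothetical occupancy tracker for one two-person area."""

    def __init__(self, authorised):
        self.authorised = set(authorised)
        self.occupants = set()
        self.alarms = []  # (reason, cards involved)

    def enter(self, *cards):
        presented = set(cards)  # a set, so one card shown twice counts once
        if not presented or not presented <= self.authorised:
            self.alarms.append(("unauthorised card presented", sorted(presented)))
            return False
        # Nobody may end up alone: an empty area needs two distinct cards together.
        if len(self.occupants | presented) < 2:
            return False
        self.occupants |= presented
        return True

    def leave(self, *cards):
        leaving = set(cards) & self.occupants
        if not leaving:
            return False
        self.occupants -= leaving
        # Alarm when a departure leaves exactly one person behind.
        if len(self.occupants) == 1:
            self.alarms.append(("lone occupant", sorted(self.occupants)))
        return True

def run_no_lone_zone_sample():
    # Constructed sample sequence of entries and exits.
    zone = NoLoneZone(authorised={"C-2001", "C-2002", "C-2003"})
    decisions = [
        zone.enter("C-2001"),            # one person into an empty area: refused
        zone.enter("C-2001", "C-2001"),  # same card twice is still one person: refused
        zone.enter("C-2001", "C-2002"),  # two authorised people together: granted
        zone.enter("C-2003"),            # third person joins an occupied area: granted
        zone.leave("C-2003"),            # two remain: no alarm
        zone.leave("C-2002"),            # one remains: alarm raised
        zone.leave("C-2001"),            # area now empty
    ]
    return decisions, zone.alarms

if __name__ == "__main__":
    print(run_no_lone_zone_sample())
```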


Implementing an identity card system

Identity (ID) cards allow you to quickly recognise people who work for your organisation.

You must use ID cards in all facilities with security zones 3 to 5.

You should issue ID cards to all people who have regular access to your facilities and meet your personnel security requirements.

Establish high-quality processes first

To build an ID system of high integrity, you need robust processes for verifying identities, and for registering, enrolling, issuing, and auditing ID cards. Consider conducting a privacy impact assessment.

Verify all identities

Before you issue an ID card, you must verify the person’s identity.

You should sight each person’s:

  • government-issued credentials with photographic or biometric identity features and a signature
  • evidence of other identity verification documentation
  • evidence of residential address.

For examples of each form of evidence, go to Proof of identity.

If your organisation already has information that verifies a person's identity, you can streamline the process. However, make sure the potential ID cardholder provides government-issued credentials with a photo and a signature.

Verify security clearance holders

When an ID card will grant access to areas requiring a security clearance, or indicate that the holder has a security clearance, you must independently verify the details of their clearance (including when it expires or is due for revalidation) before you issue an ID card.

Follow good practice

Your ID cards should:

  • be worn and clearly displayed at all times in your premises
  • be uniquely identifiable
  • include a return address for lost cards
  • not identify the facility to which the card gives access
  • not be worn outside your premises
  • be audited regularly in line with your risk assessment.

Within a zone 2 or higher area, remember to protect your:

  • card making equipment
  • spare, blank, or returned cards.

You can include other information on ID cards to improve your control of access, such as names, photographs, and colours.

Using EACS access cards as ID cards is not recommended, particularly in high security or high-risk areas.

Page last modified: 2/10/2018