Specific security measures

Learn more about the use of specific security measures

PHY056

The following guidance describes the use of specific security measures.

Remember that physical security is a combination of physical and procedural measures. You should develop policies that support your physical security measures and control their use.


Using NZSIS-approved products

PHY021

Protect your organisation’s people, information, and assets by using approved security products from the New Zealand Security Intelligence Service (NZSIS).

The NZSIS tests and approves security products that:

  • safeguard protectively-marked information with a Business Impact Level (BIL) of high or above
  • prevent widespread loss of life
  • require specialist testing.

If you’re a government organisation, you must use NZSIS-approved products when they’re necessary to meet security zone requirements and mitigate risks you’ve identified in your risk assessment.

These approved items are listed in the NZSIS Approved Products List (APL). The information in the list is classified.

If your organisation wants to use NZSIS-approved products and similar commercial equipment for lower level security needs, your chief security officer (CSO) must get advice from the NZSIS first.


Perimeter access controls

PHY022

Restricting access to your facilities with perimeter access controls can help your organisation to reduce threats.

Some types of perimeter access controls are:

  • fences and walls
  • pedestrian barriers
  • vehicle barriers.

Work out if your organisation needs perimeter access controls during your security risk assessment and before you complete any site selection process.

Pedestrian barriers are used to restrict access through fences or walls by controlling the entry and exit points.

Examples of pedestrian barriers are:

  • locked gates
  • gates connected to electronic access control systems (EACS) or alarm systems
  • guard stations.

Vehicle barriers are used to prevent hostile vehicle attacks. Vehicle related threats range from vandalism to sophisticated or aggressive attacks by determined criminals or terrorists.

Examples of vehicle barriers are:

  • gates
  • retractable barriers or bollards
  • fences and walls
  • bunds and berms.

More information on selecting the right fixed barrier for your needs:

Fences and walls are used to define and secure the perimeter of a facility.

Fences might not be practical in urban environments, particularly in central business districts.

The level of protection a fence gives depends on its:

  • height, construction, material, and access control method
  • any additional features used to increase its performance or effectiveness, such as topping, lighting, or connection to an external alarm or CCTV system.

If you choose to use fences or walls to deter unauthorised access, you must develop supporting procedures for:

  • monitoring and maintaining the fences or walls
  • monitoring the grounds for unauthorised access.

Make sure any access points are at least as strong as any fence or wall you use.



Building construction

PHY023

Before your organisation leases or constructs any premises, assess the construction methods and materials to find out if they will give the protection you need.

Increasing the level of building security afterwards may be expensive or impossible.

Typically, buildings are constructed to the New Zealand Building Code. Some older buildings may not meet this code.

Domestic construction provides little protection from unauthorised access. Intrusion for theft is the most common type of unauthorised access. Skilled covert access is normally very hard to detect in domestic situations.

Standard commercial offices normally provide more perimeter protection than domestic buildings. However, internal walls, false ceilings, and other common building techniques reduce your ability to protect information and physical assets.

Most commercial office spaces are only suitable for protecting assets and information with a Business Impact Level (BIL) of medium or below.

Slab-to-slab construction prevents access through false ceilings. The walls are joined directly to the floor and to the bottom of the next floor or the roof structure.

Where you must use slab-to-slab construction

Your organisation must use slab-to-slab construction at the perimeter of security zones, including all access points.

For details on slab-to-slab construction methods, see the NZSIS Technical Note - Physical Security of Intruder Resistant Areas. This note is classified.

Structural changes can affect the integrity of buildings, so seek structural engineering advice before you implement slab-to-slab construction.

When you can go without slab-to-slab construction (with care)

Your access points for zone 1 and zone 2 may vary between business hours and after hours. For example, they may move from internal points (such as controlled office entry points) during business hours to the perimeter of the building or premises (such as the main door) after hours.

You can use access points for zone 2 during business hours without slab-to-slab construction when the out-of-hours access point has slab-to-slab construction.

Alternatively, you can install an intruder-resistant layer in the ceiling, such as steel mesh, to address the problem of removable false ceiling panels when you need intrusion delays for specific rooms.

Be aware that these measures don’t give any protection from over-hearing, so you must not use them where you need speech security.

You can also use tamper-evident building techniques to provide some indication of unauthorised access.

For information on constructing zone 3 and zone 4 areas to store protectively-marked information or aggregations of information with a Business Impact Level (BIL) of very high damage, refer to NZSIS Technical Note - Physical Security of Secure Areas.

As this technical note is a classified document, contact the PSR team for more information.

For information on constructing zone 5 areas to store TOP SECRET information or aggregations of information with a Business Impact Level (BIL) of catastrophic damage, refer to NZSIS Technical Note - Physical Security of Zone 5 Areas.

As this technical note is a classified document, contact the PSR team for more information.

If your risk assessment shows you need to add building elements to address specific risks, building hardening may provide some level of mitigation.

Some examples of building hardening are:



Alarm systems

PHY024

Alarm systems can provide early warning of unauthorised access to your facilities.

However, an alarm system is only of value when you use it alongside other measures designed to detect an intrusion attempt, delay an intruder’s progress, and give you time to respond. Your alarm systems must be monitored and linked to a predetermined response.

Alarm systems can be broadly divided into two types:

  • a perimeter (or external) intrusion detection system (PIDS) or alarm
  • an internal security alarm system (SAS).

Alarm systems may be single sector or sectionalised to give coverage to specific areas of risk. Sectionalised alarm systems allow greater flexibility because highly sensitive areas can remain secured when not in use and other parts of the facility are open.

A PIDS can be valuable for organisations with facilities enclosed in a perimeter fence because it will give early warning of unauthorised breaches.

Your organisation should seek specialist advice when designing and installing PIDS.

For alarm systems in zone 3 and above, your organisation must have:

  • direct management and control
  • appropriately cleared and trained staff as privileged operators and users.

In zone 3, you may use guard patrols instead of an alarm system outside of usual work hours. For more information, go to Visitor Control (Out-of-hours guarding).

In lower zones, you should manage and administer your alarm systems directly, but you can outsource operational functions, such as monitoring and maintenance.

You can use guard patrols instead of an alarm system outside of usual work hours. For more information, go to Visitor Control (Out-of-hours guarding).

Your organisation should ensure all personal identification numbers (PINs) for arming and disarming alarm systems are:

  • uniquely identifiable to an individual
  • not recorded by the individual
  • regularly changed in line with your risk assessment.

Your people must advise your chief security officer (CSO) straight away if they suspect any PINs have been compromised. Your CSO must disable the PIN and investigate any potential security breach.

For more information, go to Reporting incidents and conducting security investigations.

You must remove the default/engineering/installer user codes from alarm systems at commissioning.

For zones 3 and above, the engineering/installer codes must only be known to appropriately cleared personnel who have access to the zone.

When you need to give the code to others for maintenance purposes, you must change the codes as soon as the maintenance work is finished.

Your organisation should develop appropriate testing and maintenance procedures to ensure your alarm system is continually operational.

Security alarm systems are used to protect information and assets. To choose the right SAS, consider the:

  • level of the zone you need to protect
  • complexity of the zone's layout
  • security level of the information or assets you need to protect.

Also refer to Security zone requirements [PDF, 94 KB].

Five classes of SASs are defined in AS/NZS 2201.1:2007 Intruder alarm systems - Client's premises - Design, installation, commissioning and maintenance. You must only use alarm systems that comply with this standard.

The five classes and their uses are:

  • Class 1 and 2: base-level systems only suitable for domestic use.
  • Class 3: mid-level systems suitable for protecting normal business operations in most organisations.
  • Class 4: mid-level systems suitable for protecting normal business operations in most organisations; and when used with detection devices and other controls, suitable for protecting information and physical assets in a Zone 3.
  • Class 5: high security commercial alarm system suitable for protecting information and physical assets with a BIL lower than catastrophic.

You must develop procedures for using, managing, monitoring, and responding to an alarm system. When possible, adopt the administration and management principles set out in the NZSIS SAS Implementation and operation guide (under development).

Any contractors employed to maintain a SAS should be cleared to a level appropriate to the information to which they could reasonably be expected to have incidental access in the zones covered by the alarm system.

Use a suitably qualified designer or installer to design and commission any commercial alarm systems.

Make sure each different security zone is a separate alarm section (area) or have a separate alarm system for each zone.

When possible, configure your alarm systems to continuously monitor detection devices in high-risk areas. For example, irregularly accessed areas, roof spaces, inspection hatches, and under-floor cavities.


When an NZSIS-approved SAS is not mandatory, your organisation should determine:

  • whether a commercial SAS is required at your facilities, including any temporary sites, as part of your risk mitigation strategies
  • the specifications for any such system
  • whether alternative security methods, such as guard patrols, are required as part of your risk mitigation strategies.

Consider whether you need guard patrols as well as an SAS to satisfactorily mitigate your risks.

Zone 2

If you use a commercial SAS in zone 2, it must meet or better the following standard: AS/NZS 2201.1:2007 Intruder alarm systems - Client's premises - Design, installation, commissioning and maintenance - Class 3.

Zone 3

A SAS used in zone 3 must be separate from all other systems including access control and building management systems.

If you use a commercial SAS in zone 3, it should meet or better the following standard: AS/NZS 2201.1:2007 Intruder alarm systems - Client's premises - Design, installation, commissioning and maintenance - Class 4.

Zone 4

A SAS used in zone 4 must meet or better the following standard: AS/NZS 2201.1:2007 Intruder alarm systems - Client's premises - Design, installation, commissioning and maintenance - Class 5, or be an NZSIS-approved SAS.

A SAS used in zone 4 must be separate from all other systems including access control and building management systems.

Any detection devices used with the SAS must be approved by the NZSIS.

Also refer to NZSIS Guidelines on equipment selection and the Approved Products List.

Zone 5

NZSIS-approved alarm systems must be used for zone 5.

Any detection devices used with the SAS must be approved by the NZSIS.


Individual alarm options

PHY025

Individual alarms can protect people and vehicles from harm.

In some situations, building alarm systems or other facility-wide measures might not give all the protection your people and assets need. For example, when you need to protect:

  • people working away from the office
  • areas with a high potential for personal violence
  • valuable physical assets in public areas
  • valuable assets stored in vehicles used for work purposes.

Several individual alarm options are available to supplement your security measures, including:

  • duress alarms (fixed, hidden, and mobile options)
  • individual item alarms or alarm circuits
  • vehicle alarms.

Duress alarms enable your people to call for help in response to a threatening incident.

To get fewer false alarms, choose duress alarms that are activated by dual-action buttons (users need to press two separate buttons to trigger the alarm).

Fixed duress alarms are individual alarms that are monitored remotely. They’re normally hardwired and fixed to a location.

Consider equipping your public contact areas with duress alarms if your organisation’s risk assessment has identified a potential problem. Public contact areas include reception areas, counters, and interview rooms.

Hidden duress alarms should:

  • enable your people to raise an alarm discreetly
  • be augmented by procedures that provide an appropriate response.

AS/NZS 2201.1:2007 Intruder alarm systems - Client's premises - Design, installation, commissioning and maintenance is the standard you must comply with when you configure duress alarms as part of an intruder alarm system. The same standard governs where the alarm panel is located within the protection zones of the alarm system.

You need to ensure that your people are aware of any duress alarms, have regular training, and participate in trials so they know what to do in a real situation.

Mobile or individual duress alarms help to deter violence towards your people. They’re suitable for times when your people are outside the office or circulating in public areas.

Personal duress alarms fall into two broad categories:

  • alarms that are monitored remotely
  • alarms that produce loud noise when activated.

Remotely monitored alarms are suitable for use within facilities where there is a dedicated monitoring and response force. The alarms consist of a personal alarm transmitter linked to the facility or a separate alarm system.

Noise-producing alarms rely on the response of bystanders. They are more suitable than monitored duress alarms when there could be considerable delay in response to the alarm.

You can use noise-producing alarms within your facility when you need people in the immediate area to notice an incident as soon as it happens.

When you can’t easily protect valuable items using normal alarm systems (particularly when they’re in public areas, such as exhibitions), two options to consider are:

  • installing a separate alarm system to monitor individual items
  • installing an individual item alarm circuit.

Some alarm sensor types that may be suitable are:

  • pressure switches
  • motion sensors
  • closed-circuit television (CCTV) activated alarms
  • radio frequency identification (RFID) tag systems.

Seek specialist advice when you’re designing alarm systems for individual items.

Consider installing vehicle alarms if your people need to work from vehicles and those vehicles contain large quantities of valuable equipment.

Most vehicle alarms rely on noise to deter intruders. However, if the vehicle driver is outside hearing range, these kinds of alarms rely on a response from bystanders.

When the Business Impact Level of the information or assets in the vehicle, or the vehicle itself, is high or above, consider fitting vehicle alarms that are monitored remotely.

Remote vehicle alarms can also be linked to remote vehicle tracking and immobilisation systems.


Access control systems

PHY026

Use access control systems to prevent unauthorised access.

An access control system is a measure or group of measures designed to:

  • allow authorised personnel, vehicles, and equipment to pass through protective barriers
  • prevent unauthorised access.

Access control can be achieved in several ways. The most common ways are:

  • using psychological or symbolic barriers — for example, Crime Prevention Through Environmental Design (CPTED)
  • positioning security staff at entry and exit points
  • positioning security staff at central points and having them monitor and control entry and exit points using intercoms, videophones, CCTV cameras, and similar devices
  • installing mechanical locking devices operated by keys or codes
  • using electronic access control systems (EACS).

Access control systems should provide identity validation using authentication factors about:

  • what you have — keys, identity (ID) cards, and passes
  • what you know — personal identification numbers (PINs)
  • who you are — visual recognition, biometrics, and so on.

Your organisation must use EACS when there are no other suitable identity verification and access control measures in place.

EACS can be used along with other personnel and vehicle access control measures.

Get expert help

Your organisation should:

  • seek specialist advice before selecting EACS
  • use a designer or installer recommended by the manufacturer to design and commission EACS.

Follow good practice

Your organisation must verify the identity of every potential cardholder before you issue them with access cards for your EACS.

You must also audit regularly to check who has access to your EACS. You need to find out who still needs access, and disable or remove access for people who no longer need it or have left your organisation.

You can use sectionalised EACS to control access to specific areas in your facility. The sections of EACS are normally the same as the sections of your alarm systems, but they may have extra operational access control points not covered by your individual alarm sections.

EACS should typically start at zone 2 perimeters, but may be used in zone 1 (for example, to control access to car parking).

Keep your EACS software and hardware up to date. Ensure your software is updated to address known vulnerabilities. Consider updating EACS cards and readers as they age and become vulnerable to new threats.


Meet the highest threat and risk level

When you implement EACS to cover a whole facility (on their own or with other access control measures), design them to meet the highest perceived threat and risk level.

If you use multiple EACS along with other access control measures, design each system to meet the highest perceived threat and risk level in the areas covered by the system.

When you use anti-passback controls, cardholders can’t pass their cards to another person to use and tailgaters can’t get through. This control system is valuable for preventing unauthorised access to highly secure environments.

Anti-passback establishes a specific sequence in which access cards have to be used for the system to grant access.

Anti-passback controls may also be achieved by linking access control to various other access systems, such as information systems and other physical access controls.

Some EACS can be enabled to only allow access to areas when two people are present and will activate an alarm if one leaves the area. This feature is known as a ‘no-lone-zone’. It requires two authorised people to access and exit a designated area.

Consider using a two-person access system when you need to protect very highly or extremely valuable information and physical assets.
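The anti-passback sequence rule and the no-lone-zone rule described above can be expressed as checks over door transactions. The following is an added illustration, not code from this guidance or from any EACS product; the class, the area names, and the choice to deny out-of-sequence swipes outright are assumptions, and the events are constructed.

```python
from dataclasses import dataclass, field

OUTSIDE = "outside"  # assumed label for anywhere beyond the controlled perimeter


@dataclass
class Eacs:
    """Toy controller that tracks the area each card was last admitted to."""
    no_lone_zones: frozenset = frozenset()
    location: dict = field(default_factory=dict)  # card id -> current area
    alarms: list = field(default_factory=list)    # (kind, detail) tuples

    def occupants(self, area):
        return sorted(c for c, a in self.location.items() if a == area)

    def request(self, cards, src, dst):
        """One door transaction: `cards` presented at a reader in `src`
        for a door leading to `dst`. Returns (granted, reason)."""
        cards = list(dict.fromkeys(cards))  # the same card counts once
        # Anti-passback: a card is only valid in the area the system
        # believes it is in, so cards must be used in sequence.
        for card in cards:
            believed = self.location.get(card, OUTSIDE)
            if believed != src:
                self.alarms.append(
                    ("anti-passback",
                     f"{card} used in {src}, recorded in {believed}"))
                return False, "anti-passback"
        # No-lone-zone entry: nobody may end up alone inside the area.
        if dst in self.no_lone_zones and \
                len(self.occupants(dst)) + len(cards) < 2:
            return False, "two-person rule"
        for card in cards:
            if dst == OUTSIDE:
                self.location.pop(card, None)
            else:
                self.location[card] = dst
        # No-lone-zone exit: alarm when exactly one person is left behind.
        if src in self.no_lone_zones and len(self.occupants(src)) == 1:
            self.alarms.append(
                ("no-lone-zone", f"{self.occupants(src)[0]} alone in {src}"))
            return True, "granted, lone occupant alarm"
        return True, "granted"


# Constructed sample transactions: (cards presented, reader area, door leads to)
EVENTS = [
    (["alice"], OUTSIDE, "office"),           # normal entry
    (["alice"], OUTSIDE, "office"),           # card handed back and reused
    (["bob"], "office", OUTSIDE),             # bob followed alice in unbadged
    (["alice"], "office", "vault"),           # single person at a no-lone-zone
    (["carol"], OUTSIDE, "office"),           # normal entry
    (["alice", "carol"], "office", "vault"),  # two-person entry
    (["carol"], "vault", "office"),           # leaves alice alone in the vault
]


def replay(events, no_lone_zones=("vault",)):
    """Run the transactions in order; return the decisions and raised alarms."""
    eacs = Eacs(no_lone_zones=frozenset(no_lone_zones))
    decisions = [eacs.request(cards, src, dst) for cards, src, dst in events]
    return decisions, eacs.alarms


if __name__ == "__main__":
    decisions, alarms = replay(EVENTS)
    for event, decision in zip(EVENTS, decisions):
        print(event, "->", decision)
    print(alarms)
```

The third transaction shows why anti-passback also catches tailgating: a person who entered without badging is still recorded as outside, so their card is out of sequence at the next reader.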

Identity (ID) cards allow you to quickly recognise people who work for your organisation.

You must use ID cards in all facilities with security zones 3 to 5.

You should issue ID cards to all people who have regular access to your facilities and meet your personnel security requirements.

Establish high-quality processes first

To build an ID system of high integrity, you need robust processes for verifying identities, and for registering, enrolling, issuing, and auditing ID cards. Consider conducting a privacy impact assessment.

Verify all identities

Before you issue an ID card, you must verify the person’s identity.

You should sight each person’s:

  • government-issued credentials with photographic or biometric identity features and a signature
  • evidence of other identity verification documentation
  • evidence of residential address.

For examples of each form of evidence, go to Proof of identity.

If your organisation already has information that verifies a person's identity, you can streamline the process. However, make sure the potential ID cardholder provides government-issued credentials with a photo and a signature.

Verify security clearance holders

When an ID card will grant access to areas requiring a security clearance, or indicate that the holder has a security clearance, you must independently verify the details of their clearance (including when it expires or is due for revalidation) before you issue an ID card.

Follow good practice

Your ID cards should:

  • be worn and clearly displayed at all times in your premises
  • be uniquely identifiable
  • include a return address for lost cards
  • not identify the facility to which the card gives access
  • not be worn outside your premises
  • be audited regularly in line with your risk assessment.

Within a zone 2 or higher area, remember to protect your:

  • card making equipment
  • spare, blank, or returned cards.

You can include other information on ID cards to improve your control of access, such as names, photographs, and colours.

Using EACS access cards as ID cards is not recommended, particularly in high security or high-risk areas.


Alarm system and other building management systems interoperability

PHY027

Interoperable systems must be designed carefully to avoid creating vulnerabilities.

Implementing interoperability between security alarm systems (SASs) and other building management systems can increase the threat of unauthorised system access and penetration.

Examples of other building management systems or external integrated systems (EISs) are:

  • building management systems (BMSs)
  • closed-circuit television (CCTV)
  • electronic access control systems (EACS).

When you interconnect systems, ensure your SAS cannot be controlled or disabled by any of your interconnected systems.

Your IT security team should review the implementation of any interconnection.

Interoperability in security zones 1 and 2

SASs suitable for Zone 1 and Zone 2 applications may include fully integrated EACSs as a single system.

Interoperability in security zones 3 and above

For zone 3 and higher, your SAS and EISs must be separate and independent from each other. Any interoperability must not allow the SAS to be controlled or disabled by the EIS.

Interoperability with EISs

Designers of EIS or sub-systems need to secure the EIS to prevent unauthorised access or manipulation, especially when it is interconnected with an SAS. EISs should be designed with appropriate logical and physical controls.


Locks, key systems, and doors

PHY028

Choose the right hardware to protect your information and assets.

Your organisation must secure all access points to your premises, including doors and operable windows, using commercial grade or NZSIS-approved locks and hardware. These locks may be electronic, combination, or keyed.

You must give combinations, keys, and electronic tokens the same level of protection as the most valuable information or physical asset contained by the lock.

You must use NZSIS-approved locks and hardware in security zones 4 and 5 (refer to NZSIS Guidelines on equipment selection and the Approved Products List).

Use suitable commercial locking systems in other areas.

Locks can deter or delay unauthorised access to information and physical assets.

However, locks are only as strong as the fittings and hardware surrounding them. So assess the level of protection you need from doors and frames when you’re selecting locks.

Protecting lock combination settings

Your chief security officer (CSO) should manage the security of your lock combinations.

Your people must memorise lock combination settings. Make sure you keep only one written record of each setting, for use in an emergency.

Keep the record of the combination in an appropriately sealed envelope and protect it in a container. Protectively mark the envelope with the highest security classification of the material protected by the lock.

Follow the lock manufacturer's instructions when you use or service combination locks.

When to change settings

You must change lock combination settings:

  • when you first receive a container
  • after a lock is serviced
  • after a change of custodian or other person who knows the combination
  • when there is reason to believe the setting has been, or may have been, compromised
  • at least every 6 months
  • when a container is disposed of, by resetting the lock to the manufacturer's settings.

When to report a security breach

Your people must immediately report the compromise or suspected compromise of a combination setting to your CSO. For more information, go to Reporting incidents and conducting security investigations.

If you use a keying system, design it to prevent unauthorised people from making duplicate keys or using common techniques to compromise it.

Keying systems should include security measures. For example:

  • legal controls, such as registered designs and patents
  • physical controls that make it difficult for people to get or manufacture blank keys or the machinery used to cut duplicate keys
  • controls that protect against techniques like picking, bumping, impressioning, and decoding.

Choosing a keying system

When you’re choosing a keying system, consider the following questions:

  • What level of protection does the system provide against common forms of compromise?
  • What is the length of legal protection the manufacturer offers?
  • What level of protection can the supplier provide for your keying data within their facility?
  • How transferable is the system and are there any associated costs?
  • What are the costs for commissioning and on-going maintenance?

Complying with security zone requirements

In zone 1, use restricted keying systems when there is a risk of theft.

In zone 2, you must use commercial restricted keying systems. That means using keys that aren’t easy to copy or combination locks.

In zones 3 to 5, you must use NZSIS-approved keying systems. If your risk assessment shows it’s necessary, use approved systems in other zones too.

For more information, go to the NZSIS Guidelines on equipment selection and the Approved Products List.

Using mastered key systems

If you use a mastered key system, it must have enough levels to allow you to have separate area master keys to control any:

  • locks within an electronic access control system (EACS)
  • alarm system control points.

The following image outlines how mastered key systems allow you to separate and protect different areas.

You must maintain a register of all keys that you hold and issue. Ensure your key register is secure and only allow authorised employees to access it.

Your key register should include the following details:

  • key number
  • name, position, and location of person holding the key
  • date and time issued
  • date and time returned or reported lost.

Keeping master keys secure

Strictly control your master keys and limit the number of them.

Because grand master keys may give access to all areas of a facility, your CSO should control the issuing of them.

Audit your key register regularly to confirm the location of all keys. Losing a master key may mean you need to re-key all locks under that master.
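A key register audit of the kind described above reconciles the register against where each key is actually sighted. The sketch below is an added example, not part of this guidance; it uses the register fields listed earlier, while the function name, the `masters` mapping of master keys to locks, and all sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

CABINET = "cabinet"  # assumed label for a key sighted in the key cabinet


@dataclass
class RegisterEntry:
    key_number: str
    holder: str                       # name, position, location of the holder
    issued: datetime                  # date and time issued
    returned: Optional[datetime] = None
    reported_lost: Optional[datetime] = None


def audit_keys(register, sighted, masters, all_keys):
    """Compare the register with a physical sighting of every key.

    register : list of RegisterEntry (full issue history)
    sighted  : key number -> CABINET or the name of the person holding it
    masters  : master key number -> locks under that master (hypothetical)
    all_keys : every key number that exists in the keying system
    """
    latest = {}
    for entry in sorted(register, key=lambda e: e.issued):
        latest[entry.key_number] = entry  # most recent issue wins

    findings = {"lost": [], "unlocated": [], "wrong_holder": [], "rekey": []}
    for key in sorted(all_keys):
        entry = latest.get(key)
        if entry is not None and entry.reported_lost:
            findings["lost"].append(key)
            continue
        # Never issued, or issued and returned: the key belongs in the cabinet.
        if entry is None or entry.returned:
            expected = CABINET
        else:
            expected = entry.holder
        seen = sighted.get(key)
        if seen is None:
            findings["unlocated"].append(key)
        elif seen != expected:
            findings["wrong_holder"].append((key, expected, seen))

    # A lost or unlocated master puts every lock under it in question.
    for key in findings["lost"] + findings["unlocated"]:
        for lock in masters.get(key, []):
            if lock not in findings["rekey"]:
                findings["rekey"].append(lock)
    return findings


# Constructed sample data
REGISTER = [
    RegisterEntry("K001", "A. Ngata", datetime(2024, 3, 1, 9, 0),
                  returned=datetime(2024, 3, 1, 17, 0)),
    RegisterEntry("K002", "B. Singh", datetime(2024, 3, 4, 8, 30)),
    RegisterEntry("K003", "D. Brown", datetime(2024, 3, 4, 8, 45)),
    RegisterEntry("AM01", "C. Lee", datetime(2024, 2, 20, 10, 0),
                  reported_lost=datetime(2024, 3, 5, 14, 0)),
]
ALL_KEYS = {"K001", "K002", "K003", "K004", "AM01"}
SIGHTED = {"K001": CABINET, "K002": "B. Singh", "K003": "E. Taylor"}
MASTERS = {"AM01": ["door-2.01", "door-2.02", "comms-room"]}

if __name__ == "__main__":
    for kind, items in audit_keys(REGISTER, SIGHTED, MASTERS, ALL_KEYS).items():
        print(kind, items)
```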

Removing master keys from your facilities

Keys to security zones 4 and 5 should not be removed from your facilities.

Keys to security containers must not leave your facilities, except in cases of emergency.

For zones 1 to 3, base any decisions about allowing keys to be removed from your facilities on your risk assessment. Removing keys significantly increases the risk of loss.

When you allow a key to be removed, make sure:

  • a manager approves the removal
  • you increase the frequency of your key audits.

Ensure everyone in your organisation knows and follows your key management policy.

Locate key cabinets within your facility's secure perimeter and, where possible, within the perimeter of the zone where your locks are located.

Key cabinets may be either manual or electronic.

Commercial grade key cabinets provide very little protection from forced or covert access.

Electronic key cabinets

Electronic key cabinets may have an automatic audit capacity and replace the need to maintain a key register.

In some cases, electronic key cabinets can be integrated into an EACS. Most commercial grade electronic key cabinets are not suitable for high security applications. Guidance on selecting electronic key cabinets can be found in the NZSIS Security Product Guide - Electronic Key Cabinets. This guidance is classified. Contact the PSR team for more information.

However, there are currently no electronic key containers suitable for high security applications, unless they’re used along with other control measures, such as locating the key container within a security room or area covered by a security alarm.

Electronic key cabinets protecting keys in Zone 3 areas and above, or Class C security containers, must be listed in the NZSIS Approved Products List (APL). The information in the list is classified. Contact the PSR team for more information.

Select doors that provide a similar level of protection to the locks and hardware you’ve fitted.

Incorporate any requirements of the New Zealand Building Code and any disability access requirements.

Door types and thicknesses for zones 3 to 4 are specified in the NZSIS Technical Note - Physical Security of Secure Areas. Door types and thicknesses for zone 5 are specified in the NZSIS Technical Note - Physical Security of Zone 5 Areas. Both these notes are classified. Contact the PSR team for more information.

Types of doors

Commercial office doors vary significantly. Some examples of different types are:

  • solid core timber
  • composite timber
  • metal framed insert panel
  • metal clad solid core or hollow core
  • glass swing opening
  • rotating glass
  • glass sliding: single and double.

Solid core wood or metal clad doors may have glass or grill insert panels. The panels and fixings must provide the same level of protection as the door.

Automatic sliding glass doors normally operate through an electric motor and guide fitted to the top of the door. Some of these doors, particularly when unframed, may be levered open either at the centre joint for double sliding doors or sides for double and single sliding doors. This can make them difficult to secure without fitting drop bolts, lower guides, and/or door jambs.

Domestic hollow core doors (used for most internal domestic doors) and domestic sliding glass doors provide negligible delay as they are easily forced. However, if you fit them with appropriate locks, they’ll give some evidence of an intrusion when broken.


Closed-circuit television

PHY029

Consider using CCTV when your organisation is developing 'security in depth' for a site.

CCTV is a visual deterrent to unauthorised access, theft, or violence. It can be used to cover:

  • site access points, including internal access to higher security zones
  • site perimeters
  • access to specific physical assets or work areas.

CCTV also gives a visual record of access for audit purposes.

Considering CCTV

The benefits of CCTV may include being able to:

  • monitor event-activated alarms
  • use it along with a security alarm system (SAS) to help those responsible for responding to the alarm
  • use it along with an access control system to aid personal identification for remote site entry control
  • use motion detectors
  • use visual analytics (suspicious package detection).

However, a CCTV system can be a significant capital cost. On-going monitoring, maintenance, and support costs may also be high.

You will also have to comply with all relevant jurisdictional legislation governing CCTV usage. For information about complying with the Privacy Act 2020, refer to the Privacy Commission’s guide: Privacy and CCTV: A Guide to the Privacy Act for Businesses, Agencies and Organisations.

Other considerations on the use of CCTV include:

  • how its use fits into your overall security plan for the site
  • which types of security incidents you anticipate and what your expected response to those incidents might be
  • how you will advise your people and visitors that it is in use on the premises
  • what your functional requirements are.

If you will use CCTV to support criminal proceedings, the quality of images or data should be suitable for use as evidence.

Be aware that:

  • computers used to store CCTV images may require significant memory space
  • excessive compression of data may severely affect the quality of images stored.

You should also consider how long you will need to retain the images.

Seek specialist advice before you design and install a CCTV system to ensure the proposed system meets your needs.


Security lighting

PHY030

Use lighting to enhance physical security at your site.

Lighting can make an important contribution to physical security. It can be used inside and outside your facility to reduce risks and increase safety.

When you’re designing a site, consider what you need to achieve with your security lighting. For example, you might need to:

  • deter unauthorised entry
  • help guards conduct patrols
  • illuminate areas with CCTV coverage
  • provide employees with safety lighting in car parks.

Motion detection devices can also be set up, so any detected movement activates lighting or CCTV (or both). Make sure any lighting you use meets the illumination requirements of any CCTV systems you have installed.


Security containers and cabinets

PHY031

Choose the right containers and cabinets to keep information and assets secure.

You must secure official information, valuable physical assets, and money in containers that are appropriate to their Business Impact Level (BIL).

When you’re selecting security containers and cabinets, evaluate the potential risks to the information or assets they will hold, such as theft, damage, or unauthorised access.

Factors that will affect the class of security container you need include:

  • the level of protective marking on information or assets
  • the BIL
  • the location of the information or physical assets within a facility (refer to Zone requirements [PDF, 94 KB])
  • the structure and location of your building
  • your access control systems
  • other physical protection systems you use (for example: locks, alarms, and outer zone security).

More guidance on choosing secure containers

  • Table - Selecting security containers or rooms for storing official information

Whenever possible, avoid placing security containers against security zone perimeters with lower levels of protection. Doing so could allow an intruder to bypass the additional security features of the more secure zone.

Ensure valuable physical assets that contain official information, such as computers and other ICT equipment, are protected from whichever has the higher BIL:

  • the compromise of aggregated information in the physical asset
  • the loss of the physical asset itself.

When possible, store protectively-marked information separately from other physical assets. This separation will:

  • lower the likelihood of information being compromised if physical assets are stolen
  • help investigators determine the reason for any incidents involving unauthorised access.

NZSIS-approved security containers are designed for storing protectively-marked information. Use an approved container when the level of protectively-marked material requires it.

NZSIS-approved security containers provide:

  • a high level of tamper evidence from a covert attack
  • a significant delay in the event of a clandestine attack
  • limited protection from a forcible attack.

NZSIS-approved containers come in three classes according to the level of protection they give.

Class A containers

These containers are designed to protect information with a BIL of extreme or catastrophic in high-risk situations.

Class A containers are extremely heavy and may not be suitable for use in buildings with limited floor loadings.

Class B containers

These containers are designed to protect information with a BIL of:

  • extreme or catastrophic in low-risk situations
  • high or very high in higher risk situations.

Class B containers are broadly of two types:

  • heavy types suitable for use where there are minimal other physical controls
  • lighter models designed for use along with other physical security measures. 

Consider where you will position Class A and B containers, as weight may be an issue, particularly in older buildings.

Class C containers

These containers are designed to protect information with a BIL of:

  • up to extreme in low-risk situations
  • medium in higher risk situations.

These containers must be fitted with an NZSIS-approved restricted keyed lock or padlock.

When you don’t need an NZSIS-approved container

Your organisation should, where your risk assessments indicate, use lockable commercial containers for:

  • information with a low-to-medium business impact
  • higher level information within an NZSIS-approved secure room.

Secure rooms, safes, and vaults

PHY032

Consider using secure rooms, safes, or vaults instead of containers to protect large quantities of official information or valuable physical assets.

Store unclassified material in commercial safes and vaults designed to give a level of protection against forced entry that matches the BIL of the assets.

Commercial grade security safes and vaults provide varying degrees of protection, so seek the advice of a qualified locksmith or manufacturer. They’ll tell you which criteria you need to use when you’re choosing a commercial safe or vault.

Safes and vaults can be fire-resistant (either document or data), burglary-resistant, or a combination of both. 

Seek advice from a reputable manufacturer before you install a commercial safe or vault for protecting valuable physical assets.

For items that you can’t secure in safes or vaults (such as large items), use other controls that give the same level of intrusion resistance and delay. Use this table.

Consider fitting vehicle safes to vehicles used to carry valuable physical assets or official information.

Vehicle safes provide some protection against opportunistic theft. However, they’re not designed to protect vehicles left unattended for prolonged periods (for example, overnight).

Vehicle safes are of similar construction to low-grade commercial security containers or NZSIS-approved Class C containers.

Your risk assessment may show that you need additional controls to mitigate some risks when vehicles are used to transport protectively-marked material or valuable assets.

To ensure the effectiveness of a vehicle safe, consider:

  • bolting the safe to the vehicle (preferably out of sight)
  • fitting anti-theft controls such as immobilisers and alarms.

Secure rooms are suitable for storing large quantities of official information. The minimum construction and security requirements for secure rooms are in the following classified documents (contact the PSR team for more information):

  • NZSIS Technical Note - Class A Secure Room
  • NZSIS Technical Note - Class B Secure Room
  • NZSIS Technical Note - Class C Secure Room.

When you’re selecting the minimum level of security for security rooms that will store official information, you must use this table [PDF, 99 KB].

The New Zealand Standard AS/NZS 3809:1998 Safes and strongrooms provides advice on design criteria for safes and strongrooms (secure rooms) used to protect valuable physical assets.

It categorises safes and vaults as:

  • basic — suitable for homes, small businesses, offices
  • commercial — suitable for medium retail, real estate agents
  • medium security — suitable for large retail, post offices
  • high security — suitable for financial institutions, clubs
  • extra high security (vaults only) — suitable for high-volume financial institutions.

The following international standards meet similar design criteria to the New Zealand Standard:

These international standards provide advice on testing for fire resistance in safes:


Visitor control

PHY033

Follow clear, consistent processes for controlling visitor access to your facilities.

A visitor means anyone in a facility or area who:

  • is not an employee
  • has been granted normal access to the facility or area as a visitor.

This definition may include employees from other parts of your organisation.

Whichever entry control method you use, people should only be given unescorted entry if they:

  • show a suitable form of identification
  • have a legitimate need for unescorted entry to the area
  • have the appropriate security clearance.

Also refer to the Management protocol for personnel security.

Visitor control is normally an administrative process. However, you can augment this process by using an electronic access control system (EACS). This allows you to issue visitors with EACS access cards enabled for the specific areas they may access.

In more advanced EACSs, it’s possible to require validation from the escorting officer at all EACS access points.

In security zones 3 to 5, you must issue visitors with visitor passes and record details of all visitors.

In zone 2, when you have no access controls in place, you should issue visitors with visitor passes and keep a visitor record.

Passes must be:

  • worn at all times
  • collected at the end of the visit
  • disabled on return if the passes give access to any of your access control systems
  • checked at the end of the day and, when the passes are reusable, disabled and recovered if they haven’t been returned.

One of your people should escort visitors.

You may, based on your risk assessment, record visitor details at the:

  • facility reception areas
  • entry to individual security zones.

Agencies should use visitor registers.

Your visitor register should include the:

  • name of the visitor and their signature
  • visitor's agency or firm or, in the case of private individuals, their private address
  • name of the employee to be visited
  • times the visitor arrived and departed
  • reason for the visit.

A visitor register is normally kept at the reception desk, unless the desk is unattended, in which case it should be held by a designated employee within the facility.

If your organisation manages access into specific areas at the entry to the area, those areas should have their own visitor registration process.

Visitors into zones 4 and 5 or sensitive areas should provide government-issued credentials embodying photographic identity features and a signature.

You must have documented procedures for dealing with members of the public who behave unacceptably on your premises or who are present in a restricted area. Your people must be informed of these procedures.

If a member of the public behaves in an unacceptable manner, a duly authorised person should take the following steps when they consider it necessary for the person to leave the premises.

  • First seek the person's cooperation to cease the behaviour and/or to leave the premises.
  • Ask the person to stop the behaviour and warn them they could be required to leave the premises immediately.
  • If the person does not stop the unacceptable behaviour, advise them that due to their behaviour, they no longer have permission to be on the premises.
  • Ask the person to leave the premises immediately.
  • Warn the person the police will be called if they remain, and of the possible legal consequences of non-compliance with the request to leave.

In most cases the person will agree to leave. If it is safe to do so, the person should be accompanied until they have left. However, if they refuse to leave, contact the police immediately.

No employee or guard is to attempt to physically remove a person from your premises unless permitted to do so under legislation. This would normally be left to a police officer. The contact number for the police should be available to all employees.

Relevant legislation may include:

If anyone in your organisation is considering giving access to media representatives, they should consult your chief security officer (CSO) before they grant access.

Add the following procedures to your standard visitor control procedures:

  • a designated employee should accompany media representatives throughout the visit
  • protectively-marked information should be locked away (preferable) or at least protected from view
  • additional restrictions are considered when appropriate, such as handing in mobile phones and other recording and communications equipment
  • your media liaison unit or public affairs area is consulted about the arrangements.

Additional controls may be necessary for particular sites.

If your organisation grants permission for a visit to areas where protectively-marked information is being used or handled, the employee responsible for the media representatives should remind them that no photographs or recordings of any type can be taken at any time during the visit, except with specific approval.

Your organisation should develop policies to cover when children are allowed into areas where sensitive or protectively-marked material is held or used.

Parents or guardians are responsible for getting prior approval for children to enter official premises.

Remember to keep a log of children who enter in case there is an emergency situation.

Pre-school children

Pre-school children may be permitted short-term access if the parent or guardian (being a staff member):

  • has approval from the relevant manager
  • is with their child(ren) at all times.

Some pre-school children can read, but they’re less likely to fully understand protectively-marked material than older children. They’re also less likely to recall details, such as names and identities.

School-aged children

School-aged children are often able to understand written material and have well developed long-term memory. They should only be allowed access under extenuating circumstances and only at the discretion of your organisation’s chief executive or head.

Extenuating circumstances under which access may be granted are:

  • a staff member is called in for emergency duty and no childminding is available at short notice
  • a staff member is recalled from leave and a child requires unique parental care
  • a staff member is required to sign papers, arrange posting activity, or other administrative tasks while in sole charge of a child
  • normal childcare arrangements end without notice and a staff member, who is required to report for duty, is unable to make alternative arrangements
  • a staff member is required to attend for duty when a child is injured (but not suffering from infectious illness) and requires monitoring.

The parent or guardian is responsible for the safety, wellbeing, and behaviour of the child while on the premises (including emergency evacuations). They must not leave the child unattended, noting:

  • children (as with any other uncleared individuals) must not be given access to corporate IT systems or protectively-marked material
  • work areas should, as much as possible, be cleared of any sensitive or protectively-marked material while children are present
  • children should not be present at meetings or during discussions where sensitive or protectively-marked material is discussed
  • children who are suffering from, or convalescing after, an infectious illness must not be granted access (in line with occupational health and safety requirements).

Receptionists and guards

PHY034

Control visitors and deter threats with receptionists and guards.

If your organisation has regular public or client contact, you should have receptionists or guards to greet, assist, and direct visitors.

Guards deter threats to information and physical assets and can provide a rapid response to security incidents.

Receptionists and guards:

  • should be able to easily lock all access to the reception and non-public areas in the event of an emergency
  • may only perform other duties, such as CCTV and alarm monitoring, if it does not interfere with their primary task of controlling building access through the reception area. If performing other duties, they should be suitably trained and competent
  • must be able to lock away all valuable or sensitive material (for example, paperwork, keys) if they need to temporarily leave the vicinity
  • must have a method of calling for immediate assistance if threatened, for instance a duress alarm or radio, as they are most at risk from disgruntled members of the public
  • must hold security clearances (and briefings) at the highest level of information with which they may reasonably be expected to have incidental contact, and in line with the facility with which they work.

Your organisation must:

Guards and patrols may be used separately or along with other security measures.

Base your requirement for guards on the level of threat and any other security systems or equipment that are already in place. That will guide your decisions on what their duties are and how often they need to carry out patrols.

Security zone requirements

You can use out-of-hours guarding or patrols instead of alarm systems in zones 2 to 3. These guards may be permanently on site or visit facilities as part of regular mobile patrolling arrangements.

You must not use guards instead of an approved security alarm system in zones 4 and 5. However, guard patrols can be used as an extra measure.

You may use out-of-hours guard services in response to alarms in all zones. The response time should be within the delay period given by the physical security controls.

The highest level of assurance is given by 24 hours a day, seven days a week on-site guards who can respond immediately to any alarms.

Where guard patrols are used instead of an alarm system, patrols should be performed at random intervals. For zone 3, base the intervals on your risk assessment but make sure they are within every 4 hours. For other areas, base the intervals on your risk assessment.

Guards should check all security cabinets and access points as part of their patrols.


Other physical security measures

PHY035

Work out which other physical security measures your organisation might need to address specific risks.

Use the following examples to help you work out which physical security measures will best meet your specific requirements. (Note: This list is indicative not exhaustive.)

Measure | Used to
Hidden and/or fixed duress alarm | Address personnel safety concerns for reception areas and meeting rooms. May be of value for home-based workers
Individual duress alarm | Address personal safety concerns for personnel in the field or unpatrolled public areas
Individual item alarm and/or alarm circuit | Provide extra protection for valuable physical assets in your premises or physical assets on display
Vehicle alarm | Deter vehicle theft or theft of information and physical assets from vehicles
Two-person access system | Provide extra protection for extremely sensitive information
Vehicle safes | Deter theft of information and physical assets from vehicles
Vehicle immobilisation | Prevent vehicle theft
Front counters, and interview or meeting rooms | Restrict access by aggressive clients or members of the public. Allow regular meetings with clients or members of the public without accessing security areas
Mailrooms and delivery areas | Provide a single point of entry for all deliveries. Prevent mail-borne threats from entering a facility without screening
Technical surveillance countermeasures and audio security | Reduce vulnerability to, or detect, the unauthorised interception of sensitive or protectively-marked information. Reduce vulnerability to electronic eavesdropping on sensitive conversations
Conference security | Prevent unauthorised people gaining access to protectively-marked information and ensure the proceedings are conducted without disruption

Vehicle immobilisation can reduce the loss of vehicles to theft. Vehicle immobilisation can be broadly divided into two types: automatic and remote.

With automatic immobilisation, a vehicle can be immobilised when not in use and requires a key or electronic token to start the vehicle.

With remote immobilisation, a vehicle can be immobilised while in use and this technique is normally used along with a remote tracking and alarm system.

If your people interact with the public or clients who may become agitated, your organisation must install measures to reduce the risks to their safety.

These measures might include:

  • a specialised front counter that limits or delays physical access
  • interview or meeting rooms monitored by guards or fitted with duress alarms (or both)
  • interview or meeting room desks that act as a barrier.

If your people regularly interact with clients or the public, consider establishing interview or meeting rooms that are accessible from your public areas.

Mailrooms and parcel delivery areas are areas of significant risk from improvised explosive devices, and chemical, radiological, and biological attacks.

Your organisation must assess the likelihood of mail-borne attacks and, if warranted, apply suitable physical mitigations. For example:

  • mail screening devices
  • a standalone delivery area
  • a commercial mail receiving and sorting service.

For help to select mail and parcel screening and handling equipment that meets your needs, try HB 328:2009 Mailroom Security [PDF, 250 KB].

Educate and train your people

Make sure your people are aware of your mail handling policies and procedures.

You must give your mailroom staff training – they must know your mail handling procedures and how to use any screening equipment you have.

Technical Surveillance Countermeasures (TSCM) is a process used to:

  • survey facilities and detect any surveillance devices
  • identify technical security weaknesses that could be exploited (including controls such as locks, alarms, and electronic access control systems).

TSCM provides a high level of assurance that sensitive information is free from unauthorised surveillance and access.

TSCM is mainly a detection function that seeks to locate and identify covert surveillance devices:

  • before an event
  • as part of a programmed technical security inspection or survey
  • because of a concern following a security breach (for example, the unauthorised disclosure of a sensitive discussion).

When you must carry out a TSCM survey

Your organisation must carry out TSCM surveys:

  • for areas where TOP SECRET discussions are regularly held, or the compromise of other discussions may have a catastrophic business impact
  • before conferences and meetings where TOP SECRET discussions are to be held.

Seek advice from the Government Communications Security Bureau (GCSB) before you carry out a survey.

To protect discussions about content that is protectively marked, your organisation must meet the logical controls in the New Zealand Information Security Manual - Telephones and Telephone Systems.

Carry out a risk assessment before holding a conference to identify risks and mitigate them. If warranted, develop a specific conference security plan.

The aims of conference security should be to:

  • prevent unauthorised people gaining access to official information, protectively-marked information, or physical assets
  • protect the people attending the conference
  • protect property from damage
  • ensure the conference is not disrupted.

Also refer to Event security.