The policy framework

Physical security (PHYSEC)

Every New Zealand Government organisation must have physical security measures in place to protect people, information, and assets

Physical security combines physical and procedural measures. These measures are designed to prevent or reduce threats to your people, information, and assets.

Physical security is multi-faceted and complements your security measures in other areas. Good physical security supports health and safety standards, and helps your organisation to operate more efficiently and effectively.

Take a risk-management approach to working out the right levels of physical protection for your organisation’s people, information, and assets.

Organisations must keep their people, information, and assets physically secure, with robust risk-based physical security measures applied across the whole physical security lifecycle.

PSR Policy Framework — PHYSEC

The PHYSEC mandatory requirements help organisations to implement robust physical security across the lifecycle. The PHYSEC mandatory requirements are the core physical security requirements that mandated government agencies must follow, and other organisations should adopt as best practice.

This section provides a high-level overview of the PSR PHYSEC mandatory requirements. To understand, implement, and comply with the PSR PHYSEC mandatory requirements, please refer to the following documents:

PHYSEC 1

Understand what you need to protect

Identify the people, information, and assets that your organisation needs to protect, and where they are. Assess the security risks (threats and vulnerabilities) and the business impact of loss or harm to people, information, or assets. Use your understanding to:

  • protect your people from threats of violence, and support them if they experience a harmful event
  • protect members of the public who interact with your organisation
  • put physical security measures in place to minimise or remove risks to your information assets.

Knowing where your vulnerabilities are is the first step towards robust physical security. You may need to protect:

  • your people, information, and assets
  • the public and customers
  • cultural holdings.

Once you identify your risks, you must evaluate the likelihood and impact of each risk. Assessing your risks helps you understand where you need to take further action.

PHYSEC 1 includes the following requirements:

PHYSEC 1.1 Identify what you need to protect

To inform the required physical security measures, organisations must understand what they need to protect, where those people, information, and assets are located, their value and sensitivity to the organisation, and the organisation's health and safety obligations for everyone at its physical locations. See also Business Impact Levels (BILs) [PDF, 114 KB] for help in assessing the impacts of security breaches at your locations.

  • Understand how your facilities and work locations are used
  • Assess the impact of a security breach.

PHYSEC 1.2 Assess physical security risks

An organisation’s particular context and the threats it faces determine which physical security measures it needs. The measures chosen must also meet your obligations under the Health and Safety at Work Act 2015.

  • Assess the risks of each site
  • Assess risks when selecting new sites.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the PHYSEC 1 mandatory requirement.

Guidance and resources

PHYSEC 2

Design your physical security

Consider physical security early in the process of planning, selecting, designing, and modifying facilities.

Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.

To reduce costs and improve effectiveness, consider your physical security measures early in any process for planning, selecting, or altering sites or buildings.

You also need to design measures to address your physical security risks for people working away from the office, and for any shared facilities you use.

PHYSEC 2 includes the following requirements:

PHYSEC 2.1 Apply good practices for physical security design

When designing physical security measures, organisations must identify measures that are in line with their legislative, Government Property Group (GPG), and health and safety obligations.

  • Identify physical security measures needed to address your risks
  • Consider physical security design early
  • Use security zones to reflect business impact levels
  • Consider using multiple layers of security
  • Apply other good practices in physical security design.

PHYSEC 2.2 Develop security plans

Organisations must prepare site security plans for both existing and new sites.

  • Prepare site security plans.

PHYSEC 2.3 Implement specific physical security measures

Before submitting its physical security plan for sign-off, an organisation needs to assess whether it has sufficiently treated the risks in every area identified in its risk assessment.

  • Use NZSIS approved products
  • Implement the specific physical security measures required for each site
  • Manage specific scenarios
  • Build physical security into your business relationships and contracts
  • Maintain records.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the PHYSEC 2 mandatory requirement.

Guidance and resources

PHYSEC 3

Validate your security measures

Confirm that your physical security measures have been correctly implemented and are fit for purpose.

Complete the certification and accreditation process to ensure that security zones have approval to operate.

The validation step gives senior executives confidence that the organisation’s physical security is well managed, that risks are properly identified and addressed, and that governance responsibilities can be met. It also gives the organisations you work with confidence in your security.

An organisation needs to validate its physical security measures to determine:

  • whether the security measures have been correctly implemented
  • what vulnerabilities remain
  • whether the security measures are fit for purpose to address the specified risks
  • which residual risks have been accepted.

PHYSEC 3 includes the following requirements:

PHYSEC 3.1 Ensure security zones are certified and accredited


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the PHYSEC 3 mandatory requirement.

Guidance and resources

PHYSEC 4

Keep your security up to date

Ensure that you keep up to date with evolving threats and vulnerabilities, and respond appropriately.

Ensure that your physical security measures are maintained effectively so they remain fit for purpose.

Threats, vulnerabilities, and risks evolve over time. New technology, processes, arrangements, and objectives can all mean that your physical security needs to change.

An organisation needs to ensure that its physical security measures keep pace with these changes so they remain relevant and effective.

PHYSEC 4 includes the following requirements:

PHYSEC 4.1 Analyse security vulnerabilities and threats

PHYSEC 4.2 Keep physical security measures up to date

PHYSEC 4.3 Respond to physical security incidents

PHYSEC 4.4 Review security measures

PHYSEC 4.5 Retire securely


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the PHYSEC 4 mandatory requirement.

Guidance and resources