Access control
Published 2 November 2020
© Crown copyright 2020
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/crowded-places-guidance/access-control
1. Introduction
It is important to ensure that your site is kept secure whilst remaining accessible to your visitors or customers. There will be areas within your site or venue that, for various reasons, should be kept closed to the public. There should be a clear demarcation between your public and private areas, with appropriate access control measures in place. Measures at crowded places will differ depending upon the conditions of entry. To be effective, any system requires active management, appropriately trained staff and a good security culture.
2. Appearance
Your access control system is a strong indicator of the security regime at your site and should be complimented with clear signage. A challenge culture by staff will also deter hostile reconnaissance. However, consider balancing the deterrent effect of appropriate signage with the possible assistance being given to an adversary carrying out hostile reconnaissance.
Go to the CPNI Control of Access webpage
3. Operational requirements
When planning your access control system, you should first carry out a risk assessment and conduct an Operational Requirement (OR). This will assist you to identify the problem you are trying to solve and the most appropriate solution.
Go to the CPNI Operational Requirements webpage
4. Ease of access
Examine the layout of your site and access control system. Ensure that your entry and exit procedures allow legitimate users to pass without undue effort and delay. You should consider how your access control system will work in busy areas at peak times. Access measures should be appropriate for the site and not be unnecessarily onerous.
Go to the CPNI Access Control and Locks webpages
5. Policy and procedure
You should have clear policies and procedures for how the access control system will be used and operated. You should consider how misuse of the system by staff, visitors and customers will be challenged. Staff should feel empowered to challenge anyone entering an area without the correct pass, or who looks in any way suspicious.
6. Training
Ensure your staff are aware of the role and operation of your access control system. If you have any access control equipment in place, your installer should provide adequate training. Training should include the action to take:
- if a pass is lost or stolen
- if a person needs to be challenged
- in response to suspicious behaviour
7. Security culture
An effective access control system should incorporate adequate training of staff and should highlight how to overcome bad practice such as tailgating and holding doors open, coupled with the promotion of a good security culture. Staff should feel safe to challenge or report suspicions.
Go to the CPNI Security Culture webpage
8. System maintenance
Your system should be regularly maintained and kept in good working order. Your installer should supply all relevant system documentation e.g. log books and service schedules. Be aware of the actions required in the event of a system failure. These failures must be dealt with immediately and a contingency plan put into place. This may be to secure a door, or provide a security officer at the point of failure, with all actions being recorded. You should ensure that you have a suitable maintenance agreement (Service Level Agreement) in place which will rectify problems quickly.
9. Manual access control
If after carrying out the OR, you decide that a manual locking system is appropriate, there should be a robust management process in place incorporating:
9.1 Key management
Key management is crucial in order to maintain the integrity of the system. You should keep a record of all keys issued and conduct regular audits. All keys issued should be returned as part of the exit procedure for staff leaving the organisation. If a key cannot be accounted for, there should be a contingency plan to deal with a potential compromise of access control.
9.2 Additional management control systems
An electronic lock may be appropriate. This offers a compromise between mechanical locks and a fully electronic access control system. If mechanical Personal Identification Number (PIN) code locks are used, you should have a plan in place to change PIN codes regularly. Best practice is to change them after a member of staff leaves, after a security breach or every 6 months.
10. Integration
Your access control system should support other security measures. Consider system compatibility between access control, alarms, Closed Circuit Television (CCTV) and text alert systems.
Go to the CPNI Physical Security webpage
10.1 Compliance
Your access control system should be compliant with:
- The Equality Act 2010
- The Human Rights Act 1998
- Health and Safety at Work Act 1974
- The Data Protection Act 1998 (superseded by the General Data Protection Regulation (GDPR) and Data Protection Act 2018 in May 2018)
- The Regulatory Reform (Fire Safety) Order 2005
- The Fire (Scotland) Act 2005
Your access control system will have a set response to fire alarms i.e. doors automatically unlock when an alarm sounds. For your critical areas such as control rooms, it must be remembered that fail-safe systems must be compliant with both health and safety and security requirements. Ensure that when you specify an access control system, you consider what areas may remain locked in an emergency, as security should never compromise safety. Procedures should be in place to maintain the integrity of any sensitive assets in the event of an emergency.
11. Lockdown procedures
Due to the potential for firearms or weapons attacks, or protest activity for example, it is important for you to consider the option of implementing a dynamic lockdown procedure. You should consider how your access control system aids or hinders this. There may be features within your access control system that can be utilised during a lockdown. These features should be quick and simple to activate and staff should be trained in their operation.
Read more about Evacuation Invacuation, Dynamic Lockdown & Protected Spaces
Go to the CPNI Marauding Terrorist Attacks guidance
12. Vetting procedures
You should consider how vetting procedures impact on access control. You will need to decide if staff have access to all areas, or if there are restricted areas to your site. Staff and visitors should only be given access to the areas required for their role. Passes may vary in type, dependent upon the area accessed.
The manager of the access control system has a critical role. Only this person or their deputy should issue passes. Passes must be signed for once the identity of the recipient has been confirmed. Out of hours, the security supervisor may be authorised to issue temporary passes, but this should be by exception and any visitor should be escorted. Any temporary passes issued must be of limited duration.
13. Search procedures
If your OR identified that searching is necessary at your site, then there are a number of considerations. The primary consideration relates to the nature of the threat you face. You must identify the aim of the search and the type of items you are searching for. You should use appropriately trained staff, use well maintained equipment and have sufficient space and a suitable environment to conduct the search.
Read more about Search Planning
14. Vehicle procedures
If your OR identifies the need for vehicular access control, then there are a number of considerations. Search procedures must be consistent with the threat. The ideal solution is to restrict the number of vehicles accessing your site and any search should be conducted as far away as is reasonably practicable. Ideally, access will be afforded only to vehicles that are booked in and expected, with the identity of the vehicle occupants confirmed.
14.1 Vehicle access passes
Certain vehicles may need to routinely access your site. It may be prudent to issue vehicle passes to identify vehicles and the management of these passes should be commensurate with all the other access control measures in place. Vehicles that need to gain access without a pass should only be by prior arrangement.
14.2 ANPR
Automatic Number Plate Recognition (ANPR) may be a useful addition to an integrated security regime, but will only provide information related to a registration plate and should not be relied upon alone. Any data or information that can lead to the identification of an individual should be stored in accordance with the GDPR.
15. Increased threat
At times of increased threat, further access control measures may be required for staff, vehicles, or both. This should be reflected in the site security plan. Vehicle access control may be enhanced by the application of Hostile Vehicle Mitigation (HVM).
Read more about Threat level and Building Response Plans
16. Summary
The OR process is fundamental to planning an efficient security solution and access control is no exception; whether controlling pedestrian or vehicular access into a site, the principles are the same. You should know who and what is allowed to go where and allocate passes to reflect this, with access suitably limited.
Any access control system is only as good as the procedures and the people that govern its use and a good security culture is paramount in ensuring your site remains secure.