2. What are the Mandatory requirements for Physical Security by any organisation?
PHYSEC1 - Understand what you need to protect
PHYSEC2 - Design your physical security
PHYSEC3 - Validate your security measures
PHYSEC4 - Keep your security up to date
3. What are the Mandatory requirements for Physical Security by any organisation?
PHYSEC1 - Understand what you need to protect
Identify the people, information, and assets that your organisation needs to protect, and where they are. Assess the security risks (threats and vulnerabilities) and the business impact of loss or harm to people, information, or assets. Use your understanding to:
Protect your people from threats of violence, and support them if they experience a harmful event
Protect members of the public who interact with your organisation
Put physical security measures in place to minimise or remove risks to your information assets.
4. PHYSEC1 - Understand what you need to protect
Before you can put the right physical security measures in place, you must understand what you need to protect.
How will your facilities be used?
Are your people working away from the office?
Have you taken health and safety needs into account?
Is your organisation co-locating?
5. PHYSEC1 - Assessing your physical security risks
When you assess your organisation's unique risks, you can work out which physical security measures you need to reduce those risks to an acceptable level. You need to know where you are vulnerable and how your organisation would be affected by a security breach. Here are some questions to answer.
During what hours will people be arriving, departing, and working at each site?
How many people will be working at each site?
Which third parties have access to your facilities?
What are the risks associated with collections of information and physical assets you hold?
What are the risks associated with higher concentrations of people in certain areas?
Which activities does your organisation undertake at each site?
Are there threats that arise from your activities?
What threats arise from your location and neighbours?
6. PHYSEC1 - Assessing your physical security risks
Evaluate the likelihood and impact of each risk to help you understand where you need to take further action. For any risks you can’t accurately assess internally, call on external sources such as local police or other authorities.
If you’re co-locating with other organisations, consider the combined security risks and work together to assess them.
Remember to:
Assess the risks of each site you use separately, as you need to develop site-specific security plans
Include physical security risks in your organisation's risk register(s).
7. What are the Mandatory requirements for Physical Security by any organisation?
PHYSEC2 - Design your physical security
Consider physical security early in the process of planning, selecting, designing, and modifying facilities.
Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.
8. PHYSEC2 - Design your physical security
Since physical security measures can be more expensive and less effective if they’re introduced later, consider your physical security requirements at the earliest stages — preferably during the concept and design stages. Apply this strategy any time you’re:
Planning new sites or buildings
Selecting new sites
Planning alterations to existing buildings.
9. PHYSEC2 - Design your physical security
Evaluate the following factors to work out if a site is suitable:
The neighborhood
The size of the stand-off perimeter
Site access and parking
Building access points
Security zones
10. PHYSEC2 - Design your physical security
When preparing site security plans, use your site-specific risk assessments to help you:
Prepare site-specific security plans
Include security requirements within other site development plans.
Your organisation needs to have a site security plan for all new sites, facilities under construction, and facilities undergoing major refurbishments. This plan should align with any minimum security standards your organisation has agreed for specific types of facility.
11. PHYSEC2 - Design your physical security
For each site security plan, ensure that your physical security measures:
Provide enough delay to allow planned responses to take effect
Meet business needs
Complement and support other operational procedures
Include any necessary measures to protect audio and visual privacy
Do not unreasonably interfere with the public.
12. PHYSEC2 - Design your physical security
If your organisation faces increased threat levels, use your risk assessments to work out what extra measures you need in each affected zone. Increased threat levels can be due to foreign interference, politically motivated violence, criminal activity, or cyber-attacks.
Zone 1: Public Access Area - These are unsecured areas including out-of-office working arrangements. They provide limited access controls to information and physical assets where any loss would result in a low to medium business impact.
Zone 2: Work Area - These are low-security areas with some controls. They provide access controls to information and physical assets where any loss would result in a business impact up to very high. They also provide some protection for people.
Zone 3: Restricted Work Area - These are security areas with high security controls.
Zone 4: Security Area - These are security areas with higher levels of security.
Zone 5: High-Security Area - These are security areas with the highest level of security controls. They provide access controls to information where any loss would result in a business impact up to catastrophic.
13. PHYSEC2 - Design your physical security
Physical security measures aim to protect people, information, and assets from compromise or harm by applying the ‘Deter, Detect, Delay, Respond, Recover’ model.
A key concept in physical security is ‘security in depth’ — a multi-layered system in which security measures combine to support and complement each other. You can apply this concept by placing zones within zones. This layering increases total delay times and creates additional barriers. Any unauthorised person trying to access the higher zones will meet increasing levels of controls.
The following diagram shows a possible combination of security zones.
14. What are the Mandatory requirements for Physical Security by any organisation?
PHYSEC3 - Validate your security measures
Confirm that your physical security measures have been correctly implemented and are fit for purpose.
Complete the certification and benchmarking process to ensure that security zones have approval to operate.
15. PHYSEC3 - Validate your security measures
Validating your organisation's physical security measures means finding out if they’ve been correctly implemented and are fit for purpose.
Your CSO decides whether the measures are right for the risks your organisation faces. These risks may vary from site to site. The validation step gives senior executives confidence that physical security is well managed, risks are properly identified and mitigated, and governance responsibilities can be met.
16. What are the Mandatory requirements for Physical Security by any organisation?
PHYSEC4 - Keep your security up to date
Ensure that you keep up to date with evolving threats and vulnerabilities, and respond appropriately. Ensure that your physical security measures are maintained effectively so they remain fit for purpose.
17. PHYSEC4 - Keep your security up to date
An important part of maintaining security is providing security awareness training and support.
Communicate your physical security policies to your people and to the people your organisation works with. Let them know when physical security arrangements change, and, when possible, say why.
People should be encouraged to report emerging concerns or near misses, and be seen as good corporate citizens rather than troublemakers.
Analyse evolving threats and vulnerabilities
Keeping your people, information, and assets secure involves ongoing activity to detect and manage evolving threats and vulnerabilities.
Editor's Notes
Zone 1: Public Access Area
These are unsecured areas including out-of-office working arrangements. They provide limited access controls to information and physical assets where any loss would result in a low to medium business impact. They also provide limited protection for people.
Examples of public access areas are:
building perimeters and public foyers
interview and front-desk areas
temporary out-of-office work areas where the agency has no control over access
field work, including most vehicle-based work
public access parts within multi-building facilities.
Zone 2: Work Area
These are low-security areas with some controls. They provide access controls to information and physical assets where any loss would result in a business impact up to very high. They also provide some protection for people.
These areas allow unrestricted access for your people and contractors. Public or visitor access is restricted.
Examples of work areas are:
normal office environments
normal out-of-office or home-based worksites where you can control access to areas used for your business
interview and front-desk areas where your people are separated from clients and the public
military bases and airside work areas with a security fence around the perimeter and controlled entry points
vehicle-based work where the vehicle is fitted with a security container, alarm, and immobiliser
exhibition areas with security controls and controlled public access.
Zone 3: Restricted Work Area
These are security areas with high security controls. They provide access controls to information and physical assets where any loss would result in a business impact up to extreme. They also provide protection for people.
Access for your people and contractors is limited to those with a need to access the area. People with ongoing access must hold an appropriate security clearance. Visitors must be escorted, or closely controlled, and have a business need to access the area.
Examples of restricted areas are:
secure areas within your building that have extra access controls for your people (such as IT server rooms)
exhibition areas with very valuable assets
areas with high-value items or items of cultural significance when not on display.
Zone 4: Security Area
These are security areas with higher levels of security. They provide access controls to information where any loss would result in a business impact up to extreme, and physical assets where any loss would result in a business impact up to catastrophic. They also provide protection for people.
Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.
Examples of security areas are:
secure areas within your building that have extra access controls for your people
exhibition areas with very valuable assets, with specific item asset protection controls and closely controlled public access
areas used to store high-value items or items of cultural significance when not on display.
Zone 5: High-Security Area
These are security areas with the highest level of security controls. They provide access controls to information where any loss would result in a business impact up to catastrophic.
Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.
Examples of high-security areas are:
areas storing top secret, sensitive, compartmented information
Review your physical security measures regularly
Undertake regular reviews to ensure your security measures remain fit for purpose. Identify changes in your use of facilities, in your organisation, or your threat environment. Use this information to inform improvements.
Conduct periodic reviews and assure compliance
Regularly monitor, review, and audit your physical security measures. You need to know if:
your physical security policies are being followed
your physical security controls are working as planned
any changes or improvements are necessary.
Identify changes in your security environment
Be prepared to restart your physical security lifecycle whenever your security environment changes. Consider these questions to inform changes and improvements.
Are you using your information and assets in a different way?
Are you using your facilities in a different way?
Are your people working in a different way?
Are you planning improvements to internal or external security services?
Have you identified new security threats and vulnerabilities?
Retire securely
When your building, facilities, information, or assets are no longer needed, make sure you consider the security implications during the decommissioning phase.
Have a plan for destroying, redeploying, or disposing of your facilities, information, or assets securely. For example:
safes or filing cabinets containing classified information
printers / multi-function devices.
Destroy protectively-marked information and equipment properly
You must use NZSIS-approved destruction equipment or an NZSIS-approved destruction service to destroy protectively-marked information and equipment, so that the waste can’t be reconstructed or used.