Physical security


Assess your physical security

When you assess your organisation’s unique risks, you can work out which physical security measures you need to reduce those risks to an acceptable level.

PHYSEC1 - Understand what you need to protect

Identify the people, information, and assets that your organisation needs to protect, and where they are. Assess the security risks (threats and vulnerabilities) and the business impact of loss or harm to people, information, or assets. Use your understanding to: • protect your people from threats of violence, and support them if they experience a harmful event • protect members of the public who interact with your organisation • put physical security measures in place to minimise or remove risks to your information assets.

Know your vulnerabilities

You need to know where you are vulnerable and how your organisation would be affected by breached security.

Here are some questions to answer.

  • What hours will people be working at each site? When will they be arriving and leaving?
  • How many people will be working at each site?
  • Which third parties have access to your facilities?
  • What are the risks associated with collections of information and physical assets you hold?
  • What are the risks associated with higher concentrations of people in certain areas?
  • Which activities does your organisation undertake at each site?
  • Are there threats that arise from your activities?
  • What threats arise from your location and neighbours?

Evaluate the likelihood and impact of each risk to help you understand where you need to take further action. For any risks you can’t accurately assess internally, call on external sources such as local police or other authorities.

More information:

Build physical security into plans for sites and buildings

Consider physical security in the concept and design stages to make sure it’s cost-effective and robust. Apply this strategy any time you’re:

  • planning new sites or buildings
  • selecting new sites
  • planning alterations to existing buildings.

For high-risk sites or buildings, you might need to consult early with specialist organisations, such as the New Zealand Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB).

Evaluate physical security risks before you select a site

Evaluate the following factors to work out if a site is suitable:

  • the neighbourhood
  • the size of the stand-off perimeter
  • site access and parking
  • building access points
  • security zones.

Selecting sites

Identify risks to people

Under the Health and Safety at Work Act 2015, organisations must:

  • take all reasonably practicable precautions to minimise the risk of harm to employees, clients, and the public
  • ensure their physical security plans address the risk of harm to clients and the public.

To comply with the Act, identify any risks to people that could arise from your measures for protecting information and physical assets. For any risks you identify, put measures in place to reduce them to an acceptable level.

Protect clients and the public from harm

Under the Health and Safety at Work Act 2015 organisations must:

  • protect clients and the public from injury arising from their activities
  • take reasonably practicable measures to protect all people within, and in the immediate vicinity of, their premises.

Sometimes the security measures you use to protect your people may also protect your clients and the public.

If you’re a manager responsible for safety and emergency responses, seek advice from your security staff to ensure you design safety measures that complement your organisation’s security needs.

Identify risks to cultural holdings

If your organisation has culturally significant holdings, you may have to deal with security risks that are not present for other organisations.

As well as conducting a risk assessment, contact similar government and non-government organisations to check whether you’ve considered the full range of risks and controls.

Assess risks from co-locating with other organisations

If you’re co-locating or co-tenanting with other organisations, consider the combined security risks and work together to assess them. Then apply protective security measures collaboratively to address the collective risks. Remember to also consider the risks to your organisation.

Feed into your organisation’s security planning

Use your physical security risk assessments to inform the physical security components of your organisation’s overall security plan.

Remember to:

  • assess the risks of each site you use separately, as you need to develop site-specific security plans
  • consider the different threat profiles of separate business units within your organisation
  • include physical security risks in your organisation’s risk register(s).

More information:


Page last modified: 5/08/2019