Physical security


Locks, key systems, and doors

Choose the right hardware to protect your information and assets.

Your organisation must secure all access points to your premises, including doors and operable windows, using commercial grade or NZSIS-approved locks and hardware. These locks may be electronic, combination, or keyed.

You must give combinations, keys, and electronic tokens the same level of protection as the most valuable information or physical asset contained by the lock.

You must use NZSIS-approved locks and hardware in security zones 4 and 5 (refer to NZSIS Guidelines on equipment selection and the Approval Products List).

Use suitable commercial locking systems in other areas.


Locks can deter or delay unauthorised access to information and physical assets.

However, locks are only as strong as the fittings and hardware surrounding them. So assess the level of protection you need from doors and frames when you’re selecting locks.

Protecting lock combination settings

Your chief security office (CSO) should manage the security of your lock combinations.

Your people must memorise lock combination settings, and make sure you keep only one written record of each setting for use in an emergency.

Keep the record of the combination in an appropriately sealed envelope and protect it in a container. Protectively mark the envelope with the highest security classification of the material protected by the lock.

Follow the lock manufacturer's instructions when you use or service combination locks.

When to change settings

You must change lock combination settings:

  • when you first receive a container
  • after a lock is serviced
  • after a change of custodian or other person who knows the combination
  • when there is reason to believe the setting has been, or may have been, compromised
  • at least every 6 months
  • when a container is disposed of by resetting the lock to the manufacturer's settings

When to report a security breach

Your people must immediately report the compromise or suspected compromise of a combination setting to your CSO. For more information, go to Reporting incidents and conducting security investigations.

Using keying systems

If you use a keying system, design it to prevent unauthorised people from making duplicate keys or using common techniques to compromise it.

Keying systems should include security measures. For example:

  • legal controls, such as registered designs and patents
  • physical controls that make it difficult for people to get or manufacture blank keys or the machinery used to cut duplicate keys
  • controls that protect against techniques like picking, bumping, impressioning, and decoding.

Choosing a keying system

  • When you’re choosing a keying system, consider the following questions.
  • What level of protection does the system provide against common forms of compromise?
  • What is the length of legal protection the manufacturer offers?
  • What level of protection can the supplier provide for your keying data within their facility?
  • How transferable is the system and are there any associated costs?
  • What are the costs for commissioning and on-going maintenance?

Complying with security zone requirements

In zone 1, use restricted keying systems when there is a risk of theft.

In zone 2, you must use commercial restricted keying systems. That means using keys that aren’t easy to copy or combination locks.

In zones 3 to 5, you must use NZSIS-approved keying systems. If your risk assessment shows it’s necessary, use approved systems in other zones too.

For more information, go to the NZSIS Guidelines on equipment selection and the Approval Products List.

Using mastered key systems

If you use a mastered key system, it must have enough levels to allow you to have separate area master keys to control any:

  • locks within an electronic access control system (EACS)
  • alarm system control points.

The following image outlines how mastered key systems allow you to separate and protect different areas.

Image - indicative master keying tree

Managing your keys

You must maintain a register of all keys that you hold and issue. Ensure your key register is secure and only allow authorised employees to access it.

Your key register should include the following details:

  • key number
  • name, position, and location of person holding the key
  • date and time issued
  • date and time returned or reported lost.

Keeping master keys secure

Strictly control your master keys and limit the number of them.

Because grand master keys may give access to all areas of a facility, your CSO should control the issuing of them.

Audit your key register regularly to confirm the location of all keys. Losing a master key may mean you need to re-key all locks under that master.

Removing master keys from your facilities

Keys to security zones 4 and 5 should not be removed from your facilities.

Keys to security containers must not leave your facilities, except in cases of emergency.

For zones 1 to 3, base any decisions about allowing keys to be removed from your facilities on your risk assessment. Removing keys significantly increases the risk of loss.

When you allow a key to be removed, make sure:

  • a manager approves the removal
  • you increase the frequency of your key audits

Ensure everyone in your organisation knows and follows your key management policy.

Protecting your key cabinets

Locate key cabinets within your facility's secure perimeter and, where possible, within the perimeter of the zone where your locks are located.

Key cabinets may be either manual or electronic.

Commercial grade key cabinets provide very little protection from forced or covert access.

Electronic key cabinets

Electronic key cabinets may have an automatic audit capacity and replace the need to maintain a key register.

In some cases, electronic key cabinets can be integrated into an EACS. Most commercial grade electronic key cabinets are not suitable for high security applications. Guidance on selecting electronic key cabinets can be found in the NZSIS Security Product Guide - Electronic Key Cabinets. This guidance is classified. Contact the PSR team for more information.

However, there are currently no electronic key containers suitable for high security applications, unless they’re used along with other control measures, such as locating the key container within a security room or area covered by a security alarm.

Electronic key cabinets protecting keys in Zone 3 areas and above, or Class C security containers, must be listed in the NZSIS Approved Products List (APL). The information in the list is classified. Contact the PSR team for more information.


Select doors that provide a similar level of protection to the locks and hardware you’ve fitted.

Incorporate any requirements of the New Zealand Building Code and any disability access requirements.

Door types and thicknesses for zones 3 to 4 are specified in the NZSIS Technical Note - Physical Security of Secure Areas. Door types and thicknesses for zones 5 are specified in the NZSIS Technical Note - Physical Security of Zone 5 areas. Both these notes are classified. Contact the PSR team for more information.

Types of doors

Commercial office doors vary significantly. Some examples of different types are:

  • solid core timber
  • composite timber
  • metal framed insert panel
  • metal clad solid core or hollow core
  • glass swing opening
  • rotating glass
  • glass sliding: single and double.

Solid core wood or metal clad doors may have glass or grill insert panels. The panels and fixings must provide the same level of protection as the door.

Automatic sliding glass doors normally operate through an electric motor and guide fitted to the top of the door. Some of these doors, particularly when unframed, may be levered open either at the centre joint for double sliding doors or sides for double and single sliding doors. This can make them difficult to secure without fitting drop bolts, lower guides, and/or door jambs.

Domestic hollow core doors (used for most internal domestic doors) and domestic sliding glass doors provide negligible delay as they are easily forced. However, if you fit them with appropriate locks, they’ll give some evidence of an intrusion when broken.


Page last modified: 9/01/2020