Physical security


Visitor control

Follow clear, consistent processes for controlling visitor access to your facilities.

A visitor means anyone in a facility or area who:

  • is not an employee
  • has been granted normal access to the facility or area as a visitor.

This definition may include employees from other parts of your organisation.

Whichever entry control method you use, people should only be given unescorted entry if they:

  • show a suitable form of identification
  • have a legitimate need for unescorted entry to the area
  • have the appropriate security clearance.

Also refer to the Management protocol for personnel security.

Augmenting visitor control with an electronic access control system

Visitor control is normally an administrative process. However, you can augment this process by using an electronic access control system (EACS). This allows you to issue visitors with EACS access cards enabled for the specific areas they may access.

In more advanced EACSs, it’s possible to require validation from the escorting officer at all EACS access points.

Controlling access to security zones

In security zones 3 to 5, you must issue visitors with visitor passes and record details of all visitors.

In zone 2, when you have no access controls in place, you should issue visitors with visitor passes and keep a visitor record.

Passes must be:

  • worn at all times
  • collected at the end of the visit
  • disabled on return if the passes give access to any of your access control systems
  • checked at the end of the day and, when the passes are reusable, disabled and recovered if they haven’t been returned.

One of your people should escort visitors.

You may, based on your risk assessment, record visitor details at the:

  • facility reception areas
  • entry to individual security zones.

Keeping a visitor register

Agencies should use visitor registrations.

Your visitor register should include the:

  • name of the visitor and their signature
  • visitor's agency or firm or, in the case of private individuals, their private address
  • name of the employee to be visited
  • times the visitor arrived and departed
  • reason for the visit.

A visitor register is normally kept at the reception desk, unless the desk is unattended, in which case it should be held by a designated employee within the facility.

If your organisation manages access into specific areas at the entry to the area, those areas should have their own visitor registration process.

Visitors into zones 4 and 5 or sensitive areas should provide government-issued credentials embodying photographic identity features and a signature. Examples are listed in Proof of identity.

Removing people from your premises

You must have documented procedures for dealing with members of the public who behave unacceptably on your premises or who are present in a restricted area. Your people must be informed of these procedures.

If a member of the public behaves in an unacceptable manner, a duly authorised person should take the following steps when they consider it necessary for the person to leave the premises.

  • First seek the person's cooperation to cease the behaviour and/or to leave the premises.
  • Ask the person to stop the behaviour and warn them they could be required to leave the premises immediately.
  • If the person does not stop the unacceptable behaviour, advise them that due to their behaviour, they no longer have permission to be on the premises.
  • Ask the person to leave the premises immediately.
  • Warn the person the police will be called if they remain, and of the possible legal consequences of non-compliance with the request to leave.

In most cases the person will agree to leave. If it is safe to do so, the person should be accompanied until they have left. However, if they refuse to leave, contact the police immediately.

No employee or guard is to attempt to physically remove a person from your premises unless permitted to do so under legislation. This would normally be left to a police officer. The contact number for the police should be available to all employees.

Relevant legislation may include:

Managing access to your premises by the media

If anyone in your organisation is considering giving access to media representatives, they should consult your chief security officer (CSO) before they grant access.

Add the following procedures to your standard visitor control procedures:

  • a designated employee should accompany media representatives throughout the visit
  • protectively-marked information should be locked away (preferable) or at least protected from view
  • additional restrictions should be considered when appropriate, such as handing in mobile phones and other recording and communications equipment
  • your media liaison unit or public affairs area should be consulted about the arrangements.

Additional controls may be necessary for particular sites.

If your organisation grants permission for a visit to areas where protectively-marked information is being used or handled, the employee responsible for the media representatives should remind them that no photographs or recordings of any type can be taken at any time during the visit, except with specific approval.

Access by children to areas where protectively-marked information is stored or processed

Your organisation should develop policies to cover when children are allowed into areas where sensitive or protectively-marked material is held or used.

Parents or guardians are responsible for getting prior approval for children to enter official premises.

Remember to keep a log of children who enter in case there is an emergency situation.

Pre-school children

Pre-school children may be permitted short-term access if the parent or guardian (being a staff member):

  • has approval from the relevant manager
  • is with their child(ren) at all times.

Some pre-school children can read, but they’re less likely to fully understand protectively-marked material than older children. They’re also less likely to recall details, such as names and identities.

School-aged children

School-aged children are often able to understand written material and have well-developed long-term memory. They should only be allowed access under extenuating circumstances and only at the discretion of your organisation’s chief executive or head.

Extenuating circumstances under which access may be granted are:

  • a staff member is called in for emergency duty and no childminding is available at short notice
  • a staff member is recalled from leave and a child requires unique parental care
  • a staff member is required to sign papers, arrange posting activity, or other administrative tasks while in sole charge of a child
  • normal childcare arrangements end without notice and a staff member, who is required to report for duty, is unable to make alternative arrangements
  • a staff member is required to attend for duty when a child is injured (but not suffering from infectious illness) and requires monitoring.

The parent or guardian is responsible for the safety, wellbeing, and behaviour of the child while on the premises (including emergency evacuations). They must not leave the child unattended, noting:

  • children (as with any other uncleared individuals) must not be given access to corporate IT systems or protectively-marked material
  • work areas should, as much as possible, be cleared of any sensitive or protectively-marked material while children are present
  • children should not be present at meetings or during discussions where sensitive or protectively-marked material is discussed
  • children who are suffering from, or convalescing after, an infectious illness must not be granted access (in line with occupational health and safety requirements).


Page last modified: 2/10/2018