Physical security

PHY002

Mandatory requirements

The core physical security requirements that mandated government agencies must follow and other organisations should consider as best practice.

PHYSEC1 - Understand what you need to protect

Identify the people, information, and assets that your organisation needs to protect, and where they are. Assess the security risks (threats and vulnerabilities) and the business impact of loss or harm to people, information, or assets. Use your understanding to:

  • protect your people from threats of violence, and support them if they experience a harmful event
  • protect members of the public who interact with your organisation
  • put physical security measures in place to minimise or remove risks to your information assets.


PHYSEC2 - Design your physical security

Consider physical security early in the process of planning, selecting, designing, and modifying facilities.

Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.


PHYSEC3 - Validate your security measures

Confirm that your physical security measures have been correctly implemented and are fit for purpose.

Complete the certification and accreditation process to ensure that security zones have approval to operate.


PHYSEC4 - Keep your security up to date

Ensure that you keep up to date with evolving threats and vulnerabilities, and respond appropriately. Ensure that your physical security measures are maintained effectively so they remain fit for purpose.

Page last modified: 4/05/2022