Physical Access Control Policy Template


Physical Access Control Policy
Purpose
The purpose of this Physical Access Control Policy (PACP) is to ensure the physical security of all information-holding assets owned by {{company_name}}, regardless of where they are held (buildings, computers, files) or how they are stored (digitally, on paper).

The PACP aims to assist the business to operate effectively and efficiently, to comply with legislation, information standards (ISO/IEC 27001) and good practice, and to safeguard information-holding assets against possible loss by theft, fraud, malicious or accidental damage, or breach of privacy or confidentiality. This policy is a requirement of the British / International Standard on information security (ISO 27001:2015), with which the business is working to become compliant.
Applicability
This Policy applies to all employees, contractors, consultants, auditors, temporary workers and other workers employed by the Company, including all personnel affiliated with third parties who provide services for the Company (collectively the “Users”). It also applies to all equipment that is owned or leased by the Company.
POLICY
Rights of physical access are balanced by responsibilities, with all individuals granted access that is appropriate for their role / designated duties, including privileged access requirements (e.g. secure rooms, cupboards).

{{company_name}} will have supporting policies in place (which may include legal or regulatory requirements) and will define procedures and provide mechanisms (for specific business areas) to ensure that access to information-holding assets is handled within the appropriate laws and codes of practice. All individuals must operate within this policy and procedural framework, and are accountable for their actions.

Understanding access control requires an understanding of the three access elements:

  • Physical – actual objects that people can touch, see, use, manipulate or work with (e.g. a building, a computer or paperwork).
  • Logical – non-physical elements (in the form of software or data) that are required and manipulated by the physical/user objects (e.g. a computer password, application programs, or information stored on the computer such as a database).
  • Users – the people who use and manipulate the two elements above.

{{company_name}} shall implement measures to prevent unauthorised physical access, damage and interference to its premises, and to prevent loss, theft or compromise of any information-holding assets or interruption of the Company’s normal activities.
Responsibilities
User Responsibilities:
  • Anyone who may access information-holding assets either directly or indirectly is responsible for following all appropriate procedures that relate to that asset.
  • Users are responsible for their actions and should not take any action which is outside the law or in breach of {{company_name}} policies, procedures, guidelines or codes of conduct.
  • Users are responsible for authorising access to information-holding assets under their area of control or responsibility.
  • Users are responsible for clearly displaying their issued photo identification at all times while on {{company_name}} premises.
  • Users are responsible for swiping in and out of room areas where a card swipe is required. Failure to swipe in and out of protected areas, or tailgating another employee, is a disciplinary offence.
  • Users are responsible for the safety of their photo identification. All losses will be charged at {{amount}} per card.
Manager Responsibilities:
  • To ensure that the controls deployed are proportionate to the sensitivity of the information-holding assets being accessed.
  • To implement and monitor this policy within their areas of responsibility and for ensuring that those for whom they are responsible, including visitors and contractors, are aware of and comply with the policy and associated guidelines.
  • To ensure that only authorised users are granted access to information-holding assets under their area of responsibility and for the adherence to relevant security policies by all users.
  • To ensure that all future building plans, for both new buildings and renovations, take account of the need to install entry systems that allow access whilst maintaining security.
  • To ensure that all users are appropriately educated so that when accessing / using information-holding assets, appropriate security measures are carried out.
  • To ensure that all users clearly display their photo identification at all times while on {{company_name}} premises.
  • To notify and seek guidance from the Chief Information Security Officer (CISO) or ITSD Help Desk of all breaches of this policy.
  • To notify Human Resources (via normal procedures) of starters, movers and leavers to ensure the security / return of information-holding assets (e.g. network access, keys, etc.) in accordance with the New Starters procedures.
Access Controls
Access to {{company_name}}'s premises must be restricted to ensure that only authorised users or visitors may gain entry. Sign-in procedures for visitors at reception areas must be followed, and where access is controlled via an electronic key entry system, the issue, configuration and disabling of access must be closely controlled and only granted where there is an imperative business requirement to do so.
Getting help
All questions relating to this Physical Access Control Policy should be directed to {{company_email}} in the first instance.
COMPLIANCE
A breach of any part of this Policy may be dealt with under the {{company_name}} Disciplinary Policy.

It is essential that all individuals employed by the Company familiarise themselves with the content of this Policy and understand its disciplinary implications.
Compliance Measurement
The {{company_name}} Team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exceptions to the policy must be approved by the CEO in advance.
Non-Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. In serious cases it may also give rise to civil and/or criminal liability.
RELATED STANDARDS, POLICIES AND PROCESSES
  • Information Security Policy