
A Guide to Access Control Policies & Procedures

Access Control Policies

A reliable access control system isn’t just readers and locks—it’s the policies and procedures that decide who gets in, where, when, and under what conditions. Get those right and the technology quietly does its job, doors behave safely in an emergency, and your audit trail stands up to scrutiny. Get them wrong and you’ll fight daily exceptions, compliance questions and frustrated users.

This playbook distils the policies we implement on UK estates to keep access control secure, safe and auditable—aligned to recognised guidance and standards.

If you’d like help converting this into a scoped design and operating pack for your building(s), we can handle survey, installation and handover.
(See: Commercial Access Control Installation.)

Start with an operational policy: outcomes before hardware

Write a one-page policy that states, in plain English:

  • Purpose: protect people, assets and operations.

  • Outcome: control who can go where and when, with an auditable trail.

  • Scope: sites, doors, zones and user categories (staff, contractors, visitors, tenants).

  • Assurance: factors required at each zone (e.g., card; card+PIN; biometric at high-risk rooms).

This outcome-led framing mirrors the UK protective-security approach to Automatic Access Control Systems (AACS) and keeps everything else—design, admin, training—pointing in the same direction. 

Define roles, zones and least privilege

Roles (e.g., employee, contractor, cleaner, receptionist) map to access groups with clear time schedules. Build least privilege in by default: people should only access the zones they need, during the hours they need. Review roles quarterly and whenever org charts change. For multi-site estates, document which doors belong to which site so permissions don’t bleed across by mistake.

Anchor your specification and acceptance testing to a recognised functional/performance baseline (e.g., EN/IEC 60839-11-1) so behaviour, logging and time schedules are predictable across the estate.
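To make the role, access-group and time-schedule model concrete, here is an added example (not part of this guide, and not any product's configuration format): roles map to groups, each group grants a minimum door set under a schedule, decisions are deny-by-default, and a helper supports the quarterly review of who can reach high-risk doors. All names, doors and hours are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Time schedule: permitted weekdays (Mon=0) plus an hour window [start_hour, end_hour).
@dataclass(frozen=True)
class Schedule:
    days: frozenset
    start_hour: int
    end_hour: int

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour

@dataclass(frozen=True)
class AccessGroup:
    doors: frozenset   # door ids carry a site prefix so permissions cannot bleed across sites
    schedule: Schedule

ALWAYS = Schedule(frozenset(range(7)), 0, 24)
OFFICE_HOURS = Schedule(frozenset(range(5)), 7, 19)
EARLY_CLEAN = Schedule(frozenset(range(5)), 5, 9)

# Constructed sample data: each role maps to one group granting only the doors that role needs.
GROUPS = {
    "employee":    AccessGroup(frozenset({"HQ/front", "HQ/office-1"}), OFFICE_HOURS),
    "cleaner":     AccessGroup(frozenset({"HQ/front", "HQ/office-1", "HQ/office-2"}), EARLY_CLEAN),
    "it-engineer": AccessGroup(frozenset({"HQ/front", "HQ/office-1", "HQ/comms-room"}), ALWAYS),
}
USERS = {"alice": {"employee"}, "bob": {"cleaner"}, "carol": {"it-engineer"}}  # holder -> roles

def is_permitted(user: str, door: str, when_iso: str) -> bool:
    """Deny by default; grant only if one of the user's roles covers this door at this time."""
    when = datetime.fromisoformat(when_iso)
    for role in USERS.get(user, set()):
        group = GROUPS[role]
        if door in group.doors and group.schedule.allows(when):
            return True
    return False

def who_can_reach(high_risk_doors) -> dict:
    """Quarterly review helper: for each high-risk door, the (user, role) pairs able to open it."""
    return {
        door: sorted((u, r) for u, roles in USERS.items() for r in roles if door in GROUPS[r].doors)
        for door in high_risk_doors
    }
```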

Joiners–Movers–Leavers (JML) and temporary access

Publish a short JML procedure:

  • Joiners: how identity is verified, credential issued (card/fob/mobile), and group assigned. 
  • Movers: how access changes are requested/approved and implemented (with audit). 
  • Leavers: how and when access is revoked (same day), including contractors and temps. 

Treat temporary access (e.g., project contractors) as time-boxed from the start. For receptions and deliveries, integrate video entry so manual releases are logged via the controller, not bypassed with a dry contact.
(See: Entry Phone Installation.)

Life safety policy (non-negotiable)

Security must never impede escape. Your written policy must state that electronically controlled doors on escape routes release on fire alarm and on relevant fault conditions, with the interface to the fire system designed and witness-tested. Reference BS 7273-4:2015+A2:2023 and record test results at commissioning and drills; treat the “critical signal path” as a design line-item, not a late change. 

Administration & change control

Document who can administer the system (named roles), how changes are approved, and what is logged:

  • Role-based admin accounts; no shared logins. 
  • Strong authentication for admins (MFA) and secure admin paths (especially for cloud-managed systems) aligned with NCSC Cloud Security Principles—identity and secure administration. 
  • Time-synced logs; configuration backups after significant changes. 
  • A simple change form for new doors, integrations, schedules and holiday calendars.

Credential policy: cards/fobs, mobile and PINs

Write down which credentials are allowed, where, and when to step up to two-factor (e.g., card + PIN for comms rooms). If you issue mobile credentials, set the BYOD ground rules (screen lock, current OS, immediate revocation on loss) and point to your IT device policy. NCSC’s BYOD and cloud guidance provide a vendor-neutral benchmark for identity, device assurance and admin hardening. 

For touch-free journeys at busy doors, specify where hands-free readers are permitted and how far they should trigger—then test them against your throughput and tailgating risk.
(See: Hands-Free Access Control.)

Biometric policy (only if genuinely needed)

If you use biometric recognition (fingerprint, face, iris, vein) to identify people, you’re processing special category biometric data under UK GDPR. Your policy must cover:

  • Necessity & proportionality versus less intrusive options. 
  • A DPIA before deployment; a lawful basis and Article 9 condition. 
  • Alternatives for those unwilling/unable to enrol (e.g., card+PIN). 
  • Biometric template security, retention and deletion; who can enrol/delete; how it’s audited. 

The ICO’s biometric guidance is explicit on these obligations—build them into your policy and supplier due diligence. 

Visitor and contractor procedures

Publish a reception SOP that covers pre-registration, verification, issuing time-limited least-privilege credentials (QR/mobile/card), and checkout. Pair your visitor management system (VMS) with the access platform so every grant/expiry is an access event, not an unlogged relay. Keep privacy information concise and visible; the ICO’s surveillance guidance is a good yardstick for transparency and retention.
(See also: CCTV–Access Control–Alarm Integration.)

CCTV & alarm integration rules

Spell out which access events should trigger which actions: e.g., “forced door = bring up the associated camera; first-in disarms intruder zone; last-out arms.” Decide who reviews alerts and within what time. This turns “integration” from a wiring exercise into an operational playbook your team can follow and auditors can verify. The ICO’s video surveillance guidance will help you keep signage, retention and rights handling in order. 
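An added example (not from this guide or any vendor's software) of turning those written rules into something an operator can run and an auditor can verify: a small rules engine that replays a controller event export and emits the camera call-up, alert, disarm and arm actions the policy describes. The event format, door-to-camera map and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed event format (an assumption about a typical controller export).
@dataclass(frozen=True)
class AccessEvent:
    seq: int
    kind: str      # "granted", "forced" or "exit"
    door: str
    zone: str      # intruder-alarm zone the door belongs to
    user: str = ""

DOOR_CAMERA = {"HQ/front": "cam-01", "HQ/comms-room": "cam-07"}   # assumed door-to-camera map

class IntegrationRules:
    """Applies the written rules: a forced door calls up its camera and alerts the operator;
    the first person into a zone disarms it; the last person out re-arms it."""
    def __init__(self):
        self.occupants = defaultdict(set)          # zone -> users currently inside
        self.armed = defaultdict(lambda: True)     # zones start armed

    def handle(self, ev: AccessEvent) -> list:
        actions = []
        if ev.kind == "forced":
            actions.append(f"callup {DOOR_CAMERA.get(ev.door, 'no-camera')} for {ev.door}")
            actions.append(f"alert operator: forced door {ev.door}")
        elif ev.kind == "granted":
            was_empty = not self.occupants[ev.zone]
            self.occupants[ev.zone].add(ev.user)
            if was_empty and self.armed[ev.zone]:
                self.armed[ev.zone] = False
                actions.append(f"disarm {ev.zone} (first-in: {ev.user})")
        elif ev.kind == "exit":
            self.occupants[ev.zone].discard(ev.user)
            if not self.occupants[ev.zone] and not self.armed[ev.zone]:
                self.armed[ev.zone] = True
                actions.append(f"arm {ev.zone} (last-out: {ev.user})")
        return actions

def run_rules(events) -> list:
    """Replay events in sequence order (exports are not always sorted) and collect actions."""
    rules = IntegrationRules()
    return [a for ev in sorted(events, key=lambda e: e.seq) for a in rules.handle(ev)]

SAMPLE = [  # constructed events, deliberately out of order
    AccessEvent(2, "granted", "HQ/front", "ground-floor", "bob"),
    AccessEvent(1, "granted", "HQ/front", "ground-floor", "alice"),
    AccessEvent(3, "forced", "HQ/comms-room", "comms"),
    AccessEvent(4, "exit", "HQ/front", "ground-floor", "alice"),
    AccessEvent(5, "exit", "HQ/front", "ground-floor", "bob"),
]
```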

Network & power policy

Modern electronic access control systems (EACS) are IP systems. Set rules for:

  • Network segmentation (dedicated VLANs for controllers/gateways), changed defaults, and firewall rules for any cloud links. 
  • Deterministic edge operation: controllers continue to enforce policy on cached permissions during WAN/server outages; events reconcile later (your standard under EN/IEC 60839-11-1 should expect this behaviour). 
  • Power & standby: supervised PSUs, UPS where required, and documented tests of fail-safe/fail-secure behaviour on power loss. 
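The "deterministic edge operation" bullet is the one most often misunderstood at acceptance testing, so here is an added model of it (constructed for this guide, not any controller's firmware): the door decides from the permission table cached at its last sync whether or not the server is reachable, queues every event until acknowledged, and only picks up server-side changes (including leaver revocations made during the outage) when it reconnects. Names and formats are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of a door controller operating on cached permissions.
@dataclass
class DoorController:
    door: str
    cache: set                 # credentials permitted at this door as of cache_version
    cache_version: int = 0
    online: bool = True
    pending: list = field(default_factory=list)   # events not yet uploaded to the server
    next_seq: int = 1

    def decide(self, credential: str) -> bool:
        """Same decision online or offline: the cached table is the only source of truth at the edge."""
        allowed = credential in self.cache
        self.pending.append({"seq": self.next_seq, "door": self.door, "cred": credential,
                             "result": "granted" if allowed else "denied",
                             "offline": not self.online})
        self.next_seq += 1
        return allowed

    def stale_grants(self, server_cache: set) -> set:
        """Credentials this door still honours that the server has since revoked (a leaver risk until sync)."""
        return set(self.cache) - set(server_cache)

    def sync(self, server_cache: set, server_version: int) -> list:
        """On reconnect: upload queued events in sequence order, then adopt the newer table."""
        self.online = True
        uploaded, self.pending = self.pending, []
        if server_version > self.cache_version:
            self.cache, self.cache_version = set(server_cache), server_version
        return uploaded

def outage_scenario() -> dict:
    """Walk through a WAN outage: decisions continue, then events reconcile and the table updates."""
    ctl = DoorController("HQ/comms-room", {"carol"}, cache_version=3)
    ctl.online = False
    during = [ctl.decide("carol"), ctl.decide("dave")]   # carol allowed, dave denied, both logged offline
    stale = ctl.stale_grants({"dave"})                    # server revoked carol and added dave meanwhile
    uploaded = ctl.sync({"dave"}, 4)
    after = [ctl.decide("carol"), ctl.decide("dave")]
    return {"during": during, "stale": stale, "uploaded": len(uploaded),
            "after": after, "version": ctl.cache_version}
```

The `stale_grants` check is the point to test at commissioning: a same-day revocation is only effective at a door once that door has re-synced.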

For estates modernising multiple systems, align on a common security underlay (PoE budgets, VLANs, secure remote admin).
(See: IP Security System Installation.)

Data protection & transparency

Publish a short privacy notice for staff, contractors and visitors that covers: what you collect (events, possibly images), why, retention, and rights. Keep retention proportionate and automated; avoid “keep everything forever”. The ICO’s CCTV/surveillance guidance includes practical checklists for signage, retention and subject access handling—apply the same discipline to your access logs. 

Training, drills and audits

Good policy is useless without practice. Schedule:

  • Admin training (add/remove users, reports, holiday tables, incident triage). 
  • Reception training (verification, issuing passes, visitor privacy). 
  • Life-safety drills that explicitly test door release on alarm and relevant faults in line with BS 7273-4 (record results). 
  • Quarterly audits of access groups, high-risk doors, CCTV correlations and admin accounts. 

Use a recognised code of practice (e.g., NSI NCP 109, current Issue 4) to structure documentation, commissioning and maintenance so acceptance tests are predictable and repeatable. 

Incident response (security and privacy)

Define what constitutes an incident (e.g., repeated forced-door alarms; credential cloning suspicion; controller compromise; privacy breach), who leads the response, and how you preserve evidence (access logs, CCTV exports). Include a route to your DPO for potential personal-data breaches so you can assess notification duties quickly. ProtectUK’s access-control guidance is a useful reminder to formalise policy, procedure and incident planning—not just technology. 

Procurement & acceptance

Bake these policies into your specification and acceptance tests so suppliers design for them from day one. Cite EN/IEC 60839-11-1 for system behaviour, BS 7273-4 for release on alarm/fault, and NSI NCP 109 for delivery discipline. Witness the tests; capture as-built drawings, configuration exports and admin training sign-offs at handover. 

Putting it all together

If you codify outcomes, least-privilege roles, JML, life-safety behaviour, admin security, and privacy into short, workable procedures—and test them—you’ll have doors that are safer, faster and easier to live with. The technology is important, but the policy is what turns it into a dependable control.

If you want this turned into a site-specific policy pack (door schedule, admin SOP, visitor flow, commissioning tests and a privacy bundle), we’re happy to help you design and implement it—plus integrate doors with alarms and cameras so operators get context, not noise.
(See: CCTV–Access Control–Alarm Integration.)

 
