Access Control Technology – A Best Practice Guide
23 March 2020
Access Control Technology is employed by public and private
organisations up and down the country. It’s a proven way to secure premises and
keep people safe, as well as a way to help comply with legislation such as
GDPR. But while the benefits are clear, procuring a system can be complex as
there are numerous things to consider from budget and maintenance costs, through
the number of people and premises it must cover to the type of security you
This guide sets out a five-step approach to identifying and
adopting the best access control for a setting and the questions you should ask
of your organisation and your prospective supplier.
Step 1: Agreeing the purpose
It’s really important that you have a clear
vision for the solution. In essence, you need to answer two questions: what are
the organisational goals and therefore why does your organisation need a
Many access control implementations centre
around security. Generally, this relates to keeping unauthorised people out of the
whole or parts of a building, such as a computer room, or a drug storeroom in a
hospital. Safety will also include having an accurate picture of who is in a
building in case of an emergency.
There are generally six main areas your
procurement decision should focus on. These are:
But counting people in and out isn’t just
about headcount. It’s also important for the purposes of managing the flow of
people and ensuring there are no bottlenecks at certain times of day. Any access
control system must support this and not add to the problem – you don’t want a
crush because a turnstile was in the way.
Then there are legislative compliance requirements
such as GDPR, especially if you are integrating it with other systems like CCTV. For
instance, these elements come into play if you have a camera that starts to
record when it detects movement in an area that is generally out of bounds, or
if you always have a camera recording the main entrance.
Though you may have legitimate reasons for
making the recording, you still need to inform everyone in the building that
you may be, or are, recording them. But more than
that, if someone is identifiable in the recording then you are operating under
GDPR and the ICO would need to know. Anyone who is recorded would also have the
right to access the footage.
You also need to consider how the information
of visitors is stored on the system you use to grant access permissions, as
that also requires GDPR compliance.
Your partner will be well versed in all of this,
so discuss it with them to make sure you get it right.
But whatever the scenario, you have to have a
clear understanding of how it would work with the existing infrastructure and
personnel. You may find you can achieve your goals by changing the scope of the
role of a receptionist. However, if managing the volume of people would be too
onerous or present a risk to that individual in this scenario, then technology
can lighten the load.
Another fundamental question is how much space
you have to allocate to your solution. Not all foyers are suited to large
turnstiles. Plus, you can add complications if the space is shared with other
tenants as they have to be prepared to share the installation.
As we’ve said, turnstiles, though highly
effective, do take up space and for that reason some companies will have
sensors by a door that recognise badges with specific access permissions
Management of the system
No matter the decision you take, there
is still always a need for a single point of contact for the system. This
person will be an administrator and facilitator for the system to ensure smooth
It’s worth thinking about this side of things as
you assess the technical solution because it may mean you need to alter job
specifications. We cover this in more detail in ‘Step 3’.
Finally, budget is a major influencing factor.
A turnstile is expensive compared to door sensors. Technologies like biometrics
add another dimension to budgets.
Ensuring you are adopting the right technology
and not technology for technology’s sake is vital at this early stage. But
it’s also worth looking ahead. You may not need some technology today, but you
may need it in five years’ time. Your budget will go further if you factor in
this evolving need from the start and invest in technology that can grow with
Step 2: Making the right decision – which technology suits the
This really comes down to how you need to
validate access and the information you need to know.
Turnstiles and permission cards
If it’s a case of keeping people out, and/or
you only need to know how many people are in a building at any one time but not
necessarily who they are, then a turnstile or door reader that simply
recognises a valid permission card may be sufficient.
Specific access permission rights
However, if it’s imperative you know who is
coming through the turnstile then you’ll need a system that can configure cards
with specific access permissions. These can last for a set period of time or
If you need very high security that must
identify someone as an individual from a personal characteristic, then a biometric
reader is sensible. Common choices include optical or thermal fingerprint
Of course, you may find you need a combination
of solutions to suit the different ways a building operates. This is quite
common. A good technology partner will help you identify the best technology
combinations, so you meet your goals and budget.
Step 3: Managing the system
We’ve mentioned the importance of an
appointed manager for the system. That’s because there are a number of roles
they will need to perform:
Firstly, there is a logistical element
to all of this – getting passes to people. So many companies overlook
‘peripherals’ and the associated overhead in time and money this can create. A
solution that considers this and minimises effort is worth seeking out.
It’s also worth looking at how
important reporting is to your organisation and how much or little of it you
want. This is where the conversation will move to look at what systems you have
already and how they can be integrated. Some technology providers are happy to
make their systems talk to existing HR and Payroll systems for example.
When it comes to reporting, you need
to establish if a daily report is necessary or if it’s better to have one
weekly or monthly, as well as consider the importance of real-time alerts for a
breach. Not only that, you need to consider how you want alerts and reports
delivered – is an email sufficient, or do you need an immediate pop up prompt
on a computer screen so your risk exposure is minimal?
Finally, we always say you can’t
manage what you can’t measure so speak to your technology partner about the
best practice they support at other companies as this can greatly inform how
you structure your implementation.
Step 4: Implementation standards
When you have high standards, high
levels of security are achieved and maintained. Look for accreditations like
NSI Gold, which means implementations are carried out to the NCP-109 standard.
Above all, it’s a sign that your partner is providing high quality technology
that meets exacting standards and will evolve as your business does.
It’s also recommended you look for accreditations
such as Safe Contractor and Contractor Line, which are industry construction ‘kite
marks’ and represent providers you can trust.
You also need to ensure you will have
dedicated people who will oversee the roll out to a high standard. It’s vital
they can build a quick rapport with everyone involved so make sure you meet
them and build a relationship early on.
They will also oversee testing and
ensure nothing is signed off until standards are met. This can be forgotten in
the race to get the system installed, yet testing is so vital to build early
credibility with employees and visitors.
Step 5: System support after implementation
How will the system grow and adjust as
your business needs change? What support can you expect from your supplier? Are
software updates included? Will there be people available the minute I need
them? These are fundamental questions for long-term success and scalability.
As part of this it’s imperative you
understand the difference between full support contracts and reactive,
incident-only management contracts, as you could be left exposed.
Full support gives the assurances you
are covered if there is a fault or problem that prevents the system from
working, and software upgrades are included. This can’t be overstated. Look
for providers that provide this level of cover and invest the full-service fees
into their team so there is UK support on hand.
It’s clear there is a lot to think about. But the five steps
outlined above break the challenge down and ensure you select the best solution
for your organisation. Not only that, they will also put you on the right
path to finding the best partner to work with.