Physical and facility security is the protection of buildings, sites, and the people in them through physical and electronic controls, applied in layers and matched to the risk. In Australia, base building security is guided by the Standards Australia handbook SA HB 188:2021, with sector-specific standards such as AS 4485 for healthcare facilities. Good physical security is designed in, not bolted on.
For facility and building managers, developers and security designers, the question is rarely whether to install a control but which controls the risk actually justifies, and in what order. This page explains the discipline, the applicable standards, how defence-in-depth and CPTED work, and how physical security fits within the wider program framework.
Overview
What is physical and facility security?
Physical and facility security protects an organisation’s people, assets and information through tangible controls: the way a site is laid out, how its perimeter is secured, who can enter which areas, and how intrusion is detected and responded to. It is a discipline in its own right and, in government settings, a domain of the Protective Security Policy Framework.
It works best as defence in depth: a series of layers, each adding a control, so that defeating one layer does not hand an intruder the objective. The diagram further down shows those layers, from the perimeter through to the critical assets at the centre.
The standards
The standards for base building security
Base building security in Australia is guided by SA HB 188:2021, the base-building physical security handbook. It addresses building risk from threat sources such as terrorism, civil commotion and malicious damage, and sets out how to assess those threats and apply suitable controls. It applies to public, private and not-for-profit buildings of any size, and is particularly relevant to commercial, industrial, retail and large residential properties. It was developed with the Australian Reinsurance Pool Corporation and ASIO, and builds on the ISO 31000:2018 risk process.
Some sectors have their own physical security standards. AS 4485:2021, Security for healthcare facilities, is one example: it sets requirements specifically for the security of healthcare facilities and is not a general physical security standard. Where a sector standard applies, it sits on top of the general approach rather than replacing it.
Security in design
Designing security in: layered defence and CPTED

Defence in depth arranges controls in concentric layers, from the perimeter inward, so that risk is reduced progressively rather than relying on a single barrier. CPTED, crime prevention through environmental design, designs security into the built environment through four principles: natural surveillance, natural access control, territorial reinforcement, and space management and maintenance.
Designing security at the planning stage is cheaper and more effective than retrofitting it later, which is why physical security should be integrated while a site or building is still on the drawing board.
The controls
Access control, perimeter and electronic security
The practical controls span several disciplines, each specified to the risk rather than to a product catalogue.
- Perimeter protection. Fencing, lighting, landscaping and, where vehicles are a threat, hostile vehicle mitigation.
- Access control. Controlling who can enter which areas, and zoning the site by sensitivity so that access matches need.
- Electronic security. CCTV, intrusion detection and alarms, and the wider electronic security systems that detect and record activity.
- Detection and response. The procedures and people who turn a detected event into a timely response.
Security incident response
Responding to a security incident
Physical measures reduce the likelihood of a hostile act, but an organisation also needs a planned response to incidents that can still occur, such as an active armed offender, an intruder, or a bomb threat. A clear response sets out how staff recognise a threat, take protective action and work with police, and how the incident is reported and managed.
For public-facing and crowded sites, the Australian reference point is the Active Armed Offender Guidelines for Crowded Places, developed by the Australia and New Zealand Counter-Terrorism Committee and published through the national crowded places resources [4]. The guidance applies a prevent, prepare, respond and recover approach that organisations can adapt to their own sites.
A security incident can escalate beyond the immediate response. When it does, it is taken up by the crisis management team, and the response itself should be practised through the exercising and testing programme, so that people know what to do before an incident occurs.
The bigger picture
How physical security fits the wider framework program
Physical security is one layer of a wider program. The controls an organisation needs are set by its security risk assessment, which decides which physical measures the risk justifies. In government, physical security is a domain of the PSPF. For critical infrastructure, it is one of the hazard vectors a SOCI Act risk-management program must address.
Treating physical security as part of the framework program, rather than a standalone fit-out, keeps the controls proportionate and defensible.
How we help
How Agilient supports physical and facility security
Agilient assesses and designs physical security to mitigate the risk, independent of any product or installer. The work spans government, healthcare, aviation, defence and critical infrastructure.
Physical security assessments
A risk-based review of a site or building and its controls.
Security in design and CPTED
Designing security into new sites and refurbishments.
Access control design
Zoning and access control matched to sensitivity and need.
CCTV and surveillance design
Camera and detection coverage specified for the risk.
Perimeter and HVM
Perimeter protection and hostile vehicle mitigation.
Security plans and documentation
Plans and procedures that evidence the controls in place.
Agilient works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.
Get your physical security designed for the risk
A physical security assessment establishes which controls your site actually needs and in what order before any equipment spending.
Arrange a physical security assessment or book a short briefing

References
- Standards Australia, SA HB 188:2021 Base-building physical security handbook, standards.org.au
- Standards Australia, AS 4485.1:2021 and AS 4485.2:2021 Security for healthcare facilities, standards.org.au
- Standards Australia, AS ISO 31000:2018 Risk management — Guidelines, standards.org.au
- Australia and New Zealand Counter-Terrorism Committee, Active Armed Offender Guidelines for Crowded Places, nationalsecurity.gov.au
