Workplace Physical Security Audit Checklist
The workplace security audit includes the verification of multiple systems and procedures – including the physical access control system – used for comprehensive workplace security.
For easy use, download the physical security audit checklist we've put together as a PDF.
The main points include:
- Is a documented workplace security policy covering the physical security aspects in place?
- Is access to the building/place restricted?
- Are all access points monitored manually or electronically?
- Is ID based access control in place?
- Do you maintain a visitor record/register?
- Are employees easily identifiable due to badges or other visual IDs?
- Are access cards, fobs or passwords highly secure?
- Is the surveillance system installed and up to date?
- Is security lighting properly installed and maintained?
- Is an alarm system installed and maintained?
- Do you check the access control, surveillance and lighting systems regularly?
- Is a testing record available to show?
- Are all documents related to physical access control procedures updated and available?
- Is workplace staff trained for emergency egress?
- Any other customized activity or items installed and updated?
How to Get Started with a Workplace Security Audit Template
Preparing a workplace security checklist is a detail-oriented analysis of your workplace security system, dealing with personal, physical, procedural and information security.
So you need to start by assessing security in each of those categories. You can also get the help of security consultancy organizations to create a customized workplace security checklist for your company, or draw on examples of workplace security checklists.
What Processes and Procedures Are Needed
- Security system maintenance and improvement plan
- Security policy and plan
- Data management policy
- Operational procedures
- Security audit checklist
Reading RFID, Bluetooth (BLE) or NFC formats connected through a data protocol directly to the access control panel.
Other than understanding a reader, you'll also need to know more about the different types of key cards.
This is a more modern reader type which can be integrated into IT systems.
The Kisi IP reader is connected to PoE and not wired back to an access control panel.
Here are details about the four types of proximity readers in more depth:
Standalone proximity readers
Sometimes those readers are called "panel free" because they are fully installed in a decentralized way. Think about it like programming a PIN code for each individual person on each individual reader - it's a great option for very small "quick fix" kind of installations but will generally increase the complexity: You have to go to each and every reader to test and activate the card, and you can't control access in real time but would need to deactivate the card on each reader. That's why they often come with PIN pads.
Kisi's opinion: We don't see anyone using these readers, however they are still being recommended by local locksmiths and integrators. Stay away.
Wireless proximity readers
Think about hotels - those readers you see on the locks are wireless readers. This means they are not wired to power (battery operated) and you don't have a wired data connection. Typically in the hallways you might see some small access points made by the same brand as the wireless readers - and sometimes the locks themselves. That's how the locks connect to an online environment: Via RF (radio frequency) they communicate on a power saving protocol to this access point, which is itself connected to the internet. That way you don't have to physically connect each lock but at the same time have real time updated information.
Kisi's opinion: If you don't have 50+ doors, don't even think about doing it. Someone has to update all the batteries in the locks.
Proximity readers (prox readers)
Proximity readers, commonly called "prox readers", are the most frequently used type of reader in commercial environments. They are universally compatible with pretty much any access control system, since they typically communicate on a protocol invented around 1974, named the "Wiegand Protocol". Conforming to the lowest possible standard comes with a problem: each of those prox readers has been hacked and can be hacked by anyone who follows instructions. Here are some examples: Hack HID, Copy a prox ID card or the Wiegand vulnerability.
Kisi's opinion: Proximity readers are a great "default" for standard environments. However they lack more advanced options which allow for scalability, security and future readiness.
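To illustrate why a Wiegand line is weak, the following added example (not Kisi's code) decodes the widely used 26-bit Wiegand frame, a format this page does not name and which is assumed here: one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit. The function names and the sample credential are constructed for illustration.

```python
# Added example: decode the common 26-bit Wiegand frame (assumed format).
# Layout: 1 even-parity bit | 8-bit facility code | 16-bit card number | 1 odd-parity bit.
from typing import NamedTuple


class Credential(NamedTuple):
    facility_code: int
    card_number: int


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Build a frame as a reader would emit it (used to construct sample input)."""
    if not (0 <= facility_code < 2**8 and 0 <= card_number < 2**16):
        raise ValueError("value out of range for the 26-bit format")
    data = f"{facility_code:08b}{card_number:016b}"
    even = data[:12].count("1") % 2       # makes the first 13 bits even
    odd = 1 - data[12:].count("1") % 2    # makes the last 13 bits odd
    return f"{even}{data}{odd}"


def decode_26bit(frame: str) -> Credential:
    """Validate length and both parity bits, then return the cleartext fields."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    if frame[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if frame[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return Credential(int(frame[1:9], 2), int(frame[9:25], 2))


def reads_are_distinguishable(frame_a: str, frame_b: str) -> bool:
    """The panel sees only the frame: no counter, nonce or MAC is present."""
    return frame_a != frame_b


# Constructed sample: facility code 42, card number 12345 (not a real credential).
SAMPLE = encode_26bit(42, 12345)

if __name__ == "__main__":
    print(SAMPLE, decode_26bit(SAMPLE))
    second_read = encode_26bit(42, 12345)
    print("second read distinguishable:", reads_are_distinguishable(SAMPLE, second_read))
```

The frame carries the identifier in cleartext with only parity for error detection, so the panel has no field by which to tell a fresh read from a repeated one.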
IP readers (IP connected proximity readers)
Currently the most advanced version of readers - due to their IP connectivity, they can be fully integrated into IT environments. Also, data traffic to and from those readers can be controlled and secured more easily. Think about the installation as similar to that of any CCTV camera.
Kisi's opinion: Well, we decided to build an IP reader, and the reason why we did it is because it is what proximity readers are not: integrable, future proof, manageable at scale and secure.
IP readers are great for security because there is no direct connection between the reader and the panel. That means the line cannot be intercepted / tampered with, since everything has to run through your firewall on the switches first before talking to the other device.
Here is an example of how Kisi's IP based Pro Reader is connected. Notice how there is no connection between the reader and the controller.
How do proximity readers work with other components
We get it, you are planning a fancy office, how to specify electric door hardware is the last item on your mental to do list. Always remember, if you’d like to be in a nice office like below, you will always have to unlock the door!
That’s why a lot of construction and architecture companies ask us how to specify electric door hardware into their project. Mostly it also includes swipe card readers from Kisi. When thinking about how to specify electric door hardware, it is important to think about more than just the reader (which might be the only part visible to the user). That is exactly the reason why we came up with this guide: to make your life as easy as possible.
Some of the hardware products covered in this overview are:
- Card readers / Proximity readers
- Magnetic and mortised locks
- Safety devices
You can use this guide also to specify electric door hardware that is not manufactured by Kisi, such as HID readers. However keep in mind the vulnerabilities that exist in those products, see posts:
Timing: When to specify electric door hardware
The best phase to start looking at this is when your construction company starts drafting the plans. Typically they need to indicate wiring or cable runs. Once the walls are closed you can still install all hardware, but cables need to be pulled when walls are open.
The other critical part is specifying the doors. It is paramount to not specify a sliding door, because they mostly do not work with electric door hardware.
Here are the ideal construction related installation requirements for Kisi or electronic door hardware in general. If Kisi comes in to install in a newly constructed space and those requirements are not met, we cannot guarantee that project deadlines will be met.
Using the floor plan for planning access control
Typically the architect or engineering consultant draws a schematic of the wiring plan including wire runs, where they are dispatched to and any hardware installed. Here are some schematic basics you might want to include:
- Reader
- Motion sensor
- Push to exit button
- Lock
- Wire
Door planning: In the past it helped many companies to visualize the plans with the specific picture of the existing door. Here is an example:
Specify electric door hardware (locks) to use for swipe card reader compatibility
Any wired lock such as an electric strike, wired mortise lock or electromagnetic lock should work and can be included in the construction scope. To understand the difference between smart locks and commercial grade access control systems you can look at this comparison, which includes use cases for connected lock manufacturers like Kevo, Lockitron and August.
Whatever lock you end up choosing, one cable needs to be dispatched to the lock position. This cable will connect the door security hardware AND the motion sensor or push to exit (if required). That’s why we typically recommend pulling CAT5e or CAT6 cable rather than regular low voltage cable.
We also have a wiring diagram ready in our installation guide. Generally you might look for wiring diagrams for electric door hardware which are included in the document.
Electric strike wiring diagram
If it’s for a regular door, installed on the door frame next to the lock.
Magnetic lock wiring diagram
If it’s for a glass door with magnetic locks, installed on top of the door.
Wired mortise lock wiring diagram
If you’d like to avoid an electric strike and wire the cable through an electric hinge to the wired mortise lock that replaces the regular lock.
Advice on other locks
One note about sliding doors: They are NOT recommended. They look very elegant but are absolutely not usable with wired electronic locks.
Generally all locks are wired to a power source. Typically the power source is in the IT – or communications room. However if it’s a small one door installation you could also wire the lock to a power source close to the door. Keep in mind this shouldn’t be accessible for the regular user, otherwise you might end up with manual interference.
Now let’s spec the swipe card reader – or proximity reader
Kisi's state-of-the-art swipe card reader is our Pro Reader. For ease of understanding we stick with the industry standard “swipe card reader”.
The first question we typically get is about mounting specs.
Mounting specs of the reader device
A Kisi swipe card reader is on-wall mounted. The Kisi readers come with set screws to mount. The reader cable needs to be dispatched to the reader height next to the door 48” from the floor, with minimum distance of 10” from the door frame.
Wiring diagram for swipe card reader
The next question typically revolves around cables: The Kisi Pro Reader works best with a wired CAT5e or CAT6 cable pulled from the future position of the swipe card reader to the IT room. Which CAT cable it is doesn’t really matter for us; your cabling company might have preferences depending on quality and distance.
The reader must be installed outside the door on the same side of the door as the door handle. That is, if the door handle is to the left of the door, install the reader to the left of the door.
Do you already think “that’s a lot of cable going on here”? I’ve recently been in an office buildout construction site where we took this picture:
That’s around 80 boxes of CAT6 cable. If you ever looked at the price of one box, you know there might as well be a small luxury sports car standing around. It’s what it costs. Cabling is not cheap and it shouldn’t be the place where you save, because most likely you will never have a chance to change or edit the cable runs during the entire time you stay in the office.
Important: The beginning and end of the cable have to be labelled with the door name, so there is no confusion as to which cable to choose.
Option: Front desk wire – Most companies prefer to have a hardwired unlock button at the front desk, so there needs to be a signal cable run to the front desk from the IT room.
Installing access control panels in server / IT room
Ideally Kisi controllers are mounted on a wall mount wood board at a height of 5 to 6 feet above the ground. There needs to be 2 power outlets for every one Kisi controller.
All wiring must be secured to the wall with a staple gun or wire tie downs. Ideal compatibility is a drop ceiling.
The Pro Controller needs an ethernet CAT5e or CAT6 cable for data connectivity, a twisted pair power cable and enough space for running up to four door signal cables as well as alarm panels and if needed backup power. More details about this in the next paragraphs.
To give you an idea of what a very large installation could look like:
Sorry to disappoint, typically it never looks that nice, but just keep it in mind as a goal to strive towards.
Power and functionality backup
The failover power backup systems are typically the most confusing part of construction planning. Our first advice is always to check if the building has a backup generator for power. That saves all the trouble. Otherwise, for emergency requirements you’d need a 24h backup battery spec’d for the number of locks you have.
The typical backup battery brand recommendation would be Altronix.
For functionality backup, a physical analog backup must be installed in the form of a manual key override or PIN pad.
Connecting fire safety and fire alarm to access control
The fire safety system can be connected with Kisi via dry contacts normally open or normally closed. The fire vendor / architect has to specify emergency push bars where needed. A typical brand used for fire / emergency panels is Bosch.