Font Size: A A A


NCP 109

Richard Jenkins, Chief Executive at the National Security Inspectorate (NSI) writes on the updating of the code of practice NCP 109 for access control systems.

Growth in demand for access control tools and systems facilitating ‘gate keeper’ activity follows inevitably from heightened security concerns, the General Data Protection Regulation (GDPR), and the benefits of monitoring presence of people and materials. Technological developments mean the cost-benefit equation of access control systems is compelling as facilities managers strive to deliver security where their clients, staff, employees, visitors, and indeed all users can go about their business. Wireless technology, the adoption of IoT-based security systems, cloud computing and enhanced functionality are all driving deployment. The choice facing buyers is staggering. Determining genuine needs and ensuring system design is fit-for-purpose is all the more challenging. NSI approval signals capable and competent providers well placed to interpret customer needs and deliver solutions that work. NSI approvals cover a wide range of international and British standards as well as ‘in house’ codes of practice.

What is NCP 109?
It draws on the Equality Act 2010, British Standard BS 7273-4 for fire protection (activation of release mechanisms for doors) and BS 7671 for electrical installations, all key to safe and well-designed systems. The latest edition, issue 3 embraces new technologies and methods, and helps ensure NSI approved access control installers remain at the forefront of the industry. It equips companies with robust capability to advise on the most appropriate system based upon the needs of each building or premises to be managed. It covers the assessed threat, determining points of higher exposure and expected people flows, means of escape in the event of a fire or security incident, and the most suitable type of recognition technology. A risk assessment is critical, to identify risks, the location of all access points to be secured and monitored, and any requirement for video surveillance and remote monitoring. The assessment is factored in to the design, which involves managing the risk classification for access points, how this may vary (inside-outside working hours, in daylight or hours of darkness, at weekends, or other open-closed periods. NCP 109 requires installers to assign each system access point with a risk classification: Class I (low risk), II (low to medium), III (medium to high) and IV (high risk).

Changes in Issue 3
NCP 109, Issue 2 is based on EN 50133 parts 1 and 7 published in 1999. Issue 3, embraces technologies now applied in access systems. Issue 3 draws on the more recent standard BS EN 60839 series, published in 2017. It defines procedures for communication between network clients and devices. This series of inter-operability standards makes it possible to build an access system with clients and devices from different manufacturers using common and well-defined interfaces. The standard classifies each access point (door, hardware and access components) based on the risk assessment. It also defines access functions that should be included based on risk levels, for example for higher risk access points anti-pass back, door forced alarms and door held open alarms, including the remote notification of emergency release operation. The standard outlines security measures in relation to access control. Where memorised credentials are used to gain access, for example, a code, the minimum number of possible code combinations should be increased in relation to the number of users with memorised credentials. Issue 3 also features use of IT networks and devices, including testing and cyber. Another key element of the new issue will be the reference of BS 7273-4 (code of practice for the operation of fire protection measures and the release mechanisms for doors) as a required standard.

Data storage
Record keeping and data security are key. Typically, ‘log-ins’ and permissions are a point of risk. Fail-safe system controls and procedures can ensure recognition log-ins are up to date, with permissions for staff or contractors who are given access added and withdrawn in a timely fashion – simple yet essential risk management. Access control systems store personal data which must be held securely, adhering to data protection including GDPR.

NSI is committed to making sure that well recognised codes of practice are relevant. The successful operation of access control systems is built on clear collaboration between specifiers, users and installers. Security can only be achieved with carefully developed and clearly understood specifications and usability in practice.

Customer perspective
From a client perspective choosing an NSI approved company provides confidence in the provider who is subject to an ongoing independent audit programme including sample inspections of installations, expressly focused on its competence and its business practices. All NSI Gold approvals include certification to BS EN ISO 9001 (for a company’s Quality Management System). Installers elect to adhere to the relevant standards – in this case NCP 109. NSI approval provides assurance to buyers that installers, operators and managers of access control systems deliver consistent best practice.

NSI approval provides assurance to buyers that installers, operators and managers of access control systems deliver consistent best practice with fit-for-purpose systems monitoring tagged materials and equipment and helping keep people safe.