Richard Jenkins, Chief Executive at National Security Inspectorate (NSI) writes on the updating of the code of practice NCP 109 for access control systems.
A recent market size and trends research report shows the global access control market is set to grow by a compound annual growth rate (CAGR) of over 8pc until 2022 (Source: Memoori – Market Size and Major Trends in the Access Control Market 2017 to 2022). This growth in demand for tools and systems facilitating ‘gate keeper’ activity follows inevitably from heightened security concerns, the introduction of the General Data Protection Regulation (GDPR), and the benefits of monitoring presence of people and materials.
Technological developments mean the cost-benefit equation of access control systems is compelling as facilities managers strive to deliver secure environments where their clients, staff, employees, visitors, and indeed all users – can go about their business safely and effectively. Wireless technology, the adoption of IoT-based security systems, cloud computing and enhanced functionality are all driving deployment. The choice facing buyers is staggering. Determining genuine needs and ensuring system design is fit-for-purpose is all the more challenging. NSI approval signals capable and competent providers well placed to interpret customer needs and deliver solutions that work. NSI approvals cover a wide range of international and British standards as well as ‘in house’ codes of practice.
What is NCP 109?
NCP 109 Code of Practice for the “design, installation and maintenance of access control systems” is NSI’s ‘in house code of practice expressly written for installers of access control systems, and against which NSI will routinely audit NSI Gold and Silver approved companies to verify compliance.
It draws on the Equality Act 2010, British Standard BS 7273-4 for fire protection (activation of release mechanisms for doors) and BS 7671 for electrical installations, all key to safe and well-designed systems. The latest edition, NCP 109, Issue 3 embraces new technologies and methods, and helps ensure NSI approved access control installers remain at the forefront of the industry.
It equips companies with robust capability to advise on the most appropriate system based upon the individual needs of each building or premises to be managed. It covers matters such as reviewing the assessed threat, determining points of higher exposure and expected people flows, means of escape in the event of a fire or security incident, and the most suitable type of recognition technology.
A risk assessment is a critical requirement within NCP 109 to identify risks and recognition needs, the location of all access points to be secured and monitored, and any requirement for video surveillance and remote monitoring. The risk assessment is then factored in to the design, which involves managing the risk classification for access points, how this may vary e.g. inside/outside working hours, during daylight/hours of darkness, at weekends, or during other open/closed periods. NCP 109 requires installers to assign each system access point with a risk classification according to the level of security required: Class I (low risk), Class II (low to medium risk), Class III (medium to high risk) and Class IV (high risk).
What are the changes in Issue 3?
NCP 109, Issue 2 is based on EN 50133 parts 1 and 7 published in 1999. The new Issue, Issue 3, embraces technologies now applied in access control systems. NCP 109, Issue 3 draws on the more recent standard BS EN 60839 series, published in 2017. It defines procedures for communication between network clients and devices. This series of interoperability standards makes it possible to build an access control system with clients and devices from different manufacturers using common and well-defined interfaces. The standard includes requirements that relate to current IT networks and classifies each access point (door, hardware and access control components) based on the risk assessment. It also defines access control functions that should be included based on risk levels, for example for higher risk access points anti-pass back, door forced alarms and door held open alarms, including the remote notification of emergency release operation.
The standard outlines enhanced security measures in relation to access control. Where memorised credentials are used to gain access, for example, a code, the minimum number of possible code combinations should be increased in relation to the number of users with memorised credentials. Issue 3 of NCP 109 also features a section on the use of IT networks and devices, including testing and cyber security. Another key element of the new issue will be the reference of BS 7273-4 (Code of practice for the operation of fire protection measures and the release mechanisms for doors) as a required standard.
Data storage
The management of record keeping and data security are key factors for consideration within access control systems. Typically, individuals ‘log-in’ and permissions are a point of risk. Failsafe system controls and procedures can ensure recognition log-ins are up to date, with permissions for employees or contractors who are given access added and withdrawn in a timely fashion – simple yet essential risk management. Access control systems store personal data which must be held securely, adhering to data protection requirements including GDPR.
Standards
NSI is committed to making sure that well recognised Codes of Practice, such as NCP 109 are relevant and designed to:
•Demonstrate the credentials of specialist security providers to buyers and users.
•Help ensure good practice by providers and operators in managing security risk.
•Provide a framework to assist specifiers, installers and users in establishing risk, needs and requirements.
•Assist specifiers and users in determining the appropriate level of security and sophistication required for a given application.
•Assist system designers in meeting specifier or user requirements.
The successful operation of access control systems is built on clear collaboration between specifiers, users and installers. Security can only be achieved with carefully developed and clearly understood specifications and usability in practice.
The customer perspective
From a client perspective choosing an NSI approved company provides confidence in the provider who is subject to an ongoing independent audit programme including sample inspections of installations, expressly focused on its competence and its business practices. All NSI Gold approvals include certification to BS EN ISO 9001 (for a company’s Quality Management System). System Installers elect to adhere to the relevant standards – in this case NSI Code of Practice NCP 109. They benchmark themselves against NSI approval schemes demonstrate commitment to the highest standards of competence in the design, delivery, operation, management and maintenance of access control systems. NSI approval provides assurance to buyers that installers, operators and managers of access control systems deliver consistent best practice with fit-for-purpose systems monitoring tagged materials and equipment and helping keep people safe.
About the NSI
The UKAS-accredited third party certification body covers the security, fire safety and guarding services sectors, helping to protect businesses, public organisations, homeowners and the general public through rigorous audit of more than 1800 security and fire safety providers nationwide.
The United Kingdom Accreditation Service (UKAS), is the UK’s sole National Accreditation Body, responsible for determining, in the public interest, the technical competence and integrity of organisations offering third party certification, in accordance with International Standards for Accredited Certification of Management Systems such as ISO 9001 (ISO 17021) and application Standards pertinent to security and life safety such as BS 7958 for CCTV (ISO 17065).
