New access control standards a welcome addition

Access Control Standard

Andrew Thorburn, Enterprise Security & Risk Manager at Atlas Gentech, provides insights into the new Australian/New Zealand access control standard, highlighting the importance of standards for the entire supply chain from manufacturers to installers to end users.

In the June-July 2018 edition of NZSM, immediate past New Zealand Security Association (NZSA) Board Chair, Doug McCormick wrote an insightful piece titled, “It’s time New Zealand caught up; Why we need standards for electronic security”.

In his article, Doug raised the issue of the absence of a standard for access control systems in Australia and New Zealand. However, he did acknowledge the existence of a series of standards for intruder alarm systems, albeit dated and requiring revision.

Almost two years later, Australian Standards and New Zealand Standards have adopted the proposed IEC (International Electrotechnical Commission) standard for access control. This joint Australian/New Zealand standard is comprised of two parts (which are, in effect, two distinct standards): 

  • AS/NZS IEC 60839-11-1:2019 Electronic access control systems – System and components requirements (Part 11-1), and 
  • AS/NZS IEC 60839-11-2:2019 Electronic access control systems – Application guidelines (Part 11-2)

The Standard was produced by a subcommittee, the Joint Technical Committee EL-031, Intruder Alarm Equipment and Installations, consisting of experts from several European countries, Canada and New Zealand.

As a member of the Committee, the NZSA was represented by immediate past chair, Doug McCormick, and current board member, Matt Stevenson. The Standard was approved by the New Zealand Standards Approval Board on 4 December 2019.

Why standards?  In the article Doug stated, “established standards are invaluable for manufacturers and suppliers as they set benchmarks for export and confirm to customers that their products are designed to and incorporate features to a recognised level”.

As many standards are voluntary, the debate of aligning to them or not is another topic and will not be covered within this article, but keep an eye out in the next issue of NZSM.  However, it is important to note that standards relating to safety are deemed mandatory by government. These include, but are not limited to, electrical, fire protection and building, but they don’t include security.

What is encouraging to observe in this new Standard is the use of a performance-based approach, aligned to the outcome of threat, vulnerability and risk assessments, thus identifying an organisation’s risk appetite and what solution or treatment is most appropriate and proportionate to their requirement(s).  The same model used in the HOSDB CCTV Operational Requirements Manual 2009 and as part of the NZSA Codes of Practice technology solutions audits.

It is important to note, however, that the Standard does not cover the methods or procedures for conducting a risk assessment.

This performance-based approach also ensures room for product innovation and interpretation for how to meet the requirement(s).

Where an electronic access control system includes functions relating to hold-up or the detection of intruders, the requirements in the Standards relating to intrusion and hold-up are also applicable.

Part 11-1: System and components requirements

The objective of Part 11.1, is to specify the minimum functionality, performance requirements and test methods for electronic access control systems (EACS) and components used for physical access (entry and exit) in and around buildings and protected areas. It is intended for the system manufacturer, hardware, firmware and software developer to ensure compliance and conformity to the standard, and it is comprised of the following sections:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Abbreviations
  5. Conceptual models and system architecture
  6. System performance functionality requirements
  7. Environmental and EMC (immunity) requirements
  8. Test methods
  9. Documentation and marking

With many manufacturers in the market, the use of proprietary terminology can confuse consultants, system integrators and end users.  Section 3 – ‘Terms and definitions’ provides standardised definitions. From the fundamentals of an access control unit to system self-protection, anti-pass back and identification information user identity, this section aligns the industry to a common language and simplifies understanding for end users – well, maybe some.

Section 6 focuses on System performance functionality requirements. The use of Grades 1 (low risk) to 4 (high risk) sit in parallel to risk level from low to high respectively. In addition, example definitions of skill/knowledge of adversaries/attackers and typical examples provide guidance to corresponding levels of protection. For those familiar with the New Zealand Government Protective Security Requirements (PSR), the grades are the same as Alert Levels – such as those recently seen in the COVID-19 response.

All requirements within Section 6 are available from market-leading access control brands currently available in New Zealand. It is worth reviewing the Standard to learn about these, their functionality and how system integrators can deliver those that are not necessarily understood to add more value to their system deployments.

Enjoying this article? Consider a subscription to the print edition of New Zealand Security Magazine.

Section 8 – ‘Test methods’ is very comprehensive, covering system performance from general conditions of installation and operation, such as atmospheric, access point interface, duress, and power supply requirements to environmental and EMC (immunity) testing. Also of note is that testing is aligned to the respective alert levels of where the EACS is being deployed.

The Standard is rounded off with Section 9 – ‘Documentation and marking’.  This section speaks to the installer and user documentation, which should be supplied along with the access control unit.  This information is used by the system integrator during the design and deployment, including the as-built documentation.  

Marking ensures components can be identified to whichever standard the component claims compliance to, the type of product, i.e. access control unit, card reader etc, the name of manufacturer, the grade, environmental class and date of manufacture, batch number and/or serial number.

Part 11-2: Electronic access control systems – Application guidelines

The objective of Part 11-2 is to define the minimum requirements and guidance for the installation and operation of electronic access control systems (EACS) and/or accessory equipment to meet different levels of protection.

It includes requirements for planning, installation, commissioning, maintenance and documentation based on the functions defined in Part 11-1, and it is comprised of the following sections:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Abbreviations
  5. System architecture
  6. Environmental and EMC considerations
  7. System planning
  8. System installation
  9. Commissioning and system handover
  10. System operation and maintenance
  11. Documentation

This part of the Standard is intended for the system designer, consultant and integrator to ensure appropriate design and planning occurs in compliance to and conformity with the Standard.

Sections 1 to 6 cover Scope to Environmental and EMC considerations, much of which is an extension to Part 11-1, but with additions in Sections 3 – ‘Terms and definitions’ and 4 – ‘Abbreviations’.

Section 7 covers system planning. ISO3100 Risk Management or the PSR framework is evident again here in that the end user’s risk appetite, aligned to the functionality/performance criteria, security grade and environmental classification will determine what treatment is deployed.  

This section also includes considerations for interfacing with other systems. Notably, where intruder alarm systems, video surveillance systems, elevator control and administrations systems etc, are desired or required by end users.

As more and more specialist solutions are developed, interfacing with best of breed third party offerings is more expected than ever. Consideration, therefore, should be given to aspects such as the type of communication links, availability, reliability and security of the communication with the respective integrations.

Section 8 identifies all aspects of installation from general planning of the system to equipment used to cabling. 

Section 9 covers system commissioning and handover – two areas that have traditionally been poorly executed in my experience. Their purpose is to ensure that the system installed meets the requirements of the system design and that documentation and training is undertaken in conjunction with a test period.

Of note in this section is the requirement that system design should be identified and agreed to between the end user and system integrator, including any other interested parties, such as independent consultants, that may have been commissioned to oversee the design and system deployment.

Section 10 defines system operation and maintenance. This section outlines the system owner’s responsibility to the system in respect to training of their people, and to ensure policies and procedures exist for ongoing training and preventative maintenance of the system.

Section 11 covers documentation, encompassing documentation for (i) planning, (ii) commissioning / system handover, and (iii) maintenance.

I suggest that all system integrators consider using the components of Section 11 as the basis of their as-built system handover checklist.  Whilst many would consider them standard practice, again my experience is that they are frequently omitted.

Part 11-2 is rounded out with Annex A – ‘Allowed exceptions for installed systems’ and Annex B – ‘Standby battery capacity calculations’.

Conclusion

All in all, a welcomed set of standards to both Australasian manufacturers and system integrators. It is evident that a significant amount of time has been spent by volunteers on this, including travelling to Australian meetings. 

What is also encouraging is the work that has gone into reviewing the current Alarm Systems AS/NZS 2201 standard. Section 2 – ‘Monitoring Centres’, is already under review, whilst Sections 1, 3 and 4 are overdue and next to be considered. Doug and Matt have again been spearheading this on behalf of the NZSA, albeit with a few road bumps now.

As the AS/NZS IEC 60839 preamble states, “standards are living documents which reflect progress in science, technology, and systems. To maintain their currency, all standards are periodically reviewed, and new editions are published.” The work done in reviewing standards is critical to ensure they remain current in an industry characterised by technological developments.

Based on the 60839 standard being adopted, I have the utmost confidence that they will again represent the New Zealand security community and deliver a more current interpretation.

Source: https://defsec.net.nz/2020/04/15/access-control-standards/