Management of keys and access codes

If thieves get hold of a key or access control code/card, gaining entry to a site or a sensitive and otherwise secure part of the premises becomes much easier.

As a result the detection systems may not be triggered letting them have more time to complete their activity.

Use of the word 'keys'

From here on, the word ‘keys’ refers not only to a physical key, but also swipe cards, key fobs and other devices used to unlock a door, gate, barrier or similar. We won’t use ‘keys’ when referring to access codes, biometrics and other intangible elements.

Key actions to manage keys and access codes

Check keys you have on site, what they’re used for and who has access to them, before making any decisions about what procedures to put in place.

- Don’t forget, it’s not only premises keys that need to be secure, think also about keys that open safes, and keys for vehicles like fork lift trucks.
Consider using a secure key cabinet for when keys aren’t in use. Place it where it isn’t accessible to the public/customers, and where it is protected by your intruder alarm system.

- Some key cabinets let you track which employee has which key by requiring a ‘peg’, unique to the employee, to be inserted into a corresponding ‘plug’ in the cabinet to release the key. More sophisticated computer controlled cabinets are also available.
Don’t forget to consider the location and security surrounding any spare keys.
Remind staff to ensure key cabinet doors are kept closed (with the key to open it removed) and locked, other than when keys are being deposited or removed.

Review which employees hold keys (if any) and which keys they actually need access to for their day-to-day jobs. The fewer keys in circulation and the fewer employees with access reduce the chances of keys going missing.
Have procedures in place for when a member of staff leaves your employment, so keys are collected, access codes changed and access privileges on computer systems are promptly deleted. You may also want to consider changing locks, especially if the employee was dismissed from their position. Review these procedures on a regular basis, or when changes are made to security.

Set up your access control system (if you have one), so each worker only has access to the areas they need access to. For example, only IT personnel should need access to the server room, so only their credentials should permit this.

- It should also be possible to set up temporary access, allowing access for a certain time period only.
Make it clear to all employees and provide reminders (in the form of signage), that when they’ve finished using a key, it should be returned to a safe location (e.g. a key cabinet) as soon as possible. Ensure they understand that leaving keys on desks, in drawers, or even in the locks themselves is a security risk.
Change access codes on a regular basis, even if you have no change in personnel, as a matter of policy. As part of your policy regarding access, staff should be reminded that codes shouldn’t be written down or shared with anyone outside of the organisation.
Change all the locks when moving into new premises. Similarly, if a key is lost then the corresponding lock should be changed as soon as possible.
Consider introducing a system of signing in and out keys, with the return of the keys always being required by the close of business.