Cybersecurity frameworks have matured significantly over the past decade. Physical access controls have not received the same attention. That is starting to change.
What we heard
Over the past few months, I have been engaging Australian government at both state and federal level on how physical access to facilities is managed.
At the state level, I raised this during a Community Cabinet meeting with the Queensland Minister for Customer Services and followed up with a briefing paper mapping physical access controls against the IS18 policy framework and ISO 27001 requirements.
At the federal level, I put the same question to Andrew Wallace MP at a Defence Forum, specifically around AUKUS and allied personnel operating across shared Australian sites.
The responses were consistent. Core facilities tend to be well managed. But across the wider estate, including contractors, shared sites, and multi-agency environments, physical access management is uneven and not yet as mature as cyber security.
What the standards actually require
ISO 27001:2022 Annex A includes 14 physical security controls. The four most relevant to access management (A.7.1 through A.7.4) are clear: physical entry must be attributable to named individuals, access must be role-based and reviewed regularly, every entry and exit must be recorded and timestamped, and records must be retrievable on demand.
These are not aspirational targets. They are requirements that organisations attest to during audits. The question is whether the operational infrastructure supports them.
What typically exists
Four patterns show up consistently across large organisations.
The offboarding gap. When someone leaves, their electronic access may eventually be disabled. Mechanical keys almost never come back on the last day. Across sites with different access systems, there is no single view of what a departing person still holds.
Card as group key. Swipe cards are treated like mechanical keys and handed from one person to the next without being reissued or reprogrammed. The door opens. The audit trail shows a card number, not a person.
Reconstruction takes days, not minutes. If a security event occurred last Tuesday at 2am and someone asks who had access to that area, the answer in most organisations is not immediately available. For electronic access, it requires pulling logs from multiple systems and cross-referencing with personnel records. For mechanical keys, the answer may not exist.
Audit as the trigger. Organisations rarely discover their physical access gaps through proactive review. The gap between policy and practice only becomes visible when someone asks a question the current systems cannot answer.
Where this goes
The pattern is familiar. IT, HR, and finance all went through a period where data lived in silos, processes were manual, and integration felt optional. Regulatory pressure and operational scale forced convergence.
Physical access is reaching that point. AUKUS is increasing the complexity of who needs access to what across shared facilities. Compliance frameworks like NIS2, DORA, and tightening ISO 27001 requirements are making it harder to justify disconnected systems. Government attention is following.
Addressing this does not require replacing physical access hardware. It requires connecting what already exists through a layer that can answer three questions consistently: who has access to what, is that access still justified, and can we prove it.
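As an added example (not part of the original article, and not any government or vendor system), the Python script below sketches the thin reconciliation layer the last paragraph describes, over constructed sample data: an HR roster, an electronic card system, a mechanical key register and a door event log. It answers the three questions in code (what a person still holds across systems, whether that access is still justified against role and employment status, and who could or did enter an area at a given time) and deliberately reproduces the offboarding gap and the card-as-group-key problem described above. All names, card numbers, areas and timestamps are invented; the role-to-area table and the data layout are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample data (invented for this example): an HR roster, one card
# system, one mechanical key register and a door event log. In a real estate
# each lives in a different system; the functions below join them.

@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    role: str
    left_on: Optional[datetime] = None      # None: still employed

@dataclass(frozen=True)
class Credential:
    cred_id: str                            # card number or key tag
    kind: str                               # "card" or "key"
    holder: str                             # person_id in the assignment register
    areas: frozenset                        # areas this credential opens
    issued: datetime
    returned: Optional[datetime] = None     # None: still held

@dataclass(frozen=True)
class Event:
    at: datetime
    cred_id: str
    area: str
    granted: bool

PEOPLE = {p.person_id: p for p in [
    Person("p1", "Alice", "engineer"),
    Person("p2", "Bob", "engineer", left_on=datetime(2024, 5, 31)),
    Person("p3", "Carol", "contractor"),
    Person("p4", "Dan", "facilities"),
]}

# Assumed role entitlements: which areas each role may hold access to.
ROLE_AREAS = {"engineer": {"lab", "lobby"}, "contractor": {"lobby"},
              "facilities": {"lobby", "plant"}}

CREDS = [
    Credential("1001", "card", "p1", frozenset({"lab", "lobby"}), datetime(2024, 1, 10)),
    Credential("1002", "card", "p2", frozenset({"lab", "lobby"}), datetime(2024, 2, 1),
               returned=datetime(2024, 5, 31)),
    # Offboarding gap: Bob's card came back on his last day, his plant-room key did not.
    Credential("K-07", "key", "p2", frozenset({"plant"}), datetime(2024, 2, 1)),
    Credential("1003", "card", "p3", frozenset({"lobby"}), datetime(2024, 6, 3)),
    # Card as group key: 1004 was handed from Dan to Carol and Dan's record never closed.
    Credential("1004", "card", "p4", frozenset({"lobby", "plant"}), datetime(2024, 3, 1)),
    Credential("1004", "card", "p3", frozenset({"lobby", "plant"}), datetime(2024, 6, 10)),
]

# Only electronic doors produce events; the mechanical key K-07 leaves no trace.
EVENTS = [
    Event(datetime(2024, 6, 17, 23, 50), "1001", "lobby", True),
    Event(datetime(2024, 6, 18, 2, 5), "1004", "plant", True),
    Event(datetime(2024, 6, 18, 3, 10), "1003", "plant", False),
]

AT = datetime(2024, 6, 18, 9, 0)                                   # "now" for the review
WINDOW = (datetime(2024, 6, 18, 0, 0), datetime(2024, 6, 18, 6, 0))  # the 2am incident window

def held(cred, at):
    """True if the credential was assigned and not yet returned at time `at`."""
    return cred.issued <= at and (cred.returned is None or cred.returned > at)

def holdings(person_id, at):
    """Question 1: everything a person holds across all systems at `at`."""
    return sorted(c.cred_id for c in CREDS if c.holder == person_id and held(c, at))

def unjustified(at):
    """Question 2: live credentials whose holder has left or whose areas exceed the role."""
    findings = []
    for c in CREDS:
        if not held(c, at):
            continue
        p = PEOPLE[c.holder]
        if p.left_on is not None and p.left_on <= at:
            findings.append((c.cred_id, c.holder, f"holder left on {p.left_on.date()}"))
            continue
        extra = sorted(c.areas - ROLE_AREAS[p.role])
        if extra:
            findings.append((c.cred_id, c.holder, f"areas beyond role {p.role}: {extra}"))
    return sorted(findings)

def who_could_enter(area, at):
    """Question 3a: everyone holding a live credential for `area` at `at`, leavers included."""
    return sorted({c.holder for c in CREDS if area in c.areas and held(c, at)})

def who_entered(area, start, end):
    """Question 3b: granted events in the window, resolved to a person where possible.
    A card with zero or several registered holders at event time cannot be attributed."""
    rows = []
    for e in sorted(EVENTS, key=lambda ev: ev.at):
        if e.area != area or not (start <= e.at <= end) or not e.granted:
            continue
        holders = [c.holder for c in CREDS if c.cred_id == e.cred_id and held(c, e.at)]
        who = holders[0] if len(holders) == 1 else "UNRESOLVED"
        rows.append((e.at.isoformat(), e.cred_id, who))
    return rows

if __name__ == "__main__":
    print("Bob still holds:", holdings("p2", AT))
    print("Unjustified access:", unjustified(AT))
    print("Could enter plant at 09:00:", who_could_enter("plant", AT))
    print("Entered plant overnight:", who_entered("plant", *WINDOW))
```

Run as a script it shows the three failure modes from the article in one pass: Bob's unreturned key survives his departure, the shared card 1004 produces a granted event that cannot be attributed to one person, and the mechanical key opens the plant room without any event at all, so the reconstruction for that door is only as good as the key register.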