
Corporate Office and Workplace Security | CloseProtectionHire
Effective workplace physical security requires layered access control, visitor management, and staff protocols. This guide covers what a credible corporate office security programme looks like.
Written by James Whitfield
Corporate office security is a topic that receives sustained investment after an incident and consistent under-investment before one. The ASIS International 2024 Workplace Violence and Active Shooter survey found that 68% of organisations reported that their physical security measures had not been formally reviewed in the previous two years. The CPNI’s commercial premises audit programme consistently identifies the same small set of failures across hundreds of buildings.
This guide covers what a credible corporate office security programme looks like – from the physical infrastructure layer through visitor management, staff training, and emergency procedures.
The Layered Security Model
Physical security for a corporate office is most effective when it is layered: multiple independent controls, each of which protects progressively more sensitive areas and generates detection opportunities when defeated.
The standard layer model for a corporate office:
Layer 1: Perimeter. The building boundary – street-facing facades, car park access, loading bay, and any external areas. This layer is primarily about deterrence and early detection: lighting coverage, CCTV at all entry and exit points, vehicle barriers at ram-raid-vulnerable points, and clear sight lines to entry areas.
Layer 2: Lobby and reception. The primary point of control between public and private space. Reception staff are the human element of this control point; the physical infrastructure is the access barrier, visitor badging system, and CCTV coverage. The design should channel all arrivals through reception – any route that bypasses reception is a Layer 2 failure.
Layer 3: General office areas. Access-controlled entry from the lobby or stairwells/lifts, separating staff-credentialled from visitor-credentialled individuals. Visitor badges should not be confusable with staff credentials, and should indicate the level of access the visitor has been granted.
Layer 4: Secure zones. Server rooms, executive floors, document storage areas, finance functions, and any location where the consequence of an unauthorised visitor is disproportionately high. This layer typically requires higher-assurance access control (biometric or dual-factor authentication rather than a single card).
The principle behind layering is that a single strong barrier, once defeated, provides unlimited access. Layered controls require an attacker to defeat multiple independent systems, and each defeat attempt generates a detection event.
Reception and Visitor Management
Reception is simultaneously the most operationally important control point and the most structurally vulnerable. It is where the pressure to be welcoming is highest, the social pressure to avoid confrontation is most acute, and the threat of social engineering is most present.
A functional visitor management process for a corporate office:
Pre-registration. Expected visitors should be registered in advance by the host employee – name, company, purpose, and expected arrival time. A visitor who arrives unannounced with no host pre-registration should be treated as a higher-risk arrival and the verification process should be commensurately more rigorous.
Identity verification. For any visitor beyond a clearly low-risk routine appointment, identity verification against a government-issued document (passport, driving licence, national ID) is standard. The entry in the visitor log should include the document type and number.
Visitor badge. Visitor badges should be visually distinct from staff credentials, should indicate the visitor’s permitted access level, and should be collected on exit. A visitor badge that is identical to a staff pass provides no additional control over movement once issued.
Escort. Visitors beyond reception should be escorted by a staff member for the duration of their visit, or should have their access physically limited to the specific area their host has authorisation for. An unescorted visitor in a corporate office is an uncontrolled variable.
Log management. Visitor logs – whether physical or digital – are both an operational security tool and a legal document. They should be retained for a minimum period consistent with the organisation’s data retention policy, and should be accessible to the security team in the event of an incident investigation.
Access Control
Access control infrastructure for a corporate office has two functions: denying access to unauthorised individuals, and creating a record of who was where and when. Both functions are important, and many organisations invest in the denial function while neglecting the audit function.
Key access control considerations:
Credential management. Promptly deactivating credentials when staff leave is the single most important access control hygiene practice. Credentials belonging to departed employees are a primary vector for insider threat actions and for social engineering attacks that begin by obtaining a lapsed credential. Access control reviews should be conducted at minimum quarterly, with immediate deactivation as a departure process step.
Piggybacking and tailgating prevention. Technical countermeasures include turnstile or mantrap entries at higher-security zones, video analytics that detect multiple persons per credential event, and door status sensors that trigger alarms for extended open events. Behavioural countermeasures are equally important: reception and security staff trained to challenge tailgating events, and staff across the organisation trained to feel empowered to politely challenge unfamiliar faces following through controlled doors.
Visitor access limitations. Visitor credentials should be time-limited (expiring at end of day or end of the specific appointment) and physically limited to the areas the visitor has legitimate access to. A visitor credential that grants floor-wide access provides less protection than one that grants access only to meeting rooms.
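The credential review described above can be run as a cross-check between the HR roster and the badge-system export. The following is an added example, not part of the original guide; the field names, zone names, and sample records are constructed assumptions.

```python
from datetime import date, datetime, time

# Constructed sample data; field and zone names are assumptions, not a real product schema.
HR = {
    "E100": {"name": "A. Staff", "left": None},
    "E101": {"name": "B. Leaver", "left": date(2024, 5, 31)},
}
CREDENTIALS = [
    {"id": "C1", "kind": "staff", "holder": "E100", "active": True,
     "expires": None, "zones": {"lobby", "office"}},
    {"id": "C2", "kind": "staff", "holder": "E101", "active": True,
     "expires": None, "zones": {"lobby", "office"}},
    {"id": "C3", "kind": "staff", "holder": "E999", "active": True,
     "expires": None, "zones": {"lobby", "office", "server-room"}},
    {"id": "V1", "kind": "visitor", "holder": None, "active": True,
     "expires": datetime(2024, 6, 3, 17, 0), "zones": {"lobby", "meeting"}},
    {"id": "V2", "kind": "visitor", "holder": None, "active": True,
     "expires": None, "zones": {"lobby", "meeting", "office"}},
    {"id": "V3", "kind": "visitor", "holder": None, "active": True,
     "expires": datetime(2024, 6, 5, 18, 0), "zones": {"lobby", "meeting"}},
]
VISITOR_ZONES = {"lobby", "meeting"}  # assumed policy: visitors reach meeting rooms only


def audit(credentials, hr, today):
    """Return (credential id, finding) pairs for active credentials that break policy."""
    end_of_day = datetime.combine(today, time(23, 59, 59))
    findings = []
    for cred in credentials:
        if not cred["active"]:
            continue
        if cred["kind"] == "staff":
            person = hr.get(cred["holder"])
            if person is None:
                findings.append((cred["id"], "no matching HR record"))
            elif person["left"] is not None and person["left"] <= today:
                findings.append((cred["id"], "holder has left"))
        else:
            # Visitor credentials must expire by end of day and stay within visitor zones.
            if cred["expires"] is None or cred["expires"] > end_of_day:
                findings.append((cred["id"], "visitor credential not time-limited to today"))
            extra = cred["zones"] - VISITOR_ZONES
            if extra:
                findings.append((cred["id"], "visitor zones beyond policy: " + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for cred_id, finding in audit(CREDENTIALS, HR, date(2024, 6, 3)):
        print(cred_id, finding)
```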
Mail and Deliveries
Mail handling and parcel delivery is an access vector that receives significantly less security attention than front-of-house access control, despite being the channel used in several high-profile incidents targeting corporate offices.
The NPSA ProtectUK guidance on mail security recommends: a designated mailroom area where all incoming items are processed before distribution; visual inspection of items for suspicious characteristics (unusual weight, leaking powder, unfamiliar sender, excessive sealing); and a documented protocol for suspected suspicious items that is known to mailroom staff and reviewed regularly.
For organisations in higher-risk threat environments – lobbying sectors, organisations with contentious operations, executives who have received threats – more formal screening capability (including X-ray screening for high-volume delivery environments) may be proportionate.
CCTV and Monitoring
CCTV installation provides forensic value after an incident. Active monitoring provides the real-time detection capability that forensic value cannot substitute for. The correct question for a corporate security programme is not “do we have cameras?” but “does anyone see what the cameras record while it matters?”
For most corporate offices, continuous CCTV monitoring is not proportionate during business hours. The practical standard is: alerts triggered by access events (door forced, tailgating detected, credential failure beyond threshold), security staff review of footage when incidents are reported, and after-hours monitoring of key areas (lobby, server rooms, fire exits).
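The event-driven alerting described above can be expressed as a small set of rules over the access control log. This is an added example, not part of the original guide; the log format, the per-event person count (assumed to come from video analytics), and both thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp,door,event,credential,persons (format is an assumption).
LOG = """\
2024-06-03T08:59:10,lobby-1,badge_ok,C1,1
2024-06-03T09:02:00,floor-2,badge_ok,C7,2
2024-06-03T09:05:00,server-room,badge_denied,V4,0
2024-06-03T09:05:20,server-room,badge_denied,V4,0
2024-06-03T09:05:45,server-room,badge_denied,V4,0
2024-06-03T09:10:00,fire-exit-3,door_open,-,0
2024-06-03T09:11:30,fire-exit-3,door_closed,-,0
2024-06-03T22:14:00,loading-bay,door_forced,-,0
"""
MAX_OPEN = timedelta(seconds=30)     # assumed "extended open" threshold
FAIL_LIMIT = 3                       # assumed credential-failure threshold
FAIL_WINDOW = timedelta(seconds=60)  # window in which failures are counted


def alerts(log):
    """Return (door, alert) pairs in log order for the alert-worthy events."""
    out, opened, fails = [], {}, defaultdict(deque)
    for line in log.strip().splitlines():
        stamp, door, event, cred, persons = line.split(",")
        ts = datetime.fromisoformat(stamp)
        if event == "door_forced":
            out.append((door, "door forced"))
        elif event == "badge_ok" and int(persons) > 1:
            # More than one person passed on a single credential event.
            out.append((door, f"tailgating: {persons} persons on credential {cred}"))
        elif event == "badge_denied":
            recent = fails[(door, cred)]
            recent.append(ts)
            while ts - recent[0] > FAIL_WINDOW:
                recent.popleft()
            if len(recent) == FAIL_LIMIT:  # fires when the count reaches the limit
                out.append((door, f"repeated credential failure: {cred}"))
        elif event == "door_open":
            opened[door] = ts
        elif event == "door_closed" and door in opened:
            if ts - opened.pop(door) > MAX_OPEN:
                out.append((door, "door held open"))
    # Doors still open at the end of the log are reported as well.
    out += [(door, "door never closed") for door in opened]
    return out


if __name__ == "__main__":
    for door, alert in alerts(LOG):
        print(door, alert)
```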
Retention periods should comply with ICO guidance (the maximum period that can be justified by the purpose stated in the ROPA, the record of processing activities – typically 30 days for routine retention) and should be consistent with the organisation’s data protection policies under UK GDPR.
Emergency Procedures
Emergency procedures for a corporate office should cover at minimum: evacuation (fire and general emergency), lockdown (active threat within or approaching the building), bomb threat response, and medical emergency.
Each procedure should specify: who makes the decision to implement, what the trigger criteria are, the physical procedure for staff, and the communications sequence (internal staff notification, emergency services, building management, senior leadership).
Staff should know their evacuation route, the designated assembly point, and who the floor warden for their area is. Annual evacuation drills are the standard rehearsal requirement. For the lockdown procedure specifically – where the decision to shelter rather than evacuate is made in a rapidly evolving situation – a tabletop exercise involving the security team is appropriate annually.
For the corporate security programme framework that office physical security should sit within, see our corporate security programme design guide.
For the active threat response protocols that the lockdown procedure should connect to, see our active shooter and workplace violence response guide.
For organisations in the hospitality sector – where public-access design, high footfall, and Martyn’s Law obligations create specific security planning requirements – see our security guide for the hospitality and hotel industry.
For university and research campus environments – where the combination of open-access ethos, residential accommodation, late-night social venues, Prevent duty obligations, and high-value research assets creates a security challenge distinct from standard commercial premises – see our university campus security guide.
For offices and workplaces facing industrial action – where access control changes, credential audits, picket line management, and executive personal threat assessment require a coordinated security response – see our security during industrial action and labour disputes guide.
For organisations operating commercial premises within luxury real estate developments – including show room and retail unit security, construction phase theft prevention (CESAR marking, GPS tracking, CCTV to BS 8418), property registration fraud controls, and void period squatting risk management – see our luxury real estate and development security guide.
For counter-drone detection at corporate headquarters and campus environments – aerial surveillance of access routes and staff movements, RF monitoring systems, NPSA Drone Threat Guidance 2024, and the legal framework restricting private sector active countermeasures – see our counter-drone security guide.
For hostile vehicle mitigation at corporate premises – IWA 14-1:2013 certified barrier selection, PAS 170:2023 temporary deployment standards, gap management planning, and Martyn’s Law Enhanced Tier obligations for vehicle attack threat assessment – see our hostile vehicle mitigation guide.
Source: CPNI (now NPSA): Physical Security in the Workplace – Common Failure Modes 2024. ASIS International: Workplace Violence and Active Shooter Survey 2024. NPSA ProtectUK: Mail and Delivery Security Guidance 2024. NPSA ProtectUK: Bomb Threat Response Guidance 2024. ICO: CCTV and Video Surveillance – Data Protection Guidance 2024. UK GDPR and Data Protection Act 2018. Health and Safety at Work Act 1974. Management of Health and Safety at Work Regulations 1999. Terrorism (Protection of Premises) Act 2024 (Martyn’s Law). NCSC (UK): Physical Security Fundamentals for Commercial Premises 2024.
Key takeaways
Layered access control is more effective than a single strong barrier
A single high-security barrier with weak inner access control is defeated once. A layered system – outer perimeter, lobby access, floor access, secure zone access – requires an attacker to defeat multiple independent controls, each of which generates a detection opportunity. The layers should be calibrated to the sensitivity of what they protect.
Reception is the most exploitable point in most corporate offices
Reception staff are under social pressure to be welcoming, which creates a structural vulnerability: the instinct to admit is in tension with the requirement to verify. The training, scripting, and procedural support that reception staff receive determines how well this tension is resolved. Reception is also the primary vector for social engineering attacks against physical access.
Mail and delivery screening is a frequently overlooked attack vector
Mail room and parcel delivery points are physical access vectors that receive less security attention than front-of-house entry. Suspicious package protocols, parcel screening procedures for high-risk premises, and a designated secure area for unverified deliveries are standard requirements that many corporate offices have not implemented.
CCTV that is not monitored does not deter
CCTV installation provides forensic value after an incident. It deters incidents primarily when potential adversaries believe it is actively monitored. A visible camera with good coverage and a prominently displayed monitoring notice reduces opportunistic incidents; a camera that is never checked does not. The practical question is not whether cameras are installed but whether anyone will see what they record in time for it to matter.
Emergency procedures must be documented and practised
An emergency procedure that exists only as a document in a file cabinet will not be followed under stress. Staff need to know the evacuation route, the assembly point, the lockdown procedure if applicable, and who the designated warden for their area is. Annual evacuation drills, combined with a tabletop exercise for the security team, are the minimum rehearsal standard.
