NSI-Technical-Bulletin-No-0058-Publication-of-NCP-109-Issue-3

National Security Inspectorate
Sentinel House, 5 Reform Road, Maidenhead, SL6 8BY
E: nsi@nsi.org.uk | W: nsi.org.uk
© NSI 2021

Date: 01 June 2021
To: All NACOSS Gold and Systems Silver approved companies and applicants

TECHNICAL BULLETIN No: 0058

Publication of NSI NCP 109 Issue 3 – Code of Practice for Design, Installation, Commissioning and Maintenance of Access Control Systems

NCP 109 “Code of Practice for Design, Installation, Commissioning and Maintenance of Access Control Systems” is now published at Issue 3.

The content and structure differences between NCP 109 Issue 2 and Issue 3 are extensive. Consequently, in a departure from the usual format of NSI Technical Bulletins, this Technical Bulletin describes the differences between the two versions rather than include the actual new or amended text. This Technical Bulletin must therefore be read in conjunction with NCP 109 Issue 3. A colour scheme is assigned to denote the descriptions of new and amended sections.

Please note that Parts 1 & 2 of Issue 2 are now combined in Issue 3.

Text colour schemes within this document

Descriptions of new or amended sections of NCP 109 are given in italics and the following colour scheme is used to denote which are new and which are amended.

Where descriptions denote new sections, these are represented by Green italics.
Where descriptions denote amended sections, these are represented by Blue italics.

Please also note that this Technical Bulletin is not a definitive list of all the changes introduced in Issue 3 of NCP 109; only significant changes are listed.

Implementation timescale for applicant companies

New applicant companies to NSI NACOSS Gold and Systems Silver schemes will be audited against NCP 109 Issue 3 with immediate effect and any Improvement Needs recorded against clauses of the Standard will have to be satisfactorily addressed before approval can be granted.

Where an application for approval was already in progress with the NSI before the date of this Technical Bulletin, then the approval will continue to progress against the appropriate standards.

Implementation timescale for existing approved companies

NSI approved companies will need to be compliant with NCP 109 Issue 3 by the 31st May 2022.

_______________________________________________________________________________________________

Introduction
This section is a new addition and replaces the Foreword section.

1 Scope
Section 1 now covers commissioning and maintenance. There is also added clarity for out of scope systems.

2 References
Section 2 is a new addition.

3 Terms, definitions and abbreviations
Section 3 was Section 2 and is amended to include abbreviations.

3.1.3 Access level
Section 3.1.3 was Section 2.3 and is amended to improve clarity.

3.1.4 Access point
Section 3.1.4 was Section 2.4 and is amended to improve clarity.

3.1.6 Adversary
Section 3.1.6 is a new addition.

3.1.7 As-fitted document
Section 3.1.7 is a new addition.

3.1.10 Commissioning
Section 3.1.10 is a new addition.

3.1.14 Corrective maintenance
Section 3.1.14 is a new addition.

3.1.16 Degraded mode
Section 3.1.16 is a new addition.

3.1.22 Global anti-passback
Section 3.1.22 is a new addition.

3.1.23 Hard anti-passback
Section 3.1.23 is a new addition.

3.1.25 Maintenance company
Section 3.1.25 is a new addition.

3.1.26 Normal mode
Section 3.1.26 is a new addition.

3.1.27 Open time
Section 3.1.27 is a new addition.

3.1.28 Operational needs
Section 3.1.28 is a new addition.

3.1.33 Release time
Section 3.1.33 is a new addition.

3.1.35 Soft anti-passback
Section 3.1.35 is a new addition.

3.1.36 Structured cabling
Section 3.1.36 is a new addition.

3.1.37 System Design Proposal
Section 3.1.37 is a new addition.

3.2 Abbreviations
Section 3.2 is a new addition.

4.1 General
Section 4.1 was Section 3.1 and is simplified to improve clarity.

4.2 Risk assessment
Section 4.2 is a new requirement to ensure security and operational needs are considered during the design stage.

4.3 Access point classification
Section 4.3 was Section 3 and is amended. The access point classification is determined during the risk assessment and is based on the security risks and/or operational requirements. The specified access control reader(s) must meet, as a minimum, the requirements of Table 2 appropriate to the selected class of the access point.

5.1 Survey
Section 5.1 was Section 4.1. Section 5.1 is amended to introduce minimum classification requirements for all interdependent system components and to introduce a requirement to meet the recommendations of BS 7273-4. Additional aspects for consideration relating to networks and IT infrastructure access are included.

5.3 Functionality
Section 5.3 is a new addition. Each access point will need, as a minimum, to provide the functions outlined in sub clauses 5.3.1 to 5.3.7 appropriate to the defined class of the access point.

6.1 Control
Section 6.1 was Section 4.3 and is simplified to improve clarity.

6.2 Access point hardware
Section 6.2 was Section 4.2.3 and is amended to include access point classification and risk assessment details.

6.4 Power supplies
Section 6.4 was Section 4.2.4 and is amended to provide access point classification.

7 Installation
Section 7 is a new addition following restructuring of the document. It provides requirements for each phase: Design, Installation, Commissioning, and Maintenance.

7.1 Cables
Section 7.1 was Section 4.2.5 and is amended to provide specific requirements for each defined cable type.

7.2 Network security
Section 7.2 is a new addition.

8.1 Commissioning
Section 8.1 was Section 5.1 and is amended so that commissioning checks align with classification-dependent requirements and cyber security.

8.2 Handover
Section 8.2 was Section 5.2 and is amended so that handover process requirements align with classification-dependent requirements and cyber security.

8.3 Documentation
Section 8.3 was Section 5.3 and is amended to state that documentation should include a risk assessment and define the duration of support for any standby power supply.

9 Maintenance
Section 9 was Section 3 of Part 2 of NCP 109 Issue 2.

9.1.2 Test equipment
Section 9.1.2 is a new addition.

9.2.2 Inspection
Section 9.2.2 was Section 3.2.2 and is amended so that inspection checks now include checks relating to cyber security.

9.4.1 General
Section 9.4.1 was Section 4.1 and is simplified to improve clarity.

9.4.2 As-fitted document
Section 9.4.2 was Section 4.2 and is amended to include a requirement to ensure maintenance staff have access to details of the fitted system to aid maintenance activities.

9.4.3 Preventive maintenance record
Section 9.4.3 was Section 4.4 and is amended to provide clarity relating to documenting any part of the system not tested.

9.4.4 Corrective maintenance record
Section 9.4.4 was Section 4.5 and is amended to provide clarity relating to documentation for any corrective maintenance work not completed.