Buyer's guide

Building access and security, built for the compliance era.

Securing the perimeter, automating compliance, and preparing your estate for Martyn's Law, the Building Safety Act, and the next generation of building safety regulations.

Written for Facilities Management providers, Security Leads, and anyone responsible for more than one site.

Introduction

Beyond the locked door

Most organisations think about access control the wrong way. They frame it as a security question: keep unauthorised people out. And yes, that matters. But the more important question in 2026 is different.

The question is this. Right now, at this moment, can you tell us exactly who is in your building, what floor they are on, whether their certifications are current, and what would happen if you needed to evacuate in the next five minutes?

For most organisations, the honest answer is no.

And increasingly, that is not just an operational gap. It is a compliance one.

Modern access control is about having a real-time, undeniable record of your building and everyone in it. The locked door is just the start.

One more shift is worth understanding upfront. The market has moved firmly towards Access Control as a Service, where the platform runs in the cloud rather than on a dedicated on-site server. That means no hardware room to maintain, no costly server refresh every five years, and the ability to manage every site in your estate from a single browser window. For multi-site FM directors and security leads, that shift changes the economics of the whole conversation.

Three forces are converging to make this a 2026 priority rather than a 2028 one. The Terrorism (Protection of Premises) Act 2024 introduces statutory duties for venues at capacity thresholds many operators will not realise apply to them. The Building Safety Act 2022 demands a golden thread of information for higher-risk buildings, including auditable records of who was on site and when. Keeping Children Safe in Education has tightened expectations on visitor and contractor screening, and Ofsted is asking pointed questions about how that is implemented in practice.

The recognisable position for most multi-site operators is some version of the same patchwork: a mix of inherited systems, paper visitor books, and door fobs from the early 2010s, none of which gives you a defensible answer to the question above. Closing that gap, methodically and at portfolio scale, is what the rest of this guide is about.

Chapter 1

The compliance minefield

Three pieces of legislation now shape what an access control system has to do, and how it has to evidence what it has done. If you are not across all three, this chapter is worth reading carefully. The summaries below are practical, not legal; confirm how each piece applies to your specific estate with your legal team or a competent advisor.

Martyn's Law

The Terrorism (Protection of Premises) Act 2024, known as Martyn's Law, introduces two tiers of duty for venues based on capacity. The exact duties and thresholds are set out in the Act and associated Home Office guidance, so your legal team should confirm how they apply to each site in your estate.

Standard Tier

Maximum capacity: 200–799

Foundational obligations

  • Documented procedures for lockdown, invacuation, and evacuation
  • Procedures practised, not just written
  • Auditable records maintained and retrievable
  • Demonstrable readiness, not paperwork in a drawer

Regulator: Home Office, per current guidance

Enhanced Tier

Maximum capacity: 800+

Everything in Standard, plus:

  • A formal, written security plan
  • A designated Security Officer in post
  • Documented access control and visitor screening
  • Substantially more rigorous evidence requirements

Regulator: Security Industry Authority (SIA)

What this means practically: you need to be able to demonstrate, on request, that your building can execute a lockdown or invacuation procedure. That requires knowing exactly who is inside, being able to communicate with them, and being able to control entry points instantly. A paper visitor book and a fob-based door system do not give you that capability. Access control is now part of your legal compliance story, not just your security one.

The Building Safety Act 2022

The Building Safety Act 2022 introduces the concept of the "golden thread" of building information for higher-risk buildings, supported by detailed secondary legislation including the Building Safety (Golden Thread of Information) Regulations. Access records are one part of that picture.

Who was on site, when, and what were their competencies and certifications? For buildings with contractors coming and going, this is particularly significant. The days of a paper sign-in sheet and a photocopy of a Gas Safe certificate being sufficient are over.

A modern access control platform logs every entry and exit automatically, ties visitor records to pre-verified competency documentation, and makes that information retrievable without a filing cabinet search.

Education: KCSIE and Ofsted requirements

Schools and colleges sit in a category of their own. Keeping Children Safe in Education, latest edition, requires schools to have robust visitor and contractor controls as part of their safeguarding arrangements, and Ofsted routinely probes how these are implemented in practice. Weak perimeter management is a finding that attracts scrutiny.

In practice, this means every visitor should be pre-vetted before they arrive, every contractor should have their DBS status verified before they are given access, and there should be an auditable log of everyone who has entered the school grounds. That is not achievable with a paper visitor book and a buzzer.

Chapter 2

The hardware

The reader on the wall is what most people picture when they think about access control. The technology in those readers has moved significantly in the past five years, and the options have changed in ways that matter both operationally and for compliance.

Touchless biometrics

Facial recognition and other touchless biometric readers have become the default for higher-security environments. In healthcare, food production, and anywhere hygiene matters, eliminating the shared fob or card also eliminates a touch point.

Speed is the practical benefit alongside hygiene. A facial recognition reader processes an entry in under a second. No fumbling for a card, no shared fobs among colleagues, no tailgating because someone held the door for the queue building behind them.

The GDPR concern comes up regularly in these conversations, and it is worth being clear on the answer. Compliant biometric systems do not store photographs. They store an encrypted mathematical hash derived from the facial geometry, and the original image is discarded immediately. The stored value is closer to a coded lock combination than a picture of your face.

That said, biometric data remains special category data under UK GDPR. You still need a Data Protection Impact Assessment, an appropriate legal basis, and clear retention rules. A reputable supplier should support you with template DPIA documentation, not leave you to draft it yourself.

High-security architecture

Two features matter a great deal here and do not get talked about enough. They sound technical, but they are the difference between a system that holds under pressure and one that does not.

Secure-side relays

The power supply to the lock is routed through the secure side of the door. If someone attacks the reader from outside, the door fails locked rather than open.

Anti-passback

The system tracks whether a credential is currently inside or outside, and rejects a badge-in from someone the system already believes is inside.

Both sound like obvious requirements. A surprising number of installations skip one or both, particularly on retrofit projects where the door hardware is reused and the architecture is never properly reviewed.

Offline resilience

The question IT departments always ask: what happens when the network goes down?

The answer, on a properly designed system, is nothing bad. Doors continue to operate in offline mode using locally cached access permissions. Entry decisions are made at the reader. When connectivity is restored, all activity syncs back to the cloud. There is no gap in the access log, and at no point do doors default to open.

This matters more than it might seem. Under Martyn's Law or the Building Safety Act, "the network was down" is not an acceptable explanation for an uncontrolled access event. The system has to keep functioning, and it has to keep logging, even when the link to the cloud platform is gone.
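The anti-passback and offline behaviour described above can be sketched as a door controller that decides locally and numbers every event, so the cloud log can be checked for gaps after a reconnect. This is an added illustration, not any supplier's code; the class, field names, result strings and sample credentials are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class DoorController:
    """Hypothetical edge controller: decides at the door, logs everything, syncs later."""
    door: str
    cached_permissions: set                       # credential IDs cached locally for this door
    inside: set = field(default_factory=set)      # anti-passback state
    pending: list = field(default_factory=list)   # events not yet uploaded
    seq: int = 0                                  # per-door event counter
    online: bool = True

    def badge(self, cred, direction, ts):
        if cred not in self.cached_permissions:
            result = "DENY_NOT_PERMITTED"         # unknown credential: the door stays locked
        elif direction == "in" and cred in self.inside:
            result = "DENY_ANTI_PASSBACK"         # already believed to be inside
        else:
            result = "GRANT"
            if direction == "in":
                self.inside.add(cred)
            else:
                self.inside.discard(cred)
        # Every decision is logged, granted or denied, online or offline.
        self.seq += 1
        self.pending.append({"seq": self.seq, "door": self.door, "cred": cred,
                             "dir": direction, "ts": ts, "result": result,
                             "offline": not self.online})
        return result

    def sync(self, cloud_log):
        """Upload buffered events in order; returns how many were sent."""
        if not self.online:
            return 0
        sent = len(self.pending)
        cloud_log.extend(self.pending)
        self.pending.clear()
        return sent


def missing_sequences(cloud_log, door):
    """Sequence numbers absent from the cloud log for one door (empty means no gap)."""
    seen = sorted(e["seq"] for e in cloud_log if e["door"] == door)
    if not seen:
        return []
    return sorted(set(range(1, seen[-1] + 1)) - set(seen))


def demo():
    """Constructed scenario: one event online, four during an outage, then reconnect."""
    cloud = []
    ctl = DoorController("Loading Bay 2", {"C-1001", "C-1002"})
    results = [ctl.badge("C-1001", "in", "08:00:00")]
    ctl.sync(cloud)
    ctl.online = False                            # network link drops
    results.append(ctl.badge("C-1001", "in", "08:05:00"))   # passback attempt
    results.append(ctl.badge("C-9999", "in", "08:06:00"))   # not in the cache
    results.append(ctl.badge("C-1002", "in", "08:07:00"))
    results.append(ctl.badge("C-1001", "out", "08:09:00"))
    sent_while_offline = ctl.sync(cloud)
    ctl.online = True                             # link restored
    sent_after_restore = ctl.sync(cloud)
    return results, cloud, sent_while_offline, sent_after_restore


if __name__ == "__main__":
    results, cloud, _, _ = demo()
    print(results, missing_sequences(cloud, "Loading Bay 2"))
```

When evaluating a platform, the equivalent check is to pull the event log for a door after a simulated outage and confirm the sequence is continuous and the denied attempts are present.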

Chapter 3

The software

The reader is the visible part. The software is where the actual capability lives, and where the difference between a basic system and a properly engineered one becomes apparent. It is also where most of the multi-site value sits.

Real-time dashboards

A modern access control platform gives you a live view of your building. Every door, every entry point, every zone, in real time. Who came in, when, and where they are now.

Alongside that, you get stateful alerts. A door forced open triggers an immediate notification to the relevant manager or security lead. A door held open longer than a defined threshold does the same. These are not end-of-day log reports. They are live alerts to whoever needs to know, in seconds.

For FM directors managing a multi-site estate, the value compounds. Every site, every door, every alert, in one browser window. You are not calling site managers for status updates, and you are not finding out about a forced door at HQ from a phone call ninety minutes after the event.

Estate access overview

Live status across the portfolio, updated in real time (12 sites)

  • London HQ: 142 on site. All doors normal
  • Manchester Office: 58 on site. Door held open: Loading Bay 2, 4 min
  • Edinburgh Site: 23 on site. Contractor credential expires today
  • Birmingham Office: 71 on site. All doors normal
  • Leeds Site: 34 on site. Failed access attempt: Server Room, 11:42
  • Bristol Office: 19 on site. All doors normal

Access groups and time zones

The ability to configure precise access rules without calling your supplier every time is one of the things that separates a good platform from a frustrating one. IT staff can have 24/7 access to the server room. Contractors can be restricted to the ground floor between 9am and 5pm on weekdays. Cleaning staff can access office areas only after 6pm. A visiting auditor can be given temporary access to specific floors for the duration of their visit, with an automatic expiry.

These rules should be configurable by your team, in minutes, without a support ticket or a site visit. Every change should be logged automatically, so you can see who granted access to whom, when, and why. That audit trail matters both for internal governance and for any Building Safety Act review.

If a current or prospective supplier cannot demonstrate this clearly in a live environment, ask why. The most common reasons are not encouraging.

If you are uncertain whether your current platform produces this audit trail, the access control checklist includes it as one of the first questions.
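The access rules and change log described in this section, as an added sketch rather than any platform's real configuration model. The group and zone names follow the examples in the text; the class names, the administrator account, the dates and the assumption that timestamps are local site time are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

ALL_DAYS = frozenset(range(7))    # Monday = 0 ... Sunday = 6
WEEKDAYS = frozenset(range(5))


@dataclass(frozen=True)
class Rule:
    group: str
    zone: str
    days: frozenset
    start: time
    end: time                     # start == end means the whole day
    expires: Optional[datetime] = None

    def permits(self, at):
        if self.expires is not None and at >= self.expires:
            return False          # temporary access lapses on its own
        if at.weekday() not in self.days:
            return False
        t = at.time()
        if self.start == self.end:
            return True
        if self.start < self.end:
            return self.start <= t < self.end
        # Window running up to or past midnight, judged on the timestamp's weekday.
        return t >= self.start or t < self.end


class AccessPolicy:
    def __init__(self):
        self.rules = []
        self.audit = []           # append-only record of every change

    def grant(self, rule, granted_by, reason, at):
        self.rules.append(rule)
        self.audit.append({"at": at, "by": granted_by, "action": "grant",
                           "rule": rule, "reason": reason})

    def is_allowed(self, group, zone, at):
        # Default deny: access needs a matching rule that permits this moment.
        return any(r.group == group and r.zone == zone and r.permits(at)
                   for r in self.rules)


def sample_policy():
    """The four rules from the text, granted by a constructed admin account."""
    p = AccessPolicy()
    now = datetime(2026, 3, 2, 9, 0)              # a Monday
    midnight = time(0, 0)
    p.grant(Rule("IT", "Server Room", ALL_DAYS, midnight, midnight),
            "fm.admin", "24/7 operational cover", now)
    p.grant(Rule("Contractors", "Ground Floor", WEEKDAYS, time(9), time(17)),
            "fm.admin", "Refurbishment works", now)
    p.grant(Rule("Cleaning", "Office Areas", ALL_DAYS, time(18), midnight),
            "fm.admin", "Evening cleaning contract", now)
    p.grant(Rule("Auditor", "Floor 3", WEEKDAYS, time(9), time(17),
                 expires=datetime(2026, 3, 6, 17, 0)),
            "fm.admin", "Audit visit, 2 to 6 March", now)
    return p
```

The audit list answers the "who granted access to whom, when, and why" question directly: each entry carries the rule, the account that made the change, the timestamp and the stated reason.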

Chapter 4

Extending the perimeter

A door reader at the entrance is one part of a larger picture. Modern access control platforms extend well beyond the door, and the value of doing so usually outweighs the marginal cost of the additional modules.

Visitor and contractor management

The paper sign-in book is a liability. It does not verify identity. It does not check certifications. It cannot pre-screen visitors. And it is unreadable in an emergency, when somebody actually needs to know who is inside.

A proper visitor management module replaces all of that. Visitors are pre-registered before they arrive, with an email invitation that captures their details and any required health or travel declarations. When they arrive, they sign in at a kiosk, their host is notified automatically, and they are issued a time-limited access credential tied to their record.

For contractors, the same workflow can include competency verification. Does this person have a valid CSCS card? Is their DBS current? Has the site induction been completed? The system can check all of that before access is granted, and the record is stored automatically as part of your golden thread for the Building Safety Act.

For schools and colleges working under KCSIE expectations, this is where most of the safeguarding posture lives. A parent volunteer, a peripatetic music teacher, a contractor coming to fix a boiler, all of them go through the same screening before the system issues a badge. The audit trail is what an Ofsted inspector wants to see.

ANPR: taking control of the car park

Automatic Number Plate Recognition extends your access control perimeter to the car park, which is often the weakest point in an otherwise tightly managed site. Barriers open automatically for registered staff and expected visitors. Unrecognised plates are logged and can trigger an alert.

Vehicle entry and exit times are recorded against staff or visitor records, giving you a complete picture of site occupancy that includes people who arrived by car and might otherwise have bypassed the main entrance. For a multi-occupancy building or a campus site, this is significant. The reception sign-in tells you who came through the front door. ANPR tells you who actually arrived on site.

For large sites and shared estates, ANPR also solves the long-running problem of reserved spaces being used by the wrong people, without anyone having to manage it manually.

CCTV integration

Access control events can be linked directly to your Video Management Software. When a door access event is logged, the system tags the corresponding CCTV footage automatically. A forced door, a failed access attempt, a held-open alarm, all of them are linked to verified video the moment they happen.

If there is an incident, you do not need to search through hours of footage. You pull the access log for the door in question, click the event, and the relevant footage is queued. Incident investigation moves from a slow manual process to a five-minute task.

Linked event, 07:14:22

  • Access event: Tailgate detected, Loading Bay 2
  • Verified by: Camera 08, Loading Bay perimeter
  • Footage queued: 07:13:45–07:15:15, 90 seconds, auto-tagged

This matters increasingly for insurer expectations around incident response, and for satisfying regulators who want to see that events can be reviewed promptly. Under the Building Safety Act, evidence that an incident was investigated, documented, and resolved is part of the golden thread. A platform that links access events to verified footage with timestamps makes that evidence trivial to produce.

Chapter 5

Emergency mustering

This is the capability that tends to change the conversation. Most FM directors agree the dashboard is useful and the visitor module is sensible, but mustering is where the room goes quiet.

The problem with paper roll calls

Traditional fire evacuation procedures rely on a paper register, a fire marshal with a clipboard, and someone shouting names in a car park. In a building with fifty people, that is just about manageable. In a building with three hundred, with contractors on site, agency staff working shifts, and a visitor in the boardroom, it is chaos.

Paper registers go out of date between the moment they are printed and the moment they are needed. Contractors are not on the list. The fire marshal is on holiday and their deputy cannot find the clipboard. By the time you have established that everyone is out, the fire service has been waiting for ten minutes, and nobody is certain whether the person unaccounted for is genuinely missing or simply went home early.

That is the best-case scenario. For venues in scope of the Terrorism (Protection of Premises) Act 2024, being unable to confirm building clearance in a timely, documented way is not just operationally dangerous. It is a compliance failure.

Time to all persons accounted for

Typical multi-site office of 300 people, mixed staff and contractor occupancy.

  • Paper roll call: 12 min
  • Electronic mustering: < 4 min

How a proper system works

When the fire alarm triggers, the access control system takes over automatically. All doors unlock to allow free evacuation. The system logs the last known location of every person in the building at the moment of the alarm, based on their most recent access event.

RFID readers at muster points register people as they arrive outside. Emergency coordinators get a live dashboard on a tablet, with three statuses applied automatically:

  • Accounted for
  • Last known location
  • Unaccounted

Instead of shouting names from a clipboard, you are looking at a live map. You know within seconds whether anyone is unaccounted for, which floor they were last on, and whether the building can be confirmed clear. For buildings operating under Enhanced Tier Martyn's Law duties, that is the difference between a defensible safety procedure and an indefensible one.
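The mustering logic described above, worked through on constructed data as an added example (not a vendor implementation). The guide names the three statuses without defining them, so the mapping here is an assumption: a muster-point read after the alarm is "Accounted for", an on-site credential with a zone from its latest access event is "Last known location", and someone signed in at reception with no door event on record is "Unaccounted".

```python
from datetime import datetime

OFFSITE = "OFFSITE"   # zone recorded when a credential badges out at the perimeter


def muster_report(events, signed_in, alarm_at, muster_reads):
    """Return {credential: (status, detail)} for everyone on site at the alarm."""
    alarm = datetime.fromisoformat(alarm_at)

    # Snapshot: latest zone per credential from events at or before the alarm.
    last_zone = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if datetime.fromisoformat(e["ts"]) <= alarm:
            last_zone[e["cred"]] = e["zone"]
    on_site = {c: z for c, z in last_zone.items() if z != OFFSITE}

    # Kiosk sign-ins with no door event are on site but have no known zone.
    for cred in signed_in:
        if cred not in last_zone:
            on_site[cred] = None

    # First muster-point read per credential after the alarm.
    arrived = {}
    for r in sorted(muster_reads, key=lambda r: datetime.fromisoformat(r["ts"])):
        if datetime.fromisoformat(r["ts"]) >= alarm:
            arrived.setdefault(r["cred"], r["point"])

    report = {}
    for cred, zone in on_site.items():
        if cred in arrived:
            report[cred] = ("Accounted for", arrived[cred])
        elif zone is not None:
            report[cred] = ("Last known location", zone)
        else:
            report[cred] = ("Unaccounted", "no zone event on record")
    # Anyone read at a muster point without an on-site record is still safe outside.
    for cred, point in arrived.items():
        report.setdefault(cred, ("Accounted for", point))
    return report


def building_clear(report):
    return all(status == "Accounted for" for status, _ in report.values())


def sample_report():
    """Constructed data: alarm at 10:30 on a site with staff, a visitor and a contractor."""
    day = "2026-03-04T"
    events = [
        {"cred": "C-1001", "zone": "Floor 2", "ts": day + "09:02:00"},
        {"cred": "C-1002", "zone": "Floor 3", "ts": day + "09:10:00"},
        {"cred": "C-1003", "zone": "Ground Floor", "ts": day + "08:30:00"},
        {"cred": "C-1003", "zone": OFFSITE, "ts": day + "10:00:00"},   # went home early
        {"cred": "V-2001", "zone": "Boardroom", "ts": day + "10:05:00"},
    ]
    signed_in = ["V-2001", "K-3001"]   # K-3001 signed in at the kiosk, no door events
    muster_reads = [
        {"cred": "C-1001", "point": "Muster Point A", "ts": day + "10:32:10"},
        {"cred": "V-2001", "point": "Muster Point A", "ts": day + "10:33:00"},
    ]
    return muster_report(events, signed_in, day + "10:30:00", muster_reads)
```

The person who left at 10:00 never appears in the report, which is the case a paper register cannot resolve.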

If you are not sure whether your estate could account for everyone in the building inside four minutes today, the access control checklist walks through it site by site.

Why this matters across the estate

For a single building, paper-to-electronic mustering is an upgrade. For a multi-site estate, it is a categorical change in what you can demonstrate. A central security lead can see, in real time, that every site in the portfolio has confirmed building clearance after a drill. The timestamped record is generated automatically, exportable for an audit, and consistent across every venue you operate.

None of that is possible with a fire marshal in a car park, no matter how diligent the marshal is.

Chapter 6

The bit nobody tells you about choosing a supplier

The technology in this guide is widely available. Most reputable suppliers can show you a polished demo and quote a sensible price. The difference between a good outcome and a frustrating one almost always comes down to who installs and supports it once the contract is signed.

The hardware-software split

The access control market has the same structural problem as time and attendance: software companies who do not properly understand the hardware, and hardware resellers who can fit a reader on the wall but do not have depth in the software configuration.

For most of the year this does not matter. The doors open, the dashboard works, the visitor log generates as expected. The split only becomes visible when something goes wrong. A door is not opening for a particular access group. An alarm is not triggering when it should. The dashboard is not reflecting reality.

At that moment you need one organisation to own the problem from reader to cloud. If your supplier cannot tell you, in one sentence, who is responsible for diagnosing and resolving a hardware fault end to end, that is a significant risk to understand before you sign anything.

In-house UK engineering

There is a more subtle version of the same problem. A supplier who presents as fully integrated can still be subcontracting the physical install to third-party engineers who have never worked with the software and have no ongoing relationship with the support team that will look after you afterwards.

The questions to ask are straightforward. Are the engineers who install our system employed directly by you? Will the same team handle commissioning and ongoing maintenance? Who do we call if there is a fault on site six months after go-live, and is that person the one who will turn up?

The answers tell you considerably more about what working with the supplier looks like in practice than a product demonstration ever will. A polished demo is a marketing exercise. A clear answer about who turns up when something breaks is operational reality.

Why it matters under the new regulations

Under Martyn's Law and the Building Safety Act, your access control platform is no longer just an operational system. It is part of the evidence base you rely on if a regulator asks how you manage risk across your estate. The supplier who installs and supports it is, in practical terms, part of your compliance posture.

If a door fails to lock during a drill and your access control provider tells you it is a hardware issue while the company who fitted the reader tells you it is a software issue, with neither accepting responsibility, the gap between them becomes your problem. In a drill that is embarrassing. In an incident, or an audit, or an Enhanced Tier review, it is something else entirely.

Single-vendor accountability is not just a procurement preference. It is the structural decision that determines whether your platform supports your compliance story or undermines it.

Why this approach works best

What to look for in an access control platform.

If you are evaluating more than one option, four principles separate platforms genuinely built for the compliance era from those that have bolted it on.

01

Unified hardware and software ownership

One team responsible from reader to cloud means no accountability gap and no finger-pointing when a door does not behave as it should. A single contract, a single number to call, a single team that owns the outcome.

02

In-house UK engineering

Employed engineers who understand both the hardware and the software configuration mean nothing gets lost between the team who installed it and the team who supports it. The system that goes in is the system that gets looked after.

03

Compliance-first design

Martyn's Law, the Building Safety Act, and KCSIE built into the platform's workflow rather than added as optional modules. Your audit trail is reliable from day one, not stitched together after the first regulatory enquiry.

04

Estate-wide cloud management

Access Control as a Service with offline resilience gives you the operational simplicity of a single cloud platform, without the risk of doors defaulting open when the network has a bad morning.

Making your decision

Before any conversation with a supplier.

Three things are worth being clear on before your first call.

01

What does your current estate actually look like?

A door-by-door audit of what hardware is in place, what is end-of-life, and what is simply absent is the foundation for any sensible specification. If you do not know what you have, you cannot evaluate what you need.

02

What are your compliance obligations?

Martyn's Law tier, Building Safety Act duties, sector-specific requirements like KCSIE. Map these before you go to market. A supplier who does not lead with compliance in their first conversation with you is probably not the right partner.

03

What does day-to-day management look like?

Who is configuring access rules, handling visitor management, reviewing alarms? A system that requires a support ticket every time someone needs to change an access group is not the right system for an FM team.

Before your first call

Run the access control checklist

A short diagnostic that maps your current door hardware, visitor processes, and compliance readiness against Martyn's Law and the Building Safety Act. The same one used in our discovery sessions.

Forward this guide

Send it to whoever owns FM, security, and IT in your organisation, with three questions: are we Martyn's Law compliant today, can we confirm building occupancy in under two minutes, and who owns a door fault end to end?

Then book the audit

Site Security and Access Control Audit

Speak with a UK-based specialist who will start with your estate, your compliance obligations, and your current gaps, and only then talk about what a modern access control platform could look like for you.