Key & Access Management — E-commerce & Retail Edition
A controlled process for issuing, tracking, and recovering physical keys and electronic access credentials to maintain premises security and accountability.
Purpose
To prevent unauthorized access to the premises by maintaining strict control over all physical keys and electronic access credentials, with a clear audit trail of who holds what access at all times.
Scope
Covers all physical keys, access cards, key fobs, alarm codes, and electronic access credentials for the premises. Does not cover IT system passwords or digital application access, which are managed under the IT & Systems SOP.
Prerequisites
- Master key register documenting all locks and keys in the premises
- Electronic access control system configured and operational
- Key safe or lockbox for secure key storage
- Key and access policy approved and communicated to all staff
Includes Australian Consumer Law (ACL) compliance features, GST calculations, and product safety record management.
Step-by-Step Procedure
Maintain the Key and Access Register
Keep the master register of all keys and access credentials current, documenting every key or credential, who holds it, when it was issued, and its purpose.
- 1.1Review the key register monthly to verify all entries are current
- 1.2Update the register for any lock changes, new keys cut, or credentials created
- 1.3Cross-reference with the staff list to identify any ex-employees still listed
Process New Key or Access Requests
When a new key or access credential is needed, verify the request is authorized, determine the appropriate access level, and obtain approval before issuing.
- 2.1Receive the access request from the staff member or their manager
- 2.2Verify the request is appropriate for the person's role
- 2.3Obtain written approval from the designated authority
Issue the Key or Access Credential
Provide the approved key or credential to the staff member, record the issuance in the register, and have the recipient acknowledge receipt.
- 3.1Cut a new key or program the access credential as required
- 3.2Record the issuance in the key register with date and recipient details
- 3.3Have the recipient sign an acknowledgment of receipt and responsibility
- 3.4Remind the recipient of the key and access policy requirements
Manage Temporary Access
For temporary workers, contractors, or short-term needs, issue temporary credentials with defined expiry dates and monitor their return.
- 4.1Issue temporary credentials with a clear expiry date
- 4.2Log the temporary issuance in the register
- 4.3Set a reminder for the return date
- 4.4Follow up immediately if the credential is not returned on time
- Temporary credentials should automatically deactivate on the expiry date if using an electronic system
Recover Keys and Credentials on Departure
When a staff member leaves the organization, collect all keys and access credentials as part of the exit process and deactivate their electronic access.
- 5.1Review the key register for all items issued to the departing staff member
- 5.2Collect all physical keys and access cards during the exit team sync
- 5.3Deactivate their electronic access credentials in the system immediately
- 5.4Update the key register to reflect the return
Handle Lost or Stolen Keys
When a key or credential is reported lost or stolen, assess the security risk, deactivate the credential if electronic, and determine whether locks need to be changed.
- 6.1Record the loss in the key register with full details
- 6.2Deactivate the lost electronic credential immediately
- 6.3Assess whether the lost key poses a security risk requiring lock changes
- 6.4If lock changes are needed, schedule them urgently and reissue keys
- Err on the side of caution — if in doubt, change the locks
Conduct Periodic Access Audits
Regularly audit who has access to the premises and verify that access levels remain appropriate for each person's current role.
- 7.1Compare the key register against the current staff list
- 7.2Review electronic access logs for unusual patterns
- 7.3Revoke access for anyone who no longer needs it
Report on Access Management
Compile a periodic report on key and access management activities including issuances, returns, losses, and audit findings for management review.
- 8.1Summarize all key and access transactions for the period
- 8.2Report any security incidents related to access
- 8.3Highlight any audit findings or recommendations
Quality Checkpoints
Common Mistakes to Avoid
Expected Outcomes
Percentage of keys and credentials recovered from departing staff, targeting 100%.
Number of unauthorized access incidents per year, targeting zero.
Percentage of quarterly access audits completed on time with all findings resolved, targeting 100%.
Frequently Asked Questions
What should I do if I find an unattended key or access card?
Turn it in to the Facilities Manager or reception immediately. Do not attempt to use it or return it to the person you think it belongs to, as the register must be updated properly.
Can I lend my key or access card to a colleague?
No. Keys and access credentials are issued to individuals and must not be shared. If a colleague needs access, they should submit a formal access request.
How quickly should locks be changed after a key is lost?
Electronic credentials should be deactivated immediately. For physical keys, a risk assessment should be completed within 4 hours, and lock changes, if required, should be completed within 24-48 hours.
Who authorizes master key issuance?
Master keys require approval from the Operations Manager or General Manager. They should only be issued to senior staff with a documented business need.
Want this customised for YOUR business?
We'll tailor every step to your exact operations, tools, and team structure.