Strengthening Physical Security: What NZ Boards Need to Know About the PSR Framework
21 November 2025 | Nextro Insight
Physical security is now a core component of organisational resilience, protecting people, information, facilities and critical assets. The New Zealand Protective Security Requirements (PSR) provide a comprehensive framework that government agencies must follow, and that private-sector organisations increasingly adopt as a proven best-practice model.
For boards, the PSR’s physical security policy is especially valuable because it sets out a clear lifecycle of responsibilities under PHYSEC 1–4. This lifecycle helps New Zealand organisations understand what they must protect, how controls should be designed, how they should be validated, and how they must be maintained over time.
Nextro regularly supports boards and executive teams to interpret and implement these requirements, particularly in environments where physical, cyber and operational security intersect.
Why Physical Security Matters to Boards
Physical security intersects with health and safety, information security, business continuity and asset protection. It is not merely a facilities issue; it is an organisational risk domain that requires senior oversight, because a failure in one layer (for example, an unsecured server room or an unreviewed access list) undermines the controls that depend on it.
The PSR outlines clear expectations and provides a structured way to manage physical security risks.
Nextro sees consistent improvements in resilience when boards treat physical security as a strategic responsibility with dedicated reporting, budgets and clear ownership.
PHYSEC 1 – Understand What You Need to Protect
The first requirement demands a complete understanding of the people, information, assets and services your organisation relies on. This includes:
- Identifying where assets are located
- Assessing asset value, sensitivity and usage
- Understanding threat likelihood and impact
- Integrating health and safety obligations
- Embedding security considerations into site selection
Directors must ensure the organisation maintains a current asset inventory and conducts regular physical risk assessments. Nextro frequently observes gaps where site selection or leasing decisions have been made without appropriate physical security input.
PHYSEC 2 – Design Your Physical Security
PHYSEC 2 requires organisations to build physical security into the early stages of planning, design and facility decision-making. This includes:
- Establishing security zones (public, controlled, restricted etc.)
- Implementing layered physical controls
- Developing site security plans
- Aligning controls with business impact levels
- Using approved or certified physical security products
Security must be intentionally designed, not retrofitted. Retrofitting increases cost, complexity and operational disruption. Nextro strongly recommends that boards require physical security design sign-off for all major initiatives.
PHYSEC 3 – Validate Your Security Measures
Controls must not only exist; they must be shown to work as designed. PHYSEC 3 requires organisations to:
- Validate correct installation of physical security controls
- Identify vulnerabilities and weaknesses
- Complete accreditation of security zones
- Escalate and formally accept residual risks at senior levels
Boards should expect structured assurance reporting rather than simple statements of compliance. Independent validation, inspection findings, accreditation status and remediation actions should be part of regular board or committee updates. Validation should be carried out by someone independent of the people who installed or operate the controls. Nextro often finds that organisations assume controls are working without having tested them independently. This is a key governance risk.
PHYSEC 4 – Keep Your Security Up to Date
Threats evolve, assets change and technology ages. PHYSEC 4 requires:
- Continuous vulnerability monitoring
- Regular maintenance and lifecycle replacement
- Updated site security plans
- Incident response readiness
- Retirement of outdated or ineffective controls
Effective physical security requires ongoing investment, not a one-time upgrade. Boards should ensure budgets cover maintenance, operational support, supplier oversight and periodic review cycles. Nextro’s assessments show this is the most common area where organisations fall behind.
What New Zealand Boards Should Do Next
Based on the PSR framework and Nextro’s experience advising organisations across New Zealand, boards should:
1. Request a physical security roadmap: It should align to PHYSEC 1–4, include a gap analysis and be supported by an implementation plan.
2. Confirm clear executive accountability: One senior leader must own the physical security lifecycle and provide regular reporting.
3. Ensure physical security is embedded into all major organisational changes: Projects relating to property, construction, technology, operations and procurement should reference PHYSEC requirements.
4. Strengthen assurance and validation: Boards should require evidence of testing, inspections, accreditation and closure of identified risks.
5. Require periodic review and maintenance: Maintenance plans, lifecycle schedules and threat reviews must be standard practice.
6. Improve board reporting: Useful metrics include:
- Facility risk assessments completed, and those overdue for review
- Zone accreditation status (accredited, pending, expired)
- Open vulnerabilities, by severity and age
- Supplier compliance with contracted security obligations
- Incident trends over time
- Maintenance and lifecycle progress against plan, and budget adherence
Nextro can help develop these metrics and connect physical security oversight with broader risk and resilience reporting.
Risks of Inaction
If physical security is not governed effectively, organisations face:
- Harm to staff or the public
- Compromise of sensitive information or assets
- Service disruption and operational downtime
- Legal, regulatory and financial consequences
- Reputational impact
Many incidents stem from basic physical security weaknesses, such as unaccredited zones, unmaintained controls or untested access arrangements, making this a critical governance priority.
Final Thought for Boards
The PSR’s physical security requirements provide a clear, structured and practical framework that boards can rely on. By aligning governance to PHYSEC 1–4, organisations significantly strengthen their ability to protect people, information and assets.
Nextro partners with boards and executive teams to assess current maturity, develop roadmaps, implement PSR-aligned controls and lift ongoing assurance.
Please contact Nextro today to discuss how we can help you implement PHYSEC 1–4 for your business.
