Why Physical Security Standards Keep Failing the IT Test
A common source of misunderstanding between physical security and IT is the use of the term “standards” in the context of physical security system technology.
Q: IT recently asked me for a copy of our physical security technology standards, which I provided. They called the document an acceptable products list, not a standard. Why?
A: This is a long-standing conceptual difference between the physical security and IT domains, which is important to understand.
The difference you are facing stems from the evolution of physical security technology—from proprietary, standalone products in the building controls and low-voltage domain to enterprise-scale systems composed of intelligent devices and software platforms. These systems are now based on information technology and are deployed on, or alongside, corporate information systems and networks. See this diagram: https://go-rbcs.com/eii-diagram-2026.
What “Standards” Means
In most organizations, “physical security technology standards” are not defined in the same sense that IT uses the term. The following sections describe current physical security practices, followed by a comparison with IT.
Current Physical Security Technology Standards and Practices
In most organizations, what are called “physical security technology standards” are not, in a formal sense, standards. Instead, they are typically a combination of product preferences, design guidance, and vendor-driven practices.
These generally fall into three categories:
Acceptable Product Lists (APLs)
- Lists of approved manufacturers and models
- Often the primary mechanism used to “standardize” deployments
- Driven by procurement efficiency, familiarity, and support considerations
These define what can be purchased, not what must be achieved.
Design Guidelines and Best Practices
- Camera placement rules
- Access control device configurations
- Video coverage expectations
Often derived from manufacturer recommendations or integrator experience, these are advisory and not tied to measurable outcomes or risk levels.
Standard Designs and Templates
- Predefined solutions for common facility types
- “Typical” deployments reused across sites
These assume uniform risk and can result in inconsistent protection effectiveness.
Underlying Issue
Across these categories, the term “standard” is used loosely. What is typically missing is:
- Clear definition of required outcomes
- Alignment to risk levels
- Measurable performance criteria
- Enterprise-wide consistency in application
These are necessary for stakeholder understanding, risk management, acceptance testing, and demonstrating uniform due diligence in risk mitigation and duty of care regarding personnel protective measures across locations.
As a result of these missing elements, many physical security “standards” function as tools for procurement and design rather than as enforceable control frameworks.
Increasingly, large enterprises submit proposed physical security technologies to IT review boards, which expect to see how solutions align with a defined standards framework.
Existing Physical Security Standards
Physical security does have established international standards, but they are not widely used as the foundation for corporate “technology standards.” A key example is the IEC 62676 series for video surveillance systems. It addresses system requirements, performance, testing, and application guidance across the full lifecycle.
Part 4, updated in October 2025, is particularly significant. It provides application guidelines for selection, planning, installation, commissioning, maintenance, and testing. The scope and implications of this update are well described in the Axis Communications article, “From DORI to Visual Performance in IEC 62676-4:2025” (https://newsroom.axis.com/en-za/blog/iec-62676-4-video-surveillance).
This update replaces the long-used DORI model (Detection, Observation, Recognition, Identification) with seven new visual performance categories, reflecting modern advances in camera resolution and image quality. To date, DORI has been widely used by the architecture and engineering (A&E) community to specify image quality in pixels per foot or meter. Updating the image standards for current-day high-resolution, high-performance cameras is especially important now that AI video technologies depend on video to develop real-time situational awareness across the surveillance landscape.
The updated IEC 62676-4 standard links image performance directly to operational objectives and site risk. It requires that the physical security risk assessment identify critical assets and their locations, define surveillance areas of interest, establish desired levels of camera image detail, and determine camera placement accordingly. Page 31 (of 96 pages) states:
“The location(s) of interest shall be established and documented on the site plan… The level of detail(s) desired… shall then be established for each location…”
This illustrates a performance-based standard in which system design is driven by defined objectives and measurable outcomes.
Organizations such as ASIS International have also published physical security standards. These focus primarily on risk assessment and risk management, governance, and operational practices, with less emphasis on detailed technical performance criteria.
How This Differs from IT Standards
In IT, standards are more clearly defined and consistently applied.
- Control-Based Requirements. They define what must be implemented—such as access control, encryption, and monitoring—independent of specific products.
- Framework Alignment. They align with established frameworks, providing structure and consistency for risk management.
- Measurable and Enforceable. They are designed to be assessed, audited, and enforced across the enterprise.
In summary, the key historical differences are:
- Physical Security: product-driven and design-oriented
- IT: control-driven and risk-oriented
This is why a physical security technology acceptable products list is not recognized by IT as a standard.
Moving Toward a Standards-Based Model
The path forward for physical security is not to replace existing practices, but to structure them differently:
- Define control-based requirements and outcomes.
- Reference external standards (such as IEC 62676) as normative (i.e., required) guidance for defining and verifying performance.
- Use approved product lists to support compliance.
- Apply design templates as implementation tools.
This approach aligns physical security with enterprise risk management and IT governance expectations.
The Path Forward
The issue is not that physical security lacks standards. Comprehensive standards already exist. The issue is that corporate programs often do not structure their internal standards around them.
As physical security systems become fully integrated with enterprise IT environments, adopting a control-based, standards-referenced approach enables consistent due diligence, measurable performance, and alignment with enterprise governance. In that context, IT’s question is not criticism; it is an invitation to mature the way physical security defines and applies its standards.
About the Author

Ray Bernard, PSP, CHS-III
Ray Bernard, PSP, CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Ray has recently released an insightful downloadable eBook titled, Future-Ready Network Design for Physical Security Systems, available in English and Spanish.
Follow him on LinkedIn: www.linkedin.com/in/raybernard.
Follow him on Twitter: @RayBernardRBCS.
