An access control system works by verifying a user’s identity — via keycard, PIN, fingerprint, or smartphone — against a database of permissions before granting or denying physical access to a door, gate, or area. At its core, every system consists of a credential, a reader, a control panel, an electric lock, and software that logs every access event. Businesses in Northern Ireland installing access control must ensure their system complies with BS EN 60839-11-1:2013 (the product and system standard) and should use an SSAIB-certified installer such as Advanced Overwatch to guarantee regulatory compliance and insurance recognition.
If you run a business in Northern Ireland — whether a retail shop in Belfast, an office in Derry, or a logistics depot in Lisburn — at some point you have probably asked yourself: how does an access control system actually work, and what do I need to have in place legally and practically?
The honest answer from our engineers in the field is that most business owners understand the concept (“a door that locks when it should”) but miss the underlying logic — the standards that govern how these systems must be installed, the credential options available, and the audit trail obligations that come with modern electronic access control.
This guide explains, in plain English, how access control systems function, what British Standards apply to commercial installations in Northern Ireland, and what you should look for when choosing a system and an installer.
Note: References to BS EN 60839-11-1:2013 and PD 6662:2017 in this article are based on publicly available British Standards documentation. Please confirm current applicability and clause references with Jim at Advanced Overwatch before quoting these standards in customer-facing materials.
What Is an Access Control System?
An access control system is an electronic security system that regulates who can enter specific areas of a building or site. Unlike a traditional lock and key — where anyone with a key can access any door that key opens — an electronic access control system makes access decisions based on identity and permission levels, and logs every attempt (successful or not) automatically.
This distinction matters for businesses for several reasons:
- Accountability: You know exactly who accessed which door and when. This is critical for regulated environments such as care homes, schools, pharmacies, and financial offices in Northern Ireland.
- Revocability: If an employee leaves or loses a card, you can revoke their credentials instantly. With a physical key, you must change the locks.
- Audit trails for GDPR compliance: Access control logs can constitute personal data under UK GDPR (retained post-Brexit via the Data Protection Act 2018). Businesses must manage this data responsibly, which means understanding what their system records and how long records are kept.
- Insurance and regulatory alignment: Many commercial insurers and regulatory bodies in NI require evidence of controlled access to sensitive areas.
The Core Components
Every electronic access control system — from the simplest single-door setup in a Coleraine shop to a multi-site enterprise deployment across Belfast — is built from the same five building blocks:
1. Credentials
A credential is something the user presents to identify themselves. The most common types installed across Northern Ireland are:
| Credential Type | How It Works | Pros | Cons |
|---|---|---|---|
| Keycard / proximity card | Waved near a reader | Inexpensive, easy to issue/revoke | Can be shared; a lost card is not tied to an individual |
| PIN code / keypad | User enters a numeric code | No card to lose | Shared codes hard to track |
| Biometric (fingerprint, facial) | Reader reads a biological trait | Cannot be shared or stolen | Higher cost, slower in high-traffic scenarios |
| Smartphone / Bluetooth token | Communicates with reader via Bluetooth | Convenient, no physical token needed | App required, battery dependency |
| RFID fob | Similar to a card but in a compact fob | Rugged, fits on a keyring | Same limitations as cards |
For most small-to-medium NI businesses, a proximity card or RFID fob system represents the best balance of cost, security, and convenience. Biometric systems are increasingly common in high-security environments such as pharmaceutical storage, data centres, and government-adjacent facilities.
2. The Reader
The reader is the hardware mounted at the door that accepts the credential. It communicates with the control panel via a data cable (in wired systems) or wirelessly (in systems such as Abloy Smart Air, which Advanced Overwatch installs for clients across NI).
Readers are rated by their credential compatibility. A Wiegand reader handles legacy card formats; an OSDP (Open Supervised Device Protocol) reader is the modern standard offering encrypted communication between reader and panel, which is better for security and easier to integrate with broader security systems.
3. The Control Panel
The control panel is the “brain” of the system. Usually installed in a secure cabinet or communications room, it:
- Stores the database of valid credentials and access permissions
- Makes the decision to grant or deny access when a credential is presented
- Communicates with the lock and the management software
- Logs all access events with a timestamp
In a larger building, multiple panels across different floors or zones can be networked together, with a central server or cloud platform providing unified management. For a single-site NI business with a handful of doors, a single standalone panel is typically sufficient.
Modern access control panels used by Advanced Overwatch engineers support IP connectivity, enabling remote management via smartphone apps or web dashboards — a feature particularly valued by property managers and business owners who need to grant temporary access to contractors or deliveries outside normal hours.
4. The Electric Lock
The lock is the physical mechanism that secures the door. Common types include:
- Electromagnetic lock (maglock): A powerful magnet holds the door closed when energised. Simple and reliable, but requires the door to be fail-safe (unlocks when power is cut) for fire safety compliance.
- Electric strike: A modified door strike plate that releases when the access control system authorises entry. Allows the door to remain locked from the outside even when power is lost, improving fire safety compliance over maglocks.
- Motorised lock: A lock with an integrated motor that extends and retracts the deadbolt. Quiet operation and battery backup make these suitable for internal office doors.
The choice of lock type has significant implications for fire safety compliance under BS 5839-1 (which you should also consider if you are installing fire detection in the same building) and for insurance requirements. Your installer should advise on the correct combination for your door type and risk profile.
5. Management Software
The software layer is what turns a collection of hardware components into a usable system. Modern access control platforms (such as Paxton Net2, which Advanced Overwatch installs across NI, and SALTO XS4, used for our commercial projects in Belfast and Lisburn) provide:
- User and credential management (add, edit, suspend, revoke)
- Door scheduling (e.g., card access only between 8am and 6pm, PIN outside hours)
- Zone and area grouping (e.g., staff can access the shop floor but not the stockroom)
- Real-time event monitoring and alarm management
- Audit report generation (who accessed which door, when)
- Integration with CCTV and intruder alarm systems for layered security
For businesses regulated by the Information Commissioner’s Office (ICO) or operating under GDPR obligations, the audit trail capabilities of your management software are particularly important — access logs may need to be produced during data protection audits or subject access requests.
How the Access Decision Works: Step by Step
Understanding the sequence of events demystifies the system for many business owners:
- Credential presented: The user holds their card, enters their PIN, or presents a fingerprint to the reader at the door.
- Reader transmits data: The reader sends the credential data to the control panel, usually via the Wiegand protocol (legacy) or OSDP (modern encrypted).
- Panel verifies: The control panel checks the credential against its database. Is this card number registered? Has it been revoked? Is the current time within the card’s allowed access schedule?
- Decision made: If the credential is valid, active, and within schedule, the panel sends a signal to the electric lock to release. If not, the door remains locked.
- Event logged: The panel records the attempt — credential ID, door number, date, time, and result (granted or denied) — in its event log. This log feeds into the management software.
- Door re-secures: On a maglock, power is restored and the door re-locks when the door closes. On an electric strike or motorised lock, the mechanism resets automatically.
This entire sequence typically takes less than one second. In high-traffic environments, the limiting factor is usually how quickly people move through the door, not the electronics.
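The verify, decide and log steps above can be modelled in a few lines. This is an added illustration, not code from any panel vendor or from Advanced Overwatch; the card numbers, door names, zones and the `Panel` and `Credential` classes are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Credential:
    card_id: str
    holder: str
    zones: frozenset          # zones this credential may enter
    start: time               # schedule start (time of day)
    end: time                 # schedule end (exclusive)
    revoked: bool = False


def in_schedule(start, end, t):
    """True if t falls in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass
class Panel:
    credentials: dict                       # card_id -> Credential
    door_zone: dict                         # door -> zone it leads into
    events: list = field(default_factory=list)

    def decide(self, card_id, door, now):
        """Default-deny decision; every attempt is logged, granted or not."""
        cred = self.credentials.get(card_id)
        zone = self.door_zone.get(door)
        if zone is None:
            reason = "unknown_door"
        elif cred is None:
            reason = "unknown_credential"
        elif cred.revoked:
            reason = "revoked"
        elif zone not in cred.zones:
            reason = "zone_not_permitted"
        elif not in_schedule(cred.start, cred.end, now.time()):
            reason = "outside_schedule"
        else:
            reason = "granted"
        self.events.append({"time": now.isoformat(), "card_id": card_id,
                            "door": door, "result": reason})
        return reason == "granted"

    def revoke(self, card_id):
        """Revocation takes effect on the next presentation of the card."""
        self.credentials[card_id].revoked = True

    def audit(self, door):
        """Audit report: every logged attempt at one door, oldest first."""
        return [e for e in self.events if e["door"] == door]


# Constructed sample data (hypothetical card numbers, doors and zones).
def demo_panel():
    staff = Credential("1001", "A. Staff", frozenset({"shop_floor"}),
                       time(8, 0), time(18, 0))
    manager = Credential("1002", "B. Manager",
                         frozenset({"shop_floor", "stockroom"}),
                         time(8, 0), time(18, 0))
    night = Credential("1003", "C. Security", frozenset({"shop_floor"}),
                       time(22, 0), time(6, 0))
    return Panel({c.card_id: c for c in (staff, manager, night)},
                 {"front": "shop_floor", "store": "stockroom"})


if __name__ == "__main__":
    p = demo_panel()
    noon = datetime(2024, 3, 4, 12, 0)
    print(p.decide("1001", "front", noon), p.decide("1001", "store", noon))
    for e in p.audit("store"):
        print(e)
```

Denied attempts are logged with the reason they failed, so the audit report shows refused presentations as well as successful entries.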
British Standards That Apply to Access Control in Northern Ireland
⚠️ The following standards references should be verified with Jim at Advanced Overwatch before use in customer-facing materials.
BS EN 60839-11-1:2013
This is the primary product and system standard for electronic access control systems in the UK. It specifies requirements for the design, manufacture, installation, and performance of access control equipment, including:
- Readers and credentials
- Control panels
- Communication protocols between components
- Tamper detection and anti-tamper features
- Environmental classifications (indoor vs. outdoor equipment)
The standard classifies systems by security grade (Grade 1 to Grade 4, where Grade 4 offers the highest level of tamper resistance and life safety protection). Most commercial access control installations in Northern Ireland fall within Grade 2 or Grade 3, depending on the risk profile and insurer requirements.
BS EN 60839-11-2:2015
This companion standard provides guidance on the application of BS EN 60839-11-1. It offers practical advice on system design, component selection, installation practices, and commissioning procedures. While it is guidance rather than a specification (it does not carry the same mandatory weight as the base standard), it represents current industry best practice for professional access control installers in the UK.
PD 6662:2017
PD 6662 is a Published Document that provides a framework for the application of the European alarm standards — primarily BS EN 50131 (intruder alarm systems) and by extension BS EN 60839-11-1 for combined security systems — within the context of UK certification and insurance requirements. It is the key document that SSAIB-certified companies such as Advanced Overwatch use to demonstrate that an installation meets the requirements of UK insurance companies and police response categories for monitored systems.
For access control specifically, PD 6662 is most relevant when the access control system is integrated with an intruder alarm or is part of a wider graded security system where the insurer or a police contract (such as SSAIB or NSI Gold certification) requires a specific security grade.
SSAIB Certification (NIRE127 / Schedule 13473)
SSAIB (Security Systems Inspection Board) certification is the primary third-party quality assurance scheme for security installers operating in the UK and Northern Ireland. Businesses that use an SSAIB-certified installer for their access control system benefit from:
- Insurance recognition: Most commercial insurers in NI will accept an SSAIB certificate as evidence of professional installation, potentially reducing premiums.
- Police recognition: SSAIB-certified companies are recognised by the Police Service of Northern Ireland (PSNI) for the purposes of police response to alarm activations.
- Regulatory compliance: SSAIB’s certification scheme incorporates BS EN 60839-11-1 requirements as part of its audit process, giving customers confidence that their system was installed to the correct standard.
- Recourse mechanism: If an SSAIB-certified company fails to meet standards, the scheme provides a complaints and remediation process.
Advanced Overwatch holds SSAIB certification (NIRE127, Schedule 13473) and is also triple ISO-certified (ISO 9001:2015, ISO 14001:2015, ISO 27001:2019), meaning our access control installations are subject to independent audit against both product standards and our own quality and information security management systems.
Real NI Example: Access Control for a Belfast Office
A financial services firm in Belfast’s Titanic Quarter came to Advanced Overwatch with three concerns: their current system used legacy keypad technology with shared codes, there was no audit trail for who accessed the server room, and their previous installer had gone out of business.
The solution we designed and installed was a Paxton Net2 IP-based access control system with:
- Proximity card readers on six doors, including a high-security biometric reader on the server room
- Integration with the existing CCTV system (Dahua NVR) to automatically capture a snapshot whenever the server room was accessed
- Door scheduling: reception areas unlocked at 8am, locked at 6pm; server room accessible only during business hours with out-of-hours access requiring manager approval via the app
- Full audit trail exported monthly for the firm’s ICO compliance documentation
The system was designed in accordance with BS EN 60839-11-1 (Grade 3, appropriate for a financial services environment with sensitive data assets) and installed in two phases over three weeks with zero disruption to the firm’s operations.
Why Many NI Businesses Are Underprotected
From our experience installing and maintaining access control systems across Northern Ireland, we see three recurring mistakes:
1. Relying on legacy keypad systems
Shared PIN codes are common in small businesses because they are cheap. But they offer no accountability — if a code is shared among five people and something goes missing, you have five suspects and no evidence. A proximity card system costs marginally more but delivers a complete, tamper-proof audit trail.
2. Not planning for growth
We regularly see businesses install a single-door access control system and then discover, 18 months later, that they need to add three more doors and a CCTV integration. At that point, the original hardware may not support expansion, requiring a full replacement rather than an upgrade. At Advanced Overwatch, we always design access control systems with a minimum 3-year expansion roadmap.
3. Using non-certified installers
The security systems industry in Northern Ireland includes a wide range of providers, from SSAIB and NSI Gold-certified companies like Advanced Overwatch to one-person operators who may not carry professional indemnity insurance or be familiar with current standards. An uncertified installation may void your building insurance or fail to meet the requirements of your insurer. Always ask to see the installer’s SSAIB or NSI certificate and check the scope of what it covers before proceeding.
What to Expect from an Access Control Installation in NI
A professional access control installation from Advanced Overwatch follows this standard process:
- Site survey: Our engineers visit your premises in Northern Ireland to assess door types, existing infrastructure, cable routes, and your security objectives. We provide a detailed proposal with equipment specifications, standards compliance notes, and a fixed-price quote — no hidden extras.
- System design: We design the system to your specific requirements, including credential type selection, lock hardware, panel placement, and network architecture for IP-connected systems.
- Installation: Our engineers install all hardware, run cabling where required (or install wireless where retrofit is preferable), configure the control panel and software, and test every door and credential.
- Commissioning and handover: We test the complete system, demonstrate operation to your team, and provide documentation including as-fitted drawings, user manuals, and a commissioning certificate confirming BS EN 60839-11-1 compliance.
- Ongoing maintenance: We offer annual maintenance contracts that include firmware updates, credential management, and 24/7 emergency callout — essential for businesses where a failed lock or reader could create a security vulnerability.
Related Questions
What is the difference between BS EN 60839-11-1 and BS EN 50133 for access control?
BS EN 60839-11-1:2013 is the current primary product standard for electronic access control systems in the UK, having replaced much of the earlier BS EN 50133 framework. BS EN 50133-1:1997+A2:2008 is the older standard that is now largely superseded but may still be referenced in legacy system specifications or older insurance schedules. For any new access control installation in Northern Ireland, BS EN 60839-11-1 is the standard that applies. If you have an existing system installed before 2013, it may have been designed to BS EN 50133 — a professional audit by an SSAIB-certified company such as Advanced Overwatch can establish which standard your current system meets and whether an upgrade is warranted.
Can access control systems integrate with CCTV and intruder alarms?
Yes — and this is increasingly the standard expectation from commercial clients in Belfast and across Northern Ireland. Modern IP-based access control platforms such as Paxton Net2 and SALTO XS4 support open integration protocols that allow them to trigger CCTV camera recordings on access events, arm or disarm intruder alarm systems based on door access (first person in / last person out functionality), and generate unified security dashboards. At Advanced Overwatch, we regularly design integrated security systems for commercial and educational clients across NI, combining access control, CCTV, and intruder alarm management on a single platform. This approach reduces management overhead, improves incident response, and aligns with insurance requirements for businesses with higher risk profiles.
How long do access control records need to be kept under UK GDPR in Northern Ireland?
There is no single legally prescribed retention period for access control logs under UK GDPR — the obligation is to retain personal data (which includes access card numbers linked to named individuals) only for as long as it is necessary for the purpose for which it was collected. For most businesses in Northern Ireland, a rolling 12-month retention period for access event logs is a reasonable starting point, though regulated sectors (financial services, healthcare, legal) may be subject to sector-specific requirements or codes of practice that mandate longer retention. Advanced Overwatch’s access control management software allows configurable retention periods and supports secure data export or deletion on request, helping NI businesses meet their data minimisation and subject access request obligations under the Data Protection Act 2018.
Standards Explained
BS EN 60839-11-1:2013 — The British and European standard that sets out product and system requirements for electronic access control equipment, including readers, control panels, credentials, and communication protocols. It grades systems from Grade 1 (lowest risk, domestic/residential) to Grade 4 (highest risk, high-security commercial and infrastructure applications). For most commercial installations in Northern Ireland, Grade 2 or Grade 3 is appropriate, with the grade determined by the risk assessment and insurer requirements.
BS EN 60839-11-2:2015 — A companion guidance document to BS EN 60839-11-1 that provides practical advice on applying the standard in real-world installations. It covers system design, component selection, installation practices, and commissioning. It is guidance rather than a mandatory specification, but it represents accepted industry best practice for professional installers in the UK.
PD 6662:2017 — A Published Document issued by BSI that provides the framework for applying European alarm standards (primarily BS EN 50131 for intruder alarms and BS EN 60839-11-1 for access control) within UK certification schemes and for UK insurance purposes. It defines the security grades, environmental classes, and reporting protocols that SSAIB and NSI Gold certification schemes require their members to follow. For commercial access control systems in Northern Ireland where insurance or police response is a consideration, PD 6662 compliance is effectively mandatory.
SSAIB (Security Systems Inspection Board) — The primary UK certification body for security and fire alarm installation companies. SSAIB certification involves regular independent audits of a company’s equipment, installation procedures, documentation, and staff training. Businesses that use an SSAIB-certified installer (such as Advanced Overwatch, certificate NIRE127/Schedule13473) can demonstrate to insurers, police, and regulators that their security systems were installed to professional standards. SSAIB certification is widely recognised across Northern Ireland’s commercial insurance market.
ISO 9001:2015 — The international quality management system standard. Triple ISO certification (9001, 14001, and 27001) held by Advanced Overwatch means our processes, documentation, environmental management, and information security practices are independently audited to internationally recognised criteria. For commercial clients and public sector organisations in Northern Ireland, ISO certification is increasingly a procurement requirement.
OSDP (Open Supervised Device Protocol) — An access control communications standard that allows readers and control panels to communicate bidirectionally and with encryption, replacing the older Wiegand protocol which transmitted data in plain text. OSDP is the recommended standard for new commercial access control installations as it provides significantly better security against credential cloning and reader tampering.
Wiegand Protocol — The legacy communication standard used by most older access control readers and control panels. Wiegand transmits credential data in plain, unencrypted form, making it theoretically vulnerable to credential cloning with commercially available equipment. While Wiegand systems remain functional and are still installed, the security industry has moved toward OSDP for new installations.
Fail-safe vs. fail-secure locks — A fail-safe lock (such as an electromagnetic lock that unlocks when power is cut) is required by fire safety regulations for exits that must remain accessible in an emergency. A fail-secure lock (such as an electric strike that locks when power is lost) provides higher physical security but must be manually overridden or have a battery backup to ensure occupant safety in a fire. The choice between fail-safe and fail-secure is a critical design decision that must be made in consultation with your access control installer and with reference to BS 5839-1 fire safety requirements.
ICO (Information Commissioner’s Office) — The UK independent regulatory body responsible for enforcing the UK GDPR and the Data Protection Act 2018. For businesses in Northern Ireland operating access control systems, the ICO is the supervisory authority. Access control logs that can identify named individuals constitute personal data under UK GDPR and must be managed, retained, and disposed of in accordance with the law — the ICO has the authority to audit businesses and issue fines for non-compliance.

