Key Control Policy: Issuance, Tracking, and Recovery Procedures
A comprehensive key management policy covering master key systems, electronic access credentials, key logs, and procedures for lost or unreturned keys.
Keys are a critical security asset. Uncontrolled keys create vulnerabilities that cameras and alarms can't fix. This policy establishes procedures for issuing, tracking, and recovering all physical and electronic keys.
Effective key control requires a master key system, strict issuance procedures, comprehensive logging, regular audits, and immediate action when keys are lost or employees depart. The cost of rekeying is always less than the cost of a breach.
Scope
This policy applies to:
- All mechanical keys (master, sub-master, individual)
- Electronic access cards and fobs
- Keypad codes and combinations
- Vehicle keys
- Equipment keys (cabinets, safes, machinery)
Key System Structure
Master Key Hierarchy
| Key Level | Access | Authorized Holders |
|---|---|---|
| Grand Master (GMK) | All locks in system | Security Director, Facility Manager only |
| Master (MK) | All locks in a building/zone | Building managers, security supervisors |
| Sub-Master (SMK) | All locks in a department/floor | Department heads, maintenance leads |
| Change Key (CK) | Individual lock only | Assigned employees, tenants |
High-Security Keys
The following require restricted/patented keyways:
- Server rooms and data centers
- Pharmaceutical storage
- Financial/cash handling areas
- Executive offices
- Security office and armory
Key Issuance
Authorization Requirements
| Key Type | Authorization Required |
|---|---|
| Grand Master | Executive approval + Security Director |
| Master Key | Security Director or Facility Manager |
| Sub-Master | Department Head + Security approval |
| Individual/Change Key | Supervisor + HR verification |
| Temporary Keys | Security Supervisor (24-hr max without extension) |
Issuance Procedure
- Receive authorized request form
- Verify employee identity and employment status
- Assign specific key by number from inventory
- Record in key log:
- Key number and type
- Employee name and ID
- Date issued
- Areas accessed
- Authorization reference
- Employee signs key receipt acknowledgment
- Provide key care instructions
Key Receipt Acknowledgment
Key Issuance Agreement
I acknowledge receipt of the following key(s):
Key Number(s): _______________
Key Type: _______________
Areas Accessed: _______________
I agree to:
- Keep this key secure and on my person or locked storage at all times
- Never duplicate, loan, or transfer this key to any other person
- Report loss or theft immediately to Security
- Return this key upon termination or when no longer required
- Surrender this key upon request by authorized personnel
I understand that violation of this policy may result in disciplinary action.
Employee Signature: _______________ Date: _______________
Employee Name (Print): _______________ ID #: _______________
Issued By: _______________ Date: _______________
Key Log Requirements
Information to Track
| Field | Required |
|---|---|
| Key number (unique identifier) | Yes |
| Key type/level | Yes |
| Lock(s) operated | Yes |
| Assigned to (name, ID, department) | Yes |
| Issue date | Yes |
| Authorized by | Yes |
| Return date | When applicable |
| Status (active, returned, lost, destroyed) | Yes |
Daily Key Control
For keys signed out daily (shift keys, patrol keys):
- Sign-out log with time and signature
- Sign-in log with time and signature
- Visual verification that all keys returned
- Discrepancy report if keys missing at shift end
Electronic Access Control
Card/Fob Management
- Each credential has unique identifier in system
- Access levels assigned based on job requirements
- Credentials expire automatically for contractors/temporary employees
- Lost credentials deactivated immediately upon report
- Replacement credentials issued with new number (not reactivated)
Access Code Management
- Shared codes changed quarterly minimum
- Codes changed immediately when employee with access departs
- No "easy" codes (1234, 0000, building address)
- Codes not written down or posted near doors
Lost or Stolen Keys
Immediate Actions
- Report to Security immediately (do not wait)
- Complete lost key report with circumstances
- Security assesses risk level
- Notify supervisor and Security Director
Risk Assessment
| Risk Level | Criteria | Action |
|---|---|---|
| High | Master key, known theft, high-security area access | Immediate rekey of affected locks |
| Medium | Sub-master, circumstances unclear | Rekey within 48 hours, increase monitoring |
| Low | Individual key, likely lost (not stolen) | Document, rekey at discretion, monitor |
Lost Key Report
Date/Time Discovered Missing: _______________
Key Number: _______________
Key Type: _______________
Last Known Location: _______________
Circumstances: _______________
Search Conducted: ☐ Yes ☐ No
Reported By: _______________
Action Taken: _______________
Key Return
Upon Termination
- HR notifies Security of termination (ideally 24+ hours advance)
- Key return required before final paycheck/exit
- Security verifies all assigned keys returned against log
- Employee signs return acknowledgment
- Log updated with return date
- If keys not returned, assess for rekey requirement
Role Change
- Keys for old role returned before keys for new role issued
- Access levels updated to match new responsibilities
- Documentation updated accordingly
Key Audits
Audit Schedule
| Key Type | Audit Frequency |
|---|---|
| Grand Master / Master | Monthly |
| Sub-Master | Quarterly |
| Individual keys | Annually |
| Daily-issue keys | Daily (at shift end) |
Audit Process
- Compare key log to physical inventory
- Verify each assigned key is in possession of assigned holder
- Check for unauthorized duplicates
- Document any discrepancies
- Update records as needed
- Report results to Security Director
Key Takeaways
- Every key must be numbered, logged, and assigned to a specific person
- Master keys require the highest authorization and oversight
- Lost keys must be reported immediately—delays increase risk
- Keys must be recovered before employees depart
- Regular audits catch problems before they become breaches
Written by
TeamMapTeam
TeamMap builds modern workforce management tools for security teams, helping companies track, communicate, and coordinate their field operations.
Continue Reading
Offline Mode Operations: TeamMap Procedures for Low-Connectivity Areas
Maintain security operations when connectivity is limited. Covers TeamMap's offline capabilities, data sync procedures, and contingency workflows.
Visitor Management Kiosk Setup: TeamMap Self-Service Check-In
Deploy TeamMap's visitor kiosk for self-service check-in. Covers kiosk setup, host notifications, badge printing, and visitor log management.
Team Channel Communication Guide: TeamMap Chat Best Practices
Set up and manage TeamMap channels for different sites, teams, and incident types. Includes communication protocols and channel organization strategies.