Key Control Guide: Developing & Managing Key Control Policies & Procedures

This guide, presented by Medeco and ASSA ABLOY, offers comprehensive strategies for developing and managing effective key control policies and procedures. It is designed to enhance the security, safety, and convenience of facilities by providing best practices and actionable steps.

The document represents years of expertise from ASSA ABLOY, a global leader in door opening solutions, and Medeco Security Locks, a market leader in mechanical and electronic locks.

Disclaimer: This guide is intended for reference and as a model. Facilities are encouraged to adapt recommendations to their specific needs. ASSA ABLOY does not warrant fitness for any purpose beyond reference; use is solely at the adopting facility's discretion and responsibility.

I. Introduction

This manual is brought to you by ASSA ABLOY, the world's leading group of manufacturers and suppliers of locking solutions, dedicated to satisfying end-users' needs for security, safety, and convenience. It represents hundreds of years of best practices developed and observed by providing the world's finest key systems.

This manual recognizes that providing key systems and associated hardware is only the beginning. For customers to successfully enjoy the benefits of the products furnished, and to extend the life and value of a key system, a proper key management system must be in place. The policies and procedures suggested in this manual can play an essential part in increasing the safety and security of any facility.

This manual should be used as a model or guide only. End users are encouraged to adopt all or part of the recommendations as appropriate to meet their individual needs.

II. Comprehensive Model Key Control Policy

A. Purpose

The purpose of this Key Management Policy is to help protect the life, property, and security of a facility and all its occupants. It serves as the framework by which all keys and access credentials will be managed, issued, duplicated, stored, controlled, returned, replaced, and accounted for by the Key Control Authority (“KCA”). This policy applies to all keys for spaces, office equipment, vehicles, padlocks, lockers, safes, etc., owned, operated, or controlled by the facility. It seeks to establish a recorded chain of accountability and access for all credentials, keyholders, and locations, and to implement and preserve a proper key control process.

B. Specification

A facility shall use a key control system and adopt administrative policies that facilitate the enforcement of Key Management Procedures. Key control specifications should include:

Appointment of a Key Control Authority (KCA) or Key Control Manager.
A defined policy and method for issuing and collecting keys.
Secure storage of keys and key blanks in a locked cabinet or container in a secured area.
Utilization of a key control management program, preferably a dedicated computer software application like Key Wizard® or equivalent.
Acknowledgement that all keys remain the property of the issuing facility.
Issuance of keys only to individuals with a legitimate and official requirement.
Requirement for keys to be returned and accounted for.
Employee responsibility to ensure keys are safeguarded and properly used.

C. Enforcement

The key control policy must be adopted by universal consent and administrative mandate. Keyholders have specific responsibilities:

Keys remain the property of the facility.
Keys no longer required must be returned to the KCA.
No unauthorized possession, borrowing, or use of keys is permitted.
Keys shall not be knowingly altered, duplicated, or copied without permission.
Administrators may impose a deposit for each key issued.
Keyholders must use assigned keys only for authorized locks.
Keyholders must protect and safeguard issued keys.
Keyholders shall not loan their keys or use them to grant access to non-authorized individuals.
Lost, missing, stolen, or damaged keys must be reported immediately.
Persons entering locked areas are responsible for re-securing doors.
Keys shall not be stored in unsecured areas like desk drawers.
Violations may result in disciplinary action, up to and including dismissal.

D. Elements of a Key Control Policy

Key Control Authority—“KCA”

The facility shall appoint a Key Control Authority with the power and authority to develop all policies and procedures related to the facility's key management system. The KCA may appoint or become a Key Control Manager responsible for implementing, executing, and enforcing these policies, issuing and returning keys, and supervising storage and key cutting.

Storage

Keys, credentials, and key records must be stored securely, protected by lock and key or vault. Keys should be in a locked cabinet or container in a secured area. Temporary use key rings should be tamper-resistant. Non-centralized storage options include sequence locks or emergency key storage boxes. Computerized key cabinets with access control are also an option. Key records must be stored securely against fire and theft, with data files password-protected and encrypted.

Key Management Formats

Key management systems can be maintained in either a manual or computerized format. Both formats require detailed information on keys (blind codes, serial numbers, authority), keyholders (name, ID, contact, deposit), locations (room/door numbers, security level), and hardware (locksets, cylinders, hinges). Computerized formats must use password-protected and data-encrypted software. Both formats must allow for fully searchable cross-referencing (e.g., Keys x Location, Keyholder x Keys).

Record Keeping

All key records must be kept current, secure, and confidential. Transactions must be recorded in a timely manner, and standardized forms should be used.

Policies and Procedures

1. Identifying Keys and Keying

Keys should be marked with a blind code number that does not reflect usage or level.
Standard key coding to mark cylinders or keys is not recommended.
Keys should not be marked with keying levels (M, MK, GMK, GGMK).
Issued keys must have an inventory or serial number for unique identification.
Keys should not be stamped with bittings.

2. Issuing Keys

Key orders require authorization from a signer and the keyholder.
Higher level keys may require higher authorization levels.
Keys should be issued based on need, not desire, granting only appropriate access.
Require signatures on a keyholder agreement and photo ID.
Keys are issued by duration of need, not term of employment.
Keys must be personally picked up; mailing is discouraged unless via certified carrier.
Keys should be individually serialized or numbered.
Individuals typically receive only one copy of each keyset, with exceptions for approved multiple keyholders.
The KCA establishes authorization levels based on key type.
Standardized key deposits may vary by keyholder type and key level.
Keys may only be duplicated or issued through the KCA or authorized locksmith.
Keys are issued by designated individuals, with exceptions for electronic key cabinets.
All keys, especially temporary ones, should be tracked with a return due date and time.
Shift keys/rings must be returned at the end of the work shift and should be sealed and tamper-evident.

3. Returning Keys

All keys must be returned to the issuing department by the keyholder.
Upon return, key deposits are refunded, and a receipt is issued.
Found keys must be turned into the KCA.
Final paychecks, records, or transcripts may be held pending key return.

4. Non-returned Key Policy

A fee for lost or stolen keys shall be established.
Cylinders accessible by lost/stolen keys must be recombinated immediately.
Re-keying charges are the responsibility of the party losing the key.
Charges are determined by the number of locks affected.
Repeated violations (two or more incidents in a year) may lead to revocation of key privileges.

5. Administration of the Master Key System

Update key schedules and bitting lists as new codes are issued.
Send periodic updates to the cylinder manufacturer if factory control is maintained.
Cross-keyed conditions should be minimized or avoided; if unavoidable, they must be fully recorded.

6. Audits

Keyholder: Annually, determine key accountability by conducting random checks of at least 25% of departmental keyholders.
Key System: Under normal circumstances, keys and cylinders should be changed or evaluated for change at least every five years. Audit key cutters periodically to check for unauthorized duplicates.
Reports should be generated and distributed, requiring written confirmation of accuracy.

7. Transfer/Temporary Use

Keys shall not be transferred between individuals without proper authorization and record-keeping from the KCA.

Forms

It is recommended that forms be developed to document all key transactions. Basic elements for forms include:

Key Request Form: For requesting one or multiple keys, including agreement, signature, deposit, issue type, and authorization.
Key Return Form: For recording key return and deposit refund.
Lost or Stolen Key Report Form: To document circumstances of loss and rekey fees.
Service Form: For cylinder recombination, specific keying requests (SKD/NMK), or lock opening requests.

All forms should include key holder information, signatures, key identification, location, transaction type, authorization, and date.

Servicing

Cutting Keys: Only facility-approved locksmiths using factory-approved code cutting machines are permitted.
Pinning/Recombinating Cylinders: Must be performed by a facility-approved locksmith department, on the facility's key system, and with KCA approval for specific combinations (e.g., SKD).
Installing Locks: Must be performed by a facility-approved locksmith department on the facility's key system.
Preventative Maintenance: Regular maintenance ensures proper operation and security. Worn keys/cylinders should be replaced. Key machines require monthly calibration.
Locksmithing Work: Must be performed by an in-house locksmith department or a facility-approved outside locksmith business.

III. Condensed Model Key Control Policy

This section provides a condensed version of a key control policy, serving as a guide for formatting and developing a facility-specific policy. It emphasizes protecting life, property, and security, requiring a key control system, appointing a KCA, and defining responsibilities for key issuance, return, and storage.

Policy and Procedures

Issuing of Keys

All keys remain the property of the facility. Keys must be authorized by signature before issuance by a designated individual, based on defined policies and procedures. Keys should be issued only to those with a legitimate need, and the number of master keys issued should be limited.

Returning Keys

All keys must be returned to the issuing department by the keyholder. Lost or stolen keys must be reported immediately to the KCA, and affected cylinders recombinated. Found keys must be returned to the KCA.

Employee Responsibilities

Employees shall use keys only for assigned work areas, lock doors when leaving secured areas, and ensure keys are safeguarded and properly used. Unauthorized possession, use, or reproduction of a key may constitute theft or misappropriation and may lead to disciplinary action.

IV. Specific Applications

Key control policies need to be tailored to specific environments. The following sections provide considerations for different types of facilities:

1. Educational K-12

K-12 facilities require heightened management due to vulnerable populations. Policies must restrict key distribution and ensure retrieval. Access through entrance doors must be tightly controlled. Threats include drugs, kidnappings, vandalism, terrorism, violence, and abuse. Considerations include lockdown procedures, managing keys during school year extensions or closures, community usage requirements, and unique keyholder types (teachers, substitutes, administration, maintenance).

2. Healthcare Facilities

Healthcare facilities (HCFs) have unique demands, protecting vulnerable populations like children, the aged, and those with infectious or mental impairments. A strong KCA is crucial. HIPAA privacy requirements must be met. Different departments have varying security needs (e.g., Obstetrics, Pediatric Wards, Psychiatric areas, Emergency Rooms, Pharmacy). HCFs often allow broad access for visitors but require strict control within the building. Unique keyholder types include doctors, nurses, administrators, cleaning staff, and researchers.

3. Colleges and Universities

These institutions require heightened security for faculty, staff, and students. Policies must balance physical security with other access control measures. Different security needs exist for academic buildings, housing, administrative areas, and contracted services. Threats include theft, vandalism, and protests. Keyholders include administrators, staff, professors, students, and contracted services. Managing keys during extended breaks or closures is also a consideration.

4. Office Buildings

Key control for office buildings involves managing tenant space versus core space. Tenant spaces change frequently, while core spaces (mechanical, public areas) are foundational. Tenants may request independent key systems. Key structure can be floor-based or tenant-based. High traffic flow during the day requires different controls than limited after-hours access. Vacant spaces and high tenant turnover also present challenges.

V. Glossary of Terms and Definitions

This glossary defines terms related to key control policies and systems. Definitions adopted from ALOA's publication are indicated by an asterisk (*).

Bitting*: The dimensions of the key cuts or the actual cuts/combination of a key.
Blind Code Number*: A designation assigned to a key combination for future reference, unrelated to the bitting.
Change Key: The lowest level key in a key system, sometimes referred to as “Day Key.”
Credential: See key.
Controlled Cross Keying*: A condition where multiple different keys of the same level operate one cylinder under a higher-level key.
Cross Keying: The process of combinating a cylinder to operate with two different keys not normally expected to work together.
Control Key: A key used to remove or install an interchangeable or removable core.
Grand Master (GM): The TMK in a 3-level Master Key system, or a GM key in a higher-level system.
Great Grand Master (GGM): The TMK in a 4-level Master Key system, or a GGM key in a higher-level system.
Great Great Grand Master (GGGM): The TMK in a 5-level Master Key system, or a GGGM key in a higher-level system.
Key: A token, credential, or device used to grant or deny access (mechanical or electronic).
Key Control*: Methods or procedures limiting unauthorized key acquisition and controlling authorized key distribution; a systematic organization of keys and records.
Key Control Authority (KCA): The individual or group responsible for creating, enforcing, and administering key control policies and procedures.
Key Symbol*: A designation used for a key combination in standard key coding systems (e.g., A, AA, AA1).
Keyed Alike (KA)*: Two or more locks or cylinders that operate with the same combination.
Keyway (Kwy): The pattern of milling or groove configurations on a key blank.
Key Section: A single grooved pattern milled onto a key blank, part of a factory keyway family.
Master – Key Sections: Groove patterns representing individual key sections on a key blank, part of a pre-defined group within a keyway family.
Master Key (MK): The TMK in a level 2 Master Key system, or an MK in a higher-level system.
Multiple Keyholder: An individual authorized to receive multiple copies of a single key.
Multiplex Key Blank: A key blank with side milling or wardings part of a manufacturer's specific key sections.
Multiplex Master Key System: A master key system utilizing sectional keyway families for large systems.
NMK - Not Master Keyed: Suffix indicating a cylinder operates only by the change key, with no master keys functioning.
Sequence Lock: A lock designed to retain keys captive until another key is inserted and turned.
Shift Keys: Keys or key rings issued only for the duration of a work period, to be returned at the end of the shift.
TMK * - Top Master Key: The highest level master key in a particular key system.
Uncontrolled Cross Keying*: A condition where different keys under different higher-level keys operate one cylinder.
VKC - Visual Key Control System: Stamping of cylinders/key bows with the "Standard Key Coding System" identification symbol.
UL437: The Underwriters Laboratory Test Standard for High Security Cylinders.

Some definitions are adapted from ALOA's "The Professional Glossary of Terms Relating to Cylinders, Keys, and Master Keying." Non-asterisked terms represent terms evolved at ASSA ABLOY AMERICA.

	Medeco Key Control Guide: Developing and Managing Policies & Procedures A comprehensive guide from Medeco (ASSA ABLOY) on developing and managing effective key control policies and procedures for facilities, covering purpose, specifications, enforcement, elements, formats, record keeping, and specific applications.
	Medeco Key Control Guide: Developing and Managing Policies & Procedures A comprehensive guide from Medeco Security Locks and ASSA ABLOY on establishing and managing effective key control policies and procedures for facilities, covering purpose, specifications, enforcement, and specific applications.
	Medeco XT Key System User Manual Comprehensive user manual for the Medeco XT key system, covering key import, assignment, audit settings, generations, status, LED indications, and firmware updates. Learn how to manage access control with Medeco XT keys.
	Medeco Key System Conversion Guide: Enhance Security & Efficiency A quick reference guide from Medeco (ASSA ABLOY) detailing common reasons for key system failure, emerging threats like 3D printing, challenges in system conversion, and a step-by-step implementation process. Includes planning considerations and product highlights.
	Medeco 2020 Product Catalog: Comprehensive Security Solutions Explore the Medeco 2020 Product Catalog, featuring a wide range of high-security locks, intelligent key systems, and mechanical solutions. Discover key control programs, ordering information, and online tools designed for enhanced security and efficiency.
	Medeco 2020 Product Catalog: Comprehensive Guide to Security Solutions Explore the Medeco 2020 Product Catalog, featuring a wide range of high-security locks, key control systems, and intelligent access solutions from ASSA ABLOY. Discover detailed product information, ordering guides, and key management tools.
	Medeco 2019 Product Catalog: Comprehensive Security Solutions Explore the Medeco 2019 Product Catalog, featuring a wide range of high-security locks, key systems, and access control solutions from ASSA ABLOY. Discover Medeco's advanced technologies including Medeco³, Medeco X4, and CLIQ systems for enhanced key control and security.
	Medeco 2025 Product Catalog: Comprehensive Security Solutions Explore the Medeco 2025 Product Catalog for a wide range of high-security locking systems, intelligent key solutions, and mechanical products. Discover key control programs, ordering information, and technical specifications.