Visitor Management and Access Logging

TL;DR
  • Every visitor must register, wear a visitor badge, and be escorted in security-sensitive areas.
  • The access log captures name, company, internal contact, entry and departure times, and must be retained in compliance with GDPR.
  • ISO 27001 (A.7.2) and BSI IT-Grundschutz require documented visitor rules as part of physical access control.
  • Digital visitor management systems replace the paper logbook, offering pre-registration, automatic notifications, and audit-proof records.
  • Escort rules must be differentiated: reception area freely accessible, office areas with escort, server room and archive only with explicit authorization.

Why visitor management is more than a guest book

Visitors are part of everyday business: clients, suppliers, job candidates, maintenance technicians, auditors, government officials. They all enter your premises and move through areas where confidential information is processed. A visitor walking unaccompanied through office corridors can read documents on desks, overhear conversations, view screens, take photos, or in the worst case steal or tamper with hardware.

This may sound dramatic, but it happens regularly. Social engineering — the manipulation of people to obtain confidential information — often begins with a "visit." Penetration testers consistently report how easy it is to pose as a tradesperson, delivery driver, or IT technician and walk through buildings uncontrolled.

A structured visitor management system prevents these risks without turning your company into a fortress. It is about keeping track: Who is currently in the building, why, and who is responsible for them?

What the standards require

ISO 27001:2022 requires in control A.7.2 (Physical Entry): "Secure areas shall be protected by appropriate entry controls and access points." The associated implementation guidance in ISO 27002 specifies that visitors must be monitored, escorted, and their access logged.

Control A.7.1 (Physical Security Perimeters) further requires that physical security zones be defined and access to these zones controlled. Visitors must know which areas they may enter and which they may not.

BSI IT-Grundschutz addresses the topic in the modules ORP.1 (Organization) and INF.1 (General Building), and specifically in the measures for access control. It requires, among other things, a visitor policy, escort of visitors in sensitive areas, and logging of visits.

DSGVO (GDPR) comes into play because visitor management involves processing personal data: name, company, timestamps, possibly ID copies. You need a legal basis (legitimate interest under Art. 6(1)(f) GDPR), an appropriate retention period, and a privacy notice for visitors.

The visitor process from A to Z

A complete visitor process comprises five phases: pre-registration, reception, escort, stay, and departure.

Phase 1: Pre-registration

Ideally, every visitor is pre-registered. The internal contact person informs reception (or the designated office) who is coming, when, from which company, for what purpose, and which areas will be visited. For regular visitors such as maintenance technicians, pre-registration can be done on a blanket basis for recurring appointments.

Pre-registration has several advantages: reception is prepared and the visitor does not have to wait. The visitor badge can be prepared in advance. Unannounced visitors are immediately noticed and receive extra scrutiny.

Phase 2: Reception and registration

At reception, the visitor is registered. The minimum you should capture is the visitor's first and last name, company or organization, internal contact person, purpose of visit, and time of entry.

The visitor receives a badge that must be worn visibly. This badge serves two purposes: first, employees can immediately recognize that the person is a visitor; second, it makes the visitor aware they are in a controlled area.

Visitor badges should be clearly distinguishable in color from employee badges and must be returned after the visit. Lost or unreturned badges must be documented and, for electronic badges, immediately deactivated.

Optional but recommended: present the visitor with a brief summary of your security rules for signature. This can include points such as "I will only enter the areas assigned to me," "I will not photograph without permission," and "I will follow the instructions of my escort." For visitors who will have access to particularly sensitive information, an additional non-disclosure agreement (NDA) may be required.

Phase 3: Escort

Not every visitor needs an escort in every area. Differentiate by zone:

Public area (reception, waiting area, conference rooms in the entrance area): No escort required. These areas are designed so that no confidential information is visible.

General office areas: Escort by the internal contact person. The visitor is collected and taken to the meeting room rather than walking through corridors alone.

Security areas (server room, archive, development department, executive offices): Access only with explicit authorization and constant escort by an authorized person. Access is logged separately.

Restricted areas: Fundamentally not accessible to visitors. Exceptions only with approval from executive management or the ISO (Information Security Officer).
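The four-tier escort rule above is easy to state and easy to apply inconsistently at the door. The following is an added example (not code from the article or from ISMS Lite) that encodes the per-zone rules as a single decision function, the kind of check a digital visitor system or badge-controlled door would evaluate before admitting a visitor. The zone names, the `Visitor` fields and the assumption that a restricted-area exception still requires an escort are illustrative choices, not taken from the page.

```python
"""Zone entry decision for visitors, modelling the four-tier escort rule.

Added example, not from the original article or from ISMS Lite. Zone names
and the Visitor/Decision fields are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    PUBLIC = "public"          # reception, waiting area, entrance-area conference rooms
    OFFICE = "office"          # general office areas
    SECURITY = "security"      # server room, archive, development, executive offices
    RESTRICTED = "restricted"  # not open to visitors without management / ISO approval


@dataclass
class Visitor:
    name: str
    contact: str                                   # internal contact person responsible for the visit
    authorized_zones: set = field(default_factory=set)  # explicit authorizations for security zones
    management_approval: bool = False              # exception approval for a restricted zone


@dataclass
class Decision:
    allowed: bool            # may the visitor enter right now?
    escort_required: bool    # does this zone require an escort at all?
    log_separately: bool     # does entry need its own log entry (security/restricted)?
    reason: str


def entry_decision(visitor: Visitor, zone: Zone, escort_present: bool) -> Decision:
    """Apply the per-zone rules and return a structured, explainable decision."""
    if zone is Zone.PUBLIC:
        # Reception and waiting areas hold no confidential information by design.
        return Decision(True, False, False, "public area, no escort needed")

    if zone is Zone.OFFICE:
        # Visitors are collected by their contact person, never walk corridors alone.
        if not escort_present:
            return Decision(False, True, False, "office area requires escort by the contact person")
        return Decision(True, True, False, "escorted in office area")

    if zone is Zone.SECURITY:
        # Explicit authorization AND constant escort; access is logged separately.
        if zone not in visitor.authorized_zones:
            return Decision(False, True, True, "no explicit authorization for this security area")
        if not escort_present:
            return Decision(False, True, True, "security area requires constant escort")
        return Decision(True, True, True, "authorized and escorted; log access separately")

    # Zone.RESTRICTED: closed to visitors unless management or the ISO approved an
    # exception. Assumption for this example: the exception still requires an escort.
    if not (visitor.management_approval and escort_present):
        return Decision(False, True, True,
                        "restricted area: no visitor access without approval and escort")
    return Decision(True, True, True, "restricted area entered under approved exception; log separately")


if __name__ == "__main__":
    tech = Visitor("Technician (constructed)", "Facilities", {Zone.SECURITY})
    for zone, escort in [(Zone.PUBLIC, False), (Zone.OFFICE, False), (Zone.SECURITY, True)]:
        d = entry_decision(tech, zone, escort)
        print(f"{zone.value:10} escort={escort!s:5} allowed={d.allowed!s:5} {d.reason}")
```

Returning a `Decision` rather than a bare boolean matters in practice: the `reason` is what reception or the escort sees, and `log_separately` is what drives the separate access record the article requires for security areas.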

The escort requirement must be known to employees and enforced by them. If an employee encounters an unescorted visitor in the corridor, they should politely ask if they can help and escort the visitor to their contact person.

Phase 4: During the stay

During the visit, the following ground rules apply: the visitor stays only in the areas designated for their visit, the visitor badge is worn visibly, the internal contact person is responsible for the visitor and ensures security rules are followed, and during technical work (e.g., air conditioning maintenance in the server room), an authorized person remains present.

Phase 5: Departure and sign-out

At the end of the visit, the visitor is escorted back to reception. They return the visitor badge, and the departure time is recorded in the visitor log. The internal contact person confirms that the visit has been properly concluded. For visitors who performed work (e.g., maintenance technicians), what was done is additionally documented.

The visitor log: Content and retention

The visitor log is the central document of your visitor management. It must contain the following information:

Mandatory fields: Date and time of entry, visitor's first and last name, company or organization, internal contact person, purpose of visit, and time of departure.

Optional fields: Areas visited, vehicle license plate (for site access), badge number, and visitor's signature.

Retention period: Retention must be proportionate. A storage period of three to six months is appropriate in most cases. Longer periods must be justifiable. Align the period with your Data Protection Officer.

Access: The visitor log contains personal data and may only be viewed by authorized persons (reception, ISO, executive management, auditor when needed). It does not belong on the reception desk where every subsequent visitor can read the names of previous visitors.

GDPR-compliant privacy notice: Inform visitors at registration that you are collecting their data, for what purpose, on what legal basis, how long the data will be stored, and what rights they have. A notice posted at reception or a note on the registration form fulfills this obligation.

Paper versus digital: Choosing the right system

The classic paper visitor book has had its day — at least from a data protection and information security perspective. When visitors write their name in an open book, every subsequent visitor can see who was there before. This is both a GDPR violation and an information leak.

Paper solution with individual sheets

If you prefer a paper solution, use individual sheets or cards instead of a continuous book. Each visitor fills out their own form, which is then stored in a locked container. This prevents visitors from seeing other visitors' data.

Digital visitor management systems

Digital solutions offer significant advantages: pre-registration via email or app with automatic invitation and directions, self-check-in at a reception terminal (tablet or kiosk), automatic notification of the contact person via email or chat, automatic recording of entry and departure times, audit-proof records with automatic deletion after the retention period expires, and optional printing of visitor badges with photos.

Many of these systems can be coupled with electronic access control so the visitor badge simultaneously serves as an access card for defined areas. This simplifies the process and increases security because the visitor can only open the doors that are authorized for their visit.

Selection criteria

When selecting a digital system, pay attention to the following: GDPR compliance (server location, data processing agreement, deletion concept), integration with your existing access control system, ease of use for reception staff and visitors, offline capability (what happens during an internet outage?), costs (licensing model, hardware costs for terminals), and reporting functions for audits.

Special cases and frequently asked questions

Tradespeople and maintenance technicians

Tradespeople and maintenance technicians come regularly and often need access to sensitive areas (server room, utility rooms). Treat them like any other visitor: registration, badge, escort in sensitive areas. If a technician comes regularly, a framework agreement can simplify registration but does not exempt from the escort requirement in the server room.

Delivery drivers and parcel services

Delivery drivers who only enter the goods receiving area generally do not need the full visitor process. However, define a clear boundary: up to here the delivery driver may go, from here the controlled area begins. Simple documentation (delivery note with timestamp) is usually sufficient for goods receiving.

Visitors outside business hours

Visits outside regular business hours require approval as a matter of principle. Ensure that reception or access control also functions outside office hours — for example, through an electronic registration system, an on-call service, or a video intercom.

Large events

For company events, open days, or larger client events, individual registration is often impractical. Define separate rules for such occasions: cordoned-off areas that may not be entered, reduced data collection (e.g., only an attendee list instead of individual registration), additional staff in sensitive areas, and temporary access restrictions for critical rooms.

Visitors not signed out

What happens when a visitor is still listed as "present" in the visitor log at the end of the day? This could mean they left the building without signing out — or that they are actually still in the building. Define a process: at the end of the working day, a responsible person checks whether all visitors have been signed out. For missing sign-outs, the internal contact person is contacted.

Integration into the ISMS

Visitor management is not an isolated measure but part of your overall security concept. Integrate it as follows:

Risk assessment: Assess the risk from uncontrolled visitors in your risk analysis. Consider social engineering, information leakage, and physical threats.

Policy: Document the visitor rules as a standalone policy or as part of the physical security policy — in ISMS Lite, you can capture access regulations and visitor processes in a structured way and link them to your security zones. Ensure it is known to all employees.

Training: Include visitor management in your security awareness training. Especially important: employees must know that they may and should approach unescorted visitors.

Audit: Check compliance with visitor management during internal audits. Review the completeness of logs, the return of visitor badges, and actual escort compliance in sensitive areas.

Metrics: Collect metrics such as the number of visitors per month, the rate of unreturned visitor badges, the number of visitors not signed out, and the results of spot checks on escort compliance.
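The log fields, the retention period, the end-of-day check for visitors still marked "present", and the metrics listed above all operate on the same record. The following added example (not code from the article or from ISMS Lite) models a minimal digital visitor log that covers all four: registration with the mandatory fields, sign-out with badge return, the end-of-day list of open visits, a retention purge, and the monthly metrics. The 90-day retention value, the badge numbers and the sample visits are constructed for illustration.

```python
"""Digital visitor log: registration, sign-out, end-of-day check, retention purge, metrics.

Added example, not code from the article or from ISMS Lite. Record fields follow
the article's mandatory fields; the retention period and sample visits are
constructed values for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RETENTION_DAYS = 90  # assumption: lower end of the three-to-six-month range; agree it with the DPO


@dataclass
class Visit:
    visitor_name: str            # first and last name
    company: str                 # company or organization
    contact: str                 # internal contact person
    purpose: str                 # purpose of visit
    badge_number: str            # optional field, used here to match sign-out to sign-in
    entry: datetime              # time of entry
    departure: Optional[datetime] = None   # time of departure, None while still "present"
    badge_returned: bool = False


class VisitorLog:
    def __init__(self) -> None:
        self.visits: list[Visit] = []

    def check_in(self, name, company, contact, purpose, badge, when) -> Visit:
        v = Visit(name, company, contact, purpose, badge, when)
        self.visits.append(v)
        return v

    def check_out(self, badge, when, badge_returned=True) -> Visit:
        """Sign out the open visit carrying this badge; raise if none is open."""
        for v in self.visits:
            if v.badge_number == badge and v.departure is None:
                v.departure = when
                v.badge_returned = badge_returned
                return v
        raise LookupError(f"no open visit for badge {badge}")

    def open_visits(self, as_of: datetime) -> list[Visit]:
        """End-of-day check: visits that began on or before `as_of` and have no departure."""
        return [v for v in self.visits if v.departure is None and v.entry <= as_of]

    def purge_expired(self, now: datetime) -> int:
        """Delete closed visits whose departure is older than the retention period.

        Open visits are never purged: they must first be resolved via open_visits().
        Returns the number of records removed.
        """
        cutoff = now - timedelta(days=RETENTION_DAYS)
        keep = [v for v in self.visits if v.departure is None or v.departure > cutoff]
        removed = len(self.visits) - len(keep)
        self.visits = keep
        return removed

    def metrics(self, year: int, month: int) -> dict:
        """Monthly figures matching the article's suggested metrics."""
        month_visits = [v for v in self.visits if (v.entry.year, v.entry.month) == (year, month)]
        closed = [v for v in month_visits if v.departure is not None]
        return {
            "visitors": len(month_visits),
            "not_signed_out": len(month_visits) - len(closed),
            "badges_unreturned": sum(1 for v in closed if not v.badge_returned),
        }


def build_sample_log():
    """Constructed sample data: three June visits (one open, one unreturned badge) and one old March visit."""
    log = VisitorLog()
    now = datetime(2024, 6, 14, 18, 0)  # end of the working day being checked
    log.check_in("Visitor A", "Example Ltd", "J. Doe", "meeting", "V-001", datetime(2024, 6, 14, 9, 0))
    log.check_out("V-001", datetime(2024, 6, 14, 11, 30))
    log.check_in("Visitor B", "Example Ltd", "J. Doe", "interview", "V-002", datetime(2024, 6, 14, 13, 0))
    # Visitor B never signed out: shows up in the end-of-day check.
    log.check_in("Visitor C", "HVAC GmbH", "Facilities", "maintenance", "V-003", datetime(2024, 6, 10, 10, 0))
    log.check_out("V-003", datetime(2024, 6, 10, 16, 0), badge_returned=False)
    log.check_in("Visitor D", "Audit AG", "CISO", "audit", "V-004", datetime(2024, 3, 1, 10, 0))
    log.check_out("V-004", datetime(2024, 3, 1, 12, 0))  # older than RETENTION_DAYS by 14 June
    return log, now


if __name__ == "__main__":
    log, now = build_sample_log()
    for v in log.open_visits(now):
        print(f"still present at end of day: {v.visitor_name}, contact {v.contact}")
    print("purged records:", log.purge_expired(now))
    print("June 2024 metrics:", log.metrics(2024, 6))
```

Two design points carry over to any real system: the purge runs on departure time, not entry time, so an unresolved visit is never silently deleted, and the end-of-day check is a query over the same records rather than a separate list that can drift from the log.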

Typical weaknesses in practice

Tailgating: A visitor follows an employee through a secured door without authenticating themselves. Countermeasure: turnstiles or mantraps in sensitive areas and employee awareness training on not holding the door for unknown persons.

Badge misuse: A visitor badge is not returned and is used for a later unauthorized entry. Countermeasure: electronic badges that are automatically deactivated after the visit, and a check at the end of each day.

Perfunctory escort: The internal contact person "escorts" the visitor to the server room but then leaves them alone because they have something else to do. Countermeasure: a clear rule that escort means constant presence, with monitoring by the ISO.

Social engineering: An attacker poses as a delivery driver, technician, or job candidate to gain access. Countermeasure: verify pre-registration, call the internal contact person when in doubt, and never grant access "because they must have an appointment."

Visitor management may sound like administrative overhead. In practice, it is a process that, once set up, requires little effort but makes a significant contribution to physical security. And at every audit, you will be glad to have a clean log to present.

Checklist for implementation

If you are building visitor management from scratch or improving an existing one, the following sequence helps:

Step 1 — Zoning: Define the security zones in your building: public area, general office areas, security areas, and restricted areas. Mark the boundaries clearly.

Step 2 — Visitor policy: Create a written visitor policy covering pre-registration, reception, escort, stay, and departure. Define special rules for tradespeople, delivery drivers, and large events.

Step 3 — Infrastructure: Procure visitor badges, registration forms, or a digital visitor management system. Set up a reception area that enables registration.

Step 4 — Training: Train reception staff and all employees on the visitor policy. Especially important: employees must know that they may and should approach unescorted visitors.

Step 5 — Communication: Inform all employees about the new policy. Post a summary of visitor rules at reception.

Step 6 — Monitoring: Conduct regular spot checks. Verify whether visitor badges are worn, escort rules are followed, and the visitor log is kept completely.

Step 7 — Improvement: Evaluate results and adjust the policy. If certain rules are regularly not followed, investigate the causes rather than insisting on stricter controls.
