Do you know exactly who is in your building right now? If a visitor or contractor walked past your front desk this morning, could you prove who they were and when they arrived?
A simple visitor register answers both questions. It is also a requirement if you want to reach SMB1001 Gold.
The good news is that a visitor register is one of the easiest controls to put in place. You do not need new software or a big budget. You just need a clear process and a document that people actually use.
In this guide, we explain what a visitor register is, why SMB1001 Gold requires one, and exactly what it needs to record. We also share a free template you can download and make your own.
What is a visitor register?
A visitor register is a record of everyone who comes to your premises and is not a staff member. This includes clients, suppliers, contractors, tradespeople, job candidates and delivery drivers who go beyond your public reception area.
The register captures who the person is, who they work for, and when they arrived and left. It can be a paper book on the front desk or a digital form on a tablet. Either way, the goal is the same. You always know who is on site.
This matters for safety and security. In an emergency, you need an accurate list of everyone in the building. From a security point of view, a register also discourages unauthorised access and creates a clear trail if something ever goes wrong.
Why SMB1001 Gold requires a visitor register
SMB1001 is a cyber security certification built for small and medium businesses. It uses five levels: Bronze, Silver, Gold, Platinum and Diamond. Each level adds more controls. Gold is Level 3, and it is the tier most growing SMBs aim for.
The standard is maintained by Dynamic Standards International, and it is updated every year to keep pace with new threats.
So why does a register sit in the Gold requirements? Because physical access is part of cyber security. Strong passwords and firewalls mean little if a stranger can walk in, plug into your network, or photograph a screen. Controlling who enters your restricted areas closes that gap.
If you want a plain English overview of the framework first, read our SMB1001 certification guide. It explains each level and what certification involves.
What your visitor register must record
To meet the SMB1001 Gold requirement, your register needs to capture set details for every visitor and contractor. Record the following before they enter any staff only or restricted area:
- Full name
- Organisation name
- Contact details
- Signature
- Check in time
The standard also requires visitors to sign out when they leave, so record the check out time as well. Together, these details give you a complete picture of each visit.
Capture the reason for the visit
We also recommend recording two extra details. They are not part of the minimum standard, but they make your register far more useful in day to day life:
- Reason for visit
- Who they are visiting, meaning the staff member they are here to see
These let your reception team confirm a visit with the host before they let anyone through. They also give you a clear trail if a visit is ever queried later.
Give every visitor a badge
Once a visitor finishes signing in, hand them a visitor or contractor badge. They must receive the badge before they move past your publicly accessible area. The badge shows your team that the person has registered and is approved to be on site.
Ask visitors to wear the badge clearly at all times. A quick glance then tells any staff member whether a person belongs in a restricted space.
Sign out and return the badge
When the visit ends, the visitor signs out of the register and returns the badge. This step is easy to forget, so build it into your process. Signing out confirms the person has left. Returning the badge keeps your stock under control and stops old badges being reused.
Keep your register for at least six months
SMB1001 Gold also sets a retention rule. You must keep your visitor register for no less than six months. This applies whether your register is paper or digital.
Keeping records this long means you can look back if you ever need to. For example, you might need to confirm who visited on a certain day after an incident or an insurance query.
Should you escort visitors on site?
The visitor register control does not require escorting, so it is not a strict part of the standard. It is still smart physical security though, and it works hand in hand with your register and badges.
How far you take it depends on your risk. A sensible approach for most small businesses looks like this:
- The host meets the visitor at reception and stays with them while they are in non public areas.
- Visitors are never left to wander staff only spaces on their own.
- For sensitive areas such as a server room, or anywhere with client data or hardware, escort visitors at all times with no exceptions.
This keeps things practical for a normal office while locking down the spots that really matter.
Paper or digital: which visitor register suits your business?
Both formats meet the SMB1001 requirement, so the right choice depends on your business.
A paper book is cheap and simple. It works well for a quiet office with few visitors. The downside is privacy. If each visitor can read the names above theirs, you are exposing other people’s details. A paper book can also be lost or damaged.
A digital register solves the privacy issue. Each visitor only sees their own entry. Many tools also capture a photo, print a badge, and store records securely for you. The trade off is that a digital system costs more and takes a little time to set up.
If you are just starting out, a tidy paper register is fine. You can always move to a digital system as your business grows.
Protect the personal information you collect
Your visitor register holds personal information such as names, phone numbers and signatures. You have a duty to look after it.
Store the register securely and limit who can access it. Do not leave a paper book open on the counter where anyone can read past entries. For a digital system, use strong access controls and keep the data encrypted.
The Office of the Australian Information Commissioner offers clear guidance on handling personal information responsibly. Following good privacy practices protects your visitors and your reputation.
Your visitor register checklist
A policy only works when people use it. Too often, a register sits on the desk and no one fills it in. Use this checklist to make yours stick:
- Place the register at every entry point that visitors use.
- Assign one person or role to own the process, such as your reception staff.
- Record who each visitor is here to see, so reception can confirm the visit with the host.
- Escort visitors in staff only areas, and escort them at all times in sensitive spaces.
- Brief your whole team so everyone understands the why, not just the how.
- Cover the register in your staff induction and ongoing cyber awareness training.
- Keep a supply of clean badges and a simple sign out routine.
- Store completed registers securely for at least six months.
- Review the process every few months and fix anything that is not working.
- Add a short privacy notice so visitors know why you collect their details.
Treat the register as a living part of your security culture, not a form that gathers dust. When your team understands its purpose, they will use it properly.
Download our free visitor register template
To make this easy, we have created a free visitor register template you can download and adapt. It includes all the fields SMB1001 Gold requires, plus space for the reason for the visit, the host, badge numbers and check out times.
Download the visitor register template
Open it, add your logo, adjust the wording to suit your business, and put it to use. You can print it as a paper book or use it as the basis for a digital form.
Need help with your SMB1001 policies?
A visitor register is one small piece of SMB1001 Gold. There are many other policies and controls to put in place, and it can feel like a lot to manage on your own.
That is where we come in. At Sentry Cyber, we help Australian SMBs work through SMB1001 from Bronze to Gold and beyond. We can review your current setup, write the policies you need, and guide you to certification. Explore our compliance and certification services, or see how our security consulting and CISO as a Service can give you expert support without hiring a full time security leader.
Ready to take the next step? Get in touch with our team for practical, no pressure advice on your SMB1001 journey.
Frequently asked questions
Is a visitor register required for SMB1001?
Yes. A visitor register is a requirement at SMB1001 Gold, which is Level 3 of the standard. Every visitor and contractor who enters a staff only or restricted area must complete it.
What information should a visitor register include?
At a minimum, record each visitor’s full name, organisation name, contact details, signature and check in time, plus the check out time when they leave. We also recommend capturing the reason for the visit and who they are here to see, as these make the register more useful.
How long do I need to keep my visitor register?
SMB1001 Gold requires you to keep your visitor register for no less than six months. This rule applies to both paper and digital registers.
Can I use a paper visitor book, or do I need software?
Either is fine. A paper book meets the requirement and suits low traffic offices. A digital register adds privacy and convenience, since visitors only see their own entry and records are stored securely.
Do visitors really need a badge?
Yes. SMB1001 Gold requires you to assign a visitor or contractor badge once registration is complete and before the person moves past your public area. Visitors wear the badge while on site and return it when they sign out.
Do visitors need to be escorted?
Escorting is not a strict requirement of the visitor register control, but it is good practice. As a rule, have the host stay with visitors in non public areas, and escort visitors at all times in sensitive spaces such as a server room.