Access Control System Buying Guide.

01 / What Is an Access Control System

A managed entry system that replaces keys with credentials.

A commercial access control system is the set of hardware and software that controls who can enter which doors, when, and under what conditions — replacing physical keys with electronic credentials (cards, fobs, phones, biometrics) that can be issued, revoked, and audited centrally. A door access control system specifically refers to the per-door hardware portion: the reader at the door, the electric lock, the request-to-exit device, and the controller that ties them together.

At minimum, every business access control system includes five layers:

• Credentials — what the user presents (key card, key fob, mobile credential, PIN, fingerprint).
• Readers — the device that reads the credential at the door.
• Controllers — the decision-maker that compares the credential against permissions and energises the lock.
• Electric locking hardware — maglocks, electric strikes, or electrified mortise locks.
• Management software / platform — where credentials, schedules, alarms, and reports live (on-premise server or cloud).

For the deep technical walkthrough on each layer, see the installer-spec access control hardware spec guide. This guide covers the layer above that — the buying decision itself.

Most commercial buyers reach this guide because the existing key system has stopped working at scale — keys get copied, terminated employees keep access, the audit trail is “ask the office manager who saw what,” and adding or removing access means a locksmith visit. A modern key card entry system or key fob system for business solves all of that in software.

03 / Commercial Use Cases

Who actually buys these systems.

Different businesses approach access control with different operational pressures. The use cases that drive most procurement decisions in the Ottawa and Eastern Ontario commercial market:

• Office buildings & professional services — front entrance, server room, executive suite, file storage. Time-of-day rules, role-based zones, after-hours audit. The default office access control system.
• Warehouses & logistics — main personnel entrance, dispatch office, secure stock cage, loading bay overhead doors. Driver and contractor credentials with strict expiry. Often paired with PTZ surveillance.
• Multi-tenant commercial property — building entrance plus per-tenant suite doors, managed from a single platform with per-tenant credential pools. Tenant onboarding/offboarding through a property-management workflow.
• Healthcare clinics & medical offices — controlled access to medication storage, records, after-hours clinical areas. Audit trail aligned with provincial health-records compliance.
• Schools, colleges, faith-based facilities — controlled lockdown capability, weekend and event scheduling, visitor processing. Lockdown-on-event is a defining feature for K-12 and post-secondary.
• Multi-site retail & franchise operations — same credential set across multiple locations, store-manager-only after-hours access, integration with alarm arm/disarm to reduce false-alarm fees.
• Manufacturing & industrial — production-floor access by role and certification, mechanical-room and chemical-storage segregation, contractor and inspector credentials with hard expiry.
• Government, municipal, defence contractors — NDAA-compliant hardware, federal procurement requirements, full audit retention and credential lifecycle controls. See the NDAA Section 889 checklist.

If you don’t see your use case here, it almost certainly maps to one of the above with a small variation. The architecture decisions in section 04 cover what changes.

05 / Components & Sub-Systems

What goes into the order.

A complete commercial access control bill of materials usually spans six categories. The right answer in each is driven by the use case and the architecture from sections 03–04.

Component-level deep dives, sized to the buying decision:

• Credential selection — prox vs DESFire vs iCLASS vs mobile, clone resistance, platform compatibility, and migration patterns. See the credential selection guide.
• Reader and door hardware — Wiegand vs OSDP, mullion vs wall vs keypad, fail-safe vs fail-secure, compatibility traps. See the access control hardware spec guide.
• Controller architecture — standalone vs networked vs cloud-hosted, by business pattern. See the controller architecture guide.
• Power and battery backup — per-device current draw, sizing math, distribution, runtime requirements. See the power supply sizing guide.
• NDAA & federal compliance posture — Section 889 covered entities, brand reference, per-SKU screening. See the NDAA compliance checklist.

For the full procurement catalog by category, see the access control catalog.

07 / Buying Considerations

What to evaluate before you sign.

Beyond price, the criteria that consistently separate a good commercial access control buy from a regrettable one:

• Total cost of ownership over 5 years — hardware + per-user license + cloud subscription + service contract + credential replacement. Cloud platforms with low upfront cost can exceed on-premise TCO at 24–36 months for large user counts.
• Scalability path — can the controller and platform add 50% more doors and 100% more users without a forklift upgrade? Is there a documented migration path to higher security tiers (DESFire EV3, mobile credentials, biometrics)?
• Vendor lifecycle & stability — Kantech, Lenel, Brivo, Openpath, ProDataKey, HID-based Mercury platforms all have stable parent companies, multi-year roadmaps, and broad installer ecosystems. Avoid orphan platforms with single-distributor support.
• NDAA / federal procurement posture — if your business sells to government, defence, or any federally-funded entity, NDAA Section 889 compliance must be locked at the credential, reader, and controller level. Not optional, not retrofittable cheaply.
• Integration with surveillance and intrusion — if you already run a VMS (Milestone, Genetec, Hanwha Wave, DW Spectrum) or an intrusion panel (DSC, Bosch, Honeywell), confirm bidirectional integration with the access platform shortlist. Cross-system event correlation is what makes the security stack useful, not just installed.
• Local field support availability — for Ottawa and Eastern Ontario buyers, response time on a failed controller or stuck door is the difference between an inconvenience and a Monday-morning shutdown. Confirm local certified support, not 1-800 phone-only.
• Warranty, service-level terms, and parts availability — hardware warranty (3–5 years typical), platform uptime SLA for cloud, advance replacement terms, and the realistic lead time on the most common failed components (power supplies, readers, controllers).

A buyer who can articulate answers to all seven of these before signing typically gets a system that’s still serving them five years later — and that’s the only outcome that matters.