The Digital Daily Occurrence Book: Why Your Security Team Needs One
A complete guide to security log best practices, shift logging, and what a modern occurrence book should do for your team.
In this guide:
- What the occurrence book is – and what it isn’t
- Security log best practices: what to record, and how
- Shift logging for security teams: handovers, patrols, and the gaps in between
- Why paper can no longer support modern logging requirements
- What a capable digital occurrence book should do
- The scenarios where good logging protects your organisation
- Regulatory context: Building Safety Act, Martyn’s Law, and duty of care
- How to build a business case for going digital
- Evaluation criteria and your DOB scorecard
What the occurrence book is – and what it isn’t
Every security team has one. The daily occurrence book, sometimes called an ops log, duty log, or shift log, is the running written record of everything that happens at a site during a shift.
It captures the fabric of daily operations: handovers, access requests, patrol notes, contractor sign-ins, minor incidents, maintenance observations, and anything the next shift needs to know. It is not an incident management system. Incidents are discrete events requiring investigation, escalation, and resolution. The occurrence book is the operational thread running underneath all of that, the constant, cumulative record of normal activity and minor events across every shift, every day.
That distinction matters. Conflating the two is one of the most common mistakes in security operations. Your incident system handles the exceptions. Your occurrence book handles everything else.
Both need to be digital. But for different reasons.
Note
The occurrence book isn’t becoming less important. The opposite is true. As buildings become more regulated and more scrutinised, the quality of daily logging is under more pressure than ever.
Security log best practices: what to record, and how
Most security teams record something. Fewer record the right things, in the right way, at the right time. Here is what good logging practice looks like in 2026.
Record in real time – not at end of shift
This is the single most important discipline in occurrence logging. An entry made at 09:15 about something that happened at 09:10 is reliable. An entry made at 17:55 covering eight hours of activity is a reconstruction, and it will be challenged.
Real-time logging isn’t just about accuracy. It creates a timestamped record that demonstrates events were observed and recorded as they occurred. That matters enormously when a log entry is later used as evidence in a dispute, an investigation, or a regulatory inspection.
Use structured categories, not free text
Unstructured entries are a search problem waiting to happen. When an incident occurs three months from now, you need to find relevant entries fast. That requires structure: entry types, locations, officer names, and timestamps that can be filtered and searched.
Good practice is to categorise every entry at the point of creation, access, patrol, observation, maintenance, handover, communication, and so on. This takes seconds to apply but saves hours when retrieval matters.
Name names and note specifics
Vague entries create gaps that are exploited in disputes. ‘Contractor on site’ is less useful than ‘JC Electrical, two engineers, arrived 10:23, escorted to plant room by Officer Davies, departed 13:47.’ The effort is minimal. The evidentiary value is significant.
The same applies to any observation or minor incident. Record who, what, where, and when. If an action was taken, record what it was and by whom. If something was reported to management, log the name of the person notified and the time.
Log what didn’t happen, as well as what did
This is counterintuitive but important. A completed patrol with no findings is still a log entry. An access request that was refused is still a log entry. A quiet overnight shift with no incidents is still a shift that needs to be documented.
Gaps in a log are as damaging as inaccurate entries. An uninspected period, especially one that precedes an incident, becomes a liability. Consistent, complete logging protects you. Selective logging doesn’t.
Don’t use the log to record what belongs in an incident report
The occurrence book is not the right place for a full incident record. Minor observations go in the log. Events that require investigation, escalation, or formal response should be escalated to an incident report, with the log entry serving as the first-notification record.
A capable system should make this easy: one action to escalate a log entry into a formal incident, carrying the timestamp and context across without duplication.
Note
The occurrence book earns its value not in quiet periods, but in the moment someone asks what your team knew, when they knew it, and what they did about it.
Shift logging for security teams: what good looks like
Shifts are the natural unit of occurrence logging. But most guidance focuses on what to log during a shift. Equally important is what happens at the boundaries, handovers, patrol completion, and end-of-shift reporting.
Shift start: set the context
Every shift should begin with a structured start record. Who is on duty, what their assignments are, any outstanding items from the previous shift, and any known events or considerations for the period ahead. This takes two minutes. It creates a baseline that everything else in the shift is measured against.
Patrols: log checkpoint by checkpoint
Patrol records and the occurrence book should be linked. Every patrol completion, with timestamp, route, officer name, and findings, should appear in the occurrence log as well as the patrol management record. If a patrol finds nothing, that is still a finding. If a patrol is missed or delayed, that needs to be logged with a reason.
The integration between patrol records and the occurrence log is one of the clearest indicators of operational maturity. Teams that maintain both separately, or worse, only one, create gaps that are difficult to defend.
Incidents and observations: log as you go
Anything that warrants attention during a shift should be logged at the time it occurs. Access requests, contractor arrivals, tenant interactions, maintenance observations, and any security-related observation. The threshold for logging should be low. The threshold for not logging should be very high.
If in doubt: log it. An entry that turns out to be irrelevant costs nothing. A missing entry that turns out to be critical is a problem that cannot be fixed retrospectively.
Shift handover: the highest-risk moment in every shift cycle
Handovers are where information is lost. An officer working a 12-hour night shift passes responsibility to a colleague who has not been on site for 24 hours. In a paper world, that handover is a verbal conversation and a few notes, unreliable, unverifiable, and incomplete by design.
In a digital system, the incoming officer reviews the full shift log before they arrive on site. They see what happened, when, and who dealt with it. Outstanding items are flagged. The handover becomes a structured record, not a conversation that neither party can reproduce a week later.
End of shift: close the loop
A shift-end record should confirm that all assigned patrols were completed, all outstanding items have been passed over, and the site status is documented. This creates a closed loop between shift-start and shift-end that supports accurate reporting, performance management, and compliance evidence.
Why paper can no longer support modern logging requirements
Paper works in a narrow set of circumstances: a single officer, a low-risk environment, no regulatory pressure, no multi-site visibility requirements. Outside that scenario, paper is a liability.
| Paper logging | Digital logging |
| Handwritten entries โ legibility varies | Structured, typed entries with consistent formatting |
| One copy, stored on site | Cloud-stored, accessible from any authorised device |
| Searched by flicking through pages | Searched instantly by keyword, date, officer, or category |
| Handover is a conversation | Handover is a timestamped, searchable record |
| No backup โ lost, damaged, or destroyed | Automatically backed up with full version history |
| No audit trail on entry timing | Every entry timestamped and linked to a named user |
| Invisible to head office until retrieved | Real-time visibility for authorised stakeholders |
| Cannot link to incidents or patrols | Integrated with incident management and patrol records |
| Difficult to verify for regulators | Exportable, timestamped compliance evidence |
That last row is what matters most in 2026. The Building Safety Act 2022, Martyn’s Law, and increasing scrutiny from insurers and courts all demand more than a handwritten record. They demand verifiable, auditable evidence. Paper cannot provide it.
What a capable digital occurrence book should do
Moving to digital is not about replacing a notebook with a screen. It should fundamentally change what the occurrence book can do.
Timestamped, structured entry logging
Every entry automatically timestamped and linked to a named, authenticated user. Categorised by type. Searchable by date, officer, category, keyword, or location. Accessible from mobile devices as well as desktop, because officers are moving through buildings, not sitting at terminals.
Real-time shift handover
Incoming officers review the full shift log before they arrive on site. Outstanding items flagged. Nothing communicated verbally that won’t be reproducible later. The handover is a record, not a conversation.
Integration with incident management
A log entry should be escalatable to a formal incident report with a single action, carrying timestamp, context, and officer details across without duplication. The occurrence log becomes the foundation of the incident record. Nothing is lost in translation.
Linked patrol and task records
Patrol completions, checkpoint scans, and assigned tasks should link directly to occurrence log entries. The result is a connected operational record, not a series of disconnected logs that tell an incomplete story.
Multi-site and portfolio visibility
Managers operating across multiple sites need consolidated visibility. A capable system allows authorised managers to view occurrence logs across an entire portfolio, filtering by site, date, or entry type. Patterns that would never be visible in site-specific paper books become immediately apparent.
Immutable audit trail with export
Every entry, edit, and review produces a timestamped record. Amendments create new entries rather than overwriting originals. The full audit trail is exportable in standard formats for regulators, insurers, legal teams, and senior management.
Key distinction
A digital occurrence book doesn’t just store information more efficiently. It creates a verifiable, searchable, and exportable operational record that paper cannot replicate โ and that regulators, insurers, and courts increasingly expect to see.
The scenarios where good logging protects you
The occurrence book earns its value not in normal operations, but when things go wrong.
Insurance and liability claims
A slip, trip, or fall. A contractor injury. A tenant alleging that a security officer failed to respond. In each case the question is the same: what happened, when, and who knew about it?
A digital occurrence log provides a timestamped, user-attributed, searchable answer, with an audit trail showing whether entries were made in real time or added retrospectively. That difference can determine the outcome of an insurance claim or a legal dispute.
Regulatory inspection and audit
Local authority inspections, fire authority audits, and HSE visits all require evidence that your operations are managed properly. Inspectors increasingly expect digital records, timestamped, searchable, and comprehensive. A well-maintained digital log demonstrates operational maturity. A stack of handwritten notebooks signals the opposite.
Security incidents and investigations
A theft. An access breach. A physical altercation. When a formal investigation begins, investigators need to reconstruct what happened and establish a timeline. Log entries from the hours and days before an incident are often critical. A digital system makes this reconstruction fast and reliable. Paper makes it slow, incomplete, and easy to challenge.
Staff conduct and performance
Occurrence logs are also an HR tool. They record shift activity, officer observations, and handover quality. Where patterns emerge, missed entries, inconsistent reporting, gaps in the log during a specific officer’s shifts, a digital system makes those patterns visible in a way that paper never could.
Business continuity and knowledge transfer
When an experienced officer leaves, their knowledge leaves with them, unless it has been captured in structured log entries. A digital system builds institutional knowledge over time. The officer joining a site in six months can search historical records to understand recurring issues, access patterns, and site-specific context. That is invisible in a paper log. In a digital one, it persists.
Regulatory context: what compliance now requires
The regulatory environment has shifted. Daily occurrence book records now sit at the intersection of several significant obligations.
The Building Safety Act 2022
The Building Safety Act places new responsibilities on those managing higher-risk buildings, with implications across the commercial sector. It creates a duty to maintain safety cases and demonstrate ongoing compliance through documented operational evidence.
Occurrence logs are part of that evidence base. Buildings with digital, timestamped, searchable records are better positioned to meet these obligations than those relying on handwritten notebooks.
Martyn’s Law (The Terrorism (Protection of Premises) Act 2025)
Martyn’s Law requires qualifying premises to have public protection procedures in place and to demonstrate preparedness for a terrorist incident. That demonstration depends on documentation- evidence that procedures are followed, tested, and recorded.
Shift records capturing patrol activity, access management, and security checks provide the operational evidence that underpins a credible compliance position. A paper log cannot be easily searched, verified, or presented to the Security Industry Authority. A digital one can.
Duty of care and due diligence
Beyond specific legislation, organisations have a general duty of care to those on their premises. In the event of harm, the question asked by courts and insurers is whether reasonable steps were taken. Operational records are central to answering that question.
Due diligence now means demonstrating what you did, not just asserting it. Timestamped, user-attributed digital records are the standard that courts and insurers have come to expect.
Note
Martyn’s Law enforcement begins from Spring 2027. Buildings that have already embedded digital operational records will be in a fundamentally stronger position than those still relying on paper when the SIA starts inspecting.
Building the business case
The move to digital occurrence logging is rarely blocked by logic. It is usually blocked by inertia, or by an inability to quantify the return. Here is how to make the case.
Operational efficiency
Calculate the time your team spends on shift handovers, log retrieval, and monthly reporting. In a medium-sized building with a two-shift operation and three officers per shift, manual logging and retrieval typically consumes two to three hours per shift across the team. Structured digital entries, automated shift reports, and instant search eliminate the majority of that overhead.
Risk reduction
A single undefended liability claim, legal fees, insurance excess, management time, reputational damage, frequently exceeds the annual cost of a digital occurrence platform by an order of magnitude. The insurance argument alone often closes the business case.
Compliance readiness
With Martyn’s Law enforcement from 2027 and the Building Safety Act already in force, the cost of non-compliance is no longer theoretical. SIA enforcement action, prohibition notices, and reputational consequences are real risks. Investing now gives you the runway to embed, test, and evidence your approach before enforcement begins.
Talent and retention
Security officers increasingly expect modern tools. Teams still operating on paper logs in 2026 face a recruitment disadvantage. A digital system signals investment in your team’s working environment. That matters in a competitive labour market.
What to look for when choosing a platform
There is no shortage of platforms claiming to do this well. Here is what actually matters.
Mobile-first design
Officers move through buildings. They don’t sit at desks. A platform requiring desktop login to make an entry is not a field tool, it is a spreadsheet with extra steps. The platform must be fully functional from a mobile device, with fast entry, voice-to-text capability, and offline mode for poor-connectivity areas.
Speed of entry under pressure
If an entry takes more than 30 seconds, it will not be made consistently. Categorised entry types, quick-fill fields, and minimal steps between opening the app and completing a log are non-negotiable. Test with your team under realistic conditions, not in a boardroom demo.
Integration with your operational ecosystem
A standalone log is useful. A log integrated with incident management, patrol tracking, task management, and visitor records is transformative. Integration is what turns a collection of separate logs into a connected operational record.
Audit trail integrity
Every entry must be timestamped, user-attributed, and immutable once submitted. Amendments create new entries, not overwrites. The audit trail must be exportable and verifiable. If a vendor cannot demonstrate clearly how this works and how it holds up under legal scrutiny, move on.
Access controls and permissions
Not everyone should see everything. Role-based, site-based, and time-limited access controls. A site officer sees their site’s log. A regional manager sees their region. An auditor sees what they need and nothing more.
Scalability across a portfolio
If you manage more than one site, you need more than a site-level solution. Centralised configuration with site-level operation, consistent standards across all locations, with site-specific customisation where needed.
Note
Red flags: platforms where entries can be deleted rather than amended. Systems with local-only storage and no cloud backup. Vendors who cannot explain their data hosting or security certifications. Solutions requiring a separate login for mobile access.
Implementation: making the transition work
Moving from paper to digital is straightforward in principle. It fails when treated as a technology project rather than an operational change.
Phase 1: Foundation
- Audit your current logging practice. Map what is being recorded, by whom, when, and where. Identify the gaps before you start.
- Define your entry categories and mandatory fields. This structure is the foundation of your future search capability.
- Establish your access hierarchy. Decide who can see what, officers, supervisors, managers, FM leads, senior stakeholders.
Phase 2: Configuration and rollout
- Build entry templates for common entry types: handover, access, observation, maintenance, patrol. Pre-built templates reduce friction and improve consistency.
- Train on the device, not the slide deck. Officers must practise on the platform they will actually use, under conditions that resemble a real shift.
- Run a parallel period. Keep paper logs running alongside digital for two to four weeks. This surfaces gaps in the setup and builds officer confidence before paper is retired.
Phase 3: Embed and improve
- Use the data. Monthly review of log patterns, frequency, category distribution, officer activity, generates operational insight and reinforces the value of good practice.
- Review every incident against preceding log entries. This closes the loop between occurrence logging and incident management.
- Audit log quality regularly. Consistent, structured entries take practice. Regular feedback keeps standards high as teams change.
Your digital occurrence book scorecard
Use this framework when evaluating platforms.
| Evaluation Criteria | Questions to Ask | Priority |
| Mobile-first design | Can officers make entries from a mobile device with no desktop login required? | Critical |
| Speed of entry | Can a new officer make a structured entry in under 30 seconds? | Critical |
| Entry categorisation | Can entries be categorised by type, sub-type, and location? | Critical |
| Timestamp and attribution | Are all entries automatically timestamped and linked to a named user? | Critical |
| Search and retrieval | Can entries be searched by date, officer, category, keyword, and location? | Critical |
| Audit trail integrity | Are entries immutable after submission, with amendments creating new records? | Critical |
| Export capability | Can logs be exported in standard formats for legal, insurance, and regulatory use? | Critical |
| Data hosting and security | Where is data hosted? What certifications does the vendor hold? | Critical |
| Incident integration | Can a DOB entry be escalated directly into an incident report? | High |
| Patrol integration | Can patrol records and DOB entries be linked? | High |
| Shift handover | Does the system support structured digital handovers visible to incoming officers? | High |
| Multi-site visibility | Can managers view occurrence logs across multiple sites from one interface? | High |
| Access controls | Does the platform support role-based and site-based permissions? | High |
| Offline capability | Can entries be made without internet connection and synced on reconnect? | High |
| Ongoing support | What training, onboarding, and support are included? | Medium |
Making the right decision
The occurrence book is not going away. It is becoming more important, not less, as buildings become more regulated, more scrutinised, and more complex to manage.
The question is not whether you need one. You do. The question is whether your current log meets the standard that regulators, insurers, courts, and your own operations now require.
Good logging practice, structured, real-time, integrated, and auditable, is the foundation of a defensible operational record. It protects your organisation when something goes wrong. It supports your team with better tools and better information. And it demonstrates, to every stakeholder who needs to know, that your operation is run properly.
That starts with the daily occurrence book. Done well, it becomes the operational backbone of your security and FM function, connecting daily logging to incident management, patrol records, task completion, and compliance evidence.
That is worth getting right.
+44 (0)20 3989 4859 
info@zinc.systems 