Last reviewed 22 January 2018
Mike Sopp looks at the purpose and benefits of a good security management system with reference to BS 16000 and the new SABRE scheme.
Despite falling levels of crime in the workplace environment, a recent survey conducted by the BRE Group found that two out of three respondents were more concerned about crime today than they were five years ago.
With the majority of respondents indicating that proactive management of security would make them feel more secure, the need for a security management system that is appropriate and proportionate to the workplace security risks is gaining importance.
To assist in this, BRE Global launched in 2017 a security assessment and certification scheme standard that “recognises and rewards good practice in security risk management”.
SABRE purpose and benefits
BS 16000: Security Management: Strategic and Operational Guidelines, states that “security management is a vitally important strategic capability for a modern organisation that supports the achievement of the organisation’s objectives by protecting the organisation’s reputation and financial well-being”.
As with other “resilience disciplines” many organisations will seek to establish security management systems using current best practice.
In support of this aspiration, BRE Global Ltd has introduced a Loss Prevention Standard in the form of SABRE: Security Assessment Standard for Buildings and Built Infrastructure Assets.
In summary, SABRE offers the opportunity for an organisation to have “an independently assessed security risk management rating” that will help to “deliver appropriate and proportionate security, obtain value for money in their investment decisions, improve transparency and communicate security credentials to interested parties”.
SABRE identifies technical requirements against which the security risk management at a facility is evaluated. The evaluation is based on the level of conformity with the technical requirements presented in the Standard, demonstrated through the submission of acceptable evidence.
According to BRE Global Ltd, SABRE offers benefits to various parties, not least building owners, occupiers and facilities managers. In respect of the latter group, it states that the framework for SABRE and assessment results can be used to “ensure they have an in-depth understanding of the facility security requirements, establish a holistic plan for security risk management and evidence successful implementation and management of their plans”.
The SABRE standard can be used for single properties but where an organisation occupies multiple sites it can be used to compare one facility against others within the property portfolio.
All types of built assets (buildings and built infrastructure assets), both new and existing facilities, are within scope, and the Standard includes “requirements at each stage in the life cycle of a built asset”, from design to disposal of an asset.
The SABRE assessment process follows a risk-based framework incorporating nine technical criteria sections and 70 assessment issues.
Under Section 1: Facility Security Requirements, there are two technical sections, these being “understanding the facility and context” and “facility security risk”. The aim of this section is to assess whether management has established and maintained an understanding of their facility security requirements.
Both technical sections contain a series of criteria (the assessment issues) that include the identification of relevant parties, legal requirements, security dependencies and security assessment procedures.
For facilities managers responsible for the application of management systems standards in other disciplines including quality and environmental management, these requirements and how to achieve them will be familiar as they reflect certain clauses contained in these standards.
Under Section 2: Planning for a Secure Facility, there are three technical sections covering facility security strategy, design and risk management planning. The goal of this section is to “assess whether management adopt a strategic and holistic approach to the identification and specification of appropriate and proportionate facility security controls”.
The above sections reflect current good practice in security planning, for example by basing the strategy and subsequent design and planning on the principles of deterrence, detection, delay and disruption of unwanted adversarial activity.
In doing so, the Standard recognises the need to integrate security measures with other design elements such as those in relation to safety and fire safety.
Section 3: Facility Security Implementation and Management aims to assess whether there is “strong leadership and commitment to security risk management at a facility” and contains three technical sections on the development and operation of a security risk management system, incident management and project management.
Again, many of the requirements reflect those found in other management system standards including the need for demonstrable leadership and commitment from the responsible person, adequate resources, competency and performance monitoring.
This section also includes a requirement to develop and exercise procedures for incident management and recovery.
The final technical criterion is a requirement for innovation, which cuts across all the other criteria and aims to encourage “innovation and an aspirational approach to facility security management”. It covers innovation in various areas including the use of technology to improve the security performance of the facility.
Assessment, certification and competency
Independent assessment and certification by a SABRE Registered Assessor is a key element of applying the standard.
BRE Global states that successful assessment results in a SABRE Rating and LPCB certification, which can be used to:
communicate the security credentials of the facility to internal and external stakeholders
measure facility performance and target areas for future improvement and investment
benchmark performance across a portfolio of assets
demonstrate that a project has delivered on contractual requirements.
All SABRE Registered Assessors have undergone a robust competency assurance procedure prior to becoming registered and must abide by the process detailed in the SABRE Operations Handbook.
The assessment process includes a number of activities such as a review of all relevant documentation and the completion of site visits. On completion of the assessment, a report will be developed that details current levels of conformity with the relevant parts of the standard and (at the assessor’s discretion) recommendations for improvement.
Once the level of quality assurance is met, a certificate will be issued to the organisation detailing the assessment score, assessment stage, valid dates, etc.
Prior to undertaking assessment and certification, organisations will need to determine if they are in a position to move forward in this respect. BRE Global has developed a “SABRE Readiness Checklist” to help those either involved in the procurement of new facilities or operating existing facilities to determine whether they are ready to move forward with SABRE assessment and certification.
The checklist aims to assist the responsible person to understand whether the values and objectives of the SABRE scheme are aligned with those of the organisation. On completion of the checklist, BRE will provide a recommendation based upon the information provided.
Within the SABRE scheme, some technical criteria can only be met if delivered by a competent person, which a SABRE Assessor will check against the competent person criteria defined in the SABRE Scheme Document.
As part of this process, BRE Global has created a register of recognised competent persons known as “SABRE Registered Professionals”. These are individuals who are deemed to meet the competency requirements of the various deliverables within the scheme including those for threat assessment, risk assessment, security strategies, technical design and engineering and operational security plans.
The list is also intended to act as an indicator of professionalism for the benefit of the wider security industry. As with other disciplines, competency is based upon a combination of experience, skills and qualifications along with membership of appropriate professional bodies.
BRE Global Ltd: bregroup.com/sabre
LPS 2082: SABRE — Security Assessment Standard for Buildings & Built Infrastructure Assets
SABRE Essentials — How SABRE works for you
SABRE Operations Handbook