Last reviewed 12 April 2021
While we are familiar with formal standards in health and safety, information, environment and quality management, they are not so common in security management. They can be very beneficial to an organisation, argues Mike Sopp.
In the security sector, the use of management system standards is common in certain areas such as information security but not within the wider field of security management.
However, a corporate-wide protective security management system standard can bring various benefits and help align security management with the wider organisational resilience requirements of an organisation.
Drivers for a security management system
All organisations, whatever their size and complexity, face various security threats that can impact on organisational assets including people, property and information.
There are many specifications and standards that can help identify and control specific security threats. However, as organisations face multiple security threats, roles, responsibilities and authorities are often delegated to specific departments or specialist services, creating silos.
Here, each department or service tends to focus on its own primary objective rather than the wider organisational security goals. This means insufficient cooperation, communication and coordination which in turn limits intelligence sharing and increases confusion over where ultimate responsibility rests. This can reduce organisational security resilience as resources and attention are not necessarily focused on the most significant security threats.
By applying a formal protective security management system standard, a business can take an “organisational” approach to security management. Benefits of this include:
security becomes a visible board level matter
security is linked to wider organisational objectives
adequate and proportionate resources, targeted at the most significant risks
a robust “architecture” to manage security matters
a collaborative approach to security risk control
a consistent approach to security threat and risk assessment
assurance for relevant stakeholders
a means of monitoring security management
flexibility and resilience to adapt to changing security risk profiles.
When to apply a system
The primary factor is whether the organisation needs a corporate or strategic approach to security management.
This may be the case where an organisation has:
a large or complex organisational structure with multiple geographical sites or divisions
a range of significant security threats and risks that can impact on the corporate business and reputation
a strict regulatory compliance regime where assurance requirements are mandatory requirements
business continuity risks that require a high level of risk avoidance, elimination or mitigation so as to maintain operations.
As part of the decision-making process, an “initial status review” may be undertaken. The information from this can influence decisions on the scope, adequacy and implementation of a system.
This process can be carried out by undertaking a PESTLE study to understand the organisational context for security, and by reviewing the current organisational security arrangements and practices against available best practice.
It may be worth using the services of an external (competent) third party to complete the status review where internal competency is not available. This would also give a higher level of impartiality to the process.
There are a number of options for a protective security management system standard, some of which are sector- or discipline-specific. See Further information below.
The majority of these standards are structured around the Plan-Do-Check-Act cycle model (PDCA). The continuous loop of the PDCA cycle model ensures that the process to which it is applied is frequently revisited.
This enables the necessary change to be made to any particular aspect of the loop when it is unsatisfactory (ie not meeting the standard necessary). The PDCA stages are as follows.
Plan: establish management system policy, objectives, processes, and procedures relevant to managing risk and improving security.
Do: implement and operate the management system policy, controls, processes, and procedures.
Check: assess and measure performance against management system policy, objectives, and practical experience, and report the results to management for review.
Act: take corrective and preventive actions, based on the results of the internal management system audit and management review, to achieve continual improvement.
This approach potentially allows your security management system to be integrated with management standards related to other risk disciplines including fire, health and safety, business continuity and quality management, for example.
Leadership and arrangements
An organisation may already be applying a number of the elements that make up the PDCA cycle, particularly the “doing, checking and acting” stages.
The introduction of an organisation-wide protective security management system standard will most likely impact on the planning stage, as this will require significant action in terms of leadership and organisational arrangements.
A key element of a security management system is the need for leadership from top management, which will involve:
taking accountability for and showing commitment to security management
aligning security with overall strategic business planning and processes
ensuring that the appropriate organisational resources needed are available
communicating the importance of effective security management
promoting and leading organisational culture with regard to the management system.
This approach to security management may be new to an organisation and it is essential that whoever is responsible for the overall management of security is capable of “selling” the above approach to the senior management team.
The application of a security management system may also require adjustments to the current organisational arrangements for security management, ie by creating new roles and responsibilities.
The governance and architecture required for security management will also need to be considered. Interestingly, a number of standards recommend the establishment of security “working groups” responsible for application of the system and in particular:
ensuring security risk control measures are implemented
monitoring performance of the system and reviewing non-compliance
reviewing resource allocation to specific security risk control requirements.
Most organisations will have a governance structure that enables the senior management team to have appropriate oversight of risks within the organisation. It is likely that this can be used for security management governance.
The British Standards Institution states that “security management is a vitally important strategic capability for a modern organisation that supports the achievement of the organisation’s objectives by protecting the organisation’s reputation and financial well-being”.
Organisations are facing a range of likely security threats and associated risks that can create wider business threats including business continuity issues and reputational damage.
By adopting a corporate-wide protective security management system standard, an organisation can apply a cost-effective approach to managing security threats by focusing resources on the most significant risks.
Applying such a system from a baseline where there is no such system will entail costs and will require investment in time, effort and finances. It will also require changes to organisational structures, arrangements, governance and most likely culture to achieve success.
Success, however, can bring benefits to the organisation in terms of effective organisational resilience and reputation.
For more detail, see the topic Security Management System Standards.
The following is available from the Centre for the Protection of National Infrastructure.
Protective Security Management Systems (PSeMS). Guidance, Checklist and Case Studies.
The following are available from the British Standards Institution.
BS 16000: 2015 Security Management. Strategic and Operational Guidelines.
BS ISO 28002: 2011 Security Management Systems for the Supply Chain. Development of Resilience in the Supply Chain. Requirements with Guidance for Use.
BS EN ISO/IEC 27001: 2017 Information Technology. Security Techniques. Information Security Management Systems. Requirements.
The following is available from the International Organization for Standardization.
ISO 28000: 2007 Specification for Security Management Systems for the Supply Chain.
The following is available from the Loss Prevention Certification Board.
SABRE: Security Assessment Standard for Buildings and Built Infrastructure.