
7th December 2021

Benefits and limitations of regulatory and standards-based compliance

In physical security, as in other realms, compliance can be divided into 2 broad categories.

First, there’s compliance with standards, certifications and codes of practice that offer assurance that best practices have been followed.

Whether around products or procedures, complying with non-binding guidance can secure better deals with insurers and reassure stakeholders, as well as bolster security.

Alternatively, compliance can be about following the law, with regulations that typically relate to areas other than security in the narrow sense, such as data protection and health and safety.

However, security professionals must convince boardrooms that bare-minimum compliance alone is not necessarily ‘job done’ when it comes to discharging their obligations to protect personnel and assets.

And regulations, such as around fire safety or data privacy, must be adhered to in a way that doesn’t inadvertently undermine security measures.

Consolidated wisdom

Physical security standards and codes of practice provide a framework, developed by governments and independent bodies, for judging whether products or practices robustly protect people and property against theft, vandalism, terrorism, natural disasters and so on.

They consolidate wisdom drawn from rigorous testing, academic research and the input of experts from government, law enforcement, and the insurance, architecture and risk consultancy industries, among other sources.

These frameworks, which are refreshed periodically, spare security professionals from having to establish best practice from the ground up, although they do not remove the need to assess the risks specific to their own site.

Secured by Design

For instance, Secured by Design, a police initiative, works with fire and security test houses like the Building Research Establishment (BRE) and its subsidiary, the Loss Prevention Certification Board (LPCB), in fulfilling its mission to ‘design out crime’ for homes, commercial premises and public spaces.

Secured by Design’s product accreditation scheme, the Police Preferred Specification, makes certification contingent on demonstrating that a product has been designed with security as a priority.

Products are independently tested and certified by a certification body accredited by the United Kingdom Accreditation Service (UKAS); UKAS accredits the testing and certification bodies rather than certifying products itself.

Necessary – but not sufficient

But might compliance with minimum standards potentially risk fostering complacency among security professionals and a false sense of security among stakeholders?

Having a product that is ‘secure by design’ is necessary – but not sufficient – to ensure that people and property are adequately protected.

A product’s suitability to the environment, and how it is installed and used, are vital too – and there are standards and guidance for these areas as well.

Security teams should therefore find out which guidance and standards are relevant for their use case.

And they should be willing to go above and beyond minimum standards where relevant. For instance, if they’re protecting a busy public space at high risk of terror attacks and other criminality, then there’s a strong case to procure the highest calibre systems – not just the cheapest solutions that comply with baseline security standards.

Tiered security ratings

While binary standards – i.e. you either comply or you don’t – are easy to administer and understand, graded or tiered security ratings offer a more nuanced framework for choosing a system that meets your risk profile.

As such, compliance with the appropriate grade provides assurance that your system is adequately secure for the environment in which it is installed, without being needlessly feature-rich (and thus expensive).

For example, EN 50131, a European standard outlining performance requirements for intruder alarm systems, sets out four security grades that scale up feature sets, resilience to tampering, and availability of police response, according to the likelihood of attacks and sophistication of likely attackers.

Set according to a risk assessment conducted by installers, they range from grade 1 – the lowest risk category used for domestic properties – to grade 4, assigned to high-risk premises like banks, museums or energy facilities that may be targeted by organised criminals.

Insurers will generally make conformity with the appropriate grade a prerequisite of providing cover.

LPS 1175

LPS 1175, which relates to ‘intruder resistant building components, strongpoints, security enclosures and free-standing barriers’, is also ratings-based.

The scheme, overseen by the LPCB, assigns one of seven security ratings based on how effectively a product – for example, fencing or a security door – withstands attack with tools such as drills, hammers or wire cutters.

Naturally, an airport will typically need perimeter fencing with a much more stringent security rating than an office car park.

Access control regulatory compliance

According to the UK government, your access control system should be compliant with The Equality Act, Human Rights Act, Health and Safety at Work Act and General Data Protection Regulation (GDPR).

Vendors and their customers must accommodate these regulatory requirements when designing, installing and using security systems and policies, and ensure that, say, fulfilling a health and safety requirement does not undermine a security need.

For instance, to comply with UK fire safety laws your access control system should automatically release locked doors when a fire alarm sounds. Similarly, health and safety legislation requires that control rooms and other critical areas have fail-safe systems, i.e. locks that release on loss of power rather than staying locked. Security teams should think about how to mitigate the security risks created by the activation of these functions: a deliberately triggered fire alarm, or a cut power supply, can become a way of opening doors that should otherwise remain locked, so these events should be monitored and, where the risk justifies it, covered by staffed response.

CCTV regulatory compliance

The GDPR and – especially for local authorities and the police – the UK Surveillance Camera Code of Practice are pivotal to the appropriate specification, installation and usage of CCTV systems.

A data controller’s obligations under GDPR are broadly similar in regard to CCTV images – which count as personal data if the individual can be identified – as they are to text-based personal data like names, dates of birth or national insurance numbers.

This includes having a legitimate reason for processing personal data, protecting data during storage, transmission and processing, and keeping footage no longer than is strictly necessary.

The Surveillance Camera Code of Practice is also – rightly – focused on protecting data subjects’ privacy, and is useful in terms of bolstering both data security and physical security.

The newly revised code (pending parliamentary approval) has 12 guiding principles, including asking end users to establish:

  • the purpose of their system;
  • clear policies and procedures;
  • adherence to approved and relevant operational, technical and competency standards;
  • clearly defined rules on who has access to systems and when;
  • and that images will have evidential value if used by the criminal justice system.

Advice and support from ESA Risk

For Security advice and support, contact Liam Doherty, Security Consultant at liam.doherty@staging.esarisk.com, on +44 (0)843 515 8686 or via our contact form.

For support with regulatory compliance, contact Mike Wright, Risk Management & Investigations Consultant at mike.wright@esarisk.com, on +44 (0)843 515 8686 or via our contact form.
