Security advice

The most effective way to secure a business is to use a combination of physical, information and personnel security measures. An expensive swipe-card and PIN access control system, for example, is of little use if recruitment checks are not properly assessing who is issued with a pass in the first place.

However, when combined, these three disciplines create a ‘multi-layered’ regime, with each layer covering the weaknesses of the next, providing a mix of deterrence and detection.

CPNI’s advice and research encourages organisations to use all three disciplines together rather than relying on just one.

Appropriate and proportionate

Any procedures, measures and investments put in place must be appropriate and proportionate for that specific situation. Every location, even within the same organisation, will be different and so the security requirements will change accordingly with locally identified threats and vulnerabilities. Implementing the wrong measures may prove costly, unnecessarily disruptive and may even alienate staff. Careful planning and specialist advice will always be necessary.

As a general guide, the following principles should be central to any decisions:

  • It is not possible to protect everything so prioritise the areas to protect.
  • Measures should be proportionate to the threat.
  • Do not let the cost exceed the value of the asset being protected.
  • Security is more cost effective when incorporated into longer-term planning.

Before taking any decisions, a full risk assessment should be undertaken within each individual location to understand the various threats and vulnerabilities and their potential impacts to help identify the most appropriate security response.

Crime Reduction Officers – who can be contacted through the local police service – can provide advice about general crime prevention. Organisations with a particular concern about being a target for terrorism should also make contact with their local Counter Terrorism Security Advisers.

The sections below outline some of the key physical, information and personnel security measures that organisations may choose to apply to reduce their vulnerabilities.

Cyber security

Almost every business relies on the confidentiality, integrity and availability of its data. Protecting information, whether it is held electronically or by other means, should be at the heart of the organisation’s security planning. The key questions to keep under constant review are:

  • Who would want access to our information and how could they acquire it?
  • How could they benefit from its use?
  • Can they sell it, amend it or even prevent staff or customers from accessing it?
  • How damaging would the loss of data be? What would be the effect on the organisation’s operations?

CPNI provides a range of guidance documents and technical notes aimed at improving practices and raising awareness of current issues related to information security. The following sections set out this information in more detail.

Personnel security

Personnel security measures help organisations manage the risk of staff or contractors exploiting their legitimate access to the organisation’s premises, information and staff for unauthorised purposes.

Although many organisations regard personnel security as an issue resolved during the recruitment process, it is a discipline that needs to be maintained throughout a member of staff’s time in employment: through appraisal procedures, communication programmes, incentive schemes and even management attitudes and relationships. It should include a formal process for managing staff leaving the business.

When consistently applied, personnel security measures not only reduce operational vulnerabilities, they can also help build a hugely beneficial security culture at every level of an organisation.

Physical security

Physical security measures aim to either prevent a direct assault on premises or reduce the potential damage and injuries that can be inflicted should an incident occur.

For most organisations the recommended response will involve a sensible mix of general good housekeeping alongside appropriate investments in CCTV, intruder alarms and lighting that deter as well as detect – measures that will also protect against other criminal acts such as theft and vandalism and address general health and safety concerns.

In some locations these measures may already be in place to some degree. However, external and internal threats to organisations (and their staff) will constantly evolve and so all procedures and technology should be kept under constant review.

Before designing a physical security scheme, it is recommended that security practitioners read the "Guide to producing operational requirements" (see Related Documents). An Operational Requirement (OR) is a statement of need based upon a thorough and systematic assessment of the problem to be solved and the hoped-for solutions.

Producing an OR is a mandatory requirement of the Cabinet Office - Security Policy Framework (SPF) and is a process that has been successfully applied across the UK national infrastructure.

General advice

This page provides general security advice.
