Planning Security Projects
Whether a new build, upgrade or retrofit, there are some fundamental stages that any project must follow to successfully deliver proportionate security measures. This is the established CPNI methodology of:
Key messages for new builds
- Although security may not necessarily be the primary focus in new infrastructure projects, it is essential that security risks are identified early in the project so that sound decisions can be made about how they will be treated.
- Security must be considered at all stages of the project and must not be thought of as a separate entity that can be addressed later in delivery by a specialist team in isolation.
- A clear governance structure to map out responsibility for decision making and risk ownership is required to successfully deliver security.
Security planning in new builds
First it is necessary to determine how sensitive the project is so that an appropriate amount of resource can be assigned to identifying, analysing and treating security risks.
The flow chart in ISO 23234:2021: “Planning Security Measures in the Built Environment” and the BS EN ISO 19650-5:2020: “Security-minded information management” will help determine this:
A built asset should be considered to be sensitive if it:
- Forms part of the critical national infrastructure;
- Fulfils a defence, law enforcement, national security or diplomatic function;
- Is a commercial site involving the creation, trading or storage of significant volumes of valuable materials, currency, pharmaceuticals, chemicals, petrochemicals, or gases;
- Constitutes a landmark, nationally significant site or crowded place; and/or
- Is used or is planned to be used to host events of security significance.
In major projects where the built asset is identified as being sensitive, the security requirements will impact the design and delivery of the project. It is important that the requirements are identified early in the project delivery as it is far more cost effective to design in security measures at the outset rather than retrofit the built asset. In less sensitive projects security requirements may not impact on the design, but determining this early will still be of value.
The next stage is to identify who is accountable for security risks. CPNI recommends that there is a senior board-level owner accountable for security. See Good Governance for more information.
The senior accountable security risk owner will need to determine who in their organisation is responsible for security and determine whether specialist security consultants are likely to be required. If security consultants are required, we recommend following the advice in Procuring the Services of a Specialist Security Consultant.
The governance of the whole lifecycle, including the operational phase, needs consideration at the project planning stage.
Risk management process
The CPNI risk management process is as relevant to new build infrastructure projects as it is to smaller security projects and security upgrades. The risk management process covers all aspects of risk assessment, including risk identification, risk analysis and risk evaluation. Prior to starting the risk assessment part of the process, it is essential that there is an understanding of the parts of the built asset that need to be protected. Once these have been identified, they should be categorised and prioritised. More information can be found at Protective Security Risk Management.
Once the security risks which need to be mitigated have been identified, the measures for mitigating those risks should be selected following the Operational Requirement (OR) process.
Security deliverables in the project lifecycle
Guidance is available in documents such as ISO 23234:2021: “Planning security measures in the built environment”, which lists the security deliverables at each RIBA stage to show when security should be considered in the project lifecycle. CPNI has produced a short guide to ISO 23234:2021.
A simplified table of security deliverables against RIBA stages is shown below. Many of the deliverables, such as risk registers and ORs, will be live documents revisited throughout the project lifecycle, but the table helps to identify when they should first be developed.
Decommissioning is not listed as a stage in the table below, but it is important that consideration is given at the outset of the project to the practicalities and cost associated with the decommissioning of security mitigations.
Summary table of security deliverables in the project lifecycle