CPNI would like to highlight ISO 23234:2021 to all those involved in the delivery of major infrastructure projects as you may find the approach outlined in the standard useful.
As an international standard, it uses terminology that is designed for its international readership, which may appear slightly different from that used in the UK. However, the principles are sound and should assist in delivering security effectively in major projects.
The aim of the document is to help organisations effectively plan security measures in order to protect their built environment from terrorism and other security threats.
The document outlines the security deliverables against the RIBA (Royal Institute of British Architects) project planning stages, highlighting when each process, such as risk assessment, or security strategy, should be delivered.
The document defines a number of roles key to successful delivery of security in the project planning process. On UK projects, these multiple roles may be performed by a single individual. If that is the case, it is important that all aspects are still covered.
The document is independent of any single risk assessment model, but the security deliverables in ISO 23234:2021 can be mapped across to the CPNI risk management process (https://www.cpni.gov.uk/rmm/protective-security-risk-management).
At the beginning of ISO 23234:2021, Figure 1 enables users to determine whether the standard could add value to their projects. This figure is included in the free-to-view download of the guidance and should be used to assess whether the standard will be useful to your particular project.
Benefits of using ISO 23234:2021
- Identifies the security deliverables that should be completed at each stage of the project lifecycle; the stages are based on the RIBA stages.
- Outlines who should be involved in delivering security advice and in the decision-making process.
- Highlights the key role that the “principal” (the senior responsible owner, an executive-level representative) plays in the decision-making process.
- Highlights the importance of initiating the risk management process early in project delivery.
Clarification of terminology
ISO 23234:2021 includes a long list of definitions, some of which are not routinely used by CPNI. Most are unlikely to cause confusion, but we would like to highlight that the document does not use “operational requirement” in the same way that CPNI does.
In ISO 23234:2021 the term “operational requirement” does not describe the process by which security measures are selected and mapped back to risk, i.e. the CPNI Operational Requirement process. That stage does exist in ISO 23234:2021, but it is listed under the deliverable “selection of security measures”. In ISO 23234:2021, “operational requirements” instead describes the process of detailing how security measures will be operated.
Despite some differences in terminology, the process detailed in the standard does not conflict with CPNI advice. Therefore, where ISO 23234:2021 is followed, CPNI advice and guidance can be used alongside the process defined in the standard.