Security Planning Guidance

A site’s security plan should be used to mitigate against reasonably foreseeable risks at a site. This guidance has been designed to provide high level, practical advice to anyone looking to formulate a Site Security Plan. The guidance will assist in developing a proportionate plan which aims to mitigate Terrorist and State threats, whilst supporting in countering many other types of security or safety threats. Your site’s security plan should consider evacuation, lockdown, and invacuation.

Last Updated 14 April 2025

Introduction

This guidance has been designed to provide high level, practical advice to anyone interested in formulating a Site Security Plan (SSP), but particularly those responsible or accountable for the production or maintenance/review of a SSP, with a particular emphasis on managing Terrorist and State threats. An effective and proportionate plan that mitigates Terrorist and State threats will also assist in countering many other types of security or safety threats, such as crime, disorder etc., and enhance the ability to respond to any type of incident. The SSP should be informed by the Site Security Risk Assessment (the ProtectUK Risk Management Process may assist in this) and associated Security Strategy, and provide the basis for detailed Standard Operating Procedures (SOPs), contingency plans etc. that may be required.

It is important to note that this guidance does not provide a template for a plan, but does set out all the elements that should be considered when planning for a site. Each site/organisation will have its own distinct security requirements and threats, so not all the subjects contained in the guidance will be applicable or relevant to every organisation. As site operations will affect site security operations and vice versa, it is essential that the Site Security Plan works as part of wider site operations and is aligned in style with all other plans being used in the organisation e.g. Business Continuity, Fire, Operations etc.

Cyber and Protective Security (physical) are increasingly linked in terms of both threat (e.g. the use of a cyber attack to bring about a physical security failure) and response (e.g. identifying a physical locus for an ongoing Cyber threat), which underlines the need for a fully coordinated and integrated SSP. Good Personnel & People Security (link below) will help to get the most out of both Cyber and Protective Security arrangements.

An effective and proportionate SSP will form the foundation of positive security behaviours, which will help to grow and maintain a positive security culture that will help ensure a lasting and resilient security regime for the organisations concerned. A number of recent public inquiries, high profile incidents and regulatory changes have highlighted the need for effective SSPs, and this guidance will add to that already in place (which will be referred to as required).

NPSA Personnel & People Security: https://www.npsa.gov.uk/personnel-and-people-security 

Scope

Some organisations operate in industries, or in ways, that have to recognise statutory or regulatory requirements for a SSP (Aviation or Sporting Stadia for example). This guidance is designed to provide additional advice that supports and, where necessary, supplements the development of an effective SSP.

Cyber Security is a subject with its own authoritative national guidance and specialist advice which can be obtained from the National Cyber Security Centre. Whilst cyber security is not within the scope of this work per se, many of the principles and best practice will be of use regardless of security application, and the management of the interface between cyber and physical security is referenced.

This guidance is intended to be complementary to existing NPSA models of security management such as:  

NPSA Protective Security Management Systems (PSeMS) for senior management and critical national infrastructure organisations.

NPSA Security Considerations Assessment (SCA) for new building vulnerability assessment and compliance. 

RIBA/NPSA Security Overlay to the RIBA Plan of Work.

Threat

This guidance is primarily focused on site level plans for preventing, mitigating or responding to threats of Terrorism and State Sponsored Sabotage where these are defined as: 

A. Terrorism (Terrorism Act 2000)

  • serious violence against a person;
  • serious damage to property;
  • endangering a person’s life (other than that of the person committing the action);
  • creating a serious risk to the health or safety of the public or a section of the public;
  • action designed to seriously interfere with or to seriously disrupt an electronic system.

... where they are designed to influence the government, or an international governmental organisation or to intimidate the public, and the use or threat is made for the purpose of advancing a political, religious, racial or ideological cause.

B. State Sponsored Sabotage (National Security Act 2023)

“Activity conducted for, on behalf of, or for the benefit of a foreign power, resulting in damage to property, sites and data affecting the UK’s interests, and national security”.

Both threats contain elements that if done for personal gain alone for example would fall within the criminal threat and risk spectrum of most sites (damage to property, violence, for example). For this reason, this guidance should be of use across all security threats. For the purposes of security planning the act is what needs to be considered, as motivation is not always immediately apparent.

Definition of Terrorism (Terrorism Act 2000): https://www.legislation.gov.uk/ukpga/2000/11/part/I/enacted

Definition of State Sponsored Sabotage (National Security Act 2023): https://www.legislation.gov.uk/ukpga/2023/32/contents

Risk

A Security Plan should be focused on mitigating against reasonably foreseeable risks at a site. It is impossible to plan for every eventuality, but a good security plan should enable sites to respond to most types of incident. 

Organisations manage risk in a wide variety of ways and security often best fits with whatever risk structures or systems are being used in the rest of the organisation. This allows proper consideration of security risk over time and allows the organisation to establish its tolerance to security risks. This is very important as there are often inconsistencies in approach, and individual understanding of security risks can vary significantly. 

In addition, security risks can change rapidly and dramatically requiring a considered, proportionate and timely response. This can be a complicated area of work. The NPSA Protective Security Risk Management Model and ProtectUK Risk Assessment Guidance are useful sources of advice. 

When completing the risk assessment it is important to ensure that sufficient detail is captured to allow a robust and broadly applicable security plan to be developed allowing:

  • senior decision makers to make informed judgements on risk appetite and resource allocation
  • practitioners and stakeholders to develop and implement appropriate risk mitigation plans
  • timely review when required both periodically and in the response to threats/incidents or exercises
  • effective audit of decision making.

Principles

A SSP is a documented systematic set of policies and procedures to achieve security outcomes that protect and mitigate harm or loss. It may consist of several different documents, or systems that together set out the way in which security risks will be managed. An effective security plan is one which demonstrates alignment with all the following principles (not in priority order): 

Ownership  
The plan should be owned by the person ultimately accountable and responsible for security of assets and people in the host organisation. Clear leadership and continuing senior engagement with the plan will ensure it fits with wider organisational objectives, adapts in good time to any changes in threat or circumstances, and is sufficiently resourced.  

Fit with the organisation  
The SSP should be based internally on collaboration between all relevant functions in an organisation, complement operations, and support other plans such as: safety, disaster recovery, continuity of operations etc. and externally with partners, neighbours, sub-contractors etc. 

Risk based
The plan is based on a site-specific risk assessment (Threat/Vulnerabilities & Likelihood) – a competent Site Risk Assessment is the critical first step in the security planning process and will highlight particular areas of vulnerability. The tolerance of the organisation to the identified risks will need to be determined (by a workshop for example) and this will then ensure that a proportionate SSP is in place which is agreed across the organisation.

Clearly communicated  
Well documented and widely understood operational processes using clear, concise and familiar language are essential elements of the planning process. The completed plan should be communicated to everyone who has a role in its delivery (including contractors, public bodies or partner organisations where relevant). Finally, the signed-off plan should be made easily available for both changes and reference during an incident.

Deliverable 
The plan must be capable of being delivered with the resource allocated to it.  

Adaptable
It is regularly reviewed (at least annually or whenever conditions change) and capable of adaptation should the threat or environmental factors change (e.g. a change to the national threat level).  

Assured
In terms of delivery, the plan is operationally assured through effective supervision, appropriate testing & exercising and the established governance processes of the organisation, which may include formal audits or accreditations such as ISO for example.

Coordination

Internally
Co-ordinating security planning with all other relevant functions in an organisation (Health & Safety, HR and Operational activities etc.) is vital to achieve best effect, allowing all the resources in the organisation to make an appropriate contribution to overall security. It will also:

  • Support the broader resilience of the organisation and its response to any significant incident or challenge. This allows an all-hazards approach to incident management and multi-functional responses.
  • Encourage coordination with IT Security. This is particularly important as IT can both generate complex direct and indirect risks/vulnerabilities but when properly integrated with protective security can amplify the effectiveness of both regimes.  
  • Enable close working relationships with business operations. This minimises the impact of security activities on day-to-day business, resulting in potential cost savings.

Externally
There are a number of ways in which understanding the external environment could impact security planning both positively and negatively:

  • Emergency service response may be a significant factor in some cases.
  • Being aware of the wider operating environment of the organisation can help identify threats early, identify system vulnerabilities and reduce risk.
  • Working with partners/neighbours can de-conflict plans, drive down vulnerabilities, improve cost effectiveness, and maximise effective security especially where there are overlapping security regimes in place (e.g. A campus environment).
  • Many security operations require a range of suppliers and contractors who may introduce less obvious but equally important vulnerabilities (such as technical failures or operational problems) that can seriously affect performance. Understanding supply chain vulnerability is increasingly important in modern security regimes.


Internal/External Coordination

Contracted Security

Many organisations contract private security companies (PSC) [1] to provide security at their sites, and it is vital that their security demand is well understood and serviced by appropriate and resilient supply [2]. This may extend from provision of security guards to the production of all relevant security documentation (including Site Security Plans). There are a wide range of business arrangements in place but in most cases the site operators and the private security supplier have to work closely together. The contractual relationship between site operator and PSC can be delivered in a number of ways, and the following considerations will assist a positive and effective security relationship.

Any contract with a PSC should complement and be informed by the Site Security Risk Assessment (as well as any defined risk appetite) and related operational considerations. The ultimate responsibility and accountability for managing site security almost always lies with the site operator, and it follows that the site operator needs to assure itself that the PSC contract and performance is properly reviewed, audited and assured using a suite of key performance indicators or a service level agreement.

  • The contract should preferably be based on the level of security capability (including training status, supervision etc.) required rather than the level of resource (e.g. number of guards).
  • Particular attention is required in terms of the relationship between PSC and the site operator when responding to an incident, which can often be an area of difficulty.
  • The interface between site operators and PSC should be the subject of regular tests and exercises, also defined in the contract.
  • The contract should also ensure that security officers employed are properly trained and familiar with the site.

[1] https://www.npsa.gov.uk/security-contractor-guidance-events

[2] https://www.npsa.gov.uk/protected-procurement

Integration

All elements of security (and their supporting systems) need to be operationally integrated to ensure they work effectively. This is often an area which causes problems due to its complexity, inter-dependencies and potential lack of visibility. There are three areas where integration may be needed:

  • Processes and procedures – e.g. building pass issue, or where HR or Supplier Management functions may need to provide data on a regular basis, such as staff movements over time (Joiners/Movers/Leavers).
  • Operational elements – e.g. managing deliveries or waste collections.
  • Technical integration – security systems usually require specific expertise to ensure their effectiveness when working together, e.g. managing the response to an alarm using CCTV. This can be a complex area with the potential for additional and sometimes unforeseen vulnerabilities (e.g. where the integration between organisational policies and security policies hasn’t been considered, exercised and reviewed). It can be very helpful to run simple operational scenarios with all organisational functions involved (walkthroughs or exercises), to identify the issues and ensure effective integration.

Site Security Plan

Taking the time to develop a coherent, holistic, risk based and proportionate security strategy, supported by effective governance structures, is essential to the creation of an effective SSP. 

What follows are the main constituent elements of a Site Security Plan. Given the significant diversity of templates, site requirements and locations, not all elements may be applicable to every site.  

It is suggested that a description of the site or area that is covered by the plan should be set out in a section of its own. 

The Site Security Risk Assessment should be used as the basis for the creation of the Plan, held in a separate document and subject to its own review process. This is primarily because of the sensitivity of the information contained therein. The allocation of security resource should reflect the risk assessment and the risk appetite of the organisation concerned.

  1. Leadership & Governance
  2. People Security
  3. Physical Security
  4. Operational Response
  5. Information Security

Figure: Five core elements of holistic security planning (Leadership & Governance, Response Planning, Physical Security, Personnel Security, Information Security).
