Protecting your business's assets

Protect your assets - people, buildings and information - by identifying and managing the risks and addressing your security and resilience needs.

This guidance was withdrawn on

When considering how to protect your business and its assets, you need to identify the threats and your vulnerabilities.

You’ll need to decide what:

  • security improvements to make
  • type of security and contingency plans to develop

For companies, simple good risk management practice (including vigilance and contingency arrangements) may be all that is needed. Others may feel more vulnerable to attack and so should apply protective security measures to reduce the risk.

Risk assessment

Your risk assessment will determine which measures you should adopt. You will need to thoroughly assess the options, otherwise you might invest in equipment that is ineffective, unnecessary and expensive.

Meet with your local police force at the start of the assessment process. As well as advising you on physical security, they can direct you to professional bodies that regulate and oversee reputable suppliers.

Remember to ensure that all necessary regulations are met, such as local planning permission, building consents, health and safety and fire prevention requirements.

By planning carefully, you can keep costs down. For example, it may be more economical to introduce new changes at the same time as building or refurbishment work.

Security planning

Effective security plans are simple, clear and flexible, but also compatible with existing plans, such as evacuation plans and fire safety strategies. Plans need to be reviewed and tested regularly.

Everyone must be clear about what they need to do in response to a particular incident.

You must consider:

  • details of all the protective security measures that could be implemented, covering physical, information and personnel security
  • instructions on how to respond to a threat (such as a telephoned bomb threat) or the discovery of a suspicious item or event
  • a search plan
  • evacuation plans and details on securing your premises in the event of a full evacuation
  • your business continuity plan
  • a communications and media strategy, which includes handling enquiries from concerned family and friends.

You should read the advice contained in the fire safety risk assessment documents ‘small and medium places of assembly’ and ‘large places of assembly’.

Any security plan should include these core instructions:

  • do not touch suspicious items
  • move everyone away to a safe distance
  • prevent others from approaching
  • communicate to staff, visitors and the public
  • stay away from the immediate vicinity of a suspect item, out of the line of sight and behind hard cover
  • notify the police
  • ensure that whoever found the item or witnessed the incident remains on hand to brief the police.

Business security

The person responsible for security must have sufficient authority to direct action during and after a security threat.
This person will need to:

  • formulate and maintain contingency plans dealing with bomb threats, suspect items and evacuation
  • liaise with the police, other emergency services and local authorities
  • formulate and maintain a search plan
  • arrange staff training, including his or her own deputies and conducting briefings and debriefings
  • conduct regular reviews of these plans

He or she must be involved in the planning of the site’s exterior security and access controls, as well as any new building or renovation work, so that appropriate security specifications (such as glazing and physical barriers) can be factored in.


Staff must be aware of security measures and their part in making them work. The vigilance of all staff (including cleaning, maintenance and contract staff) is essential.

They must have the confidence to report anything suspicious, knowing that all reports will be taken seriously and regarded as contributions to the safe running of the premises.

Staff should be briefed to look out for:

  • unusual packages, bags or other items in odd places
  • people showing unusual interest in sensitive, important or less accessible areas

All staff should be trained in bomb threat-handling procedures or have ready access to instructions, such as the bomb threat checklist in the appendix of the ‘Counter terrorism protective security advice for shopping centres’ guidance.

Counter-terrorism security advisers

The responsible person should establish contact with their local CTSA.

A CTSA can:

  • help assess the threat, both generally and specifically
  • give advice on physical security equipment
  • arrange contact with emergency services and local authority planners to develop response and contingency plans
  • identify trade bodies for the supply and installation of security equipment
  • offer advice on search plans

If a CTSA identifies any security vulnerabilities, he or she can alert the appropriate authorities (for example, the emergency services) that an inspection is necessary. If the situation is not remedied, there may be penalties.

Good housekeeping

Good housekeeping has a wide-ranging impact. On a practical or daily level, it might mean the use of clear plastic bags for waste disposal, or instituting a procedure for checking the registration of contractors’ vehicles. On another level this might mean ensuring an organisation’s security system has an uninterruptible and regularly tested power supply.

Other points to consider:

  • avoiding the use of litter bins or at least reviewing the type used (for example, the size of their openings and their blast mitigation capabilities) and their location (for example, not placed near glazing)
  • keeping public and communal areas clean and tidy (the same for service corridors, yards, fence lines and boundaries )
  • keeping furniture to an operational minimum, to inhibit hiding devices
  • locking unoccupied offices, rooms and store cupboards
  • placing tamper-proof plastic seals on maintenance hatches
  • pruning all vegetation and trees, especially near entrances, fence lines and boundaries to help surveillance

All equipment, whether IT systems or fire extinguishers, needs to be regularly checked and monitored for interference.

Building access

A terrorist needs physical access in order to reach the intended target. You need to decide on the level of security you require before planning your access control system. You will need to find a balance between business needs and effective security.

Access control systems are often the first point of challenge; they represent the boundaries between private and public areas. You must ensure your access control system complies with the relevant legislation.

You will also need to consider what would happen if the system broke down. Is there a system maintenance agreement in place? Your installer should provide both system training and documentation, such as log books, audit controls and service schedules.


CCTV can help clarify whether a security alert is real, can help you decide on the appropriate response and is often vital in any post-incident investigation.

These documents below provide checklists and guidance on what you must consider, such as:

  • cost of installation and maintenance
  • areas to be monitored
  • lighting
  • postitioning of the camera
  • transmission of the images from the camera to screen
  • recording, replaying and copying of images
  • changing and storing of recording media
  • monitoring of images and responding to incidents
  • security of the system
  • regular maintenance and inspections
  • registration with the Information Commissioner under the Data Protection Act

Useful documents:


Suspicious items may be delivered to your premises, these may come in a variety of shapes and sizes. Your local CTSA will be able to provide advice on risk assessment and the precautions you need to take. More information is in PAS97:2015 a specification for mail screening and security on the CPNI website.

Personnel security

Some external threats, whether from criminals, terrorists, or competitors seeking a business advantage, may rely upon the cooperation of an ‘insider’. This could be an employee, a contractor or an agency staff member (for example, cleaner, caterer, security guard) who has authorised access to your premises.

Personnel security policies and procedures limit the risk of staff or contractors exploiting their legitimate access to an organisation’s assets or premises for unauthorised purposes. These purposes can cover many forms of criminal activity, from minor theft through to terrorism.

Pre-employment screening establishes whether an applicant has concealed important information or otherwise misrepresented him or herself. Screening ensures they meet the preconditions of employment (such as if an individual is legally permitted to take up an offer of employment). For more information, see ‘Pre-employment screening’ on the CPNI website.

Further information is available:

Updates to this page

Published 24 November 2014

Sign up for emails or print this page