BS 8549-2016 Security consultancy Code of practice.pdf

Uploaded by: confusegate185 | Document ID: 547486 | Uploaded: 2018-12-09 | Format: PDF | Pages: 18 | Size: 295.44 KB
Document description

BS 8549:2016

Security consultancy Code of practice

BSI Standards Publication

Publishing and copyright information

The BSI copyright notice displayed in this document indicates when the document was last issued.

© The British Standards Institution 2016

Published by BSI Standards Limited 2016

ISBN 978 0 580 90715 9

ICS 03.080.20; 13.310

The following BSI references relate to the work on this document:
Committee reference GW/3/-/26
Draft for comment 16/30326057 DC

Publication history
First published, November 2006
Second (present) edition, August 2016

Amendments issued since publication
Date | Text affected

BS 8549:2016 BRITISH STANDARD

Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 The consultancy
5 Personnel
6 Consultancy service
7 Implementation, verification and testing
Annexes
Annex A (informative) Example code of conduct
Bibliography

Summary of pages
This document comprises a front cover, an inside front cover, pages i to ii, pages 1 to 12, an inside back cover and a back cover.

Foreword

Publishing information

This British Standard is published by BSI Standards Limited, under licence from The British Standards Institution, and came into effect on 31 August 2016. It was prepared by Subcommittee GW/3/-/26, Security Consultancy, under the authority of Technical Committee GW/3, Private Security Management implementation, verification and testing; the addition of Annex A, Example code of conduct.

As a code of practice, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification and particular care should be taken to ensure that claims of compliance are not misleading.

Any user claiming compliance with this British Standard is expected to be able to justify any course of action that deviates from its recommendations.

Presentational conventions

The provisions of this standard are presented in roman (i.e. upright) type. Its recommendations are expressed in sentences in which the principal auxiliary verb is “should”.

Commentary, explanation and general informative material is presented in smaller italic type, and does not constitute a normative element.

Requirements in this standard are drafted in accordance with Rules for the structure and drafting of UK standards, subclause J.1.1, which states, “Requirements should be expressed using wording such as: When tested as described in Annex A, the product shall .”. This means that only those products that are capable of passing the specified test will be deemed to conform to this standard.

Contractual and legal considerations

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

1 Scope

This British Standard gives recommendations for the management, resourcing and operation for the provision of contracted security consultancy services.

NOTE 1 The services offered by a security consultancy might include, but are not limited to:
a) assessing and identifying security risks to the customer's organization;
b) advising on the adequacy of resilience, existing procedures, defences and processes and outlining areas of possible improvement;
c) development and maintenance of policies and plans etc.;
d) strategic planning;
e) crisis management;
f) budget management;
g) providing training to the customer's members of staff;
h) pre-employment screening;
i) workplace investigation, see also BS 102000;
j) asset and lone worker tracking;
k) acting as an expert witness in court cases (civil and criminal); and
l) compliance management.

This British Standard also assists procurers wishing to contract such services to ensure the service fits the end user requirements and risk profile.

NOTE 2 Security consultancy services can be provided by any legally defined trading style, e.g. self-employed, a sole trader, a partnership, a limited liability partnership or an incorporated company.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

BS 7858, Security screening of individuals employed in a security environment Code of practice

3 Terms and definitions

For the purposes of this British Standard the following terms and definitions apply.

3.1 customer
individual(s), public or corporate body retaining the services of a consultancy

3.2 deliverable
measurable and tangible outcome of the project as agreed with the customer

3.3 milestone
checkpoint within the life of the project identifying when one or multiple groups of activities have been completed

3.4 operational centre
centre where activities of a business, organization, etc. are administrated and take place
NOTE This can be physical or virtual.

3.5 scope of work
document detailing specific contractual services

3.6 security consultancy
individual or organization that is the prime provider of contracted services
NOTE This definition also applies to a security consultant acting in a self-employed capacity, a sole trader, a partnership, limited liability partnership or an incorporated company.

3.7 security consultant
individual giving advice with regard to:
a) security policies, processes and procedures in relation to any risk to property, people or other tangible/intangible assets; or
b) the use of any services involving the activities of security operatives

3.8 security operative
individual or company that performs activities relating to the provision of security services

3.9 supplier
individual or company (and the persons employed, including all levels of subcontractor, by that individual or company) that provides the consultancy with information, equipment and/or labour which is used in providing the service to the customer

3.10 technical expert
individual who provides specific knowledge or expertise for the fulfilment of the contract

4 The consultancy

4.1 Code of conduct

The consultancy should produce a code of conduct which sets out its approach to services, by which it abides and which is available to the customer.

The code of conduct should cover, but not be limited to, the consultancy's values, obligations, duties, practices and compliance.

In particular, the code of conduct should include:
a) responsibility and accountability;
b) honesty and integrity;
c) conflicts of interest;
d) compliance with the law;
e) authority, respect and courtesy;
f) equality;
g) confidentiality;
h) general conduct; and
i) challenging and reporting improper conduct.

NOTE 1 An example code of conduct is given in Annex A.

NOTE 2 Attention is drawn to the Data Protection Act 1998 [1].

4.2 Structure

The consultancy should have a clearly defined management structure showing control and accountability at each level of operation.

Details of the consultancy owner should be made available. Any relevant unspent criminal convictions, business failures or liquidations, or undischarged bankruptcy of the owner should be disclosed on request.

NOTE Attention is drawn to the Rehabilitation of Offenders Act 1974, as amended [2], whose provisions, if applicable, govern such disclosure.

Details of the consultant(s) responsible for the delivery of the contracted services should be established and their curriculum vitae and details of experience made available to customers on request.

4.3 Subcontractors

Where the customer permits the use of subcontractors, they should be required to comply with the consultancy's code of conduct, see 4.1.

4.4 Finances

The consultancy should act with financial probity and have in place the resources and financial controls to provide the contracted services.

Supplier and subcontractor fees should be paid promptly and within contracted timescales.

4.5 Insurance

The consultancy should possess all necessary insurance cover commensurate with the contracted services provided and the number of persons employed, e.g. professional indemnity, public liability, efficacy liability, employers' liability, which should be made available on request.

4.6 Administrative office and/or operational centre

The consultancy should have an administrative office(s) and/or operational centre(s) where records, professional and business documents, certificates, correspondence, files and other documents necessary for conducting business transactions are held in accordance with 4.7.

4.7 Documented information

Separate records (hardcopy or electronic) maintained for each customer, employee, sub-contractor and supplier should be held in an accessible and secure manner and retained for an agreed period after which they should be securely destroyed. Where no requirement for the period of retention of documents exists, records should be kept for a minimum of 12 months from cessation of contract, after which they should be securely destroyed. Amended and/or updated records should be identifiable by date and clearly distinguishable from previous versions.

NOTE 1 Attention is drawn to the Data Protection Act 1998 [1] and associated guidance note.

NOTE 2 Attention is also drawn to the fact that certain records have a statutory minimum retention period and/or are covered by other Acts.

4.8 Information backup

Backup copies of information, software and system images should be taken and regularly tested in accordance with company policy.

Copies should be securely stored separately in a different location or, if not possible, in a different fire zone within the same location.

NOTE Attention is drawn to BS ISO/IEC 27001.

4.9 Complaints management

The consultancy should operate a complaints management system.

NOTE Further guidance on complaints management is given in BS ISO 10002.

5 Personnel

COMMENTARY ON CLAUSE 5
A nationally recognized body or agency could undertake the personnel processes and validations outlined in this clause on behalf of the consultancy.

5.1 Selection and security screening

All personnel who have access to information and/or property of the customer or the consultancy should be screened in accordance with BS 7858 and be bound by an agreement to keep confidential such information indefinitely, unless otherwise authorized in writing.

NOTE Higher levels of security screening might be required as appropriate to the contracted services.

The consultancy service provider should ensure that all personnel are obliged to declare immediately any changes to the information obtained during the selection process.

5.2 Disciplinary code

All personnel should be instructed that the following (including the aiding and abetting of others) could constitute a breach of the terms and conditions of engagement:
a) neglecting to complete a required task at work promptly and diligently, without sufficient cause;
b) leaving a place of work without permission, or without sufficient cause;
c) making or signing any false statements, of any description;
d) destroying, altering or erasing documents, records or electronic data without permission or through negligence;
e) divulging matters confidential to the organization or customer, either past or present, without permission;
f) soliciting or receipt of gratuities or other consideration from any person;
g) failure to account for keys, money, information or property received in connection with business;
h) incivility to persons encountered in the course of duties, or misuse of authority in connection with business;
i) conduct in a manner likely to bring discredit to the organization, customer or a fellow employee;
j) use of uniform, equipment or identification without permission;
k) reporting for duty under the influence of alcohol or restricted drugs, or use of these whilst on duty;
l) failure to notify the employer immediately of any:
   1) conviction for a criminal and/or motoring offence;
   2) indictment for any offence;
   3) police caution;
   4) legal summons;
   5) refusal, suspension or withdrawal (revocation) of a licence.
   NOTE 1 An example of such a licence would be a Security Industry Authority (SIA) licence. For definitions see the SIA website, http://www.sia.homeoffice.gov.uk/Pages/home.aspx.
m) permitting unauthorized access to a customer's premises;
n) carrying of equipment not issued as essential to an employee's duties, or use of a customer's equipment or facilities without permission; and
o) not maintaining agreed standards of appearance and deportment whilst at work.

NOTE 2 This list is not exhaustive and does not necessarily include all actions within a company policy that could or could not constitute criminal offences.

5.3 Identification

Persons who have been screened in accordance with 5.1 should be issued with an identity card incorporating, as a minimum, the following information:
a) the name, address and telephone number of the consultancy;
b) the name, job title and signature of the holder;
c) the expiry date of the card (not more than three years from the date of issue); and
d) a current photograph of the holder.

Identity cards should be presented to the customer on request.

Old or out of date identity cards should be formally withdrawn from persons renewing their cards. Cards should be returned when an employee leaves the employment of the consultancy, and destroyed in a secure manner.

A record of identity cards issued should be maintained. This record should also indicate the status and location of withdrawn cards, e.g. whether they have been destroyed or lost, or where they are held by the employee/organization.

5.4 Training

5.4.1 General

The consultancy should have a clearly defined and documented training policy and should ensure that the training outlined in 5.4.2, 5.4.3 and 5.4.4 is given as a minimum.

5.4.2 Induction

The consultancy should provide induction training in matters relating to its conditions of employment, structure and procedures for all employees. This induction training should be additional to the competence recommendations in 5.4.3.

5.4.3 Competence

Security consultants should be able to demonstrate that they have undergone training on the main aspects of security consultancy which could include, where relevant:
a) threat and risk assessment;
b) security audits, surveys and reviews;
c) security strategy, management, policy and procedures;
d) crisis management and business continuity planning;
e) physical security;
f) electronic security systems;
g) manned guarding;
h) IT and information security;
i) health and safety;
j) construction design and management regulations (CDM);
k) fire safety;
l) investigative practice;
m) human rights;
n) civil and crimi
