Control room risks

by Mark Rowe

Many security companies are now using outsourced control room facilities. Most use a company that is assessed by one of the five SIA-approved assessing bodies: BSI, NSI, SSAIB, CCAS, and ISOQAR. However, some are using control rooms which are not assessed by an SIA or UKAS approved body, and therefore there are significant security risks, writes Derrick Willer.

Those risks are:

– the service is not independent, eg the supplier also provides manned guarding services,
– their control room does not conform to the security requirements for the building,
– their procedures do not conform to BS 7499,
– they do not conform to the security screening requirements, BS 7858, eg they cannot prove that they do not employ criminals,
– there is a risk of divulging sensitive information by their unscreened employees,
– their software and computer systems are insecure,
– they are not in the EEA (EEC) and hold or have access to personal data contrary to the ICO Data Protection Act.

This becomes especially relevant with the proposed SIA Business Licencing regulations. You will be required to be assessed by a UKAS approved assessing body to the relevant British Standards, viz BS7499, BS7858, BS7984, etc.

Unless you hold an SIA Business Licence you may not trade as a security company after April 1, 2015, the currently proposed cut-off date. Visit www.sia.homeoffice.gov.uk and click “Business Licencing”.

There are few assessed independent control room service suppliers which conform to the relevant British Standard, ISO9001, BS7499, BS7858, BS7984, etc. You can find them at http://www.nsi.org.uk. Other certification bodies accredited by UKAS for the relevant standards may also certify other companies in future.

To use an un-assessed supplier, your company must ensure that the service conforms with BS7499 and BS7858. You can do this in three ways:

– ensure that the supplier gains certification by an approved body,
– carry out full audits of the company yourselves to confirm that they conform (somewhat difficult if the supplier is not in the UK),
– engage the services of a qualified sub-contract auditor to carry out this service on your behalf.

Where the supplier is outside the EEA, or personnel outside the EEA routinely access personal data, eg the Controllers, the rules of the ICO must be followed. At this time only seven countries outside the EEA plus the USA are judged by the ICO as providing adequate safeguards. No other non-EEA countries currently conform. Guidance can be obtained from the ICO on how to conform; see http://ico.org.uk/ and search for “International Transfers”.

Whilst your own and sub-contract internal auditors, with appropriate training, will have little difficulty in auditing UK based companies, auditing those based abroad will also incur considerable expense.

As an auditor with some 25 years' experience of the security industry, I would love to be paid to go abroad to conduct an audit, but, obviously, the UK is cheaper! My advice is clear: use an independent control room service accredited by a UKAS-authorised assessing body, and you will save money in the long run.

Also, the Business Licencing programme was published by the SIA last year and there has not been any change to the proposed cut-off date. So start now to avoid disappointment. I forecast that there will be a last-minute rush to obtain a business licence and also that there will be insufficient UKAS accredited assessing resources to cope, risking the future of your business.

About the author

Derrick Willer is a Director of Cavendish, based in the West Midlands, and has worked in the UK and abroad in Europe, Asia and the Far East. Visit www.cavendishsecurity.com and www.cavendishconsultants.com.

© 2024 Professional Security Magazine. All rights reserved.