Certified Security Management Professional
Level 6 Organisation Diploma (CSMP)
Unit 3
Managing the Security Function

The International Security Management Institute
Poplar Cottage, 6 Village Street
Harvington, Evesham
Worcestershire, WR11 8NQ
United Kingdom
Email: [email protected]
+44 207 206 1207
+44 1386 66 11 70

© Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part,
uploading or webhosting permitted. V1.2.2 (0822)
Module 3 – Managing the Security Function

About ISMI
The International Security Management Institute (ISMI) provides low-cost, high-quality distance-learning education and certification in security management. Programmes are accredited by lead
ISMI is managed by a core team of professional security management education specialists, and is
supported by a large team of practitioners who make up the Professional Assessment Board (PAB).
Members of the PAB are full-time security managers and consultants, which ensures that course
materials remain up to date and relevant.
The Certified Security Management Professional (CSMP) Level 6 Organisation Diploma is the flagship
of ISMI. The designation CSMP ensures that the holder has evidenced through rigorous continued
assessment the ability to manage and advise on security management at an advanced level.
This work is protected under international copyright law. Unauthorised use, copying, sale or
sharing of this document is strictly forbidden without the express permission of the
International Security Management Institute (ISMI) and ISMI Certification Ltd. In the event
of breach of these terms, ISMI Certification Ltd reserves the right to take legal action to seek
damages against parties involved.

About the CSMP Certification
The Certified Security Management Professional (CSMP) is a 12-unit programme designed to take you
progressively through the essentials of managing security in a corporate environment. Upon
completion of each unit you will be required to submit a short assignment, based on the questions
that follow each unit.
The programme is designed to be undertaken one unit each study month (4 weeks) in the following
Unit 1: Security Risk Analysis
Unit 2: Crime Prevention
Unit 3: Managing the Security Function
Unit 4: Leadership and Management Core Skills
Unit 5: Security Design, Evaluation and Surveying
Unit 6: Perimeter Protection
Unit 7: Protecting Buildings
Unit 8: Access Management
Unit 9: Video Surveillance (CCTV)
Unit 10: Facility Counterterrorism
Unit 11: Protection of Information
Unit 12: Protection of at-Risk Personnel
The CSMP certification is designed for existing security managers seeking to build on and formalise
their professional knowledge and also for those who aspire to becoming security management
The units are set out in such a way as to be conducive to self-study.

CSMP Programme Study Instructions
The following study instructions are binding under the Study Programme Terms and Conditions and
form part of the contract between ISMI Certification Ltd and the learner.
1. Coaching and Cohorts – You are allocated to a cohort of students to complete your CSMP
under the guidance of a coach. The programme will take twelve months to complete. You
will have continuous access to your coach in case you need further explanation of any of the
Unit text or concepts.
2. The Monthly Unit – Each month you will receive, as a pdf document emailed to the address
you provide at the time of registration, a detailed unit comprising the reading text and
assignment instructions for that month. Each monthly unit addresses a different security
management subject. You will be assessed at the end of each month on the answers you
submit to each assignment. You are to first read the notes in detail, then submit written
answers to the assignment tasks in accordance with the specific task instructions.
3. The Monthly Written Assignment – Upon completion of the reading task, you are then
required to undertake specific written tasks, which you will submit for assessment by the
respective deadline. There will be no submission reminder sent. You should always ask for a
read receipt for your submission. If you miss the deadline this will be regarded as a unit fail.
4. The Monthly Written Assignment: Your Undertaking – As a condition of participating in this
programme, you undertake to read the notes in detail before completing the assignment
tasks. Only by a thorough first reading of the text can a complete assignment task answer be
produced. If you try to shortcut and go straight to the assignment tasks and then try to find
the answers in the text you will fail to achieve the objectives of the programme and your
answers will likely fail to reach the required standard for a pass. Moreover, this is a
contravention of the conditions of the award, and may lead to unsatisfactory answers that
result in a fail grade. If the answers consistently indicate that you are failing to read the text
before completing the assignment tasks ISMI may write advising you that failure to read the
unit is a contravention of the Study Programme Instructions and you may be in violation of
the conditions of the award.
5. The Monthly Written Assignment: Achieving a Pass Grade – You must complete EVERY task
correctly in each assignment to the specified minimum word count. Incomplete submissions
will result in a fail grade. ISMI will be looking for a high level of detail in your answer,
demonstrating a clear understanding of the subject. Marking criteria are strict, and you will be
required to evidence competent unit application in answers to every question. Submissions
that fail to do this will be marked as a referral, and you will be given the opportunity to
resubmit once.

6. The Monthly Written Assignment: Failure to Pass – If you fail to complete the tasks to pass
standard you will not be eligible for the award. If, for reasons beyond your control, you are
unable to maintain the pace of the programme, you will be given one chance to defer to a
place on the next available programme in accordance with the published Study Programme
Terms and Conditions.
7. Academic Discipline and Misconduct – The work you submit must be your own. If you copy a
submission or collude with another candidate to produce identical or partially identical
submissions, this will be regarded as academic misconduct with fraudulent intent to achieve
the CSMP and you will be removed from the programme. If company sponsored, your
company may be informed. Under such circumstances no refund is available.
8. Cancellation – Once you have begun the programme no refund is available (subject to your
statutory rights under English Law – see Study Programme Terms and Conditions) and it is
your personal responsibility to ensure that you submit the tasks by their respective deadlines.
9. Submission of Assignments – Your submissions should always be submitted by email to
[email protected]. Due to the vagaries of email communication you should always ask
for a receipt with each submission. If you do not receive a receipt, you should call ISMI to
ensure your submission has been received. If you do not do this ISMI Certification Ltd cannot
be held liable for submissions you may have sent but which have not been received.
10. The ISMI Security Management Body of Knowledge – Over the period of the study year, the
monthly units will build up into the ISMI Security Management Body of Knowledge – over 800
pages of best practice in security management with a quick reference guide. You will also
have access to additional web-based resources.

Unit 3 – Contents
About this Unit
Introduction
Proactive and Reactive Security
Security Management Basics
Aligning the Security Management Programme
Security Programme Design
Establishing Security Programme Goals
Statements of Security Policy
The Security Mission Statement
Procedures
Assignment Instructions (SOPs)
Security Awareness
Baseline Security Standards
The Security Plan
Security Alert and Operating Levels
Security Department Overview
Management Structure
The Chief Security Officer Concept
The Security Manager
– Professionalism
– Image
– Positioning
– Education
– Relationships
The Security Focal Point
– Branch Security Representatives
Hiring Security Professionals
– CVs (Resumes) and Application Forms
– Background Screening
– Testing for Employment Suitability
– Job Descriptions
– Person Specifications
Front-Line Security Operatives (Officers and Supervisors)
– Essential Qualities of Front-Line Security Operatives
Security Supervisors
Security Officers
– Typical Security Officer Duties
– Conduct of Security Officers When on Duty
– Security Officer Training
– Selecting Individual Security Officers
Contracting Guarding Services
– The Procurement Process
Bibliography and References for Additional Study

About this Unit
Unit Purpose
Unit 3 explores the core concepts in managing yourself – the security manager, in establishing and
managing a security programme, resourcing a security department and how to manage security
Unit Outcomes and Assessment Criteria

Unit Outcome 3.1: Be able to develop security policy, programmes and standards.
Assessment Criteria:
a. Create security policy, programmes and
b. Generate procedures derived from security policy.

Unit Outcome 3.2: Be able to recruit and retain security
Assessment Criteria:
a. Create background screening programmes in accordance with good practice and standards.
b. Devise tools for job analysis and personnel specification.
c. Critically evaluate methods of job suitability testing.

Unit Outcome 3.3: Be able to recruit, manage and develop security personnel.
Assessment Criteria:
a. Develop programmes to enhance the skills and abilities of front-line security
b. Critically analyse the reasons for the shortcomings in supervisory
c. Construct processes to develop leadership potential.

The assessment questions in the Unit Workbook will be based directly on the above assessment

Introduction
Security literally means a state of well-being, freedom from harm, or freedom from danger. The word
is derived from Latin secura, formed from the prefix se- (without) and cura (care). It is important to
be mindful of the above when designing a security programme. All too easily, we can slip into a
mindset that reinforces the preconceptions of some workforces that security is about restrictions,
curtailing freedoms, controls and obstacles, none of which are conducive to healthy business growth.
The wise security manager is one who will carefully craft the security programme to become a business
Another misconception about security amongst employees is that it is about “guards, gates and guns”.
Some security managers do little to dispel this perception as it may be suited to their comfort zone,
or it may be what they practiced in a previous career. That, however, is physical security at its most
basic – in effect, the guarding function of security. A more contemporary, business-focused security
programme will view security as more a state of mind, or a state of well-being, implying that for an
organisation to operate securely every member of the organisation should be actively engaged in the
programme. This was succinctly expressed thousands of years ago by ancient Greek philosopher
Thucydides who wrote:
The security of the city depends less on the strength of its fortifications than on the
state of mind of its inhabitants
In summary, security must:

a. Support the business in enabling it, not restricting it.
b. Have the active buy-in of staff, who are encouraged to feel they are part of the
security programme.

There is a third point to make at the outset also. The wise security manager will take a strategic view
of organisational resilience and will be looking for ways to add value. Security management shares a
very close relationship with emergency management, crisis management and business continuity, and
these are all areas of resilience building that provide opportunities for the security manager to add
value to his/her service. Failure to add value to the security function may exacerbate the speed of
cutbacks and contractions, especially at a time when cyber-security and cyber-crime are placing an
ever stronger pull on the security budget. Perhaps one of the biggest changes to the traditional
security management function in the coming years will be a much stronger move towards outsourcing.

Proactive and Reactive Security
Security duties can be divided into preventive
and reactive measures. Preventive measures are
those which are proactive in nature, designed to
deter deviant activity.
First and foremost, security is about relationship
building. The ASIS Chief Security Officer
Standard (ASIS, 2008) identifies the management
of effective relationships as a core responsibility
for effective security management. In fact, the
value of a security programme is often based
more on the quality of internal and external
relationships than on physical security measures.
The subject of
relationships is discussed in
greater detail later in this unit on Page 38.
An obvious irony is that when preventive
measures work very well it is sometimes difficult
to demonstrate return on investment.
Preventive measures may be “sold” to
management in the context of their creating organisational resilience. Good preventive measures
help to reduce the frequency and intensity of crisis events. This is especially important in enterprises
with limited redundancy.
With specific regard to proactive security, the ASIS Chief Security Officer Guideline notes:
“Today’s business risk environments have become increasingly more severe, complex, and
interdependent, both domestically and globally. The effective management of these
environments is a fundamental requirement of business. Boards of Directors, shareholders,
key stakeholders, and the public correctly expect organizations to identify and anticipate
areas of risk and set in place a cohesive strategy across all functions to mitigate or reduce
those risks. In addition, there is an expectation that management will respond in a highly
effective manner to those events and incidents that threaten the assets of the organization.
A proactive strategy for mitigation of the risk of loss ultimately provides a positive impact
to profitability and is an organizational governance responsibility of senior management
and governing boards.”
(ASIS International, 2008)
Typical Issues to Be Addressed by the Security Management Programme
Security risk analysis; security strategy planning; security project management; security
awareness programmes; security systems management; executive protection and journey
management; logistics and supply chain security; internal crimes and investigations; fraud and
ethical violations; employee background screening; IT crimes and information theft or leakage;
trespass, site invasion or occupation; industrial unrest; burglary and other theft; protest group
activity; unethical conduct; violations of human rights; drug and alcohol misuse; criminal
damage; sabotage; terrorism; extortion; kidnap; counterfeiting; due diligence; product
diversion; malicious product contamination; organised crime; conflicts of interest; vehicle
hijacking; looting
Reactive measures include detection of crime, investigations, dealing with offenders, closing security
vulnerabilities after an event etc. While reactive measures can more accurately provide a
demonstrable measure of effectiveness of the security programme, it should be appreciated that
when an incident occurs it has an associated cost. A good security programme will utilise both
proactive and reactive measures, and as a security manager, you should be able to explain the benefits
of both approaches to management.
Another means to manage security risk is through insurance. Insurance doesn’t stop an event from
happening, nor can it detect who may be responsible, but it may provide a cushion to lessen the impact
of an adverse event. Often, security measures and insurance are deployed in tandem.
Security Management Basics
It is important that enterprises have some formal mechanism for managing security risks. This should
include creating a programme to deliver awareness, prevention, preparedness, and response to
changes in risk conditions. At its most basic, a security structure may be a single individual – a security
focal point, perhaps responsible for security alongside other tasks or functions. At the other end of
the continuum, there may be a fully-staffed global security structure, with a corporate security
director, regional security advisors, and country and site heads of security.
Security management programmes typically encompass four intertwined elements:
• Careful attention to environmental design to reduce opportunities for crime and to increase
the chances of a crime being detected (you will perhaps be able to relate this back to the
Rational Choice Theory in Unit 2).
• Mechanical measures (structure hardening, detection and surveillance systems etc).
• People (includes both security personnel and members of staff who are correctly socialised to
feel committed to the security programme).
• Procedural security (includes security leadership, direction, programmes and policy).
Enterprises have a duty of care to those with whom they are associated (employees, customers,
community etc). These persons will expect that the security function (whether this is a formal security
structure or a single focal point) performs adequately and proportionately.
Where the security programme functions inadequately in an adverse circumstance, liability may
become a risk. According to ASIS International (2004) the criteria that define security liability are:
• The foreseeability of the incident.
• The likelihood that a given combination of security measures would probably prevent such a
loss event.
• The duty to provide such measures, considering the relationship of the parties.
Management programmes can be developed to enhance security in general, or specific programmes
focusing on individual aspects of security may be used. These include (but are not limited to):
• Physical security.
• Operational Security.
• Personnel Security (which may cover both protecting employees/customers from harm, and
also protecting the enterprise against deviant employees).
• Information Security.
• Travel Security.
Aligning the Security Management Programme
Organisation culture is an important consideration when developing a security management
programme. The security manager should set security programme objectives that are harmonious
with the needs, nature and culture of the enterprise. The culture of an enterprise is defined by shared
attitudes, values, and practices that support the mission. While the primary mission of security is to
protect assets, anything and everything that the security department does should be in harmony with
the overall organisational culture. Security managers who come from a background where discipline
and operating practices are rigidly enforced by diktat may initially find this approach liberal, woolly
and unsettling.
At the same time, security managers should
recognise that culture can be shaped, and
influences and attitudes changed (this has been
a major success area in health and safety in the
workplace), and through negotiation and
influence they can work towards shaping the
enterprise culture to maximise support for loss
prevention activities essential to the enterprise
achieving its mission. One efficient way to
embed security culture within the overall
enterprise culture is by the use of local security champions – regular members of staff who have a
departmental responsibility for security matters, who are coached by the security manager, but who
report to their respective line managers. This concept is discussed in more detail later in this unit.
The starting point for ensuring that the security programme is appropriate can be summed up in four
bullet points:
• Study and learn the culture of the enterprise.
• Adopt the enterprise culture and subtly influence it, if necessary.
• Recognise the goals, mission and strategic objectives of the enterprise.
• Align the strategic direction of the security programme to the above two points.
Ensure Your Security Programme is Balanced
Many IT managers will surround their systems
with hardware and software security
programmes sufficient to control a lunar
landing, but will think nothing of dumping kilos
of printout in a skip, or recruiting
programmers without vetting them.
(Wyllie, 2008)

Only with a complete understanding of the enterprise’s culture, purpose and mission can a security
programme begin to be effective.
Security Programme Design
Any comprehensive security programme will be based on a thorough understanding of the
operating climate, the assets, the attendant risks and the existing security vulnerabilities.
Sometimes there is a divergence between the level of security risk mitigation that the security
professional believes he/she should deliver, and the level of inconvenience that business management
is prepared to accept. Here it is important for the security manager to appreciate the difference
between risk aversion and risk management, with the key question being “How much protection is
enough protection?” While senior management has a responsibility to shareholders to ensure that
risks to the enterprise (including security risks) are managed, your role includes ensuring that security
doesn’t become a burden on the enterprise to the extent that it obstructs the normal flow of business
It is usual that a baseline level of security is present, irrespective of the level of risk. Fisher, Halibozek
and Green (2008) offer the following alternatives to the comprehensive approach:
• One-dimensional security – which relies on a single deterrent, such as guards or simple
insurance cover.
• Piecemeal security – in which ingredients are added to the loss prevention function piece by
piece as the need arises, without a comprehensive plan.
• Reactive security – which responds only to specific loss events.
• Packaged security – which installs standard security systems without relation to specific
You may wish to compare and contrast the above with the approaches to security set out on Page 10
of Unit 1 – Security Risk Analysis. A recommended approach is that packaged security be used as a
baseline, upon which additional security measures can then be built according to the security risk
analysis.
Specific elements of baseline standards are covered later in this unit, beginning on Page 22.
Security versus Inconvenience
Security = Cost + Inconvenience
Good Security = less cost + less inconvenience
Establishing Security Programme Goals
We addressed a little earlier the need for the security programme to be aligned with both the culture
and the goals/mission/objectives of the enterprise. Before establishing the objectives of the
programme it will also be necessary to conduct a full security risk analysis. This will include an
assessment of vulnerabilities. Returning to the introduction in which there was a brief discussion of
adding value by contributing to the overall organisational resilience effort, it may be useful to combine
the security risk analysis process into a more comprehensive enterprise risk analysis process in which
the broader risks to resilience can be examined holistically. Shared solutions to common risks can
then be developed, allowing the limited budgets to create much greater return on investment.
The nature of the security programme – and thus its goals – will often be influenced to a large extent
a) How management views security (narrowly, as a guarding function or more broadly as a
resilience-building function), and
b) On the ability/orientation/personality of the security manager.
There will be societal and broader cultural influences also. In some countries security is expected to
take on almost a paramilitary image, while elsewhere such an image would be counterproductive.
Another factor that often influences the goals of a security programme is the make-up of the security
manager. Some security managers are better suited to managing “guards, gates and guns”, and are
sometimes hired to do precisely that. The more contemporary view of a security manager, however,
is of a competent professional, multi-skilled, educated to an advanced level, and who is intellectually
equipped to contribute to the broader concept of enterprise resilience.
This has led to debates about whether security programme goals should be:
1. Focused solely on “traditional” areas of security, or
2. Converged with IT security (see Page 31) to take a more holistic view of security risks, or
3. Converged into a resilience function, encompassing security management, emergency
management, crisis management and business continuity management.
Views differ sharply, but it is possible in the future that a security programme focusing solely on
traditional security may become too cost-ineffective when the greater financial impact risks are
associated with cybercrime and crises/emergencies.
Some useful basic security programme goals may be articulated as follows:
• All security risks will be identified and managed in a business-appropriate way. This will
necessitate involvement of all areas of the business in the security risk analysis process and
the development of countermeasures.
• Building on the security risk analysis, a security strategy will be developed for the coming 3-5
years. This will be aligned with the organisational strategy.
• The security strategy will be supported by a budget, which will include projected capital and
operational expenditure. Zero-based budgeting will be the standard.
• An awareness and engagement programme will be established with the aim of achieving
employee support for the security programme. This will be initiated with a directive from
top management.
• Security risk analysis tools and templates will be disseminated throughout the business and
staff enabled to use them. Training will be provided and the use of these tools will be
reflected in line managers' KPIs.
• Local security representatives will be established in various areas of the business. These will
be trained by security management but will report directly on security matters into their
regular line manager.
• The goals of the physical security programme will be aligned with both the general
enterprise risk management programme, and specific areas of risk management. Where
available, industry standards will be adopted and adhered to.
• Wherever possible, converged solutions will be chosen, requiring close liaison with IT, HR,
Legal and Emergency Management.
• A background screening programme will be in place. This will be managed by HR, with
security management in support, and Legal to provide advice.
• Security will be a consideration of every business activity, at planning, start-up, operation
and closeout.
• An investigative capability will be established. This will work closely with HR and Legal.
• All employees of the security function will be appropriately trained, qualified and licensed.
There should be cross-training to provide redundancy.
• Facilities and operations will be security-surveyed at least annually. This process may be
outsourced to ensure objectivity.
• The guard force will be performance-audited at least annually. This process may be
outsourced to ensure objectivity.
• Appropriate physical security measures will be developed to deter, detect, delay and
respond. Where available, industry standards will be adopted and adhered to.
• Security will be a consideration in all business procedures. This will be driven by a top
management directive.
Security programme goals are articulated in mission statements, policies, standards and procedures.
These will be discussed in the sections that follow.

Statements of Security Policy
A policy is a statement of what the enterprise requires. Procedures are the specific instructions that
state how to satisfy policy. Within the general security management context, security policy is
usually summed up in a succinct statement of fewer than 100 words.
This should be well promulgated, and staff accountabilities for maintaining a secure workplace should
be clearly articulated. An example is:

It is the duty of all employees and contractors to maintain a secure working
environment in which risks to people, the company and the community are
identified, assessed and mitigated to as low as is reasonably practicable.
This will be achieved by special means and by the adherence of all employees
and contractors to security procedures, and the obligation of all staff,
contractors and relevant associated parties to report all security incidents,
concerns, near-misses and non-compliances in accordance with reporting

Typically, it is the security manager who writes the policy statement, and the top management team
that signs it and formally declares that it must be adhered to.
Following on from this, there may be more detailed policies for specific aspects of risk management,
such as an IT Security Policy (or Information Security Policy), Kidnap Risk Policy, Fraud Risk Policy etc.
Some enterprises expand the policy into a policy framework document, which is an expansion of the
key objectives and responsibilities required of the policy. The framework document should be no
more than five pages long. Any longer and it is unlikely that it will be read by those concerned.
The Security Mission Statement
Some security programmes support the policy statement with a mission statement. Example mission
statements might be:
Example 1:
The creation and maintenance of a stable, secure and safe working environment in
which we may together pursue our legitimate ends and objectives without disruption,
harm or fear.

Example 2:
We will work together with employees and contractors to achieve a stable and safe
environment in which the business, its individuals and groups may pursue their
legitimate ends and objectives without disruption or harm and without fear of loss or
injury. Together, we will strive to ensure that the business is able to continue with
business activities without disruption.
While policy states what management wants to happen, procedures state how. Procedures are the
day-to-day operational instructions that govern how things should be done within an enterprise – how
to implement policy. Every effort should be made to ensure that security considerations are a part
of routine business operational procedures, and that security isn’t seen as a separate activity that is
the sole responsibility of the security department. For example, if a procedure instructs shipping staff
how to load a delivery truck, the procedure should take into account security requirements alongside
operational requirements (where to place the goods on the truck) and safety considerations. It is all
too easy for a security manager to become so engrossed in “pure” security activities, such as perimeter
protection, access control, patrolling etc., that key operational security considerations such as this are
overlooked. Constant liaison and interaction with line management is required. It is worth reminding
ourselves again of Thucydides, the ancient Greek philosopher, who recognised thousands of years ago
that “The security of the city depends less on the strength of its fortifications than on the state of mind
of its inhabitants”.
At line level, security procedures work best when they are incorporated into general operational
instructions. Sometimes, however, they can be stand-alone and security-specific. For example, Fay (1999)
suggests the following security procedures for office workers:
– Do not leave your office door unlocked at night and on weekends. Even at Company facilities protected at the entrances by security officers or electronic access controls, it is essential to keep internal office doors closed and locked when not in use.
– Do not leave work papers on your desk, especially at night or on weekends, and remove from the walls any classified maps, drawings or schematics that are not in use.
– Keep filing cabinets and closets locked when they are not being regularly accessed.
– Be alert for unescorted strangers in your work area, and challenge their right to be there. If the answer given is unsatisfactory, notify a supervisor or security officer.
– Don’t reveal to unidentified telephone callers the comings and goings of company officials or of visits and meetings.
– Unless instructed otherwise, don’t give out home telephone numbers, addresses, or personal information concerning fellow employees and company officials. If a caller expresses an important need to talk with an employee who is not in the office, call the employee and pass on the caller’s number, or obtain permission to give the caller the employee’s contact number.
– Follow the prescribed procedures for marking, transmitting, and storing classified documents.
– Do not leave sensitive information displayed on unattended word processing equipment, and password your system and/or sensitive documents. When not in use, remove sensitive documents from the system and password them onto diskettes. Place the diskettes in a locked desk or cabinet.
– Do not leave your purse or other valuables unattended where they can be seen. Do not leave your wallet in a coat on a hanger or over the back of a chair. If you are going to be absent from your work station for an extended time, put away items such as cellphones and hand
– Be alert to persons loitering outside the premises and in parking lots.
– Notify your supervisor or security officer if an unexplained package is found or delivered to the office.
Certain regular staff activities, such as overseas business travel, expatriate security, logistics, opening
up retail facilities at the beginning of the working day, armed robbery precautions, improvised
explosive device search etc. require specific security procedures. It is your role as a security manager
to proactively identify those areas that require such procedures, and to develop them.
Assignment Instructions (SOPs)
Assignment Instructions (or Standard Operating Procedures – SOPs) is the term given to specific
procedures that govern the duties of the security force, and which provide clear, succinct instructions
on how to perform both routine and emergency actions. Depending on the nature of the task and the
quality of the guard force, assignment instructions may be written as step-by-step instructions or


Step-by-Step Example Instruction

Action on Finding an Open Security
1. Close and lock.
2. Check for intruders.
3. Record in notebook the exact time
4. Make a report in the occurrence

Paragraph Example Instruction

Reporting Without Delay
It is important that reports are written as soon as possible after the incident they describe and whilst
the memory is still fresh. If some facts are not immediately available, an incomplete report will be
acceptable, provided it is made clear that a fuller report will follow.

Assignment instructions should be set out in a logical pattern, with Emergency Instructions at the front
of the document. An example of a logical layout is presented below:
Often, assignment instructions are held together in a folder containing other essential security
documents, including job descriptions, site plans, telephone contact lists etc, which then becomes a
security duties file.
Basic Qualities of Assignment Instructions
Consistent – Clear – Understood – Measurable – Appropriate to the task – Achievable –
Practicable – Up to date – Appropriate use of language – Appropriate style – Time bound –
Aligned – Accessible – Specific – Unambiguous – Right level of authorisation – Relevant – Flexible –

Berger (1999) proposes building assignment instructions into a Security Manual, encompassing also:

Security Personnel Rules and Regulations
– Dress code and uniform requirements.
– Conduct on the job.
– Discipline.
Chain of Command
– Key duties of the security team according to position.
– Supervisory responsibilities

Company Policy Local Law First Aid
– Benefits, insurance, overtime etc.
– Liaison.
– Site regulations.
– Overview of the criminal law.
– Equipment available.
– Level of involvement.
– Local medical
– Accident/illness forms and reporting.
– Basic first aid

The local security manager is usually responsible for writing and maintaining assignment instructions,
but in some cases they are provided by the contract security force company as part of the contract.
In other cases there may be specific corporate security best practice that forms the basis of local
assignment instructions. Assignment instructions should exist for every post, and if they don’t, you
can use the services of a good consultant to write them. ISMI can assist on request.
Good assignment instructions share some common attributes:
– They should express the policies of the protected enterprise.
– Each order should deal with one subject and be brief.
– Each order should be indexed for quick reference.
– They should be written in such a way that they provide the basis for a consistent, clear, measurable, and achievable level of service.
– They must be up to date and written in a style of language appropriate to the user.
– They must provide a means of ensuring that the protective operations are carried out in accordance with the risk assessment.
– They must communicate to front line security personnel the exact way in which protective operations should be conducted.
– They should set out exact steps for emergency response, perhaps using flow charts.
– They should be able to be used as a ‘legal’ basis for security staff whenever challenged by service users.
– They can be used as a basis from which to develop site-specific training.
Security Awareness
Effective security management programmes include employee awareness programmes. Awareness
programmes enable employees to understand the relationship between successful enterprise
operations and their personal security obligations under the programme. They also provide useful
feedback mechanisms.
Security awareness development should begin with a security overview during employee induction,
but in larger organisations may entail annual security and safety weeks. In any event, the security
awareness programme should be an ongoing, “living” activity, designed to engage the interest of those
whom it affects. Awareness activities are more than just a strap line at the end of an email stating that
“security is everybody’s responsibility”, or a poster on a wall. A comprehensive awareness and
engagement programme may include:
– At induction, conveying the approach that every employee is considered a member of the security team; that there is no “them and us”. Perhaps, to add effect, ask a regular member of staff to participate in the delivery.
– Using the experiences of the security team to provide advice to employees on security issues relevant to their personal lives: domestic security, travel security, ID theft, fraud and scams, staying safe online etc. This could include issuing periodic security advisories.
– Involving the business in the security risk analysis process and as stakeholders in security project teams.
– Organising social events.
– Adding a “security moment” to staff meetings.
– Maintaining a security page on the Intranet, with downloads and links to external resources.
– Feedback mechanisms, including annual “perception” surveys and satisfaction surveys.
– Security considerations integrated into all procedures.
– Empowering local management to make security decisions, with professional security in support to provide best practice, guidance and support.
– Developing security analysis software tools that can be used by business lines to measure local compliance with corporate standards – a security “health check”.
– Transparency, not secrecy.
– Cross-pollination of staff. Security should be seen as a function that anybody can apply to join. Likewise, security should be a stepping stone to other jobs in the enterprise.
– Co-location of security management alongside other business functions, not hidden away in a separate building.
– Visible response to security concerns raised by employees.
– Sharing the ownership of security.
– Establishing a formal “hearts and minds” programme.
– Creating a 24/7 call centre for employees to call if they have a problem related to security.
– Conducting regular drills and exercises.
Key to getting employee support for security is the attitude, behaviour, appearance, bearing and
ethical behaviours of individual security team members (addressed in the latter pages of this unit).
When these fall below expected standards all of the awareness efforts of the security manager can be
undermined. Any deficiency on the part of any security team member is counterproductive to the
goals of the security programme, and must be addressed swiftly.
Baseline Security Standards
Baseline security standards, referred to at the outset of Unit 1, are the minimum standards to which
a security programme should conform, irrespective of the level of risk. The security risk analysis will
then determine the extent to which the baseline standards should be built upon.
The following are some example elements of a typical baseline security management standard. They
are provided for illustration, and will not apply to every site or operation.
1. Security Focal Points – A person designated as the security focal point (SFP) shall exist in all major
areas of the business. The appointment shall be made by local management, and the person
appointed shall carry out security duties alongside his/her regular duties. He/she shall report directly
to a member of the local leadership team and shall be responsible for implementing those elements
of a security strategy commensurate with the security risk analysis and which are necessary to
maintain compliance. Persons assigned as SFPs shall be appropriately trained and meet relevant
competency requirements.
The SFP shall be responsible for the day-to-day security operation of the facility. This includes, but is
not limited to, physical security, security risk analysis, security surveying, security reporting, relevant
external liaison reporting, liaison with other SFPs, security incident contingency planning and
reporting, guard force management (where one exists) and management of local security incidents.
2. Security Policy Statement – All staff and contractors shall be reminded of their obligations under
the company’s security policy statement, which shall be displayed prominently at all facilities.
3. Procedures – Security measures shall be a consideration in all operational procedures. The security
aspect of operational procedures shall be determined between line management responsible for that
operation and the local security focal point.
4. Security Risk Analysis – Security risk analyses for all parts of the business shall be carried out on a
regular basis. Where possible, quantitative assessments (to measure the financial cost of potential
loss) shall be made. The process is collaborative and shall involve representation from across the
business. The SRAM (security risk analysis matrix) shall be the standard tool used, and the results of
the process shall feed into the strategic risk management plan, and cascade locally into risk
management action plans.

5. Security Risk Management – All security risks shall be identified, documented and managed to
ALARP (as low as reasonably practicable). Vulnerabilities that present a life-safety hazard shall be
mitigated in accordance with legal, regulatory, company best-practice and moral responsibilities, with
attention given to litigation exposures. Contingencies shall also be in place for high impact risks.
6. Security Surveying – Surveys of every facility shall be carried out by the local security focal point on
an annual basis, following the standards format. The SFP may also elect to outsource the process.
The resultant report shall be sent to Corporate Security and local management.
7. Facility Security Plan – A facility security plan (FSP) shall exist for all major areas of the business,
but at least at facility level. The FSP shall include building floor plans, key/critical areas, the security
risk analysis, physical security requirements, procedures for both routine and emergency security
actions, and be in compliance with all applicable laws and/or regulations. The FSP shall be reviewed
annually and updated, taking cognisance of any relevant emergency procedures and plans, crisis
management plans, and business continuity plans. The FSP shall be reviewed by local legal counsel to
ensure compliance with local laws, ordinances or government regulations.
In facilities that are shared with other companies, the FSP shall ensure that there is a facility security
coordination programme to address aspects of shared responsibilities, including but not limited to
security risk analysis and threat/vulnerability assessments, emergency procedures, testing of
evacuation procedures, communication of incidents, access management, guard force management,
and liaison with authorities.
8. Facility Security Plan Budget – An annual FSP budget shall be produced and shall include anticipated
costs for security personnel, equipment purchase, maintenance and operations, regulatory
compliance, changes in the security risk analysis, escalation of security operating levels, training and
awareness programmes, and incident management contingency. Local management is responsible
for approving and meeting the agreed budget requirements.
9. Security Awareness Programme – There shall be an ongoing security awareness programme in all
areas of the business, extending to employees, contractors and, where relevant, visitors. This
shall include drills and exercises.
10. Security Operating Levels – The SFP shall be aware of the different security operating levels
(according to the prevailing threats) and remain in close liaison with local management to ensure a
smooth transition to the next level, if necessary. The decision to escalate or de-escalate the security
operating level shall be taken by the local management team in liaison with the SFP and Corporate
Security. Management shall have in place documented security procedures ready for escalation of
the security operating level.
11. Access Management – All persons entering company premises shall be required to enter through
designated and controlled access points, and shall be documented by name and issued an appropriate
identification badge via the use of automated access control systems or a manual register. All
Company employees and resident contract personnel shall be issued a company-specific identification
card, which bears their photograph, name and other relevant identifying data. Contractors, vendors,
and visitors to company facilities shall be required to produce evidence of identification prior to being
issued a temporary entry badge. Badges shall be clearly displayed by all persons while on site.
Identification badges shall only be worn by the person to whom issued and shall not be used by
another person for any purpose. Escorting of visitors shall be at the discretion of local management.
Staff shall challenge any unidentified person on site not wearing a badge.
12. Entry/Exit Search Procedures – Search procedures shall be developed to provide for the periodic
and “for cause” inspection and search of vehicles, packages, bags and other containers entering or
exiting (or on) company premises. A record shall be maintained of every search and searching shall
be carried out in full accordance with the law. Note that in some jurisdictions personal body searching
is an infringement of human rights. Procedures shall include actions to be taken in the event that a
person refuses to permit a search and for actions in the event that contraband is discovered.
13. Key Control – A procedure shall be in place to control the issue of keys, which may only be issued
to designated, authorised persons, upon signature. A register shall be kept documenting all key issues
and returns, and this shall be checked daily to monitor for deviances. Keys shall be signed back in by
a designated (or duty) key custodian, such as a security guard or receptionist. Procedures shall be
implemented to control the duplication of keys, and to provide for the periodic rotation/replacement
of locks.
14. Car Parking and Vehicular Access – Wherever possible, car parking shall be in an illuminated,
protected area, segregated by a pedestrian checkpoint from the main operational area. Vehicles
parked on company property shall display a pass at all times.
15. Door Security – Doors shall be equipped with appropriate locking hardware, incorporating at least
two deadlocking points. Specific advice on door hardware is available from Corporate Security.
Exterior personnel doors shall be of steel, solid core wood construction, or industrial strength glass. A
single door shall be designated as the final exit door, with other doors having augmented security
measures only accessible from inside, where the risk level dictates. All exterior building doors shall be
closed and locked at all times when not in use, during periods of minimal staffing, and at night,
holidays and weekends, with the exception of emergency exits, which should incorporate override
mechanisms for internal exit. The use of padlocks shall be avoided, if possible, except when used
internally on overhead and rolling doors. In the event doors must be left open for ventilation, a locking
security gate (grille gate) shall be installed.
Appropriate alarm systems shall be installed to detect unauthorised opening or breakthrough of the

16. Window Security – Windows shall be secure to the extent that they provide a degree of security
commensurate with the risk, while not contravening safety and fire regulations. For ground floor
windows and those within 5 metres of the ground, near a flat roof or other climbable object,
toughened glass (but preferably laminated glazing) shall be used as a minimum standard, and
augmentation with grilles or bars is recommended. Windows that are overlooked by public areas
shall be made opaque so as to make the identification of targets difficult.
Depending on the security risk analysis there may be a need to consider window bars or grilles.
Emergency egress shall be an overriding concern at all times. Where there is a risk of window
fragmentation from bomb blast, anti-shatter film, or better still, blast-resistant laminated glazing
shall be used.
Appropriate alarm systems shall be installed to detect breakthrough of the window frame, and of the
pane itself.
17. Roof Security – All roof doors and hatches shall be secured at all times when not in use. Exterior
ladders affixed to the building, which provide access from ground level to the roof, shall be modified
or equipped in such a fashion as to preclude use of the ladder by unauthorised persons. Skylights shall
be secured using bars or a grille, and shall be alarmed.
18. Site Perimeter – The site perimeter shall clearly demarcate company property. The extent of
perimeter protective measures shall be in accordance with the nature of the site, the security risk
analysis, and determined by local management, the local SFP and Corporate Security. Corporate
Security is the expert resource in this regard.
Where a secure perimeter is required, fencing shall be resistant to climbing and breaching and be a
minimum of 2.4m high with anti-climb hostile topping extending the fence to 3m overall. Fences shall
be topped with coiled razor wire. Walls shall be topped with a rotating spike defence.
Fencing should be buried at the base wherever practicable. Where not possible, gaps between the
bottom of the fence and ground shall not exceed 5cm. Storm drains, culverts, pipelines, utility tunnels,
etc. in excess of 600 cm² which pass through or under the perimeter fence shall be fitted with security
bars or a grille to be resistant to intrusion.
A properly equipped gatehouse shall be established on the perimeter to control access.
19. CCTV Surveillance – The use of CCTV surveillance shall be at the discretion of the local
management team, and in consideration of local laws and cultural norms. Where video surveillance
systems are installed, signs shall be prominently displayed. CCTV systems shall be designed by a CCTV
installation contractor and procured on a competitive (Request for Proposal) basis. Where a remote,
outsourced monitoring provider is used, this will be in liaison with Corporate Security.

Only those with legitimate access shall have access to recordings, which will be retained for a
minimum of 14 days, unless there are exceptional circumstances.
A preventative maintenance programme shall be developed and implemented for all CCTV systems,
and repairs made promptly to ensure installed systems operate as designed.
Covert video recording shall not be used, unless with the express permission of Corporate Security
and in local liaison with HR and the Legal Department. The use of dummy cameras is to be avoided.
20. Alarm Systems – As a minimum, external doors and windows of critical areas shall be fitted with
alarm sensors. Methods for assessing and responding to an alarm shall be in place. Systems shall be
designed, installed and maintained by a reputable contractor, selected at local management level. If
necessary, a security alarm receiving centre may be used to monitor alarms. Signs and alarm sounding
boxes shall be prominently displayed.
21. High-Value Items – Cash and valuables shall be stored in burglar-resistant safes, although, in
principle, storage of cash or other valuables should be kept to a minimum and there shall be a strict
need-to-know policy. Safes weighing less than 300 kg shall be anchored to the building structure, or
better still buried in the floor, in accordance with the manufacturer’s specifications. Fire-resistant
safes shall be used for the storage of irreplaceable documents. Dissemination of safe combinations,
and/or keys, shall be strictly limited to those who require access to the contents. Safe combinations
and/or locks shall be changed upon personnel re-assignments, or when the possibility of compromise
A procedure shall exist that describes who is authorised to remove contents and how custody transfer
will be handled when moving cash or other valuables to another location.
22. Exterior Lighting – Exterior security lighting shall be employed to ensure the safety of personnel
and serve as a deterrent to intrusion and to assist in the detection of intruders. Exterior security
lighting shall extend to parking areas. Exterior building doors shall be illuminated with lights by the
use of dedicated fixtures or area lighting. Entry control points shall be illuminated appropriate to the
task. Lighting controls shall be installed within protected areas or shall be capable of being locked
against tampering.
23. Guarding Contractors – Security guarding contractors shall be selected in accordance with the
company procurement procedures, and, where possible, shall be by competitive bid. The contract
shall be put out to tender at least every three years. The guarding contract shall be supplemented by
a service level agreement.
Security operatives shall be properly background screened and appropriately and adequately trained
by the contractor, and licensed in accordance with law and/or regulations.

Operatives shall not carry lethal weapons except in exceptional circumstances, when it is a legal
requirement to do so, and only with the permission of Corporate Security. Operatives may be
equipped with incapacitating agents/devices or sticks only if permitted by local laws. The contractor
shall undertake to provide operatives with the necessary personal protective equipment
commensurate with the task risk assessment. Reflective vests shall be worn when on vehicle
checkpoint duty and in other appropriate circumstances.
The SFP shall be responsible for ensuring that operatives are provided with the basic tools, premises
and procedures necessary to do their job, including the provision of communications equipment.
Assignment instructions (also known as SOPs) shall exist for all routine and emergency guarding tasks.
Assignment instructions shall be a collaborative contractual arrangement between the SFP and the
Contract security operatives whose duties may require them to operate a motor vehicle shall possess
a valid driver’s licence.
Operatives shall inspect the perimeter fence for damage a minimum of once per month, and more
often for fences located to critical facilities.
24. Pre-Employment Screening – Pre-employment screening shall be mandatory for all employees
and permanent contractors. HR shall be the lead in pre-employment screening. All information
discovered as a result of pre-employment screening shall be treated as confidential personal data and
shall be secured if hard copy, or encrypted if computer-based. Information on adverse findings shall
remain on file for three years.
25. Information Security – Employees and contractors shall follow IT and information security
procedures as promulgated. At the end of the working day all company sensitive information shall be
locked away or encrypted. During the working day laptop computers shall be secured with locking
cables and out of office hours they shall be removed from the office or locked in a secure container.
Non-company, non-encrypted portable flash memory devices shall be prohibited from use in company
computers. No computer shall be left on overnight. All company sensitive waste shall be securely
disposed of by cross-shredding and a clear desk policy should be in place.
26. Drug and Alcohol Screening – A drug and alcohol screening programme shall be initiated and
managed by HR. Security operatives shall be subject to random screening.
27. Incident Reporting – Security incidents, near misses, and suspicions shall be reported to the
appropriate line manager, via the whistle-blowing hotline, or via the company web-based reporting
systems as soon as possible. Employees shall be reminded through the company security policy of
their contractual obligation to report all incidents and misconduct.

28. Exceptions to the Standards – Exceptions and exemptions to the standards shall not be made as
a matter of routine, but may be made under any or all of the following conditions:
a. Where there is an immediate threat to life or risk of serious injury.
b. When the situation is an emergency.
c. When to follow a standard would be in violation of local laws.
d. When the security risk analysis has determined that that standard is not necessary and if
signed off by both the local management team and Group Security.
All exceptions and exemptions should be documented, and reviewed as part of an annual security
The Security Plan
There is no agreed definition of the term “security plan”. It could be the strategic security
plan for the enterprise, or a local facility-level document describing security measures in place. It
could also be a contingency document, explaining what to do in the event of a particular incident, or
a plan of security actions relating to a specific business operation.
A site schematic is a kind of security plan. This is a diagram setting out areas of particular sensitivity
or vulnerability, areas of high loss, blind spots, camera locations, access control points, exits, doors,
windows and other significant points.
A more modern interpretation of the term “security plan” is that it is a virtual term encompassing
several different documents and processes. This may include:
• The security risk analysis.
• A security risk management action plan.
• A security deployment plan.
• Baseline security standards.
• A vulnerability assessment.
• A security survey report with recommendations.
• Security procedures.
• A security project plan.
• A plan that looks forward to future security needs and includes a budget.
• Loss prevention objectives, usually quantified and including a cost/benefit analysis.
• A facility protection plan – a narrative document that describes the threats, their impact on the facility or enterprise, and the security measures to be applied, in accordance with the security alert and operating level.

Security Alert and Operating Levels
In some enterprises, security alert and operating levels (SAOL) are established. The SAOL usually
relates directly to the threat level, which is typically identified as low, medium, substantial and high,
usually colour-coded. The determination of the SAOL may be set by the enterprise or may reflect the
national alert level of the host country. The latter is often the case in large critical infrastructure
industrial complexes, where the national alert level is promulgated publicly.
It follows that the higher the SAOL, the more the demand placed on security. It is important to avoid
prolonged use of the highest level unless absolutely necessary. This is not only expensive to maintain,
but has the additional drawback that staff will begin to lower their guard if there is no perceived
incident, thus devaluing this level when it is used again. An example is provided below. Note that the
SAOL verbal descriptor (low, medium etc.) should always be included, as 1% of a typical workforce
cannot distinguish between red and green.

High – Elevated Level, requiring
A high or imminent threat of criminal or terrorist activity, or civil unrest, against installations, property and personnel, or a significant natural disaster or emergency having a major impact on the facility, its operations and personnel. Security measures will be significantly reinforced and there may be restrictions on activities in response to the threat, which will be continually assessed.

Substantial
A substantial and continuing threat of criminal or terrorist activity, or civil unrest, against installations, property and personnel, or a significant natural disaster or emergency affecting the facility. Strong access control will be enforced, in addition to enhanced surveillance and response. Contingency plans will be developed for risks with an unacceptably high

Medium – Normal Level, using
A medium threat of criminal or terrorist activity, or civil unrest, against installations, property and personnel, requiring the implementation of appropriate permanent and ad hoc security measures. This may involve some inconvenience, such as strong access control measures.

Low
A low threat of criminal or terrorist activity, or civil unrest, against installations, property and personnel. Baseline security measures will be in place, and selected measures from higher threat levels may be implemented as needed.

Where terrorism is the overriding concern, it may be this which determines the overall SAOL.
The SAOL can then be used to develop the facility protection plan – a narrative document that
describes the threats, their impact on the facility or enterprise, and the security measures to be
applied, in accordance with the security alert and operating level (Patterson, 2003). A different plan
is developed for each SAOL, although in practice each plan builds on the one for the previous level,
with incremental security increases. Patterson (2003) provides tabulated examples, broken down
into measures that would be applied during working hours and after working hours. This is not
explained further here, but if you wish to purchase the book, please contact ISMI.
Security Department Overview
Security departments lead in the management of security risk. The extent to which the day-to-day
management of security risk is shared between the security department and line management varies
according to organisational culture and the nature of business, but a healthy security risk management
programme is one in which everybody recognises and executes their security responsibilities under
the programme.
A security department typically comprises three core elements:
• Manpower (usually the highest-cost element).
• Policies, procedures, best practice templates, guidelines and programmes.
The role of the department is to create an environment in which security risks are identified and
reduced to ALARP, so that the enterprise can be free to go about its core business and flourish without
hindrance and impediments. Core responsibilities of the department are:
• Establish physical protection measures, best practice protocols and procedures to protect the enterprise from malicious harm.
• Create a security aware culture across the enterprise that is shared by all employees.
• Lead the security risk analysis programme in order that the enterprise is continuously aware of threats and risk that may impede operations.
• Provide a source of expertise, best practice, tools and templates.
• Incident response.
Care is needed in how the security department positions itself and operates. It is important to note
that security measures can have an obstructive effect on business productivity and efficiency and a
balance needs to be established between security obstacles and freedom. This can best be achieved
by ensuring that business lines have a legitimate voice in security decisions. It is not the role of the
security department to impose security by diktat. There needs to be buy-in and the active
participation in the programme by all employees.
The security department has both a compliance and service function. Compliance is a board-level
requirement and means ensuring that activities are compliant with applicable laws, regulations,
contract provisions and company policies. This is a fiduciary responsibility. In its service role, the
security department is expected to be a function that enables the business to achieve its mission by
managing external and internal threats.
Management Structure
There are many variations on security management structures, but every structure should have one
critical element in common: there should be board representation of the security function. Without
this, security’s voice will not be heard nor appreciated at the most senior level and the security
programme may lack the authority and legitimacy that it needs in order to be effective. In effect, it
risks being relegated to a guarding service.
The example (right) depicts a typical structure. This is a
regional model, in which the top three levels
indicate the corporate structure, and the bottom two
levels indicate the lower level. Usually, the budget for
the corporate element of the structure is funded
centrally, while the lower level budgets are part of
overall country or site budgets.
An alternative to the regional model is the
model, in which there might be a global head of
security for physical security, another global head for
operational security etc. This is less common than the
regional structure.
Probably, the best solution is a combination of the
two, in which the corporate structure is based along
regional lines, but has the support of global leads in investigations, information security, threat
assessment and intelligence analysis etc.
For a number of years, the profession has been debating the concept of convergence in security
management. Convergence, in its most common meaning, is the bringing together of traditional and
cyber-security. For many enterprises, for example, the financial impact of a cyber-attack could
significantly outweigh that of a traditional security incident. There is a strong argument for a single
person to lead both traditional and cyber-security and ASIS International is a thought leader in this
initiative. It is unclear whether this will ever become the norm.
Traditional security leaders are often
recruited from the uniformed services and are generally not IT security experts. Recruiting of IT
security professionals into senior security leadership positions continues to be a rare exception, and
the notion is strongly resisted by many incumbent security managers. Nevertheless, going forward
security leaders will have to forge much closer operational relationships with business cyber-security
experts or risk being less influential in security management decision making.
The lower levels of the security structure are increasingly being contracted out. This is not in response
to any security factor, but in line with the continued drive by enterprises to contract out non-core
Increasingly, albeit slowly, there is also a move towards contracting out security manager posts. The
case for retaining the in-house security manager is sometimes difficult to defend and not always well
articulated by incumbents. In the parallel field of IT security management, outsourcing of
management posts is becoming normal, and it is likely that in the future large security contracting
companies will begin to specialise more actively in the provision of outsourced security services at
management level. From a client point of view this may become an attractive option – obvious cost-savings aside – especially when the client can choose from a professional cadre of well-trained, fully-qualified and experienced security management specialists. Moreover, some companies are finding
that they can manage security by the use of management specialists who are contracted in for,
perhaps, 3 days a week.
The Chief Security Officer Concept
The concept of the Chief Security Officer (CSO) creates at the senior governance level a single position
having the responsibility for crafting, influencing, and directing an organisation-wide protection
strategy and operating at a position which allows for direct access to the board of directors. Such a
position is well suited to larger organisations with a broad risk profile. The CSO is so positioned as to
be able to influence business strategy in relation to internal and external risk exposure.
Fundamentally, this is a person who fully understands and can articulate the organisation’s strategic
objectives, and who can develop a commensurate security programme at a strategic level to help
ensure the achievement of those objectives.
ASIS (2008) summarises the risk responsibilities of this office holder as including:
• Human resources and intellectual assets.
• Ethics and reputation.
• Financial assets.
• Information technology systems.
• Transportation, distribution and supply chain.
• Legal, regulatory and general counsel.
• Physical and premises.
• Environmental, health and safety.
This person should be professionally certified and formally educated to
Masters Degree level. You can read more about this in the ASIS Chief Security
Officer Guideline, which is free to ASIS members and available to purchase by non-members from ASIS
The ASIS Chief Security Officer Guideline provides useful advice on physical security measures.
Available for purchase from ASIS
The Security Manager
The role of security manager can be summarised by the following attributes:
“Meticulous adherence to undeviating courtesy, honesty, and responsibility in one’s
dealings with customers and associates, plus a level of excellence that goes over and
above the commercial considerations and legal requirements.”
Professionalism is about the highest standards in competence, ethics and behaviour. The position of
security manager is one of trust and dependability. As such, ethical and loyalty standards of this
person are expected to be amongst the highest in the organisation. As a CSMP and member of ISMI,
you will be obligated to the following ethical code:
• You should have as your primary duty your obligation to your employing organisation and to the success of its mission.
• You should perform your professional duties in accordance with relevant law and the highest moral principles.
• You should pay due regard to human rights, equality and diversification and not engage in discriminatory behaviour.
• You should respect the rights of others in performing professional responsibilities.
• You should not knowingly become professionally associated with those who don’t conform to the highest professional standards.
• You should observe the precepts of truthfulness, honesty, and integrity, and not knowingly spread false information or defame any individual.
• You should be faithful and diligent in discharging professional responsibilities and not engage in any conflict of interest unless fully disclosed.
• You should not claim competence or skill when not possessed.
• You should safeguard all confidential information (including personal private information) that the privilege of your office allows you access to.
Experience and appropriate education are important factors in developing professionalism, but
especially important is the ability to respond proportionately, rationally, resourcefully, intelligently,
appropriately and calmly to any given situation. These are often qualities that are very difficult to
assess in recruitment.
The key qualities/competencies of a security manager can probably be summarised as follows:
• Loyal, discreet, honest, trustworthy and dependable
• Ethically strong and incorruptible
• Good leader
• Good team player
• Instinctive project manager
• Good motivator and inspiring
• Good communicator (written and
• Good understanding of how business works and the global business
• Cost driven
• Cross-culturally aware
• Capacity to learn
• Able to represent the enterprise in the community
• Ability to function in a fast changing
• Fair minded
• Forward looking
• Strong analytical skills
• Good time manager
• Able to manage change
• Understands finance
• Good negotiator
• Good presenter
• IT and technology savvy
• Good organisational skills
You no doubt consider yourself a high scorer in most of the above areas!
Incorrect stereotypical preconceptions persist about security managers having rigid mechanistic
management approaches, especially when they enter security management as a second career from
the armed or police forces. To a large extent, these preconceptions are incorrect, and many of those
transiting from a career in the uniformed services to a second career in a business enterprise make
every effort to create an image that they are first and foremost a flexible business manager, and not
the head of a corporate policing service. A few, however, do not, and you can surely think of case
Image is also conveyed through language. Security managers should speak the language of business
– “money”, rather than “threats”, and should be a
negotiator rather than an imposer of rules. In your
day-to-day dealings with the business, the use of army or police jargon should be avoided as this
reinforces the stereotype perception. A common failing of security managers is the lack of ability to
articulate a business case. Merely presenting top management with a threat assessment is not a
business case. Business cases should have a monetary basis and security manager presentation skills
should be on a par with other competitors, including marketing professionals, for a share of the fixed-cost budget. You can gain much by attending business skills seminars, workshops and courses.
Security managers should become skilled in delivering a diverse return on investment, dispelling the
perception that they are all about “guards, gates and guns”. While security, and usually physical
security, is the main specialism, there is much that a skilled and trained security manager can offer
across the whole range of resilience capacity building, in areas of emergency management, crisis
management, business continuity planning, and due diligence.
Kovacich and Halibozek (2006) identify the following as essential qualities that influence the image of
the contemporary security manager:
• Must be trustworthy.
• Strong analytical skills.
• Must be technology and computer savvy.
• Ability to work with, and lead, project teams.
• Good communication skills – written and verbal.
• Has international experience, preferably business.
• Must understand the global business environment.
• Must possess a good understanding of how business works.
• Good command of the language and ideally a second language.
• Possess college or university education, supplemented by a degree.
• Has experience with, and an understanding of, other cultures and languages.
Importantly, the security manager should strive to become a key corporate
player, rather than the
The image of the security department is very important. In many environments a security department
that portrays a policing image is regarded by employees with distrust. Requiring employees to obey
is less effective than empowering employees to feel they belong to the security effort. This approach
doesn’t run counter to the fact that a great deal of loss originates at the hands of employees, but
employees who feel part of the security programme are less likely to tolerate deviance among
colleagues. And of course, the wise security manager always sleeps with one eye open!
A great deal can be done to improve the image of security by adding services. For example, a leading
oil and gas company in the Middle East “brands” its front-line security professionals as EMS
(Emergency Management Services), responsible for not only security but also fire-fighting, first
responders in the case of any site emergency, rescue and paramedic services. At facilities where such
a converged approach is appropriate, this has not only economic benefits but also makes the team
members more accessible to regular staff.

Positioning relates to two aspects:
• The level within the organisation to which the security manager directly reports.
• The focus of the security manager.
In regard to the first point, the level at which security management positions itself within the
organisational hierarchy has a direct effect on its power to
influence. Accountability for security should be at the
highest level possible within the enterprise. Normally, this
is a board director, who will have security as one of a
number of portfolios. The overarching portfolio of this role
varies from organisation to organisation. It can be
resilience oriented (including emergency management,
business continuity and crisis management), risk
management oriented, compliance oriented, finance
oriented, legal oriented, or health and safety oriented. In
some cases, it will be the CEO who personally takes on this
role. Security programmes that report into a lower echelon of management, for example facilities or
health and safety, are usually less effective at the strategic level, and don’t convey the message that
business resilience is a board-level concern. The need for demonstrable top management support
for the security programme is one of the paramount considerations for a successful security
programme. When senior management delegates complete protection responsibility to lower-level
managers without top-level backing the results are usually unsatisfactory, according to ASIS (2004).
The second point to make relates to how you position yourself, and here it is important to note the
work of Katz (Johnson, 2004) who identifies three managerial skills – technical, human, and conceptual
– that are essential to successful management. Your position in the organisation – or the position to
which you aspire – should determine the emphasis that you place on developing and demonstrating
each of these skill sets.
For example, if you are content with remaining at the lower levels of management, you should focus
on technical skills – the lower-level skill set. But if you aspire to reach higher levels of management,
your focus should be towards the upper two sets: human and conceptual. This is explained in greater
detail overleaf.
“The implementation and execution of the security programme will be most effective when the security director reports directly to top management. The authority and responsibility of the security director must be clearly defined in written policy.”
Berger (1999)
Conceptual skill involves the formulation of ideas. You should understand abstract relationships,
develop ideas, and solve problems creatively. At top level management you will need conceptual skills
in order to view the organization as a whole. Conceptual skills are used in planning and dealing with
ideas and abstractions.
Human skill involves the ability to interact effectively with people. In your role, interacting and
cooperating with other employees will be essential to the success of your security programme. It is
crucial at supervisor level and as you reach middle management the need to demonstrate this skill
becomes of the utmost importance. If you reach the highest echelons of management without first
having developed strong personal relationships and networks, your task will be all the more difficult.
Technical skill involves both knowledge and proficiency. First-line managers need technical skills to
manage their area of specialty, but as you advance up the management hierarchy, you will increasingly
be able to employ subject-matter and specialism experts to support you. For example, a senior
security manager doesn’t need to know the intricacies of running a CCTV control room. This is the
specialism of the control room operators. As you progress upwards through the management
hierarchy you will have to learn how to become a more strategic thinker and to delegate the detail.
We will cover delegation in the subsequent unit.
The fact that you are undertaking this programme indicates that you appreciate the value of education
and competence development above and beyond your inherent security instinct and any background
skills from a former police or military career.
Security instinct is something that all humans acquire, but without formal education or credentials in
security management you risk opening yourself to challenge by those outside the security department
who think they may have a better understanding of security than you. With formal education in
security, you can be confident that you are arguing from an informed perspective, and that you are
expressing a professional opinion.
Moreover, you should be mindful of liability. If a security incident should lead to a fatality and there
is a subsequent enquiry, you can better justify your actions if you can evidence competence through
formal education in security management.
Education for the security manager takes various forms including:
• Professional certifications, such as the CSMP, CPP.
• Classroom courses in security management and related specialisms.
• Courses in generic business management and administration skills.
• On-site specific training.
• Conferences and seminars.
• Degrees (normally MSc-level degrees at security management level).
On-site training should be aimed at developing specific on-the-job skills. You should embrace courses
common to all management functions such as financial management, change management and time
management, and you should personally lead on developing and delivering staff development
programmes on security awareness. Alternatively, you may wish to engage a contractor, such as ISMI,
to develop an on-line staff security awareness product on your behalf, but online awareness training
packages, at best, can only supplement face-to-face awareness training.
External training serves a different function. It allows you to learn new and innovative ways of doing
things by sharing in common best practice. It can bring fresh ideas to create more efficient and
effective security programmes. It can also raise your awareness of changes and trends in the threat
spectrum that might otherwise go unnoticed. ISMI has a close working relationship with a number of
classroom training providers and can recommend good courses.
Relationship building is one of the most important activities a security manager can undertake. Strong
relationships foster compliance and can also be the catalyst for intelligence flow.
Internally, strong relationships must be forged with top management. At this level the security leader
should operate as gatekeeper for the organisation, shielding top management from the worry of day-to-day security risks. The higher the level of positioning of the security leader in the organisation, the
more successful this will be. It has been emphasised previously in this programme that it is essential
to speak the language of business: “bottom line” instead of “threats”. The 2005 State of the CSO
Report identifies “inability to communicate with executives” as the key reason security managers get
Internally, also, it is important to foster strong relationships with all employees. Kovacich and
Halibozek (2006) caution that employees often consider security professionals an extension of law
enforcement. They imagine the security staff watching them and “making” them behave in a certain
way – a way not necessarily conducive to good business practices. They add that employees are not
receptive to constraints, particularly when they don’t understand the reasons for them or the value
the constraints bring to the business. Berger (1999) goes further, adding that the regular feeling of
“co-worker” between security personnel and other employees does not exist. Even though the
security officer is there to protect the company employees and the property that enables them to
have employment, Berger contends that in the eyes of most employees security still represents
authority in almost the same image as that represented by a policeman. Here, therefore, consensus
building, negotiation, liaison and persuasion are key elements of the security management toolkit.
Security focal points (discussed below) are an important consideration here.
Good internal relationships should be developed with at least the following:
• The board or executive management team
• Crisis and business continuity management
• Health and safety management
• Line management
• The unions
Specifically, line managers should be included in the
security risk analysis and management process, and there
should be cross-business representatives on major security
projects in order to secure buy-in and consensus. And the
security manager should become actively involved in non-security initiatives that will give him or her greater positive
exposure in the enterprise.
Externally, relationships should be forged within the
broader security community as a whole (security
associations, business crime forums, specific sector forums etc), and also at the local level (neighbours,
local emergency management, police and security service liaison, civil defence and fire service liaison
“Often, security professionals think that assets protection decisions regarding risks are theirs to make. No, they are not. Security professionals are the in-house security consultants and
Kovacich and Halibozek (2006)
The police relationship may be quite difficult to establish. In some environments police are reactively
focused, or have a low opinion of private security. Also, instinctively, police officers may be aloof or
even suspicious of the motives of any approach. In some environments police are perceived as
corrupt. A good starting point is to invite a police officer to address security guards on basic aspects
of the law, trespass and powers of arrest. The security manager will have to work hard at building this
relationship. At management level, one option is to establish local crime prevention forums, at which
police officers address, and can take questions from, a body of local security managers.
In establishing any relationship with police there must be the support of top management. Many
enterprises wish to keep certain reputational-damaging crimes private, and may be concerned that
their security manager will be too quick to share problems with the police. To an extent, this concern
is mitigated by the fact that many police services are often reluctant to get involved in internal
company crimes.
A convivial relationship can generally be established with the fire service. Fire prevention and firefighting training days can be organised for security guards, and, if an industrial premises, it is useful
for the fire service to be shown in advance on-site hazards (such as hazardous or explosive materials
storage) and critical areas that have an inherent fire risk, such as fileserver rooms. In some
environments there will be a legal requirement for the fire service to inspect the premises.
If the nature of site operations warrants it, local first-aid and emergency medical care facilities should
be visited by the security manager, who will establish what care facilities are available. In remote
locations, it is the practice of some multinationals to invest in local healthcare infrastructure, and so
liaison with medical professionals is useful. Local healthcare, or at least voluntary first aid services,
may be prepared to offer training to security guards in how to administer first aid.
Neighbours are not only a useful source of intelligence, but also support in the event of an emergency.
Ways in which neighbours can be leveraged to provide support to the security function include:
Establishment of a special radio channel or notification system to provide emergency
information about adversaries or alerts. This practice is common in retail.
Establishment of neighbourhood watch schemes, a common practice in business districts and
industrial parks.
Establishment of a mutual aid scheme whereby organisations agree to commit resources to
assist neighbours in the event of a major emergency, a common practice in concentrated
industrial areas.
The Security Focal Point
Security Focal Points are individuals responsible for the management of security at a local level. Often,
they are HSE professionals and are double-hatted as such. In smaller organisations the security focal
point may be the facilities or premises manager, or an HR professional. Since there are always
litigation and liability concerns when making security decisions, security focal points should be
properly trained and should develop, or have access to, centrally produced security standards and
guidelines which detail security compliance requirements.
Branch Security Representatives
Branch Security Representatives are a kind of Security Focal Point, but their remit is more limited.
Security accounts, perhaps, for only 10-20% of their task allocation. They are responsible to local line
management for ensuring security compliance within a specific branch (the nature of the security
emphasis will be driven by the nature of work in the branch and the direction of the line manager),
they report directly to line management (not to a security professional), and they are trained
collectively through a security best practice programme developed by security professionals.
Security Focal Points and Branch Security Representatives may be used in large or widely dispersed
organisations to augment and enhance security compliance across the organisation or used in
business units where the employment of a full time security manager cannot be justified.
Hiring Security Professionals
Fay (2002) suggests four routes through which security professionals may be hired:
Newspapers and Journals – the position to be filled will determine the specific periodical selected.
Entry security positions are usually advertised in local newspapers, whereas senior security positions
are usually placed in national periodicals. For senior positions, the blind ad system may be used, in
which the identity of the company is not revealed.
Position-Open Notices – These may appear in newsletters, circulars, on notice boards, via security
associations etc. College noticeboards are good ways to recruit temporary guards.
Word-of-Mouth – This is particularly useful for senior positions. Here, the security leader spreads
the word informally throughout professional networks.
Employment Agencies – This method is almost always limited to searching for candidates for senior
posts. The agency typically negotiates between 10-25% of the candidate’s annual salary as commission.
Some agencies advertise their vacancies; others specifically head hunt candidates for the post. Such
agencies vary greatly in competence.
A fifth route is hiring internal candidates. Internal recruitment ensures that the qualities and abilities
of the candidates will be known. In addition, other employees will be motivated as they see
opportunities for promotion. External recruitment, on the other hand, will provide the organisation
with a wider pool of candidates from which to select and may also introduce new thinking to the
Many security professionals are hired on the basis of a past career in the military, police or intelligence
services. This has pros and cons. Such individuals may be well versed in security, but they are more
often than not likely to lack the academic credentials that are standard among their non-security
peers. There is much debate on the relative merits of “second-career” security professionals. There
is no doubt that former uniformed service personnel have training that is second to none, but a key
hiring risk is that it is very difficult to assess the competence of a person from such a background
since he or she will probably retire from uniformed service with an unblemished testimonial, and it
will be exceptionally difficult to drill down into that person’s past to identify any significant
weaknesses, tendencies to unethical behaviour or past wrongdoings. There have been many cases of
bad hiring decisions specifically because of the lack of availability of such information. Hallcrest II, a
US report on trends in private security, reported a growing trend away from hiring security managers
with uniformed backgrounds towards hiring security managers with business backgrounds
(Cunningham, 1990).
Whatever the background, the hiring process should carefully evaluate potential candidates for
evidence of “softer” management skills. Crucially important among the soft skills are the interpersonal
skills related to leadership, negotiating, relationship building, and motivating. Relationship building,
it has been emphasised, is crucial to the success of a corporate security programme.
The hiring process in a mature enterprise is almost always under the ownership of HR, which follows
a formal procedure. One of the first phases is for a detailed job requirements analysis to be
undertaken. This forms the basis for developing a Job Description and a Person Specification. The Job
Description outlines the key responsibilities of the role and reporting responsibilities. The Person
Specification outlines the education, experience, training, skills and personal qualities of the desired
incumbent. These may be grouped into mandatory and desired columns. The mandatory column
represents the criteria that candidates must fulfil in order to be considered, and the desired column
will comprise criteria which will enhance the candidate’s chances of success. Both of these
documents are discussed later in this unit.
Hiring candidates who can evidence a previous commitment to continuing professional development
is important. Security is a profession in which there is greater emphasis on experience than on
qualification. While experience is essential, there is a general consensus in business that for most
positions formal training and qualifications are the norm.
CVs (Resumes) and Application Forms
The CV (curriculum vitae) has become the standard tool by which prospective candidates market
themselves, and it should be looked at in exactly this way – a personal marketing tool. It is a useful
tool to aid in the initial paper sift of potential candidates, but it should not replace the application form
as the formal, signed documentation of skills, qualifications and personal details.
US research in the 1990s revealed that one-third of resumes were fraudulent (Purpura, 2008), and a
2006 US study revealed in 49% of cases a discrepancy between what the applicant provided in their
CV regarding employment, education, or credential reference (ASIS, 2008). A fraudulent CV may
contain both falsifications and material omissions. While the typical introductory statements such as
“I am a dynamic….. results-focused……” are subject to interpretation, falsifications often occur in
qualifications and education. Material omissions occur when some previous employers are left out in
order to make the applicant’s work history look more stable, or to hide an employer that the applicant
doesn’t want to be approached.
The application form is not immune from falsifications, but at least it allows the enterprise to ask
specific questions (within the bounds of local employment and discrimination legislation) and it
requires the applicant to make a formal signed declaration before submission. This is a powerful
deterrent. Nevertheless, according to MI5 – the UK’s domestic national security service – one UK bank
in 2006 rejected 16% of applicants due to its robust screening programme. There were medium and
high risk discrepancies in the candidates’ application forms, and many cases of candidates
withdrawing their applications when enquiries were made into their backgrounds.
The default position on falsifications and omissions should be that the applicant is rejected unless a
convincing explanation can be provided. It follows that if a candidate is prepared to present false or
misleading information in their CV, they do not have the ethical qualities necessary to work in security
in a corporate setting.
Background Screening
When an offer of employment is made, it is
often made subject to successful outcome of
background screening. Background checks are
normally completed before employment is
taken up, but there are some cases in which
employment may be started pending
satisfactory background screening.
Background screening is usually the
responsibility of HR, which effectively places HR in the front line of defence against potential employee
miscreants. In a number of enterprises screening is the responsibility of the security department. The
practical process of background screening may be outsourced to external agencies, which have
experience in identifying irregularities and potential problem employees.
Pre-employment screening is central to a holistic
approach to security and aims to ensure
that an organisation counters the full range of
threats it faces, including terrorism, fraud and
reputational damage.
The Centre for the Protection of National
Infrastructure (UK Government, 2011)

The document that provides the basic source information for the screening process is the application
form. The form should highlight the fact that pre-employment screening will take place and that the
applicant must provide their consent for checks to be undertaken. It should also include a clear
statement that lies or omissions are grounds to terminate the hiring process or employment no matter
when they are discovered. This is important legally but it can also have significant deterrent value
(CPNI, 2011). In some countries, such as the UK, falsifying qualifications in order to seek financial gain
(a salary) is a criminal act.
At its most basic, a background check is confirmatory. It seeks to verify the information provided by
the applicant on the application form, such as previous employment, education, qualifications and
training courses attended. Background screening should delve back into a candidate’s past work
history for 10 years, and seek explanations for any gaps in employment of greater than 30 days.
According to MI5, The (UK) Security Service, the purpose of pre-employment checks is to confirm that
a job applicant meets a number of pre-requisites for the post. Pre-employment
checks include:
Confirming the identity of the applicant.
Establishing that the individual has the right to do the job given their
nationality and immigration status.
Verifying their declared skills and employment history.
In some cases additional checks (e.g. criminal records checks) may also be included.
Establishing beyond doubt a person’s identity can be difficult. MI5 provides
useful recommendations in this regard in the publication
Managing the Risk,
which can be obtained from ISMI, as does the CPNI Pre-Employment Screening
Good Practice Guide, which is available from at the time of
producing this unit. The CPNI document is particularly detailed and provides
essential advice, together with checklists and useful templates.
Within the UK, BS 7858 is the British Standard that sets out recommendations
for the security screening of individuals to be employed in an environment
where the security and safety of people, goods or property is a requirement. The standard is used
widely in the private sector by enterprises in their pre-employment screening processes, and by third
party screening companies undertaking pre-employment checks for enterprises.
Contact ISMI for a copy of Managing the
The CPNI Pre-Employment Screening Good Practice Guide is available online or contact ISMI for a

Often, there is a need for the check to become
investigatory. In this context the prospective
employer looks more closely at the candidate
and seeks out more subjective views on the
applicant’s qualities, such as their fit into a
team, reliability, efficiency, reasons for leaving
previous employment etc. This type of
information is rarely written down by previous
employers, but a good investigator may be
able to delve into these areas in some detail.
Many employers, to their later regret, step
back from delving into such depth, but it is
essential that the applicant’s subjective as well
as objective fit in the organisation is assessed,
and this cannot be accurately determined
through the interview process or by cognitive/aptitude
testing. Levels of screening and investigatory avenues are set out in the
CPNI Pre-Employment Screening Good Practice Guide.
If a candidate is rejected on the basis of a background check, the matter
should be documented in case the applicant seeks redress or claims
discrimination. A claim may be upheld if the screening process has failed to
take account of local legislation. CPNI (2011), for example, identifies seven
individual UK Acts of Parliament that have to be observed when screening.
Testing for Employment Suitability
For security posts there should be in-depth investigation into, and assessment of, the honesty, integrity
and ethics of the applicant. This goes beyond the regular pre-employment screening process. Testing
for suitability for appointment to a security post varies in accordance with the position, the culture of
the organisation, and the environment. In the US, for example, pre-employment alcohol and drug
testing is much more common than in the UK.
Testing may be objective, for example alcohol and drug testing (in which a positive test result bars a candidate
from employment), or subjective, in which a candidate’s aptitude in relation to the post is assessed.
Some tests fall between the two – for example, honesty/integrity testing, in which an applicant
answers a series of scenario-based questions and the results are analysed to determine the
candidate’s level of relative honesty.
Fay (2002) recommends the use of personality testing, aimed at various facets of intellectual or
emotional functioning, adding that areas of greatest concern to the security leader are honesty,
propensity for violence, personal traits, values and attitudes.
There have been numerous instances of
individuals gaining employment within
organisations when, in retrospect, their
applications should have been rejected on
security grounds. In most cases, these
individuals presented false information (e.g.
forged identification or false references) or
concealed important facts such as criminal
convictions during the recruitment process. In a
smaller number of cases there were clear
indications that the individual was lacking in
integrity or reliability, to the extent that this
might present security concerns.
MI5 (The Security Service) (2006)
The ASIS Pre-Employment Background Screening Guideline provides useful advice. Available
for purchase from ASIS
Proficiency tests can be used to determine candidates’ suitability for particular jobs. Arvey and
Campion (1982) concluded in their research that cognitive ability and job tryout were among the most
valid indicators of job suitability. Commonly-used indicators such as interview and experience scored
relatively low in their tests.
For more senior positions candidates should be required to make a presentation. Empirical evidence
on security management training courses indicates that only about one third of incumbent security
managers are proficient presenters to a standard that would maintain the engagement of executive
management, and significantly fewer can present a sound financial case to support their argument,
an observation echoed by Gill (2006).
Whereas proficiency tests assess a candidate’s existing skills, aptitude tests offer an insight into a
candidate’s suitability for a role in which the individual is not currently trained. If a person’s score is
similar to those of others already working in a given job, the likelihood of success in that job is
predicted (Fay, 2002). Example aptitude tests include:
The General Aptitude Test Battery – This test measures nine different aptitudes and can be used to
help assess the likelihood that a candidate will be successful in specific careers or training. Areas
tested are general learning ability, verbal aptitude, numerical aptitude, spatial aptitude, form
perception, clerical perception, motor coordination, finger dexterity, manual dexterity. An
explanation of each category can be found at The test can be completed in entirety, or specific portions may be used.
The Minnesota Multi-Phasic Inventory – This is an objective personality test designed to measure
social and emotional adjustment, describing feelings, attitudes and behaviours. It is most commonly
used by mental health professionals to assess and diagnose mental illness. The test results must be
analysed and interpreted by a professional.
Intelligence tests measure the intellectual capacity of an individual. Test scores are generally given in
intelligence quotients, or IQ. A target score for a security management or investigative position should
be about 125. For a security guard a score of about 100 is good.
It should be noted that psychologists generally agree that using intelligence tests to bar individuals
from job opportunities without careful consideration of other relevant factors is unethical (Fay, 2002).

Job Descriptions
A job description is an outline description of the job, usually following a format prescribed by HR,
which is typically the custodian of the recruitment process. It is the responsibility of the security
department to liaise with HR to ensure that security-role job descriptions are populated with the detail
appropriate to the role. Job descriptions should exist for all roles, from the Chief Security Officer down
to front-line officers.
A detailed job requirements analysis forms the basis from which the job description is written. The
job requirements analysis seeks to:
Set out the personal qualifications, skills and experience necessary for the post.
Set out the relationship of the post to others in the enterprise.
Set out the conditions under which the work is to be performed.
The job description will include the following detail:
The job title.
The general purpose of the job and how it fits into the overall organisation.
The job location and an indication of the working conditions.
The specific tasks that the role entails and the responsibilities involved.
The post to which this post reports.
The nature of any supervisory responsibilities, both material and manpower resources.
Special features or equipment associated with the role.
Possibly also salary (or perhaps grade), hours of work and holiday entitlements.
Once created, a job description is then a valuable tool in:
Communication management/organisational expectations.
Recruitment and placement.
Measuring performance and developing performance-measuring criteria.
Matching employees to posts.
Determining training and development needs.
Developing procedures.
Compensation, recognition and reward.
Discipline or corrective action in the event of deviation.
Person Specifications
A person specification, also known as a job specification, details the qualities of the ideal candidates,
often in two columns: essential and desired. It will include expectations of qualifications, skills,
experience, and sometimes physical and mental attributes if relevant to the post and non-discriminatory
under law. It may also provide an indication of what sort of judgment or initiative the
incumbent is required to possess.
A person specification usually covers the following details:
Qualifications and knowledge.
Specialist skills areas.
Physical skills, attributes or minimum standards.
Any mandatory licensing or registration.
The person specification is a key document in the recruitment and selection process, used for:
Identifying the minimum (essential) qualities necessary for the job to be performed to an
adequate standard.
Identifying the ideal (desirable) qualities for outstanding performance in the post.
Forming the basis of a job advertisement.
Enabling prospective applicants to self-select by assessing themselves against the
requirements for the post.
Ensuring that rigorous criteria are consistently applied in the shortlisting and selection of
Ensuring equality of opportunity and providing a defence against possible claims.
Providing a basis for determining selection methods.
Providing a basis for determining core interview questions.
Examples to help you construct job descriptions and person specifications can be found at the
following web locations (correct at time of unit writing – if unavailable contact ISMI for a copy): and there is more guidance from this source in the
Online Library.

Front-Line Security Operatives (Officers and Supervisors)
Front-line security operatives are an organisation’s most
important security asset, but often the largest cost item in
a security budget, so it is essential that great care is given
to their selection. Front-line operatives include security
supervisors and security officers (you might refer to
security officers as security guards in your environment).
Front-line security operatives are normally recognisable
by virtue of their uniform, although this may be subtle.
ASIS (2011) notes that most organisations have adopted
the approach of making security officers recognisable
without appearing authoritarian.
More often than not, front-line manpower is provided by contractors, and this has pros and cons,
discussed later.
Whether the operatives are directly hired or contracted in, two issues are paramount: training and
honesty/integrity/good ethical conduct. These two elements combine to create professionalism.
Security operatives are best used as part of a comprehensive protection plan, alongside technology,
hardware, crime prevention through environmental design and procedures. ASIS (2012) notes that
operatives play a public relations role when they perform their protection duties and represent an
employer, often being the first contact a visitor or employee has with an enterprise. The way
operatives interact with people has a marked effect on their initial impression of the enterprise.
Impressions are not just conveyed verbally. If an operative appears lazy, disinterested, or susceptible
to corruption or other unethical behaviour, this will not only reflect badly on the security department
but, from a visitor’s perspective, on the whole enterprise. Respect for the security department cannot
be demanded; it has to be earned.
A badly managed front-line security manpower operation can cause considerable damage to the
image of security as a whole. Typical indicators of a badly-managed operation include, but are not
restricted to:
Abuse of power.
Bad image and attitude towards
Confusion over whether to look tough or
Poor appearance and bearing.
Poorly paid and not liked – feeling of being
an “outsider” – a feeling often reinforced
by the attitude of some employees.
Bribe taking.
Theft and misconduct during quiet hours.
Doing “favours”.
Officer begging because they are not paid
Throughout this programme the terms security officers and guards are used interchangeably. In
Europe and the US, the trend is to refer to front-line security operatives as security officers;
elsewhere, this isn’t always the case, and often the term security officer is reserved for a higher
ranking security professional.

Essential Qualities of Front-Line Security Operatives
Some of the essential qualities when selecting front-line security operatives include:
Good judgment and rationality
Proportionate response
Calmness (doesn’t anger easily when
provoked by rudeness)
Smart appearance
Good personal discipline
Doesn’t gossip
Exercises discretion
Honesty and integrity
Foreseeability and the link between
cause and effect
Trustworthiness and ability to work on
own initiative
Doesn’t abuse position to bully
Doesn’t bore easily (guarding can be
very monotonous)
Team player
Fairness and understanding
Doesn’t criticise management
Learns quickly from mistakes
Example setter
Good common sense
Ability and willingness to work alone
Good character
Neat in appearance
Tidy worker
Instinctive teamworker
Works well both under stress and during
periods of potential boredom
Ability to take initiative to respond
correctly to a given situation
Good self-motivation and drive
To the extent possible, the above attributes should be assessed in the recruitment process.
Essential skills typically include:
Technology-savvy; must be able to manage sophisticated computer-based security systems.
Good observation and good memory.
Good verbal and written communication skills.
Good, basic education (eg basic numeracy, literacy).
Appropriate additional qualifications.
Physically fit; must be able to meet the requirements of the post.
Good practical skills; may be required to carry out emergency repairs or remedial
Driving skills.
Security Supervisors
Supervisors play a critical role in the management of
security operations as front-line managers. There is no
doubt that the efficiency of the security force depends on
the adequacy and skill of its supervisors. They are the key
to employee mentoring, turnover and satisfaction.
Security supervisors are best appointed by promotion
from the guard force. Without opportunities for
advancement, guard force personnel can become demotivated and apathetic, and the lower ranks of
the security department can become a repository of low performance.
The roles of the supervisor are many and varied, and can include hiring, training, disciplining,
motivating, promoting, coordinating and controlling. It follows that in order to be effective,
supervisors should undergo a course of instruction in all of these areas. The training need not be
security specific, and there are several generic supervisory management training courses that meet
this requirement. Generic management will be addressed in Unit 4, Management and Leadership.
Above and beyond the basic security officer qualities listed on the previous page, supervisors should:
Be able to lead.
Be able to motivate and encourage others to do their best.
Be able to manage teams.
Be able to cope with pressure without moaning or blaming the company or managers.
Be able to accept challenging and difficult tasks.
Be able to accept responsibility and take decisions, and be willing to accept the consequences
of those decisions.
Be able to delegate.
Be able to multitask.
Be able to share credit and praise for good performance with the team.
Be able to accept criticism on behalf of the team without blaming others.
Be able to cross-network and liaise with other supervisors.
Be comfortable in a team environment.
Respect the differences between sexes but manage both in a consistent manner without
Not show favouritism to any individual officer.
Be able to earn respect from all directions, from below and from above and from peers.
Be able to defuse conflict to the satisfaction of all parties.
Be consistent.
Be courteous.
Be objective.
Be discreet.
Be tactful.
Be approachable in confidence.
Be willing to praise.
Many of the above are qualities and not skills. As such, when recruiting supervisors you should look
for these.
In relation to security supervision, there is an old adage: “Employees don’t do what you
expect, they do what you inspect”
Poor supervision may lead to problems in the security force, such as:
Low motivation.
High staff turnover.
Employee misconduct.
Poor performance.
Supervisors should also be good mentors, trainers and coaches. Coaching entails “sitting” with
somebody on a one-to-one basis and demonstrating how to do something, then observing that person
carrying out the same action with the coach providing correctional feedback to the extent necessary.
Lussier and Achua (2004) add that an essential element of coaching is giving motivational feedback to
maintain and improve performance. It is essential to praise and encourage during coaching, even if
the individual being coached demonstrates nothing more than a satisfactory grasp of the task.
Supervisors should excel in interpersonal skills and two key criteria in their selection should be that
they are a) a team player, and b) able to motivate others. Sennewald (2008) calls this “enlightened
supervision” in which security officers carry out their duties willingly with minimal supervision. He
adds that performance is the ultimate goal of supervision. ASIS (2011) notes that the most effective
managerial style for supervisors is to give credit for good performance and be objective when noting
Ensuring good performance requires supervisors to execute regular inspection. This doesn’t mean
parading security officers in three ranks and checking uniforms, but instead to identify those tasks that
are done properly, acknowledge and give credit for good performance in such areas, and then point
out any deficiencies in an objective manner (Sennewald, 2008). The inspection process must be
consistent, continuous and constructive. It also requires the security supervisor to go out and inspect
posts. A less obvious, but very useful, method of inspection is for supervisors to relieve security
officers when they are away for lunch, appointments or sick. This allows the supervisor to see firsthand what the demands of the assignment are, the level of performance, the extent to which
procedures are being followed and any other problems or special circumstances associated with the
Another method of maintaining good performance and vigilance is for the supervisor to systematically
rotate the security officers’ duties at two-hour intervals. Guarding, especially, can be very boring and

monotonous work and job rotation is essential to maintain alertness. Some security managers think
nothing of placing a guard on a single post for many hours, with little consideration to the extent to
which performance degrades rapidly after about 2 hours, and more rapidly in periods of inactivity. In
part this is because less than half of security managers have had personal experience of the boredom
of prolonged guarding assignments.
Some organisations appoint supervisors on seniority. This risks leading to poor results. Not everybody
is suited to the role of supervision, so at the very least supervisors should be volunteers, with vacancies
advertised internally. Obviously, those who indicate supervisory potential should be identified and
encouraged to apply.
A recommended means to develop supervisory potential and appoint supervisors is as follows:
1. Make available to security officers after a certain period of employment (perhaps 1-2 years)
the opportunity to attend a short supervisory skills workshop. The aim of this workshop should
be less on developing supervisory skills and more on testing for aptitude. This should be
voluntary; a good employee does not necessarily make a good supervisor.
2. Identify those who performed well and interview to establish ambition, suitability and
3. Develop a short list and select. Organise this so that it coincides with an off-site course in
generic supervisory leadership. Promote the selected officer and send immediately on the
course before returning that person to the security team.
4. Upon successful completion of the course, return the newly-appointed supervisor to the
workforce either as a day supervisor, or as a supervisor of a different shift team to that which
they were previously working in.
Training specifically designed for supervisors may include:
Revision of the key training requirements of a security officer – (see Page 58) as a typical role
of security supervisors, especially if they are relief supervisors, is to carry out training. Larger
contract security companies may have special training teams that visit assignments on
Security supervisory skills – a good distance learning programme is the Skills for Security Level
3 Security Operations distance-learning course (contact UK-based Skills for Security for further
information), which is available on CD and which covers health and safety, security risk
analysis, access control, perimeter security, buildings security, CCTV, explosive devices,
search, information security, IT security, customer care, substance abuse, contingencies and
emergencies, private security and the law, evidence, equality and diversity.

Generic supervisory management skills – report writing, performance evaluation, writing
appraisals, leadership, motivation and management, organisational skills, decision-making
skills, basic counseling (especially useful when security officers suffer stress in the workplace),
team working, discipline, communication, negotiation, time management, delegation, change
management, equality and diversity, handling customer complaints, etc. These kinds of
generic subjects can often be addressed by attendance at a local college.
Basic security management skills – a key requirement of a security supervisor may be to
deputise for the security manager. ISMI can recommend a good course to prepare candidates
for this.
Train the trainer – since security supervisors are likely to become trainers of security officers
at some time or another, they should undergo a train the trainer course, specifically designed
for security.
Sennewald (2008) identifies that failure to properly prepare and equip new supervisors with the training
to discharge their new responsibilities is perhaps the most common shortcoming in the security
Supervisors have to play a difficult balancing act, displaying loyalty to both the officers whom they
supervise and to the organisational management as a whole.
Supervisors who fail to manage this balance correctly, who
put personal popularity before management responsibility,
and who try to be one person to the guard force and a
different person to management will usually perform
One of the front-line tasks of security supervisors may be to
calculate security manpower. This is especially important
when using directly hired personnel. Here, there are simple
rules of thumb that can be applied. Taking into account typical time off for holidays, sickness and
training, for a site at which security officers work 40 hours a week, each 24 hour post requires (3 x 8
hour shift or 2 x 12 hour shift) about 5 (actually 4.5) persons to keep that position continuously
manned. For a site at which the working week is 60 hours, the number of security officers you need
to employ to maintain a 24-hour post reduces to 3.
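The rule of thumb above, worked through as an added example (not part of the ISMI course text). It assumes the only inputs are weekly cover hours, contracted hours and a single absence rate for holidays, sickness and training; that rate is back-calculated from the page's own 4.5 and 3 figures, and the three posts are constructed sample data.

```python
import math
from dataclasses import dataclass

HOURS_PER_WEEK = 24 * 7  # a continuously manned post needs 168 hours of cover


@dataclass(frozen=True)
class Post:
    """One guard post and the cover it needs (hypothetical structure)."""
    name: str
    hours_per_day: float
    days_per_week: int

    @property
    def weekly_cover_hours(self) -> float:
        return self.hours_per_day * self.days_per_week


def officers_per_post(cover_hours: float, contracted_hours: float,
                      absence_rate: float) -> float:
    """Officers needed to keep a post manned for cover_hours each week.

    absence_rate is the fraction of contracted time lost to holidays,
    sickness and training (0.0 means nobody is ever absent).
    """
    if contracted_hours <= 0:
        raise ValueError("contracted_hours must be positive")
    if not 0 <= absence_rate < 1:
        raise ValueError("absence_rate must be in the range [0, 1)")
    productive_hours = contracted_hours * (1 - absence_rate)
    return cover_hours / productive_hours


def implied_absence_rate(rule_of_thumb: float, contracted_hours: float,
                         cover_hours: float = HOURS_PER_WEEK) -> float:
    """Absence rate that a rule-of-thumb staffing figure builds in."""
    raw_need = cover_hours / contracted_hours  # need with zero absence
    if rule_of_thumb < raw_need:
        raise ValueError("figure is below the zero-absence minimum")
    return 1 - raw_need / rule_of_thumb


def headcount(posts, contracted_hours: float, absence_rate: float,
              pooled: bool = True) -> int:
    """Whole officers to employ for a set of posts.

    pooled=True sums the fractional need across posts and rounds up once
    (officers can relieve any post); pooled=False rounds up per post.
    """
    needs = [officers_per_post(p.weekly_cover_hours, contracted_hours,
                               absence_rate) for p in posts]
    # round() absorbs floating-point noise before taking the ceiling
    if pooled:
        return math.ceil(round(sum(needs), 9))
    return sum(math.ceil(round(n, 9)) for n in needs)


# Constructed sample site: two 24-hour posts and a weekday reception desk.
SITE_POSTS = [
    Post("Main gate", 24, 7),
    Post("Control room", 24, 7),
    Post("Reception", 12, 5),
]

if __name__ == "__main__":
    # Zero absence: 168 / 40 = 4.2 officers, so the 4.5 figure carries a margin.
    print("No absence, 40 h week:", officers_per_post(168, 40, 0.0))

    # The 40-hour and 60-hour rules of thumb imply the same absence rate.
    rate = implied_absence_rate(4.5, 40)
    print("Implied absence (40 h):", round(rate, 4))
    print("Implied absence (60 h):", round(implied_absence_rate(3, 60), 4))

    # Illustrative sensitivity: a higher absence rate pushes the need up.
    print("15% absence, 40 h week:", round(officers_per_post(168, 40, 0.15), 2))

    print("Site headcount, pooled:", headcount(SITE_POSTS, 40, rate))
    print("Site headcount, per post:", headcount(SITE_POSTS, 40, rate, pooled=False))
```
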
The supervisor represents
management’s needs and views
to those below and at the same
time has the responsibility of
representing the needs and
views of his or her people up to
(Sennewald 2008)

Security Officers
The basic functions of a security officer force are many and varied, and it is not the purpose of this
unit to describe them in detail or to provide instruction on how to execute such duties. One of the
best resources on the duties of front-line security officers is The Security Manual by David Brooksbank.
The book is concise and not cumbersome, making it an ideal desktop companion. It is also available
on Kindle, so can be downloaded to smart phones, making it portable and fully searchable.
The duties of security officers should be set out in a detailed set of assignment instructions (or SOPs
– addressed earlier). This ensures the consistency and accountability of the security operation.
Typical Security Officer Duties
Typical security officer duties include the following:
Control of entrances and movement of pedestrian and vehicle traffic.
Visitor reception and processing.
Badge management.
Visitor escort and supervision (eg contractors).
Vehicle registration.
Person/vehicle/property searching and contraband detection.
Site searching for unauthorised persons, IEDs etc.
Patrolling of buildings and perimeters to detect and deter.
Ensuring adherence to badge wearing policy.
Equipment serviceability inspections.
Health and safety monitoring and rectification of hazards.
Fire prevention, detection and first response.
Enforcing enterprise security policy.
Escort of material and personnel.
Inspection of security and fire exposures.
Monitoring of assets from a central control facility.
CCTV and control room operation.
Incident reporting.
Interviewing and evidence collection.
Response, including emergency response and coordination.
Evicting undesirable persons from site.
Responding to criminal acts by employees.
Responding to criminal acts by outsiders.
Apprehension and temporary detention of suspects.
Dealing with disturbed people, including physical restraint.
Providing training and awareness.
Key control and locking up.
Lost property management.
Telephone messages and switchboard operation.
Guarding and escorting high-value items, such as cash.
Administering first aid.
Maintaining on-site traffic discipline.
Weighbridge management.
Shipping/receiving supervision and manifest inspections.
Securing facilities during strikes and managing peaceful picketing.
Protecting the site against site invasion and occupation.
Securing facilities and protecting the workforce during protest activity.
Security of controlled substances.
Protecting persons at risk (eg visitors, executives, VIPs).
Evacuating personnel in an emergency.
Mail screening.
Dealing with nuisance calls.
Emergency call-out.
Emergency response to employees in distress while off-site.
Special assignments.
ASIS (2011) emphasises that to perform duties properly, an officer must know many details, such as
the following:
Regulations of the security officer force.
Requirements of particular assignments.
Rules of the enterprise.
Layout of facilities and offices.
Facility security procedures.
Safety and fire regulations.
Fire-fighting procedures.
Vulnerable points of the facility and areas of high-value property storage.
Locations of all departments and key personnel and vulnerable personnel.
Locations of all telephones, fire alarm stations, and fire and emergency exits.
Locations of all stairways and doors.
Locations of stocks of materials.
Location of all fire-fighting equipment and PPE.
Locations of light switches.
Locations of elevator control switches.
Locations of heating, air conditioning, and ventilating controls.
Locations of all sprinkler system valves.
Locations of control devices for machinery and operations at the facility.
Model procedures on how to carry out many of the typical duties of a security officer can be found in
The Security Manual, by David Brooksbank.

© Copyright ISMI Certification Ltd. All Rights Reserved. Revised 0114
Conduct of Security Officers When on Duty
When on duty security officers are subject to special orders. ASIS (2011) provides the following
Non-familiarity, non-fraternisation and no unnecessary conversation with persons while on
duty. No favouritism and constant vigilance.
Officers should maintain a military bearing yet be customer friendly. Their dress and
deportment will be appropriate.
Smoking and eating on duty should be prohibited.
No conversations with, or statements to, the media.
Rules must be enforced diplomatically.
The employer’s uniform shall not be worn without authorisation.
Any criminal conviction will be promptly reported to the employer.
Officers will not leave their post until/unless properly relieved.
When handing over a post, officers will brief their relief fully.
Brooksbank (2007), for his part, advocates the following:
Do not act or imagine as if you have the powers of a police officer.
Do not criticise management or its decisions; they may be repeated to your detriment.
Do not gossip about security issues.
Do not expect, solicit, or expect favours.
Do not show favouritism, allow privileges or relax the rules in respect of anyone.
Do not lose your temper under provocation.
Do not use obscene or abusive language.
Do not let yourself become bored to the detriment of your performance.
Do not act the hero in life safety situations where the danger to you is significant.
Do remember that the image you project is all important in earning respect for you and for
the security function.
Do always remember that goodwill is an important element in your relationships.
Do study your company’s rules until you are completely familiar with them.
Consider your job and how you should behave in foreseeable circumstances.
Take notice of everything that occurs of a routine nature on your assignment, so that you can
quickly identify the abnormal.
Learn from the mistakes and misfortunes of others.
Remember that your employer’s interests are all important provided they are pursued within
the law.
Never give mistaken loyalty to a colleague who is behaving badly.
Security Officer Training
From the above it will be obvious that training is essential. If using contracted services, the officers
may have been trained already, but as cost is the imperative in contracted security services the
training will likely be minimal.
Training should take the form of:
1. Theoretical classroom studies (duties, appearance, law, handling complaints, reporting,
writing etc).
2. Practical training (restraint, response, handling emergencies, search, visitor processing,
patrolling etc.)
3. Specific-to-site training.
Theoretical classroom and practical training are usually delivered once, with annual refresher sessions.
The last category should be ongoing.
Training may also include distance learning and on-line packages, although for front-line security
operatives training should be made as practical as possible. Other forms of training include mentoring,
coaching and on-the-job training.
Security officer training courses should include at least some of the following elements:
The basic duties of a security officer – security officers should be proficient across a wide range
of basic skills: nature, role, duties and responsibilities of the security officer, access control
(personnel, material, vehicles), visitor processing, patrolling, legal authority and limitations,
dealing with intruders, use of force, observation and incident reporting, principles of
communication, principles of safeguarding information, console operation, life safety
awareness, car park and vehicle security, CCTV, contraband detection etc.
Basic literacy and skills – sufficient to enable the security officer to write short reports and
take statements.
Customer care – more often than not, the role of the security officer is less a paramilitary-style guard and more a company representative who is in regular interaction with customers,
whether they are employees of the company or visitors. “Meet and Greet” is often a core
function. Development of specific people skills relating to customer care is therefore of
importance in ensuring harmonious relations.
Conflict management and resolution – security officers should discharge their duties with
restraint, should respond calmly but firmly to rudeness and aggression and should be able to
defuse conflict. There may also be a need to train security officers to recognise the precursors
of violence and to deal with disturbed persons who pose an immediate threat to others. A
key aspect of the training will be how to effectively defuse conflict.
Ethics and behaviour – the ethical and behavioural standard of security officers should set an
example to others, and security officers should be made aware that by virtue of their special
position of trust, they will be punished severely for behavioural and ethical violations. This
includes soliciting or receiving favours or gifts for services performed. ASIS (2011) states that
failure to prevent damage to or theft of property, acceptance of bribes or gratuities, or
permitting the violation of company rules should be cause for discipline, including dismissal.
Conduct – security officers should discharge their duties in a professional and fair manner. But
care should be taken not to discharge duties as if the security officer were a police officer.
The fact that a security officer is identified by his or her uniform does not usually confer any
additional powers above that of a regular citizen. Security officers should not show
favouritism, allow privileges or permit relaxation of instructions in respect of anyone.
However, impartial goodwill should be at the forefront of security officer duties.
Technical skills – this may range from the operation of computers that control technical
security systems, through remedial maintenance of security systems, to the emergency
shutdown of critical site equipment in the event of an emergency.
Emergency response – to include practical training in fire-fighting equipment, life-safety
equipment, the administration of first aid, how to respond to accidents, workplace violence
etc., and any site-specific considerations. Also, crowd control, evacuation management,
action on discovery of suspicious devices etc.
Counter-terrorism – to include searching for suspicious devices, recognition of suspicious
devices, mail screening, recognition of potential hostile reconnaissance and incident
Crime-scene skills – specifically, how to handle evidence and preserve a scene of crime and
how to take witness statements. Also photography and crime scene sketching.
Crime response skills – how to liaise with police, how to give statements to police, how to
give evidence in court.
The use of notebooks – in some jurisdictions the pocket notebook can become a source of
evidence to be presented in court. Therefore, security staff need to be trained in the do’s and
Response skills – here it is important to educate the security officer in what he/she is expected
to respond to, and what would be considered too dangerous or unreasonable. Appropriate
practical training should be given for expected response actions. Under certain circumstances
this may include physical restraint training.
Personal equipment handling skills – depending on the assignment, the environment and the
law, the security officer may be equipped with a range of equipment, including radios, PDAs,
batons, non-lethal weapons and lethal weapons. Some of these, such as firearms, will require
regular refresher training and competence testing.
The law and regulations – security officers must be fully conversant with relevant areas of the
criminal law (especially theft, criminal damage, threats and intimidation, assault, possession
of illegal substances, trespass, possession of weapons, bribery and corruption, forgery,
permissible use of force, arrest, procedure after detention, questioning after arrest, search
after arrest, children and the law), specific site rules and regulations, and security procedures
and assignment instructions. Multiple choice testing is recommended.
Radio procedure – basic practical training in how to use portable communications equipment
in the most secure and effective manner.
Traffic management – basic directional hand signals, procedures on positioning when
stopping a vehicle, and possibly including the use of speed detection equipment.
Identification of typical frauds – for example, weighbridge fraud, delivery fraud, and
transportation fraud.
Special considerations when dealing with unionised employees – site specific.
Special considerations when dealing with strikes – site specific.
Health and safety at work and hazardous substances – health and safety is often a front-line,
day-to-day duty of security staff, who need to know not only basic health and safety
procedures but also special procedures relating to substances hazardous to health.
Fire prevention and detection – closely related to the above, but in consideration that while
on office premises most fires break out during the working day, in industrial premises most
fires break out at night, when the security officer may be the only person on site. This training
must also include instruction in fire regulations.
Equality, cultural diversity and human rights – many organisations have culturally and
religiously diverse workforces. Inappropriate behaviour, insensitive actions or ignorance may
lead to conflict. Security officers should be trained in correct use of language, specific terms
to avoid, acts of faith, tokens of faith, dress, diet, names and relevant legislation. In some
circumstances this may extend to specific training on the Voluntary Principles on Security and
Human Rights and the UN Guidelines on the Use of Force.
Illegal substances – in some environments there is a significant level of misuse of drugs. The
security officer must be fully conversant with the organisation’s drug and alcohol policy.
Training may involve recognition and management of persons under the influence of alcohol
and drugs, drugs and their effects, signs of persistent drug abuse, recognition of illegal
substances, recognition of paraphernalia associated with drug misuse.
Scenario training – it is difficult to assess how a security officer may react in a given scenario.
Scenario training enables a security officer to become more aware of the many issues that
occur in given specific scenarios and prepares him/her for what to expect.

Selecting Individual Security Officers
When selecting individual security officers, ASIS (2012) offers the following summary

Background Screening:
Criminal records check
Verification of declared qualifications
7 years employment history
7 years residential check
Investigate gaps of more than 1
Drugs screen test
Minimum Requirements:
Appropriate mental and physical
18 years old. If to be armed, psych-eval and minimum 21 years old
Disqualifiers:
Serious criminal conviction
Conviction of offence involving drugs
Declared by a court to be mentally
Personal Attributes:
Good character
Proper behaviour and ability to handle
Neat appearance
Knowledge of job

Contracting Guarding Services
Increasingly, there is a trend towards outsourcing non-core business activities and so the outsourcing
of security services is becoming the norm. Typically, the contract security sector is growing at about
5% per annum. In-house security officers have become an expensive luxury, and practice shows that
contracted services can perform the role at lower cost and often without significant reduction of the
quality of service – and sometimes with an improvement in service. The following is a comparison
between proprietary (in-house) and contract guarding services. You will no doubt be able to add to
this from experience.

Proprietary: Pros
Selection, hiring and firing under your direct control
Often better
Identify with
Pride and loyalty
Only serving one
supervisory chain
employees who know the company
Career employees
Proprietary: Cons
No sickness cover
Long-term sickness problems (often chronic back problems and
You provide the
The cost of added
You have to train
Usually more
Difficult to manage if disgruntled
Contract: Pros
Ability to replace if
Uniform provided
The contractor may write assignment
The contractor may provide added
The contractor may have manpower
Cover for sickness
Basic training provided by
Contract: Cons
Lack of site training
Lack of general
No control over
Motivation and pay under control of
Excessive staff
High company
labour turnover
May not identify with client
May feel like an
Often not career

The problems surrounding the use of contract officers are not universal and a combination of correct
contractor selection and good management will alleviate many of the disadvantages of using
contracted guarding services.
There is a growing realisation that the salaries of security personnel should be commensurate with
the increasing demands of their position. For example, security officers (guards) should be paid
equivalent to entry-level, semi-skilled employees (or equivalent to entry level wages for a proprietary
officer position), while the remuneration of security supervisors should be no less than that paid to
directly-employed operational supervisors on site.

Before engaging a contracted service, basic questions to be addressed include:
1. What level of security do you require? What is the appropriate balance between manpower,
hardware and procedures, noting that manpower is typically the most expensive?
2. Is there a business case for security manpower? Have you estimated the potential annual loss
exposure and calculated the potential return on investment in terms of loss avoidance that
security manpower can achieve? Remember in your calculations that a security measure
cannot reduce loss exposure to zero.
3. Have you considered how you are going to integrate technology with manpower? Technology
can be a significant force multiplier if used correctly.
4. What are the routine duties to be performed? Have you produced assignment instructions to
determine manpower requirements and do you have a post order for each duty?
5. Have you produced job descriptions and person specifications for each role?
6. Can you add value to the contract by diversifying the contribution of the security force, such
as health and safety, emergency response, first aid and rescue, fire first response?
7. What liability issues are covered by your policies and how does this fit in with your liability
8. Have you estimated the cost of equipping the security force?
9. What is the extent of training that will be required?
10. Do the officers need to be licensed?
11. What does the law say with regard to the possession and use of weapons and what will be the
company position on this?
12. How skilled will the officers need to be? What is the complexity of the equipment they will
have to operate?
13. Who will the team report to? An in-house manager or supervisor, or will they use their own
reporting structure? If the latter, how will you be kept informed?
14. What will be the exact management structure?
15. Are you going to stipulate minimum pay for the officers? Are you going to provide any form
of “top-up” pay?
16. What will be the procedure for problem resolution involving the guard force?
17. How will performance standards be monitored?
18. Who will provide appraisal and discipline?
19. How will you execute the invitation to bid? Will you pre-qualify bidders first? What will be
the pre-qualification criteria? Are your proposals in harmony with best practices in company
20. What are the health and safety hazards associated with the role? What will be your minimum
personal specifications? Have you consulted employment law to ensure that you can meet
your requirements and at the same time comply with employment law?
21. What are the legal requirements around contracting manned services and specifically the
legal, cultural, diversity and equality issues around employing exclusively nationals, non-nationals etc? Who will be responsible for the background screening of the officers?

The Procurement Process
The first stage of the tender process is to prepare a list of 10-12 companies and invite them to bid
(Julian, 2004). This can be compiled through networking with other security managers who can
recommend good providers. This may be at odds with your company’s procurement practice, which
may insist that the contract goes out to open tender. Conversely, they may be prepared to work with
you to establish minimum pre-qualification requirements that favour a smaller number of companies
that have good reputations in the industry. Typical pre-qualification questions are:
1. How long has the contractor company been in operation?
2. Can the contractor demonstrate consistently good performance on existing contracts?
3. What is the annual monetary turnover of the company? Can the company provide accounts
for the past three years?
4. What is the labour turnover of the company and how does this relate to the sector as a whole?
(a pre-qualification criterion should be that the company’s labour turnover should be better
than average for the sector)
5. How much experience does the contractor company have in this specific business sector?
6. Is this the contractor’s core business?
7. Have there been any health and safety rulings against the company?
8. Have there been criminal charges against the company or have any of its employees been
convicted of a criminal offence while on duty?
9. How does the company carry out training, and to what standard? Is there refresher training
(eg mobile training teams)? Are records kept?
10. What formal qualifications do employees have?
11. What are the baseline standards for hiring by the company?
12. What procedure does the company follow for background screening?
13. Does the company have any certifications?
14. Do the supervisors and managers in the company have any formal qualifications in general
management and in commercial security management? If not, why not?
15. What are the developmental opportunities for officers in the company? Are they encouraged
to take voluntary courses? Are they supported financially?
16. How does the company ensure employees are fit for assignment, including medical checks?
17. Is there an existing management structure able to meet the client’s requirements?
18. Does the company have sufficient existing staff to meet the requirement and are they resident
19. Can the company provide evidence of comparable contracts in terms of size, complexity,
duration and demands?
20. What added services can the contractor provide (eg. dog handlers, remote monitoring and
21. Can the contractor provide a list of assignments that can be contacted for references?
22. Are there any personality conflicts of interest between the contractor and your company that
would cause embarrassment if the contract were awarded to them?

The following points, not meant to be exhaustive, may help
you in developing the bid process:
1. Establish a timetable for the process.
2. Appoint a project manager.
3. Engage your Procurement Department, HR and
4. Define the scope of work and document this.
5. Establish contract terms and conditions.
6. Determine how long you want the contract to run.
7. Determine penalties for non-compliance with the contract terms and conditions.
8. Draw up a short list of pre-qualified contractors.
9. Develop a detailed Bid Specification Document (example headings are presented below) and
share this with all bidders.
10. Begin drafting the contract.
11. Develop a service level agreement (an example can be obtained from ISMI on request).
12. Request with the proposals the bidders’ trading terms and conditions and share with the
bidders your trading terms and conditions.
13. Issue an invitation to bid.
14. Set up a bidders’ conference at the site so that bidders can establish the operational
requirements, ask questions and tour the site.
15. Set a date for submission of bids no later than two weeks after the bidders’ conference.
16. Assess the bids, and select. Julian (2004) suggests that you look for:
   a. A clear and cogent plan to transition service to the new supplier.
   b. Value for money.
   c. Delivery of services and staff appropriate to the customer’s needs.
   d. Quality of performance and continuity.
   e. Innovation and added value.
   f. Appropriate management.
   g. Staff development and low turnover.
   h. Quality of references.
17. Invite the selected contractor for detailed discussions on the contract, Service Level
Agreement and Operating Agreement. The contract will then become a legally binding
agreement between the two parties.
ASIS (2011) advises the development of detailed bid specifications that spell out the
requirements, including wages, benefits, and performance expectations. This way you should be
able to avoid low-bid, poor-performance results after the contract has been awarded.
McCrie (2001) advises on the use of a solicitation summary,
Statement of purpose to identify tasks to be
Client contact person.
Bidders’ conference details.
Letter of intent.
Proposal submission
Modification or withdrawal of proposals.
Bidders’ rights of appeal.
Amendments to the
Procurement rules.

A Bid Specification Document should cover the following subjects:
The nature, quantity, quality and scope of the required services.
The standards of staff, management and supporting services required.
The qualifications, terms and conditions that will be applied.
The cost factors applying to the project.
Any customer issues, policies or systems that must be incorporated into the bid.
The terms and conditions of the contract.
It may be set out as below:
Duties of the contractor.
Sites where the contract will operate.
Staffing requirements.
Assignment instructions.
Additional cover arrangements.
Contractor’s personnel policies and standards.
Personnel competencies and training policy.
Vetting and clearance policies.
Uniform requirements.
Insurance requirements.
Quality management and QA standards.
Communications requirements.
Reporting and control standards.
Customer obligations.
Contractual terms and legal responsibilities.

Adapted from: Julian (2004)
Bibliography and Further Reading
Arvey and Campion (1982) in Berman, Jeffrey A. (1997), Competence-Based Employee Interviewing, Greenwood Press, Westport, CT
ASIS International (2011), The Protection of Assets Manual, ASIS International, Alexandria, VA
ASIS International (2008), The Chief Security Officer Guideline, ASIS International, Alexandria, VA
ASIS International (2008), The Chief Security Officer Standard, ASIS International, Alexandria, VA
Berger, David (1999), Industrial Security, Elsevier, Boston, MA
Cunningham, W, Strauchs, J and Van Meter, C (1990), Private Security Trends 1970-2000: The Hallcrest Report II, Butterworth-Heinemann, Stoneham, MA
Fay, David (1999), Model Security Policies and Procedures, Elsevier, Boston, MA
Fay, David (2002), The Contemporary Security Manager, Elsevier, Boston, MA
Gill, Martin (2006), The Handbook of Security, Palgrave Macmillan, London
Hanson, Julie (2005), The State of the CSO, CSO Online
Johnson, Brian R (2004), The Principles of Security Management, Elsevier, Boston, MA
Julian, John (2004), Selecting a Guarding Contractor, The Security Institute, UK
Lussier, R.N. and Achua, C.F. (2004), Leadership: Theory, Application, Skill Development, Thomson South-Western, Eagan, MN
Kovacich, Edward and Halibozek, Gerald (2006), Security Metrics Management, Elsevier, Boston, MA
Patterson, David (2003), Implementing Physical Protection Systems, ASIS International, Alexandria,
Purpura, Phillip (2008), Introduction to Security, Elsevier, Boston, MA
Sennewald, Charles A. (2008), Effective Security Management, Elsevier, Boston, MA
Brooksbank, David (2007), The Security Manual, Gower, UK
Wyllie, William (1998), The Millennium Security Manager, Wyllie, Leicester, UK
Web Resources:
Centre for the Protection of National Infrastructure
Newcastle University
Scottish Credit and Qualifications Framework
The material and information contained in this Unit are generic, and for general information and
educational purposes only. You rely upon the material or information in this Unit as a basis for
making any security, business, legal or any other decisions entirely at your own risk and without
legal recourse to ISMI. Whilst ISMI endeavours to keep the information up to date and correct,
we make no representations or warranties of any kind, express or implied about the
completeness, accuracy, reliability, suitability or availability with respect to the Unit or the
information, best practice, products, services or related graphics contained in the Unit for any
purpose. Any reliance you place on such material is therefore strictly at your own risk.