Private security services - Protection of critical infrastructure - Part 1: General requirements

This document is the overarching standard for the provision of private security services for critical infrastructure. It is complemented by vertical sub-standards for specific sectors with a more detailed focus on the related services, such as aviation security and maritime/port security.
It specifies service requirements for quality in the organization, processes, personnel and management of a security service provider and/or its independent branches and establishments under commercial law, acting as a provider of security services.
It lays down quality criteria for the delivery of security services requested by public and private clients.
This document is suitable for the selection, attribution, awarding and reviewing of the most suitable provider of security services.

Private Sicherheitsvorkehrungen zum Schutz kritischer Infrastrukturen - Teil 1: Allgemeine Anforderungen

This document contains the main overarching requirements for the provision of private security services for critical infrastructure.
NOTE 1 This document is the first part of a series of standards on the provision of private security services for critical infrastructure. It is complemented by further sector-specific parts that give more detailed requirements for related services such as aviation security and maritime and port security.
NOTE 2 Examples of critical infrastructure sectors are given in Annex A.
NOTE 3 See Figure 1.
[Figure 1]
NOTE 4 It is important that the selection of a private security service provider always represents the best balance between quality and price. This document sets out the minimum requirements that providers should meet in order for this balance to be achieved.
It specifies service requirements for quality with regard to the organization, processes, personnel and management of a security service provider and/or its independent branches and establishments under commercial law as a provider of security services.
It lays down quality criteria for the delivery of security services requested by public and private clients.
This document is suitable for the selection, attribution, awarding and reviewing of the most suitable provider of security services.

Dispositions de sécurité privée pour la protection des infrastructures critiques - Partie 1 : Exigences générales

This document constitutes the framework standard for the provision of private security services for critical infrastructure. It is complemented by vertical sub-standards for specific sectors, with a more precise focus on related services such as aviation security and maritime/port security.
It specifies the service quality requirements relating to the organization, processes, personnel and management of a security service provider and/or its independent branches and establishments under commercial law, acting as a provider of security services.
It specifies the quality criteria relating to the delivery of security services requested by public and private clients.
This document is suitable for the selection, attribution, awarding and review of the most appropriate security service provider.

Storitve zasebnega varovanja - Zaščita kritične infrastrukture - 1. del: Splošne zahteve

General Information

Status: Published
Public Enquiry End Date: 22-Jul-2020
Publication Date: 22-Jul-2021
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 21-Jul-2021
Due Date: 25-Sep-2021
Completion Date: 23-Jul-2021

Buy Standard

Standard: SIST EN 17483-1:2021, English language, 24 pages
Draft: oSIST prEN 17483-1:2020, English language, 22 pages

Standards Content (sample)

SLOVENIAN STANDARD
SIST EN 17483-1:2021
01 September 2021
Storitve zasebnega varovanja - Zaščita kritične infrastrukture - 1. del: Splošne zahteve
Private security services - Protection of critical infrastructure - Part 1: General requirements
Private Sicherheitsvorkehrungen zum Schutz kritischer Infrastrukturen - Teil 1: Allgemeine Anforderungen
Dispositions de sécurité privée pour la protection des infrastructures critiques - Partie 1 : Exigences générales
This Slovenian standard is identical to: EN 17483-1:2021
ICS:
03.080.99 Other services
13.310 Protection against crime
SIST EN 17483-1:2021 en,fr,de

2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EN 17483-1
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2021
ICS 03.080.99; 13.310
English Version
Private security services - Protection of critical infrastructure - Part 1: General requirements
Dispositions de sécurité privée pour la protection des infrastructures critiques - Partie 1 : Exigences générales
Private Sicherheitsvorkehrungen zum Schutz kritischer Infrastrukturen - Teil 1: Allgemeine Anforderungen

This European Standard was approved by CEN on 23 May 2021.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2021 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 17483-1:2021 E
EN 17483-1:2021 (E)
Contents

European foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Provider
4.1 General
4.2 Structure
4.2.1 Management structure
4.2.2 Human resources management
4.3 Health and Safety Management
4.4 Risk management
4.5 Operational and financial capacity
4.6 Business continuity management
4.7 Insurances
4.8 Corporate governance and compliance
4.9 IT-Security Management
5 Contracts
5.1 General
5.2 Contractual liabilities
5.3 Contract manager
5.4 On-site management
5.5 Customer responsibility
5.6 Resources
5.7 Cooperation with other relevant parties
5.8 Subcontractors
5.8.1 General
5.8.2 Contracts
5.8.3 Selection
5.9 Leased workers/agency workers
6 Staff
6.1 General
6.1.1 Introduction
6.1.2 Terms and conditions of employment
6.1.3 Security screening
6.1.4 Identification of staff
6.1.5 Uniform
6.2 Recruitment and selection
6.2.1 General
6.2.2 Criteria to be fulfilled for employment
6.2.3 Selection
6.2.4 Interview
6.2.5 Recruiting
6.3 Training
6.3.1 Training policy
6.3.2 Trainer
6.3.3 Training requirements
7 Service delivery
7.1 Start up and contract commencement
7.2 Operating procedures
7.3 Communication with the customer
7.4 Operational plan and rostering
7.5 Service level agreement
7.6 Contract termination and cessation of services
Annex A (informative) Examples of critical infrastructure sectors
Bibliography

European foreword

This document (EN 17483-1:2021) has been prepared by Technical Committee CEN/TC 439 “Private security services”, the secretariat of which is held by ASI.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by December 2021, and conflicting national standards shall be withdrawn at the latest by December 2021.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organisations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
1 Scope

This document includes the main overarching requirements for the provision of private security services for critical infrastructure.

NOTE 1 This document is the first part of a series of standards on the provision of private security services for critical infrastructure. It will be complemented by other sector specific parts, which give more detailed requirements for related services such as aviation, maritime and port security.
NOTE 2 Examples of critical infrastructure sectors are given in Annex A.
NOTE 3 See Figure 1.
[Figure 1 — Structure for sector-specific standards]
NOTE 4 It is important that the selection of a private security service provider always represents the best balance between quality and price. This document sets out the minimum requirements that providers should comply with in order for this balance to be struck.

It specifies service requirements for quality in the organization, processes, personnel and management of a security service provider and/or its independent branches and establishments under commercial law and trade as a provider of security services.

It lays down quality criteria for the delivery of security services requested by public and private clients.

This document is suitable for the selection, attribution, awarding and reviewing of the most suitable provider of security services.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

EN 15602, Security service providers - Terminology

3 Terms and definitions

For the purposes of this document, the terms and definitions given in EN 15602 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp

3.1
critical infrastructure
asset, system, or a part thereof, which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a society as a result of the failure to maintain those functions
Note 1 to entry: Examples of critical infrastructure sectors are given in Annex A.

3.2
insider threat
threat posed by unauthorised access, use or disclosure of privileged information, techniques, technology, assets or premises by an individual with legitimate or indirect access, which could cause harm or damage

3.3
insider threat policy
policy aimed to detect and mitigate insider threats

3.4
risk assessment
systematic process for the identification, analysis and evaluation of threats to determine the impact of the consequences of hazards and threats relative to the probability of their occurrence
3.5
security analysis
total of defined organizational, personnel, technical and structural security measures for the prevention and/or averting of dangers through written analysis of possible attack and damage scenarios with the aim of achieving a defined level of protection
Note 1 to entry: Security analyses are based on a structured approach which generally includes the following criteria:
— determination of the object to be protected and the protection aims;
— analysis of threats / damage scenarios / dangers;
— evaluation of probability of occurrence and potential extent of damage;
— development of measures to reduce damages and their probability of occurrence;
— development of measures to initiate security as early as possible (e.g. coordination of electronic and mechanical security devices to trigger an alarm before the mechanical security devices have been completely overcome);
— planning of measures and provision of means for damage control and containment in the event of damage;
— analysis of the own risk bearing capacity and assessment of the residual risk.
Even a sophisticated security analysis is not able to eliminate the residual risk completely. For this reason, crisis and disaster management is often introduced to protect life and property as far as possible in an emergency.

3.6
staff performance management policy
systematic process by which the provider involves its employees, as individuals and members of a group, in improving organisational effectiveness in the accomplishment of the provider's mission and goals
Note 1 to entry: This policy is a tool which is used to communicate the organisational goal to the employees individually, allot individual accountability towards that goal, track progress in the achievement of the goals assigned and evaluate their individual performance. The staff performance management policy reflects the individual performance or the accomplishment of an employee, which evaluates and keeps track of all the employees of the organization.
3.7
management system
set of interrelated or interacting elements of an organisation to establish policies and objectives, and processes to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines, e.g. quality management, financial management or environmental management.
Note 2 to entry: The management system elements establish the organization's structure, roles and responsibilities, planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those objectives.
Note 3 to entry: The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organisations.
Note 4 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by modifying Notes 1 to 3 to entry.
[SOURCE: EN ISO 9000:2015, 3.5.3]

3.8
key performance indicator
KPI
business statistics which measure an organisation's performance
Note 1 to entry: KPIs show the progress (or lack of it) toward realizing the organization's objectives or strategic plans by monitoring activities which (if not properly performed) would likely cause degradation of the performance of the provider.
[SOURCE: EN 50518:2019, 3.1.21 modified — At Note 1 to entry the term provider is used instead of ARC]
4 Provider

4.1 General

The provider shall be authorized by the competent authorities to provide private security services for critical infrastructure if those are already specified and/or regulated by public authorities in accordance with the national legal frameworks.

A provider shall only provide those private security services for critical infrastructure for which the provider has obtained the necessary authorization from the competent authority corresponding to the sector-specific standard(s).

4.2 Structure

4.2.1 Management structure

The provider shall demonstrate that its owners, board members and management have a clean record, e.g. have not been convicted for any of the following crimes:
a) weapons and/or drug trafficking and/or organized crime;
b) bribery and/or corruption;
c) fraud and/or money laundering and/or financing of terrorism;
d) attempting or committing terrorist offences;
e) child labour and/or trafficking in human beings;
f) intentional crimes against human beings;
g) tax or social security fraud;
h) cyber and information security crimes.

They need to hold the required licence for their function where legally applicable.

The provider shall:
1) have a management structure showing command, control and accountability at each level of operation;
2) have code of conduct documents on ethics, drugs and alcohol, compliance and corporate social responsibility and about operational procedures (e.g. hygiene and cleanliness, behaviour, punctuality);
3) clearly communicate organizational structures and procedures to all operational levels;
4) operate a complaints management system in accordance with quality management systems;
5) have secure storage for important and confidential documents relating to the contract;
6) operate under confidentiality procedures for the management of information and data related to the business;
7) provide rules for making contract information available to third parties;
8) have an operational presence within an appropriate distance to the site where the services are provided for the duration of the contract, or at least for the duration of the provision of the services;
9) disclose the structure of its ownership as well as demonstrate the professional competence of its management for the provision of private security services;
10) disclose any unspent criminal convictions and current or discharged bankruptcy of a principal or director;
11) give information on its membership of professional organisations;
12) give information on the provider’s activities with regards to its compliance with applicable legislation regarding the protection of environment;
13) have a management system implemented that covers the quality for the provision of the declared services.

NOTE A management system such as EN ISO 9001 or similar fulfils the requirement.

4.2.2 Human resources management

4.2.2.1 General

The provider shall have policies in place, which shall include the following:
a) maintaining accurate information/data on staff structure and staff numbers;
b) recruitment including job descriptions;
c) retention of staff;
d) career development;
e) training;
f) absenteeism reduction;
g) equal opportunities;
h) disciplinary and grievance;
i) inspection/supervision;
j) operational management;
k) staff satisfaction measurement;
l) staff representation (participation in decision-making).
The policies are also expected to:
m) abide by labour and social law and collective labour agreements;
n) abide by law and regulations regarding health and safety and appropriate internal policies for health and safety.

4.2.2.2 Staff motivation

The provider shall have a policy for motivating security staff. This policy shall include at least the following:
— methodologies used;
— motivation measuring system;
— motivation techniques;
— responsibility on the job;
— self-management (shift work, measures against boredom);
— communication on the job (dealing with clients and colleagues);
— safety awareness.
The provider shall inform staff about career opportunities.

4.2.2.3 Staff performance management policy

The provider shall implement a clearly defined staff performance management policy.

4.3 Health and Safety Management

The provider shall have a structured occupational health and safety management system (e.g. ISO 45001 [12]).

NOTE ISO 45001 [12] (old: OHSAS 18001:2007 [14]) is an Occupational Health and Safety Assessment Series for health and safety management systems. Such a management system is intended to help the provider to control occupational health and safety risks.

The provider shall mitigate against occupational hazards and demonstrate that the client is always actively involved.

The working environment shall be in line with social and technical development that has an impact on health and safety.

Work shall be planned in a manner that it can be performed in a safe and healthy environment.

The provider shall investigate accidents together with the health and safety representative of the client and/or staff if present, continuously assess risks and take all precautions necessary.

The provider shall document the working conditions and measures to improve them.

The provider shall also make preventative medical care available to the employees suited to their working conditions. In case of a health and safety incident the provider shall also make medical treatment available at no cost to the employee, unless this is covered by statutory insurance.

4.4 Risk management

The provider shall install and maintain a risk management system and be able to demonstrate it (e.g. EN ISO 22301 [6] or ISO 31000 [9]).

4.5 Operational and financial capacity

The provider shall demonstrate that it has the necessary capacity in terms of infrastructure, staff and procedures to guarantee the full implementation of all terms and clauses of the contract between the provider and the client.

The provider shall disclose information to the potential client about its organizational structure, its dedicated responsible management if applicable, the range of services it is authorized to provide and the length of time it has been operating private security services for critical infrastructure.

The provider shall disclose the following information to the potential client:
— balance sheets and profit and loss statements for the past three financial years if their publication is compulsory under the legislation or practice in the country in which the applicant is registered;
— valid tax clearance certificate where relevant;
— clearance certificate from social security authorities with regard to necessary social security fees where relevant.

At the request of the potential client, the provider shall also provide a project-related operational and financial plan, where the requested security services exceed a value of 15 % of the total turnover of the last closed business year of the provider.

4.6 Business continuity management

The provider shall establish a documented business continuity policy including operational contingency plans.

The provider shall record which significant risks exist with regard to its operational processes and procedures and the technologies used for this purpose, e.g. on the basis of EN ISO 9001 [4]. In particular, the critical processes shall be identified and suitable measures for risk minimization shall be defined.

NOTE Further information and examples are given in e.g. EN ISO 22301 [6].
4.7 Insurances

The provider is expected to comply with international and/or national regulations and collective labour agreements regarding insurances.

The provider's insurance shall include cover for the following:

— accidents to employees while on duty (including the necessary on- and offboarding time before and after duty) unless covered by statutory insurance;
— loss, damage or injury to the customer or third parties caused by intent or negligence of the provider (as long as they have been caused whilst performing the contractual duties).

The provider shall provide to the client its insurance policy and supporting information regarding third party liability.

The provider shall ensure there is adequate evidence of appropriate insurance cover to the client.

When sub-contracting work to a third party, the provider shall ensure that adequate insurance cover commensurate with the business is in place.
4.8 Corporate governance and compliance

The provider shall demonstrate a structured corporate governance policy or equivalent and shall provide evidence of its:

— code of conduct for directors and employees;
— internal and external control procedures and audits;
— reporting arrangements – financial and operational.
4.9 IT-Security Management

The provider shall establish a documented IT-security management system. The provider and the client shall agree on IT-security management processes according to their requirements.

NOTE EN ISO/IEC 27001 [7] gives more information on IT-security management systems.

5 Co
...

SLOVENIAN STANDARD
oSIST prEN 17483-1:2020
1 July 2020

Private security provision for the protection of Critical Infrastructure - Part 1: General requirements
(Slovenian title: Zagotavljanje zasebne varnosti za zaščito kritične infrastrukture - 1. del: Splošne zahteve; German title: Private Sicherheitsmaßnahmen zum Schutz kritischer Infrastrukturen; French title: Dispositions de sécurité privée pour la protection des infrastructures critiques - Partie 1 : Exigences générales)

This Slovenian standard is identical to: prEN 17483-1
ICS:
03.080.99 Other services
13.310 Protection against crime
oSIST prEN 17483-1:2020 en,fr,de

2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

DRAFT EUROPEAN STANDARD
prEN 17483-1
April 2020
ICS 03.080.99; 13.310
English Version
Private security provision for the protection of Critical Infrastructure - Part 1: General requirements
(French title: Dispositions de sécurité privée pour la protection des infrastructures critiques - Partie 1 : Exigences générales; German title: Private Sicherheitsmaßnahmen zum Schutz kritischer Infrastrukturen)

This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee CEN/TC 439.

If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and shall not be referred to as a European Standard.

EUROPEAN COMMITTEE FOR STANDARDIZATION
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2020 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. prEN 17483-1:2020 E
Contents

European foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Provider
4.1 General
4.2 Structure
4.2.1 Management structure
4.2.2 Human resources management
4.3 Health and Safety Management
4.4 Risk management
4.5 Operational and financial capacity
4.6 Business continuity management
4.7 Insurances
4.8 Corporate governance and compliance
4.9 IT-Security Management
5 Contracts
5.1 General
5.2 Financial terms
5.3 Contractual liabilities
5.4 Contract manager
5.5 On-site management
5.6 Customer responsibility
5.7 Resources
5.8 Cooperation with other relevant parties
5.9 Subcontractors
5.9.1 General
5.9.2 Contracts
5.9.3 Selection
5.10 Leased workers
6 Staff
6.1 General
6.1.1 Introduction
6.1.2 Terms and conditions of employment
6.1.3 Security screening
6.1.4 Breach of terms and conditions of employment
6.1.5 Identification of staff
6.1.6 Uniform
6.2 Recruitment and selection
6.2.1 General
6.2.2 Criteria to be fulfilled for employment
6.2.3 Selection
6.2.4 Interview
6.2.5 Recruiting
6.3 Training
6.3.1 Training policy
6.3.2 Trainer
6.3.3 Training requirements
7 Service delivery
7.1 Start up and contract commencement
7.2 Operating procedures
7.3 Communication with the customer
7.4 Operational plan and rostering
7.5 Service level agreement
7.6 Contract termination and cessation of services
Annex A (informative) Examples of critical infrastructure sectors
Bibliography
European foreword

This document (prEN 17483-1:2020) has been prepared by Technical Committee CEN/TC 439 "Private security services", the secretariat of which is held by ASI.

This document is currently submitted to the CEN Enquiry.
1 Scope

This document is the overarching standard for the provision of private security services for critical infrastructure. It is complemented by vertical substandards for specific sectors with more detailed focus on the related services such as e.g. aviation security and maritime/port security.

It specifies service requirements for quality in organization, processes, personnel and management of a security service provider and/or its independent branches and establishments under commercial law and trade as a provider with regard to security services.

It lays down quality criteria for the delivery of security services requested by public and private clients.

This document is suitable for the selection, attribution, awarding and reviewing of the most suitable provider of security services.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

EN 15602:2008, Security service providers — Terminology
3 Terms and definitions

For the purposes of this document, the terms and definitions given in EN 15602 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp

3.1
critical infrastructure

asset, system or part thereof which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a society as a result of the failure to maintain those functions

Note 1 to entry: Examples of critical infrastructure sectors are given in Annex A.

3.2
insider threat

threat posed by unauthorised access, use or disclosure of privileged information, techniques, technology, assets or premises by an individual with legitimate or indirect access, which could cause harm or damage

3.3
insider threat policy

policy aimed to detect and mitigate insider threats

3.4
risk assessment

systematic process for the identification, analysis and evaluation of threats to determine the impact of the consequences of hazards and threats relative to the probability of their occurrence

3.5
security analysis

total of defined organisational, personnel, technical and structural security measures for the prevention and/or averting of dangers through written analysis of possible attack and damage scenarios with the aim of achieving a defined level of protection

Note 1 to entry: Security analyses are based on a structured approach which generally includes the following criteria:

— determination of the object to be protected and the protection aims;
— analysis of threats / damage scenarios / dangers;
— evaluation of probability of occurrence and potential extent of damage;
— development of measures to reduce damages and their probability of occurrence;
— development of measures to initiate security as early as possible (e.g. coordination of electronic and mechanical security devices to trigger an alarm before the mechanical security devices have been completely overcome);
— planning of measures and provision of means for damage control and containment in the event of damage;
— analysis of the own risk bearing capacity and assessment of the residual risk.

Even a sophisticated security analysis is not able to eliminate the residual risk completely. For this reason, crisis and disaster management is often introduced to protect life and property as far as possible in an emergency.

3.6
staff performance management policy

systematic process by which the provider involves its employees, as individuals and members of a group, in improving organizational effectiveness in the accomplishment of the provider's mission and goals

Note 1 to entry: This policy is a tool used to communicate the organizational goal to the employees individually, to allot individual accountability towards that goal, to track progress in the achievement of the goals assigned and to evaluate individual performance. The staff performance management policy reflects the individual performance or accomplishment of an employee and evaluates and keeps track of all the employees of the organization.

3.7
sector-specific substandard

complementary vertical standards to this overarching standard within the critical infrastructure sectors

Note 1 to entry: Examples of critical infrastructure sectors are given in Annex A.

Note 2 to entry: See Figure 1.
Figure 1 — Structure for sector-specific substandards
4 Provider
4.1 General

The provider shall be authorized by the competent authorities to provide private security services for critical infrastructure if those are already specified and/or regulated by public authorities in accordance with the national legal frameworks.

A provider shall only provide those private security services for critical infrastructure for which the provider has obtained the necessary authorization from the competent authority corresponding to the sector-specific substandard(s).

4.2 Structure
4.2.1 Management structure

The provider shall demonstrate that its owners, board members and management have a clean record, e.g. have not been convicted of, and have no pending charges for, any crimes such as:
a) weapons and/or drug trafficking and/or organized crime;
b) bribery and/or corruption;
c) fraud and/or money laundering and/or financing of terrorism;
d) attempting or committing terrorist offences;
e) child labour and/or trafficking in human beings;
f) intentional crimes against human beings and public or private property;
g) tax evasion or evasion of social security contributions.

They need to hold the required licence for their function where legally applicable.

The provider shall:

1) have a management structure showing command, control and accountability at each level of operation;
2) have a code of conduct on ethics, drugs and alcohol;
3) have a code of conduct on compliance and corporate social responsibility;
4) have a code of conduct about operational procedures (e.g. appearance, behaviour, punctuality);
5) clearly communicate structures and procedures to all operational levels;
6) operate a complaints management system in accordance with quality management systems;
7) have secure storage of important and confidential documents related to the contract;
8) operate under confidentiality management of information and data related to the business;
9) provide rules for making contract information available to third parties;
10) have an operational presence within an appropriate distance to the site of the provision of the service for the duration of the contract, or at least for the duration of the execution of the services;
11) disclose the structure of its ownership as well as the curricula vitae of its management;
12) disclose any unspent criminal convictions or undischarged bankruptcy of a principal or director;
13) give information on its membership in professional organizations;
14) give information on the compliance of its activities with applicable legislation regarding the protection of the environment.

The provider shall be able to demonstrate the above to the potential client before signing the contract, if the potential client so requires. The provider can also disclose other relevant information to the potential client, such as other certifications.
4.2.2 Human resources management
4.2.2.1 General

The provider shall have a human resource policy in place, which shall include the following:

a) abide by labour and social law and collective labour agreements;
b) abide by law and regulations regarding health and safety and appropriate internal policies for health and safety;
c) maintaining accurate information/data on staff structure and staff numbers;
d) recruitment policy including job description;
e) policies for retention of staff;
f) policies for career development;
g) training policy;
h) absenteeism reduction policies;
i) policies for equal opportunities;
j) disciplinary and grievance procedures;
k) inspection/supervision;
l) operational management;
m) staff satisfaction ratios;
n) staff representation (participation in decision-making).
4.2.2.2 Staff motivation

The provider shall demonstrate its policy for motivating security staff. This policy shall include at least the following:
— methodologies used;
— motivation measuring system;
— motivation techniques;
— responsibility on the job;
— self-management (shift work, measures against boredom);
— communication on the job (dealing with clients and colleagues);
— safety consciousness.
The provider shall inform staff entering the company about career opportunities.
4.2.2.3 Staff performance management policy

The provider shall implement a clearly defined staff performance management policy.

4.3 Health and Safety Management

The provider shall have a structured occupational health and safety management system (e.g. ISO 45001 [10]).

NOTE ISO 45001 [10] (which replaced OHSAS 18001:2007 [12], the Occupational Health and Safety Assessment Series) specifies requirements for occupational health and safety management systems. Such a management system is intended to help the provider to control occupational health and safety risks.

The provider shall prevent occupational hazards and demonstrate that the client is always actively involved.

The working environment shall be in line with social and technical developments that have an impact on health and safety.

Work shall be planned in a manner that it can be performed in a safe and healthy environment.

The provider shall investigate accidents together with the health and safety representative of the client and/or staff if present, continuously assess risks and take all precautions necessary.

The provider shall document the working conditions and the action plans and measures to improve them.

The provider shall also make preventative medical care available to the employees suited to their working conditions. In case of a health and safety incident the provider shall also make medical treatment available at no cost to the employee.
4.4 Risk management

The provider shall install and maintain a risk management system and be able to demonstrate it (e.g. EN ISO 22301 [3] or ISO 31000 [7]).

4.5 Operational and financial capacity

The provider shall demonstrate that it has the necessary capacity in terms of infrastructure, staff and procedures to guarantee the full execution of all terms and clauses of the contract between the provider and the client.

The provider shall disclose information to the potential client about its organizational structure, its dedicated responsible management if applicable, the range of services it is authorized to provide and the length of time it has been operating private security services for critical infrastructure.

At the request of the potential client, the provider shall also provide a project-related operational and financial plan in case the volume of the requested security services exceeds a value of 15 % in relation to the total turnover of the last closed business year of the provider.

4.6 Business continuity management

The provider shall establish a documented business continuity policy including operational contingency plans.

The provider shall provide evidence of which significant risks exist with regard to its operational processes and procedures and the technologies used for this purpose, e.g. on the basis of EN ISO 9001 [6]. In particular, the critical processes shall be identified and suitable measures for risk minimization shall be defined.

NOTE Further information and examples are given in e.g. EN ISO 22301 [3].
4.7 Insurances

The provider is expected to comply with international and/or national regulations and collective labour agreements regarding insurances.

Insurances of the provider shall cover the following:

— accidents to employees while on duty (including the necessary on- and offboarding time before and after duty);
— general liability;
— social security/public liability.

The provider shall disclose to the client information and its policy and views regarding third party liability.

The provider shall ensure there is sufficient evidence of appropriate insurance coverage to the client.


When sub-contracting work to a third party, the provider shall ensure that sufficient insurance cover commensurate with the business is in place.

4.8 Corporate governance and compliance

The provider shall demonstrate a structured corporate governance policy or equivalent and shall provide evidence of its:

— code of conduct for directors and employees;
— internal and external control procedures and audits;
— reporting arrangements – financial and operational.

4.9 IT-Security Management

The provider shall establish documented IT-security management according to existing standards, e.g. on the basis of EN ISO/IEC 27001 [4].
5 Contracts
5.1 General

A written contract between the provider and the client shall be signed by both parties. The contract shall state the rights and obligations of the provider and of the client including respective liabilities and responsibilities and financial and economic aspects. The contract shall clearly stipulate the usage of sub-contractors as well as respective conditions.

The client shall provide a security analysis, to the extent necessary to provide the security service, to the provider. In the security analysis, critical infrastructures (see 3.1) shall be identified separately.

If the client is not able to provide a security analysis, then the provider should carry out a risk assessment of the critical infrastructure site:

— assess the probability of a security breach and/or threat and the consequence of such an event on the site;
— define countermeasures and the security plan;
— clarify that the proposed contract meets the risk assessment.

The security analysis/assessment is the basis for the preparation of the security plan. The security plan should incorporate the optimization of the required services by the use of technologies, procedures and workforce. The security plan shall contain information to ensure the ongoing provision of services and the deployment of managers on site.

5.2 Financial terms

The provider shall disclose the following information to the potential client:

— balance sheets and profit and loss statements for the past three financial years if their publication is compulsory under the legislation or practice in the country in which the applicant is registered;
— valid tax clearance certificate where relevant;
— clearance certificate from social security authorities with regard to necessary social security fees where relevant.
5.3 Contractual liabilities

The provider's liability for damages arising in the course of the provision of services and for which the provider is responsible shall be agreed between the provider and the client within the framework of the contract.

The amount of liability demanded by the client shall be limited at least in the case of simple negligence. These limits of liability shall be regulated in the contract and shall be set in relation to the risk analysis/assessment and the contract value. The agreed limit of liability shall not exceed the insurance coverage.

5.4 Contract manager

The provider shall appoint and present a contract manager to the client, who is responsible for the organization and operation of the contract. This person shall have the mandate for handling all employment issues in regard to the contract.

5.5 On-site management

If there is more than one security guard on duty at the same time on site, an on-site operational manager shall be appointed (e.g. senior guard, team leader, shift leader).
5.6 Customer responsibi
...
