SIST EN 17483-1:2021
Private security services - Protection of critical infrastructure - Part 1: General requirements
This document is the overarching standard for the provision of private security services for critical infrastructure. It is complemented by vertical substandards for specific sectors with more detailed focus on the related services such as e.g. aviation security and maritime/port security.
It specifies service requirements for quality in organization, processes, personnel and management of a security service provider and/or its independent branches and establishments under commercial law and trade as a provider with regard to security services.
It lays down quality criteria for the delivery of security services requested by public and private clients.
This document is suitable for the selection, attribution, awarding and reviewing of the most suitable provider of security services.
This document contains the main overarching requirements for the provision of private security services for critical infrastructure.
NOTE 1 This document is the first part of a series of standards on the provision of private security services for critical infrastructure. It is complemented by further sector-specific parts, which give more detailed requirements for related services such as aviation security and maritime and port security.
NOTE 2 Examples of critical infrastructure sectors are given in Annex A.
NOTE 3 See Figure 1.
[Figure 1]
NOTE 4 It is important that the selection of a private security service provider always represents the best balance between quality and price. This document sets out the minimum requirements that providers should meet in order for this balance to be struck.
It specifies service requirements for quality in the organization, processes, personnel and management of a security service provider and/or its independent branches and establishments under commercial law as a provider of security services.
It lays down quality criteria for the delivery of security services requested by public and private clients.
This document is suitable for the selection, attribution, awarding and reviewing of the most suitable provider of security services.
Standards Content (Sample)
SLOVENIAN STANDARD
SIST EN 17483-1:2021
1 September 2021
Private security services - Protection of critical infrastructure - Part 1: General requirements
This Slovenian standard is identical to: EN 17483-1:2021
ICS:
03.080.99 Other services
13.310 Protection against crime
SIST EN 17483-1:2021 en,fr,de
Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
EN 17483-1
EUROPEAN STANDARD
NORME EUROPÉENNE
June 2021
EUROPÄISCHE NORM
ICS 03.080.99; 13.310
English Version
Private security services - Protection of critical
infrastructure - Part 1: General requirements
This European Standard was approved by CEN on 23 May 2021.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 17483-1:2021 E
SIST EN 17483-1:2021
EN 17483-1:2021 (E)
Contents Page
European foreword . 4
1 Scope . 5
2 Normative references . 6
3 Terms and definitions . 6
4 Provider . 8
4.1 General . 8
4.2 Structure . 8
4.2.1 Management structure . 8
4.2.2 Human resources management . 10
4.3 Health and Safety Management . 11
4.4 Risk management . 11
4.5 Operational and financial capacity . 11
4.6 Business continuity management . 12
4.7 Insurances . 12
4.8 Corporate governance and compliance . 12
4.9 IT-Security Management . 12
5 Contracts . 13
5.1 General . 13
5.2 Contractual liabilities . 13
5.3 Contract manager . 13
5.4 On-site management . 13
5.5 Customer responsibility . 14
5.6 Resources . 14
5.7 Cooperation with other relevant parties . 14
5.8 Subcontractors . 14
5.8.1 General . 14
5.8.2 Contracts . 14
5.8.3 Selection . 14
5.9 Leased workers/ agency workers . 15
6 Staff . 15
6.1 General . 15
6.1.1 Introduction . 15
6.1.2 Terms and conditions of employment . 15
6.1.3 Security screening. 16
6.1.4 Identification of staff . 16
6.1.5 Uniform . 16
6.2 Recruitment and selection . 17
6.2.1 General . 17
6.2.2 Criteria to be fulfilled for employment . 17
6.2.3 Selection . 17
6.2.4 Interview . 18
6.2.5 Recruiting. 18
6.3 Training . 19
6.3.1 Training policy . 19
6.3.2 Trainer . 19
6.3.3 Training requirements . 19
7 Service delivery . 20
7.1 Start up and contract commencement . 20
7.2 Operating procedures . 20
7.3 Communication with the customer . 20
7.4 Operational plan and rostering . 21
7.5 Service level agreement . 21
7.6 Contract termination and cessation of services . 21
Annex A (informative) Examples of critical infrastructure sectors . 22
Bibliography . 24
European foreword
This document (EN 17483-1:2021) has been prepared by Technical Committee CEN/TC 439 “Private
security services”, the secretariat of which is held by ASI.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by December 2021, and conflicting national standards shall
be withdrawn at the latest by December 2021.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
1 Scope
This document includes the main overarching requirements for the provision of private security services
for critical infrastructure.
NOTE 1 This document is the first part of a series of standards on the provision of private security services for
critical infrastructure. It will be complemented by other sector specific parts, which give more detailed
requirements for related services such as aviation, maritime and port security.
NOTE 2 Examples of critical infrastructure sectors are given in Annex A.
NOTE 3 See Figure 1.
Figure 1 — Structure for sector-specific standards
NOTE 4 It is important that the selection of a private security service provider always represents the best balance
between quality and price. This document sets out the minimum requirements that providers should comply with
in order for this balance to be struck.
It specifies service requirements for quality in the organization, processes, personnel and management
of a security service provider and/or its independent branches and establishments under commercial
law and trade as a provider of security services.
It lays down quality criteria for the delivery of security services requested by public and private clients.
This document is suitable for the selection, attribution, awarding and reviewing of the most suitable
provider of security services.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 15602, Security service providers - Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 15602 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
critical infrastructure
asset, system, or a part thereof, which is essential for the maintenance of vital societal functions, health,
safety, security, economic or social well-being of people, and the disruption or destruction of which
would have a significant impact in a society as a result of the failure to maintain those functions
Note 1 to entry: Examples of critical infrastructure sectors are given in Annex A.
3.2
insider threat
threat posed by unauthorised access, use or disclosure of privileged information, techniques, technology,
assets or premises by an individual with legitimate or indirect access, which could cause harm or damage
3.3
insider threat policy
policy aimed at detecting and mitigating insider threats
3.4
risk assessment
systematic process for the identification, analysis and evaluation of threats to determine the impact of
the consequences of hazards and threats relative to the probability of their occurrence
3.5
security analysis
total of defined organizational, personnel, technical and structural security measures for the prevention
and/or averting of dangers through written analysis of possible attack and damage scenarios with the
aim of achieving a defined level of protection
Note 1 to entry: Security analyses are based on a structured approach which generally includes the following
criteria:
— determination of the object to be protected and the protection aims;
— analysis of threats / damage scenarios / dangers;
— evaluation of probability of occurrence and potential extent of damage;
— development of measures to reduce damages and their probability of occurrence;
— development of measures to initiate security as early as possible (e.g. coordination of electronic and
mechanical security devices to trigger an alarm before the mechanical security devices have been
completely overcome);
— planning of measures and provision of means for damage control and containment in the event of
damage;
— analysis of the organization's own risk-bearing capacity and assessment of the residual risk.
Even a sophisticated security analysis is not able to eliminate the residual risk completely. For this reason, crisis
and disaster management is often introduced to protect life and property as far as possible in an emergency.
3.6
staff performance management policy
systematic process by which the provider involves its employees, as individuals and members of a group,
in improving organisational effectiveness in the accomplishment of the provider's mission and goals
Note 1 to entry: This policy is a tool used to communicate the organisational goal to the employees
individually, to allot individual accountability towards that goal, to track progress in the achievement of the
goals assigned and to evaluate their individual performance. The staff performance management policy reflects the
individual performance or accomplishment of an employee, and evaluates and keeps track of all the
employees of the organization.
3.7
management system
set of interrelated or interacting elements of an organisation to establish policies and objectives, and
processes to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines, e.g. quality
management, financial management or environmental management.
Note 2 to entry: The management system elements establish the organization's structure, roles and
responsibilities, planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those
objectives.
Note 3 to entry: The scope of a management system can include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more functions
across a group of organisations.
Note 4 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original
definition has been modified by modifying Notes 1 to 3 to entry.
[SOURCE: EN ISO 9000:2015, 3.5.3]
3.8
key performance indicator
KPI
business statistics which measure an organisation's performance
Note 1 to entry: KPIs show the progress (or lack of it) toward realizing the organization's objectives or strategic
plans by monitoring activities which (if not properly performed) would likely cause degradation of the performance
of the provider.
[SOURCE: EN 50518:2019, 3.1.21 modified — At Note 1 to entry the term provider is used instead of ARC]
4 Provider
4.1 General
The provider shall be authorized by the competent authorities to provide private security services for
critical infrastructure if those are already specified and/or regulated by public authorities in accordance
with the national legal frameworks.
A provider shall only provide those private security services for critical infrastructure for which the
provider has obtained the necessary authorization from the competent authority corresponding to the
sector-specific standard(s).
4.2 Structure
4.2.1 Management structure
The provider shall demonstrate that its owners, board members and management have a clean record,
e.g. have not been convicted of any of the following crimes:
a) weapons and/or drug trafficking and/or organized crime;
b) bribery and/or corruption;
c) fraud and/or money laundering and/or financing of terrorism;
d) attempting or committing terrorist offences;
e) child labour and/or trafficking in human beings;
f) intentional crimes against human beings;
g) tax or social security fraud;
h) cyber and information security crimes.
They need to hold the required licence for their function where legally applicable.
The provider shall:
1) have a management structure showing command, control and accountability at each level of
operation;
2) have code of conduct documents on ethics, drugs and alcohol, compliance and corporate social
responsibility and about operational procedures (e.g. hygiene and cleanliness, behaviour,
punctuality);
3) clearly communicate organizational structures and procedures to all operational levels;
4) operate a complaints management system in accordance with quality management systems;
5) have secure storage for important and confidential documents relating to the contract;
6) operate under confidentiality procedures for the management of information and data related to the
business;
7) provide rules for making contract information available to third parties;
8) have an operational presence within an appropriate distance to the site where the services are
provided for the duration of the contract, or at least for the duration of the provision of the services;
9) disclose the structure of its ownership as well as demonstrate the professional competence of its
management for the provision of private security services;
10) disclose any unspent criminal convictions and current or discharged bankruptcy of a principal or
director;
11) give information on its membership of professional organisations;
12) give information on the provider’s activities with regards to its compliance with applicable
legislation regarding the protection of environment;
13) have a management system implemented that covers the quality for the provision of the declared
services.
NOTE A management system such as EN ISO 9001 or similar fulfils the requirement.
4.2.2 Human resources management
4.2.2.1 General
The provider shall have policies in place, which shall include the following:
a) maintaining accurate information/data on staff structure and staff numbers;
b) recruitment including job descriptions;
c) retention of staff;
d) career development;
e) training;
f) absenteeism reduction;
g) equal opportunities;
h) disciplinary and grievance;
i) inspection/supervision;
j) operational management;
k) staff satisfaction measurement;
l) staff representation (participation in decision-making).
The policies are also expected to:
m) abide by labour and social law and collective labour agreements;
n) abide by law and regulations regarding health and safety and appropriate internal policies for health
and safety.
4.2.2.2 Staff motivation
The provider shall have a policy for motivating security staff. This policy shall include at least the
following:
— methodologies used;
— motivation measuring system;
— motivation techniques;
— responsibility on the job;
— self-management (shift work, measures against boredom);
— communication on the job (dealing with clients and colleagues);
— safety awareness.
The provider shall inform staff about career opportunities.
4.2.2.3 Staff performance management policy
The provider shall implement a clearly defined staff performance management policy.
4.3 Health and Safety Management
The provider shall have a structured occupational health and safety management system (e.g. ISO 45001
[12]).
NOTE ISO 45001 [12] (formerly OHSAS 18001:2007 [14]) is an Occupational Health and Safety Assessment Series for
health and safety management systems. Such a management system is intended to help the provider to control
occupational health and safety risks.
The provider shall mitigate occupational hazards and demonstrate that the client is always
actively involved.
The working environment shall be in line with social and technical developments that have an impact on
health and safety.
Work shall be planned in a manner that it can be performed in a safe and healthy environment.
The provider shall investigate accidents together with the health and safety representative of the client
and/or staff if present, continuously assess risks and take all precautions necessary.
The provider shall document the working conditions and measures to improve them.
The provider shall also make preventative medical care available to the employees suited to their
working conditions. In case of a health and safety incident the provider shall also make medical treatment
available at no cost to the employee, unless this is covered by statutory insurance.
4.4 Risk management
The provider shall install and maintain a risk management system and be able to demonstrate it
(e.g. EN ISO 22301 [6] or ISO 31000 [9]).
4.5 Operational and financial capacity
The provider shall demonstrate that it has the necessary capacity in terms of infrastructure, staff and
procedures to guarantee the full implementation of all terms and clauses of the contract between the
provider and the client.
The provider shall disclose information to the potential client about its organizational structure, its
dedicated responsible management if applicable, the range of services it is authorized to provide and the
length of time it has been operating private security services for critical infrastructure.
The provider shall disclose the following information to the potential client regarding:
— balance sheets and profit and loss statements for the past three financial years if their publication is
compulsory under the legislation or practice in the country in which the applicant is registered;
— valid tax clearance certificate where relevant;
— clearance certificate from social security authorities with regard to necessary social security fees
where relevant.
At the request of the potential client, the provider shall also provide a project-related operational and
financial plan where the requested security services exceed a value of 15 % of the total turnover of the
last closed business year of the provider.
4.6 Business continuity management
The provider shall establish a documented business continuity policy including operational contingency
plans.
The provider shall record which significant risks exist with regard to its operational processes and
procedures and the technologies used for this purpose, e.g. on the basis of EN ISO 9001 [4]. In particular,
the critical processes shall be identified and suitable measures for risk minimization shall be defined.
NOTE Further information and examples are given in e.g. EN ISO 22301 [6].
4.7 Insurances
The provider is expected to comply with international and/or national regulations and collective labour
agreements regarding insurances.
The provider’s insurance shall include cover for the following:
— accidents to employees while on duty (including the necessary on- and offboarding time before and
after duty) unless covered by statutory insurance;
— loss, damage or injury to the customer or third parties caused by intent or negligence of the provider
(as long as they have been caused whilst performing the contractual duties).
The provider shall provide to the client its insurance policy and supporting information regarding third
party liability.
The provider shall ensure there is adequate evidence of appropriate insurance cover to the client.
When sub-contracting work to a third party, the provider shall ensure that adequate insurance cover
commensurate with the business is in place.
4.8 Corporate governance and compliance
The provider shall demonstrate a structured corporate governance policy or equivalent and shall provide
evidence of its:
— code of conduct for directors and employees;
— internal and external control procedures and audits;
— reporting arrangements – financial and operational.
4.9 IT-Security Management
The provider shall establish a documented IT-security management system. The provider and the client
shall agree on IT-security management processes according to their requirements.
NOTE EN ISO/IEC 27001 [7] gives more information on IT-security management systems.
5 Co
...
SLOVENIAN STANDARD
oSIST prEN 17483-1:2020
1 July 2020
Private security provision for the protection of Critical Infrastructure - Part 1: General requirements
This Slovenian standard is identical to: prEN 17483-1
ICS:
03.080.99 Other services
13.310 Protection against crime
oSIST prEN 17483-1:2020 en,fr,de
Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
DRAFT
EUROPEAN STANDARD
prEN 17483-1
NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2020
ICS 03.080.99; 13.310
English Version
Private security provision for the protection of Critical
Infrastructure - Part 1: General requirements
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/TC 439.
If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations
which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.
Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. prEN 17483-1:2020 E
prEN 17483-1:2020 (E)
Contents Page
European foreword . 4
1 Scope . 5
2 Normative references . 5
3 Terms and definitions . 5
4 Provider . 7
4.1 General . 7
4.2 Structure . 7
4.2.1 Management structure . 7
4.2.2 Human resources management . 8
4.3 Health and Safety Management . 9
4.4 Risk management . 10
4.5 Operational and financial capacity . 10
4.6 Business continuity management . 10
4.7 Insurances . 10
4.8 Corporate governance and compliance . 11
4.9 IT-Security Management . 11
5 Contracts . 11
5.1 General . 11
5.2 Financial terms . 11
5.3 Contractual liabilities . 12
5.4 Contract manager . 12
5.5 On-site management . 12
5.6 Customer responsibility . 12
5.7 Resources . 12
5.8 Cooperation with other relevant parties . 12
5.9 Subcontractors . 12
5.9.1 General . 12
5.9.2 Contracts . 13
5.9.3 Selection . 13
5.10 Leased workers . 13
6 Staff . 13
6.1 General . 13
6.1.1 Introduction . 13
6.1.2 Terms and conditions of employment . 13
6.1.3 Security screening. 14
6.1.4 Breach of terms and conditions of employment . 14
6.1.5 Identification of staff . 14
6.1.6 Uniform . 15
6.2 Recruitment and selection . 15
6.2.1 General . 15
6.2.2 Criteria to be fulfilled for employment . 15
6.2.3 Selection . 16
6.2.4 Interview . 16
6.2.5 Recruiting. 17
6.3 Training . 17
6.3.1 Training policy . 17
6.3.2 Trainer . 17
6.3.3 Training requirements . 18
7 Service delivery . 18
7.1 Start up and contract commencement . 18
7.2 Operating procedures . 18
7.3 Communication with the customer . 18
7.4 Operational plan and rostering . 19
7.5 Service level agreement . 19
7.6 Contract termination and cessation of services . 19
Annex A (informative) Examples of critical infrastructure sectors . 20
Bibliography . 22
European foreword
This document (prEN 17483-1:2020) has been prepared by Technical Committee CEN/TC 439 “Private
security services”, the secretariat of which is held by ASI.
This document is currently submitted to the CEN Enquiry.
1 Scope
This document is the overarching standard for the provision of private security services for critical
infrastructure. It is complemented by vertical substandards for specific sectors with more detailed
focus on the related services such as e.g. aviation security and maritime/port security.
It specifies service requirements for quality in organization, processes, personnel and management of a
security service provider and/or its independent branches and establishments under commercial law
and trade as a provider with regard to security services.
It lays down quality criteria for the delivery of security services requested by public and private clients.
This document is suitable for the selection, attribution, awarding and reviewing of the most suitable
provider of security services.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 15602:2008, Security service providers — Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 15602 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
critical infrastructure
asset, system or part thereof which is essential for the maintenance of vital societal functions, health,
safety, security, economic or social well-being of people, and the disruption or destruction of which
would have a significant impact on a society as a result of the failure to maintain those functions
Note 1 to entry: Examples of critical infrastructure sectors are given in Annex A.
3.2
insider threat
threat posed by unauthorised access, use or disclosure of privileged information, techniques,
technology, assets or premises by an individual with legitimate or indirect access, which could cause
harm or damage
3.3
insider threat policy
policy aimed to detect and mitigate insider threats
3.4
risk assessment
systematic process for the identification, analysis and evaluation of threats to determine the impact of
the consequences of hazards and threats relative to the probability of their occurrence
3.5
security analysis
total of defined organisational, personnel, technical and structural security measures for the prevention
and/or averting of dangers through written analysis of possible attack and damage scenarios with the
aim of achieving a defined level of protection
Note 1 to entry: Security analyses are based on a structured approach which generally includes the following
criteria:
— determination of the object to be protected and the protection aims;
— analysis of threats / damage scenarios / dangers;
— evaluation of probability of occurrence and potential extent of damage;
— development of measures to reduce damages and their probability of occurrence;
— development of measures to initiate security as early as possible (e.g. coordination of electronic and
mechanical security devices to trigger an alarm before the mechanical security devices have been completely
overcome);
— planning of measures and provision of means for damage control and containment in the event of
damage;
— analysis of the own risk bearing capacity and assessment of the residual risk.
Even a sophisticated security analysis is not able to eliminate the residual risk completely. For this reason, crisis
and disaster management is often introduced to protect life and property as far as possible in an emergency.
3.6
staff performance management policy
systematic process by which the provider involves its employees, as individuals and members of a
group, in improving organizational effectiveness in the accomplishment of the provider's mission and
goals
Note 1 to entry: This policy is a tool which is used to communicate the organizational goal to the employees
individually, allot individual accountability towards that goal, track progress in the achievement of the goals
assigned and evaluate their individual performance. The staff performance management policy reflects the
individual performance or the accomplishment of an employee, and evaluates and keeps track of all the
employees of the organization.
3.7
sector-specific substandard
complementary vertical standards to this overarching standard within the critical infrastructure
sectors
Note 1 to entry: Examples of critical infrastructure sectors are given in Annex A.
Note 2 to entry: See Figure 1.
Figure 1 — Structure for sector-specific substandards
4 Provider
4.1 General
The provider shall be authorized by the competent authorities to provide private security services for
critical infrastructure if those are already specified and/or regulated by public authorities in
accordance with the national legal frameworks.
A provider shall only provide those private security services for critical infrastructure for which the
provider has obtained the necessary authorization from the competent authority corresponding to the
sector-specific substandard(s).
4.2 Structure
4.2.1 Management structure
The provider shall demonstrate that its owners, board members and management have a clean record,
e.g. have not been convicted of, and have no pending charges for, any crimes such as:
a) weapons and/or drug trafficking and/or organized crime;
b) bribery and/or corruption;
c) fraud and/or money laundering and/or financing of terrorism;
d) attempting or committing terrorist offences;
e) child labour and/or trafficking in human beings;
f) intentional crimes against human beings and public or private property;
g) tax evasion or evasion of social security contributions.
They need to hold the required licence for their function where legally applicable.
The provider shall:
1) have a management structure showing command, control and accountability at each level of
operation;
2) have a code of conduct on ethics, drugs and alcohol;
3) have a code of conduct on compliance and corporate social responsibility;
4) have a code of conduct about operational procedures (e.g. appearance, behaviour, punctuality);
5) clearly communicate structures and procedures to all operational levels;
6) operate a complaints management system in accordance with quality management systems;
7) have secure storage of important and confidential documents related to the contract;
8) operate under confidentiality management of information and data related to the business;
9) provide rules for making contract information available to third parties;
10) have an operational presence within an appropriate distance to the site of the provision of the
service for the duration of the contract, or at least for the duration of the execution of the services;
11) disclose the structure of its ownership as well as the curricula vitae of its management;
12) disclose any unspent criminal convictions or undischarged bankruptcy of a principal or director;
13) give information on its membership in professional organizations;
14) give information on the compliance of its activities with applicable legislation regarding the
protection of environment.
The provider shall be able to demonstrate the above to the potential client before signing the contract, if
the potential client so requires. The provider may disclose other relevant information to the potential
client, such as other certifications it holds.
4.2.2 Human resources management
4.2.2.1 General
The provider shall have a human resource policy in place, which shall include the following:
a) abiding by labour and social law and collective labour agreements;
b) abiding by law and regulations regarding health and safety, and appropriate internal policies for
health and safety;
c) maintaining accurate information/data on staff structure and staff numbers;
d) recruitment policy including job description;
e) policies for retention of staff;
f) policies for career development;
g) training policy;
h) absenteeism reduction policies;
i) policies for equal opportunities;
j) disciplinary and grievance procedures;
k) inspection/supervision;
l) operational management;
m) staff satisfaction ratios;
n) staff representation (participation in decision-making).
4.2.2.2 Staff motivation
The provider shall demonstrate its policy for motivating security staff. This policy shall include at least
the following:
— methodologies used;
— motivation measuring system;
— motivation techniques;
— responsibility on the job;
— self-management (shift work, measures against boredom);
— communication on the job (dealing with clients and colleagues);
— safety consciousness.
The provider shall inform staff entering the company about career opportunities.
4.2.2.3 Staff performance management policy
The provider shall implement a clearly defined staff performance management policy.
4.3 Health and Safety Management
The provider shall have a structured occupational health and safety management system (e.g.
ISO 45001 [10]).
NOTE ISO 45001 [10] (old: OHSAS 18001:2007 [12]) is an Occupational Health and Safety Assessment Series
for health and safety management systems. Such a management system is intended to help the provider to control
occupational health and safety risks.
The provider shall prevent occupational hazards and demonstrate that the client is always actively
involved.
The working environment shall be in line with social and technical developments that have an impact on
health and safety.
Work shall be planned in a manner that it can be performed in a safe and healthy environment.
The provider shall investigate accidents together with the health and safety representative of the client
and/or staff if present, continuously assess risks and take all precautions necessary.
The provider shall document the working conditions and the action plans and measures to improve
them.
The provider shall also make preventative medical care available to the employees suited to their
working conditions. In case of a health and safety incident the provider shall also make medical
treatment available at no cost to the employee.
4.4 Risk management
The provider shall install and maintain a risk management system and be able to demonstrate it (e.g.
EN ISO 22301 [3] or ISO 31000 [7]).
4.5 Operational and financial capacity
The provider shall demonstrate that it has the necessary capacity in terms of infrastructure, staff and
procedures to guarantee the full execution of all terms and clauses of the contract between the provider
and the client.
The provider shall disclose information to the potential client about its organizational structure, its
dedicated responsible management if applicable, the range of services it is authorized to provide and
the length of time it has been operating private security services for critical infrastructure.
At the request of the potential client, the provider shall also provide a project-related operational and
financial planning in case the share of the volume of the requested security services exceeds a value of
15 % in relation to the total turnover of the last closed business year of the provider.
4.6 Business continuity management
The provider shall establish a documented business continuity policy including operational contingency
plans.
The provider shall provide evidence of which significant risks exist with regard to its operational
processes and procedures and the technologies used for this purpose, e.g. on the basis of EN ISO 9001
[6]. In particular, the critical processes shall be identified and suitable measures for risk minimization
shall be defined.
NOTE Further information and examples are given in e.g. EN ISO 22301 [3].
4.7 Insurances
The provider is expected to comply with international and/or national regulations and collective labour
agreements regarding insurances.
Insurances of the provider shall cover the following:
— accidents to employees while on duty (including the necessary on- and offboarding time before and
after duty);
— general liability;
— social security/public liability.
The provider shall disclose to the client information and its policy and views regarding third party
liability.
The provider shall ensure there is sufficient evidence of appropriate insurance coverage to the client.
When sub-contracting work to a 3rd party, the provider shall ensure that sufficient insurance cover
commensurate with the business is in place.
4.8 Corporate governance and compliance
The provider shall demonstrate a structured corporate governance policy or equivalent and shall
establish proof of it:
— code of conduct for directors and employees;
— internal and external control procedures and audits;
— reporting arrangements – financial and operational.
4.9 IT-Security Management
The provider shall establish a documented IT-security management according to existing standards, e.g.
on the basis of EN ISO/IEC 27001 [4].
5 Contracts
5.1 General
A written contract between the provider and the client shall be signed by both parties. The contract
shall state the rights and obligations of the provider and of the client including respective liabilities and
responsibilities and financial and economic aspects. The contract shall clearly stipulate the usage of
sub-contractors as well as respective conditions.
The client shall provide a security analysis, to the extent necessary to provide the security service, to
the provider. In the security analysis, critical infrastructures (see 3.1) shall be identified separately.
If the client is not able to provide a security analysis, then the provider should carry out a risk
assessment of the critical infrastructure site:
— assess the probability of a security breach and/or threat and the consequence of such an event on
the site;
— define countermeasures and the security plan;
— clarify that the proposed contract meets the risk assessment.
The security analysis/assessment is the basis for the preparation of the security plan. The security plan
should incorporate the optimization of the required services by the use of technologies, procedures and
workforce. The security plan shall contain information to ensure the ongoing provision of services and
the deployment of managers on site.
5.2 Financial terms
The provider shall disclose the following information to the potential client regarding:
— balance sheets and profit and loss statements for the past three financial years if their publication is
compulsory under the legislation or practice in the country in which the applicant is registered;
— valid tax clearance certificate where relevant;
— clearance certificate from social security authorities with regard to necessary social security fees
where relevant.
5.3 Contractual liabilities
The provider’s liability for damages arising in the course of the provision of services and for which the
provider is responsible shall be agreed between the provider and the client within the framework of the
contract.
The amount of liability demanded by the client shall be limited, at least in the case of simple negligence.
These limits of liability shall be regulated in the contract and shall be set in relation to the risk analysis/
assessment and the contract value. The agreed limit of liability shall not exceed the insurance
coverage.
5.4 Contract manager
The provider shall appoint and present a contract manager to the client, who is responsible for the
organization and operation of the contract. This person shall have the mandate for handling all
employment issues in regard to the contract.
5.5 On-site management
If there is more than one security guard on duty on site at the same time, an on-site operational
manager shall be appointed (e.g. senior guard, team leader, shift leader).
5.6 Customer responsibi
...