Standards for providers 2015-16:

Security management
Summary of changes made to previous years standards

Tackling fraud and managing security

Standard Changes
1.1
Ratings section changed as follows:
Amber:
There is an individual with executive authority at the organisation who has a
clearly defined responsibility for the strategic management and support of
security work.
There is no evidence that executive oversight or strategic support is delivered
effectively for security management at the organisation.
1.2

Standard reworded as follows:

The organisation employs or contracts a qualified, accredited and nominated
security specialist(s) to oversee and undertake the delivery of the full range of
security management work.
Ratings section changed as follows:
Red:
There is no evidence that there is a qualified person(s) employed or contracted
to carry out and/or oversee the full range of security management work at the
organisation.
The security specialist(s) nominated have not successfully completed NHS
Protect's accredited security management training.
The security specialist(s) nominated do not appropriately update their skills in
line with NHS Protect continuing professional development and/or legal
requirements.
Green:
The organisation employs or contracts in a qualified security specialist(s) trained
and approved by NHS Protect and accredited by the professional accreditation
board.
The organisation ensures that the nominated person(s) attends all necessary
training and development events and undertake continuous professional
development as required to appropriately fulfil the security specialist role on an
ongoing basis.
The security specialist is involved in NHS Protect security management
activities, including attendance at regional forums.
The trained and accredited security specialist(s) oversee and undertake the
work required to meet the security management standards set by NHS Protect.
The work required to meet the security management standards is regularly
reviewed and evaluated to establish that it is effective.
Any improvements identified as a result of evaluation are implemented.

1.3

Ratings section changed as follows:

Red:
There is no evidence of any risk assessment work conducted to identify security
risks at the organisation.
Where a risk assessment has been conducted, no adequate resources have
been allocated to mitigate the risks identified within a reasonable timescale.
A security management work plan may have been developed but lacks clear and
measurable objectives.
Amber:
The organisation has carried out a risk assessment to identify security risks.
As a result of the risk assessment, appropriate levels of resources and
investment have been allocated to security management based on identified
security risks.
The organisation has a security management work plan with clear and
measurable objectives.
Green:
Security risks have been entered onto the risk register and when not included
the reasons for this are clearly documented.
Progress against the work plan is continuously monitored at a senior level to
ensure that the level of provision is sufficient to mitigate the risks and that
resources are fit for purpose.
Where necessary, additional resources are allocated to address risks as they
emerge.

1.4

Standard reworded as follows:

The organisation reports annually to its executive board, or equivalent body, on
how it has met the standards set by NHS Protect in relation to security
management, and its local priorities as identified in its work plan.
Ratings section changed as follows:
Red:
There is no evidence that an annual report demonstrating progress against
security management objectives has been completed by the organisation.
Where an annual report has been completed it does not cover all areas of
security management work as outlined in NHS Protects anti-crime strategy and
does not provide a full update on the actions taken to manage security as
outlined in the work plan for that year.
The annual report does not contain a self review against the standards and has
not been signed off at executive and/or senior management level.
Amber:
The organisation reports annually to its executive board, or equivalent body, on
security management work, directly referring to all applicable standards and
3

providing a clear update on progress against work plan objectives.

The report includes a completed Self Review Tool which has been signed off at
executive and/or senior management level and a copy is sent to NHS Protect.
The findings in the annual report and Self Review Tool are not acted on or linked
to corrective action and work planning for the forthcoming year(s).
Green:
Where standards have not been met the reasons for this are documented and
corrective action is suggested for the forthcoming years (or years) work plan
and improvements are implemented where appropriate.
The Self Review Tool feeds into work planning for the following year, provides
an update on progress and addresses any action points raised through the
quality assurance process.
1.5

Inclusion in the rationale of an explanation of what a security management

strategy is.

2.2

Standard reworded as follows:

The organisation develops and maintains effective relationships and
partnerships with local and regional anti- crime groups and agencies to help
protect NHS staff, premises, property and assets.
Ratings section changed as follows:
Red:
There is no evidence that the organisation has developed and/or maintained
effective relationships and/or partnerships with local and regional anti-crime
groups and agencies.
There may be some arrangements, but these do not cover the whole scope of
the standard in relation to the protection and security of the organisations staff,
premises, property and assets.
Amber:
The organisation can provide evidence that it has developed and maintained
effective relationships with anti-crime groups and agencies.
There is limited or no evidence of regular and sound evaluation of the
effectiveness of these relationships.
Green:
There are positive outcomes as a result of the development and maintenance of
relationships in relation to the protection of staff, premises, property and assets.
Relationships are regularly reviewed for effectiveness.

2.3

Standard reworded as follows:

The organisation has an ongoing programme of work to raise awareness of
security measures and security management in order to create a pro-security
4

culture among all staff. As part of this, the organisation participates in all
national and local publicity initiatives, as required by NHS Protect, to raise
security awareness. This programme of work will be reviewed, evaluated and
updated as appropriate to ensure that it is effective.
Further explanation included in the rationale.
Ratings section changed as follows:
Red
The organisation has not raised awareness of security measures and security
management among staff and has not created a pro-security culture.
There is some work within the organisation to raise and maintain security
awareness, but it is limited in scope and reach.
The awareness work carried out does not take identified organisational risks into
account and is not fully in line with NHS Protect strategic requirements
The organisation has not participated in any national or local publicity initiatives,
as required by NHS Protect, to improve security awareness.
Amber:
The organisation has an ongoing programme of work to raise awareness of
security measures and security management among all staff, based on local risk
and needs and in line with NHS Protects strategy.
A range of methods are used to reach the widest possible audience.
The organisation participates in all national and local publicity initiatives, as
required by NHS Protect to improve security awareness.
Advice is taken from the organisations communications staff, where appropriate,
and from the Deterrence and Engagement team in NHS Protect.
There is limited or no evaluation of awareness work carried out or, where
evaluation has been carried out, it is not on recent data or it is not sound enough
to demonstrate a positive impact.
Green:
The organisation has an ongoing programme of work to raise awareness of
security measures and security management among all staff using a range of
methods that are appropriate to different staff groups.
There is evidence that presentations and other awareness materials are
targeted to specific staff groups.
The organisation meaningfully evaluates the success of the programme of work
and measures levels of awareness.
The results of the evaluation inform planning for future awareness work.

2.4

Standard reworded as follows:

The organisation ensures that security is a key criterion in any new build
projects, or the modification and alteration (e.g. refurbishment or refitting) of
existing premises.
The organisation demonstrates effective communication between risk
management, capital projects management, estates, security management and
external stakeholders to discuss security weaknesses and to agree a response.
Ratings section changed as follows:
Red:
There is no evidence of a cross-organisational response to security
weaknesses, involving risk management, capital projects management, estates,
security management and external stakeholders.
There is no evidence that the organisation has taken a risk-based approach to
providing for a secure environment in the design of new, modified or altered
premises.
There may be some work to provide for a secure environment in the design of
new, modified or altered premises, but it is not carried out continuously, or in a
risk-based manner.
There may be some evidence of a cross-organisational response to security
weaknesses, but this is limited in the context of the standard.
Amber:
The organisation has adopted a cross-organisational approach to tackling
security weaknesses, involving risk management, capital projects management,
estates, security management and external stakeholders.
The cross-organisational approach has led to an agreed response to security
weaknesses.
There is evidence of a risk-based approach to providing for a secure
environment in the design of new, modified or altered premises. This approach
is consistently applied.
There is little or no evidence that the organisation has reviewed or evaluated the
effectiveness of its cross organisational approach to tackling security
weaknesses, or its work to provide for a secure environment in the design of its
premises.
Green:
There is evidence that the organisation evaluates the effectiveness of its crossorganisational approach to addressing security weaknesses and that, where
appropriate, changes are made to increase its benefits.
There is evidence that the organisation regularly evaluates the design of its
premises from a security perspective.
Where appropriate, the results from this evaluation lead to specific changes in
the design of premises.
6

2.5
2.6
2.7

Standard 2.5 from 2014/15 standards deleted. What was standard 2.6 becomes
standard 2.5.
What was standard 2.7 in 2014/15 becomes standard 2.6.
This was added as a new pilot standard for 2015-16. The standard reads as
follows:
The organisation uses the Security Incident Reporting System (SIRS) to record
details of physical assaults against staff in a systematic and comprehensive
manner. This process is reviewed, evaluated and improvements are made
where necessary.
Accompanying ratings also new.

3.1

Standard reworded as follows:

The organisation risk assesses job roles and undertakes training needs analyse
for all employees, contractors and volunteers whose work brings them into
contact with NHS patients and members of the public. As a result the
appropriate level of training on prevention of violence and aggression is
delivered to them in accordance with NHS Protects guidance on conflict
resolution training and the prevention and management of clinically related
challenging behaviour. The training is monitored, reviewed and evaluated.
Ratings section changed as follows:
Red:
There is no evidence that the organisation risk assesses job roles and
undertakes training needs analyses for all employees, contractors and
volunteers whose work brings them into contact with NHS patients and members
of the public.
There may be risk assessments and training needs analyses in relation to the
prevention of violence and aggression and the prevention and management of
challenging behaviour, but this has not resulted in appropriate training being
delivered, or the training does not follow current NHS Protect guidance.
Amber:
There is evidence that the organisation risk assesses job roles and undertakes
training needs analyses. This applies to all employees, contractors and
volunteers whose work brings them into contact with patients and members of
the public.
The organisation follows a risk-based approach to identifying who should receive
prevention of violence and aggression and challenging behaviour awareness
training.
The training delivered is appropriate for the individual roles involved and follows
current NHS Protect guidance.
There is little or no evidence to suggest that the training delivered in relation to
prevention of violence and aggression and the prevention and management of
challenging behaviour is effective.

Green:
There is evidence that the organisation uses sound data to regularly evaluate
the effectiveness of training delivered in relation to prevention of violence and
aggression and the prevention and management of challenging behaviour.
Where appropriate, the results from the evaluation lead to improvements in the
training.
3.2

Standard reworded as follows:

The organisation assesses the risk to its lone workers, including the risk of
violence. It takes steps to avoid or control the risks and these measures are
regularly and soundly monitored, reviewed and evaluated for their
effectiveness.
Ratings section changed as follows:
Red:
The organisation is unable to demonstrate that it has robust and systematic
measures in place to assess the risks to its lone workers.
Some risk assessments in relation to lone workers may have been undertaken
at the organisation, however it is not robust or systematic.
There is no evidence that the organisation has taken steps to avoid or control
the risks to its lone workers.
Amber:
The organisation is able to demonstrate that it has robust and systematic
measures in place to assess the risks to its lone workers.
Steps have been taken to control and minimise risks to lone workers.
There is little or no evidence that the organisation regularly evaluates the steps
taken to avoid or control the risks to its lone workers.
Green:
There is evidence that the organisation uses sound data to regularly evaluate
the effectiveness of the steps it has taken to avoid or control the risks to its lone
workers.

3.3

Standard reworded as follows:

The organisation distributes national and regional NHS Protect alerts to relevant
staff and action is taken to raise awareness of security risks and incidents. The
process is controlled, monitored, reviewed and evaluated.
Ratings section changed as follows:
Red:
There is little or no evidence that the organisation distributes national or regional
NHS Protect alerts to relevant staff.
The organisation may have issued some national or regional NHS Protect alerts
to staff, but this does not include all relevant alerts.
8

Amber:

There is evidence that the organisation issues all relevant national or regional
NHS Protect alerts to staff.
The organisation has a process to identify the appropriate staff to receive the
alerts.
The organisation can demonstrate that there is a system in place to control the
issue of alerts, which meets statutory requirements.
In addition, NHS Protect guidance in relation to the issue, distribution and
withdrawal of alerts has been taken into account.
There is little or no evidence that the organisation has monitored, reviewed or
evaluated the issue of national and regional NHS Protect alerts to see whether
they have raised awareness of the issues communicated through them.
Green:
The organisation uses sound data to evaluate the success of the alert process
and measures the levels of awareness generated by it.
Where appropriate, the results of the evaluation inform the process for issuing
alerts in order to maximise its effectiveness.
3.4
3.5
3.6
3.7

What was previously standard 3.5 in 2014/15 now becomes standard 3.4.
What was previously standard 3.6 in 2014/15 now becomes standard 3.5.
What was previously standard 3.8 in 2014/15 now becomes standard 3.6.
What was previously standard 3.9 in 2014/15 now becomes standard 3.7.
Standard reworded as follows:
The organisation has departmental asset registers and records for business
critical assets worth less than 5,000.

3.8

What was previously standard 3.7 in 2014/15 now becomes standard 3.8.
Standard reworded as follows:
The organisation has clear policies and procedures in place for the security of
medicines and controlled drugs.
The list provided in the Guidance, supporting documentation and evidence
section was changed to the following:
The NHS Security Management Manual
NHS Protect guidance Security standards and guidance for the management
and control of controlled
drugs in the ambulance sector
NHS Protect guidance Guidance on the security and storage of medical gas
cylinders
NHS Protect checklist Security of medical gas cylinders General Checklist
NHS Protect checklist Security of medical gas cylinders Physical security
and storage checklist
NHS Protect toolkit Medicine security self-assessment tool
9

 NHS Protect toolkit Medicine security Pharmacy checklist

NHS Protect toolkit Medicine security Ward/ department checklist
NHS Protect toolkit Medicine security Action plan template
NHS Protect guidance Security of prescription forms guidance
NHS Protect guidance Aide Memoire Area Teams
NHS Protect guidance Aide Memoire Prescribers
NHS Protect guidance Aide Memoire Practice managers
The organisations policies and procedures for the management of medicines
and controlled drugs
Records of the Controlled Drugs Accountable Officer, as required in the
Controlled Drugs (Supervision of
Management and Use) Regulations 2013
Job description of the Controlled Drugs Accountable Officer
Meeting minutes, action points and records of their execution
Examples of reviews of policies and procedures on the safe and secure
management of medicines and
controlled drugs
Examples of evaluation results leading to improvements in the policies and
procedures on the safe and
secure management of medicines and controlled drugs
Examples of assurance that the organisation complies with relevant legislation
and guidance
3.9

What was previously standard 3.10 in 2014/15 now becomes standard 3.9.

3.10

What was previously standard 3.11 in 2014/15 now becomes standard 3.10.
Standard reworded as follows:
The organisation records all security related incidents affecting staff, property
and assets in a comprehensive and systematic manner. Records made inform
security management priorities and the development of security policies.
The ratings changed as follows:
Red:
There is little or no evidence that the organisation maintains a detailed record of
security related incidents affecting staff, property, and assets.
The organisation maintains some records of security related incidents affecting
staff, property and assets, but they are not comprehensive, systematically made
or updated in a timely manner.
There is no evidence that the organisation has sought to use the records to
inform security management priorities and develop security policies.
Amber:
There is evidence that the organisation records security related incidents staff,
property and assets in a comprehensive and systematic manner.
There is little or no evidence that the organisation regularly and soundly reviews
or evaluates its systems for recording security related incidents affecting its staff,
property and assets.

10

Green:
The organisation can demonstrate that data from its security related incidents
affecting staff, property and assets informs security management priorities.
The organisation is able to demonstrate a link between reporting and
improvements in the level of security related incidents affecting staff, property
and assets.
There is evidence that the organisation regularly and soundly evaluates the
effectiveness of its reporting system on security related incidents affecting staff,
property and assets. Where appropriate, the findings contribute to
improvements in the management of security within the organisation.
3.11

What was previously standard 3.12 in 2014/15 now becomes standard 3.11.
Standard reworded as follows:
The organisation takes a risk-based approach to identifying and protecting its
critical assets and infrastructure. This is included in the organisations policies
and procedures.
Ratings section changed as follows:
Red:
There is little or no evidence that the organisation applies a risk-based approach
to identifying and protecting its critical assets and infrastructure.
There is little or no evidence that the protection of critical assets and
infrastructure is included in the organisations policies and procedures.
Amber:
There is evidence that the organisation applies a risk-based approach to
identifying and protecting its critical assets and infrastructure.
There is evidence that the organisation, as part of its business continuity work,
has identified its critical assets and infrastructure, risk assessed them and put in
place the appropriate control measures.
There is little or no evidence that the organisation has reviewed or evaluated its
work to identify and protect its critical assets and infrastructure, or that the riskbased approach is influencing relevant organisational polices.
Green:
There is evidence that, using its risk-based approach to identifying and
protecting its critical assets and infrastructure, the organisation makes
improvements to relevant policies.
The organisation can demonstrate that it regularly evaluates its approach to
identifying and protecting its critical assets and infrastructure and that, where
appropriate, evaluation results lead to improvements.
The organisation tests its business continuity response through rehearsals and
table top exercises in critical areas, and the outcomes lead to changes in
training, policy and processes.
11

Included in the Guidance, supporting documentation and evidence section:

Evidence of work conducted as part of the Prevent element of the governments
counter terrorism strategy
3.12

What was previously standard 3.13 in 2014/15 now becomes standard 3.12.
Standard reworded as follows:
In the event of increased security threats, the organisation is able to increase its
security resources and responses.
Ratings section changed as follows:
Red:
The organisation is unable to demonstrate that, in the event of increased
security threats, it is able to increase its security resources and responses in a
timely manner using a risk-based approach.
The organisation may be able to increase its security resources and responses
but this cannot be shown to be appropriate for the level of risk.
Amber:
The organisation can demonstrate that it has taken a risk-based approach to
security threats and is able to increase and deploy its resources in a timely
manner in response to those threats.
There is little or no evidence that the organisation regularly and soundly
evaluates its ability to deploy appropriate resources in a timely manner in the
event of increased security threats.
Green:
The organisation is able to demonstrate that arrangements for increasing its
security resources and responses following an increase in security threats
receive an appropriate level of executive and management support and are
included in the organisations risk processes.
The impact of the risk-based approach to responding to increased security
threats is regularly and soundly evaluated and relevant policies and processes are
updated as required.

3.13

What was previously standard 3.14 in 2014/15 now becomes standard 3.13.
Standard reworded as follows:
The organisation has suitable lockdown arrangements for each of its sites, or
for specific buildings or areas.
Ratings section changed as follows:
Red:
There is little or no evidence that the organisation has suitable lockdown
arrangements in place.
The organisation may have some lockdown arrangements in place, for example
12

covering only some of the appropriate sites but not all.

Amber:
The organisation is able to demonstrate that it has lockdown arrangements in
place for each of its sites or for specific buildings or areas.
There is little or no evidence that the organisation regularly and soundly
evaluates the effectiveness of its lockdown arrangements.
Green:
The organisation is able to demonstrate that its lockdown arrangements are
regularly and soundly evaluated and any findings lead to improved
arrangements.
3.14

What was previously standard 3.15 in 2014/15 now becomes standard 3.14.
Ratings section changed as follows:
Green:
The organisation is able to demonstrate that its policies and procedures in
relation to child and infant abduction have resulted in a decrease in the number
of incidents, where applicable.
There is evidence that the organisation regularly tests, monitors, evaluates and
reviews its policies and procedures on child and infant abduction. Where
required, changes are made to policies and procedures to ensure that they are
effective.

4.1

Standard reworded as follows:

The organisation is committed to applying all appropriate sanctions against
those responsible for security related incidents.
Ratings section changed as follows:
Red:
There is little or no evidence of commitment from the organisation, particularly at
board or senior management level, to applying sanctions appropriately against
those responsible for security related incidents.
Sanctions may be sought in some cases but they are not systematically applied
in relation to each security related incident.
Amber:
The organisation is able to demonstrate its commitment to applying sanctions
appropriately against those responsible for security related incidents.
The organisation has policies and procedures that support its commitment to
applying appropriate sanctions to security related incidents.
The organisation seeks to apply the full range of sanctions available and, where
appropriate, works with NHS Protects Legal Protection Unit to ensure sanctions
are applied.
Where a decision is taken not to apply sanctions, the advice received on this
matter and the reasons for the decision are documented.
13

There is little or no evidence that the organisation regularly and soundly

evaluates the effectiveness of its arrangements for applying sanctions against
those responsible for security related incidents.
Green:
The organisation shows a commitment to applying the full range of sanctions
against those responsible for security related incidents in line with NHS Protect
guidance.
All appropriate factors are considered when deciding what sanctions to apply.
There is executive support for the organisations arrangements in relation to
sanctions.
There is evidence that the organisation soundly and regularly evaluates its
sanctions arrangements and that, where required, findings lead to improvement
in the arrangements.
Injunctions to prevent nuisance or annoyance added to the guidance supporting
documentation and evidence.
4.2

Standard reworded as follows:

The organisation has arrangements in place to ensure that allegations of
security related incidents are investigated in a timely and proportionate manner
and these arrangements are monitored, reviewed and evaluated.
Ratings section changed as follows:
Red:
There is little or no evidence that the organisation has arrangements in place to
ensure that allegations of security related incidents are investigated in a timely
and proportionate manner.
Investigations may be carried out, but they are not conducted in line with
relevant legislation and NHS Protect guidance.
Amber:
The organisation can demonstrate that it undertakes investigations into
allegations of security related incidents and these are carried out in compliance
with the relevant legislation and NHS Protect guidance.
All allegations relating to security related incidents are investigated in a timely
and proportionate manner.
Allegations are investigated appropriately, either through internal investigations
or using the police.
There is little or no evidence that the organisation regularly and soundly
evaluates the effectiveness of its investigative arrangements.
Green:
The findings of investigations are reviewed and this leads to policy and
procedural changes, where
14

appropriate, with the aim of preventing security related incidents from

reoccurring.
There is evidence that the organisation soundly and regularly evaluates its
investigative arrangements and that, where required, findings lead to
improvements in those arrangements.
4.3

Standard reworded as follows:

Where appropriate, the organisation publicises sanctions successfully applied in
cases relating to: a) unnecessary access to premises; b) assaults on NHS staff;
c) breaching the security of NHS premises and property; d) acts of theft and
criminal damage.
Ratings section changed as follows:
Red:
There is no evidence that the organisation publicises successfully applied
sanctions in cases relating to unnecessary access to premises, assaults on staff,
security breaches, theft and criminal damage.
The organisation may publicise some sanctions, but this is not done in a
comprehensive and systematic manner or based on a communications strategy.
Amber:
The organisation is able to demonstrate that it has a communications strategy
which aims to publicise, where appropriate, successfully applied sanctions
relating to unnecessary access to premises, assaults on staff, security breaches,
and theft and criminal damage, with a view to producing a deterrent effect.
The organisations media policy is adhered to at all times, with due regard to
media handling guidance from NHS Protect.
There is little or no evidence that the organisation regularly and soundly
evaluates the effectiveness of its communications strategy relating to security
management or the deterrent value of publicity around sanctions.
Green:
The organisations communications strategy relating to security management is
regularly and soundly evaluated and, where required, findings lead to
improvements in the strategy.
As it is not appropriate to publicise some cases, for example due to clinical
factors, the organisations communications strategy allows for publicity of
sanctions to be considered on a case-by-case basis.
The impact of publicity in relation to applied sanctions is regularly and soundly
monitored and where appropriate, changes are made to the communications
strategy relating to security management with a view
to improving it.

4.4

Standard reworded as follows:

The organisation has a clear policy on the recovery of financial losses incurred
due to any theft of, or criminal damage to, its assets and can demonstrate its
effectiveness.
15

Ratings section changed as follows:

Red:
There is no evidence that the organisation seeks to recover financial losses due
to theft of, or criminal damage to, its assets.
There may be some activity to seek redress but this is not carried out in a clear,
comprehensive, systematic or timely manner and there is not a clear policy in
place in this area.
Amber:
The organisation has a clear, comprehensive and systematic policy for the
timely recovery of financial losses incurred due to theft of, or damage to, its
assets.
There is limited or no evidence that there is a regular and sound evaluation of
the effectiveness of this policy
Green:
The organisation is able to demonstrate that they have a policy that enables it to
consider recovery of financial losses due to theft of, or criminal damage to, its
assets on a case-by-case basis.
The impact of the recovery of financial losses due theft or criminal damage of its
assets is regularly monitored and soundly evaluated and, where appropriate,
improvements are made to the redress policy and the organisations approach to
recovery.

16