Write a security plan: How to guide
This how-to guide takes you through how to write a security plan for a business, step by step. A security plan is essential for any organisation that wants to protect its people, reputation, assets and revenue. Moreover, regulation such as Martyn’s Law means the places it applies to are likely to need one.
Here’s what we cover:
Contents
- What to write in a security plan – its contents
- How to write a good security plan
- When to write a security plan
- Where to write the security plan
- Who should write the security plan
- Why write a security plan
Short on time?
If you’re short on time then use the below summary:
Define the security plan’s scope and limits.
Write a security risk assessment covering assets, threats and vulnerabilities.
Note policies and procedures in place and status.
List back-up, encryption and incident response measures.
Detail cyber security measures, such as patch management.
Describe training and awareness programs for employees.
Outline plans for regular security audits and assessments.
List relevant compliance and regulations.
Summarise the security plan’s key points.
1. What to write in a security plan – its contents
Below is a security plan template with all the common components of a security plan, followed by download buttons for the template in PDF or Word format. Please adapt it to meet your organisation’s specific needs.
Example security plan
[Name of organisation and author’s name] Security Plan
i. Executive summary
Objective: Briefly describe the purpose and goals of the security plan. For example:
This security plan’s objectives are to review current and future:
- Threats
- Vulnerabilities
- Security measures
at site [x], following a security breach on [y] date.
Security plan template Word
Security plan template PDF
ii. Introduction
Scope: Define the security plan’s scope and limits. For example:
This security plan reviews physical security measures at [X]’s headquarters. It does not include any satellite office or location.
Key stakeholders: Identify the individuals or groups responsible for security.
Legal and regulatory compliance: List relevant laws, regulations and standards that must be followed.
iii. Risk / threat assessment
Identify, describe and list potential threats. These can include:
Natural disasters
- Flood
- Heatwave
- Landslide
Cyber attacks
- Denial of service
- Ransomware
Physical failures
- Breaches
- Unauthorised visitors
- Theft
👮 Get in depth guidance on how to write a security risk assessment.
TIP: Where to get a list of threats
A great list of threats is publicly available at the UK risk register. Here you’ll find a tremendous amount of information about risk types. They also have a useful visual display format, excerpt shown below:
Terrorist threat
Martyn’s Law will likely focus a threat assessment on terrorist attacks. Therefore, it may include the following attack methods:
- Firearms attacks
- Bladed weapon attack
- Vehicle as weapon attack
- Explosives – carried or concealed
- Explosives – person borne
- Explosives – vehicle (also drone) borne
- Drone as a weapon
- Drone borne agents – CBRN
- Chemical agent attack
- Biological agent attack
- Radiological agent attack
For an in-depth explanation of attack types, see the ProtectUK website.
Examples of factors that may increase the likelihood of a terrorist attack include:
- Site importance
- Very important people
- Current security measures
- Accessibility
- Adjacent public places
- Public transport
- Structural resilience
- Other buildings/structures in proximity
- Internal security measures
- Insider threat and internal controls
Risk assessment
Assess the likelihood and impact of each threat to the organisation. A common method of risk analysis is to multiply the likelihood of an event by its impact on the business. For example:
The likelihood of an acid attack is 3 out of 5 and the impact on the business of an acid attack is 4 out of 5. Therefore, the risk is 3 x 4 = 12 out of a possible 25 (5 x 5). We could then visualise the risk on a matrix, as we can with SIRV (below).
In addition, we can capture this information and have a ‘live’ risk analysis that changes over time.
Below is a risk matrix visualisation. Products like SIRV bring these to life because live data from incidents and event reports impacts the likelihood calculation.
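The scoring method described above (likelihood × impact on a 1–5 scale, 25 maximum), worked through as an added example that is not part of the original guide or the SIRV product. It scores a constructed threat register, ranks the threats, places them on a 5×5 matrix and rejects out-of-range scores so a typo cannot skew the ranking. The banding thresholds (high ≥ 15, medium ≥ 8) are an assumption for illustration; the live, incident-driven likelihood updates the article mentions are out of scope here.

```python
"""Likelihood x impact risk scoring on a 1-5 scale, as described in the article."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5          # each factor is scored 1..5
MAX_SCORE = SCALE_MAX * SCALE_MAX    # 25, the top of the matrix


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # how likely the event is: 1 (rare) .. 5 (almost certain)
    impact: int       # effect on the business: 1 (negligible) .. 5 (severe)


def _check_scale(value: int, label: str) -> None:
    """Reject scores outside the 1-5 scale so a bad entry cannot silently skew the ranking."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(
            f"{label} must be an integer from {SCALE_MIN} to {SCALE_MAX}, got {value!r}"
        )


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = likelihood x impact, e.g. 3 x 4 = 12 out of 25."""
    _check_scale(likelihood, "likelihood")
    _check_scale(impact, "impact")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score to a treatment band. Thresholds are an assumption for this
    example; choose ones that reflect your organisation's risk appetite."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_threats(threats):
    """Highest-risk threats first; ties broken by impact, then name, so the order is stable."""
    return sorted(
        threats,
        key=lambda t: (-risk_score(t.likelihood, t.impact), -t.impact, t.name),
    )


def risk_matrix(threats):
    """Build the 5x5 matrix as nested dicts: matrix[impact][likelihood] holds the
    names of the threats that land in that cell."""
    grid = {
        impact: {lik: [] for lik in range(SCALE_MIN, SCALE_MAX + 1)}
        for impact in range(SCALE_MIN, SCALE_MAX + 1)
    }
    for t in threats:
        risk_score(t.likelihood, t.impact)  # validates both scores before placing
        grid[t.impact][t.likelihood].append(t.name)
    return grid


def render_matrix(threats) -> str:
    """Plain-text rendering: high impact at the top, low likelihood on the left."""
    grid = risk_matrix(threats)
    lines = []
    for impact in range(SCALE_MAX, SCALE_MIN - 1, -1):
        cells = []
        for lik in range(SCALE_MIN, SCALE_MAX + 1):
            names = ",".join(grid[impact][lik]) or "-"
            cells.append(f"{lik * impact:2d} {names}")
        lines.append(f"impact {impact} | " + " | ".join(cells))
    lines.append("           likelihood 1 .. 5 ->")
    return "\n".join(lines)


# Constructed sample register: illustrative scores, not a real assessment.
SAMPLE_THREATS = [
    Threat("Acid attack", likelihood=3, impact=4),
    Threat("Ransomware", likelihood=4, impact=5),
    Threat("Flood", likelihood=2, impact=3),
    Threat("Unauthorised visitor", likelihood=4, impact=2),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        s = risk_score(t.likelihood, t.impact)
        print(f"{t.name:22} {t.likelihood} x {t.impact} = {s:2d}/{MAX_SCORE}  {risk_band(s)}")
    print(render_matrix(SAMPLE_THREATS))
```

Run it directly to print the ranked register and the matrix; the acid-attack entry reproduces the article's 3 x 4 = 12 worked example. Keeping the scores as validated integers rather than free text is what makes the matrix trustworthy when it is regenerated after each review.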
Vulnerability Assessment
Identify current vulnerabilities and weaknesses that could be exploited.
iv. Security policies and procedures
Access Control
Define types of access and list who has access to what. In addition, include how to gain and revoke access.
Physical Security
Describe measures to secure physical locations.
Information Security
Explain how sensitive data is protected. For example:
- Encryption
- Password policies
- Data backups
- Data protection impact assessment (DPIA)
Cybersecurity
Detail measures to safeguard against cyber threats. For example:
- Firewalls
- Antivirus
- Incident response plans
Emergency response
Outline protocols for responding to different types of emergencies (e.g., fire, medical, security breach).
Incident reports
Describe the incident report system.
Security awareness training
Explain how employees or relevant individuals receive education about security risks and protocols.
Security tests and audits
Describe how regular tests and audits of security measures are conducted.
v. Physical security
Facility security
Detail the control of physical access to facilities. For example:
- Gates
- Locks
- Alarms
- Fences
- CCTV cameras
- Anti-drone measures
- Access control system
- Security guards
Visitor control
Explain the control and management of visitors.
Asset protection
Describe the protection for high-value assets such as equipment.
Security cameras and surveillance
Discuss the use of security cameras and their monitoring.
vi. Information security
- Data classification: Define categories of data and their security requirements.
- Data encryption: Specify encryption methods for sensitive data.
- User authentication: Describe user authentication processes and password policies.
- Data backup and recovery: Detail data backup strategies and disaster recovery plans.
- Security awareness training: Explain how employees or relevant individuals are educated about information security.
- Incident response: Outline the steps to take in the event of a data breach or security incident.
vii. Cybersecurity
Firewalls and intrusion detection / prevention: Describe the use of firewalls and intrusion detection/prevention systems.
Antivirus and malware protection: Explain the use of antivirus software and malware protection.
Patch management: Detail how software updates and patches are managed.
Network security: Describe measures to secure networks and communication channels.
Security monitoring and incident response: Explain how cybersecurity incidents are detected and responded to.
TIP: Visuals to avoid
Some security plans include visuals such as spider diagrams. However, these are not great because they don’t work with lots of variables and they’re not easy to read. We recommend bar charts instead. Our guide on how to build a security dashboard looks more closely at visuals.
viii. Training and awareness
Describe the training programs for employees or relevant individuals along with efforts to raise security awareness and promote best practices.
Martyn’s Law: Terrorism protection training
Under Martyn’s Law there’s likely to be a focus on:
- Terrorism awareness
- Suspicious activity recognition
- Emergency response procedure
- First Aid and trauma response
- Communication protocols
- Use of security equipment
- De-escalation techniques
- Legal and compliance aspects
Martyn’s Law: Public awareness and communication
Martyn’s Law wants to ensure staff, the public, visitors, and potentially the wider community, are aware of the risks of terrorism and the measures in place to mitigate these risks. As a result, Martyn’s Law is likely to require a three phase approach:
i. Communication before an incident
- Public awareness: For example, signs about safe escape routes.
- Security culture promotion: For example, encourage the public to report suspicious activity (read about how the 2017 Manchester Arena bombing attacker was challenged).
- Broadcast information: For example, use various channels such as social media, websites and brochures.
ii. Communication during an incident
- Clear and timely information: For example, prompt messages about the type of incident, with regular updates.
- Use multiple channels such as social media, text alerts and public address systems.
- Coordinate with authorities such as the emergency services and the local council.
iii. Communication after an incident
- Update the public about the situation, areas to avoid and when it is safe to return to normal activities.
- Support and resources available such as counselling or assistance centres.
- Feedback and learning: Gather feedback from the public on the effectiveness of the communication and the overall response.
ix. Tests and evaluation
Security audits and assessments: Outline plans for regular security audits and assessments.
Incident exercises: Describe exercises to test the effectiveness of incident response plans.
x. Compliance and reports
Compliance requirements: List specific compliance standards and regulations relevant to the business or situation.
Report procedures: Explain how compliance is monitored and reported.
xi. Budget and resources
Budget allocation: Give a cost budget to implement and maintain security measures.
Resource allocation: Identify the personnel and resources necessary for security.
xii. Conclusion and reviews
Present a review schedule for the security plan. Typically, reviews are annual. However, ad hoc reviews are necessary after a change in the risk environment or major security incident.
Summarise the security plan’s key points and credit others involved in creating the plan.
Appendices
2. How to write a good security plan
Security plans are usually written by professionals (‘competent people’) with experience and training from organisations such as ISRM. Writing a good security plan is a skill that takes time to develop. A well-written security plan is easy to follow, objective and truthful. Here are some tips for becoming a good security plan writer.
Use visuals
People love visuals and they communicate a lot of information very quickly.
Order
Under each section, write the security plan in chronological order, detailing events in time sequence from past to present.
Facts not Fiction
Record the facts rather than a story or narrative. For example, imagine you’re out walking and discover an injured person lying in the street. You spot someone running away from the scene. Many people would assume the runner is the assailant (this is what we see in movies all the time). However, the runner could be someone running for help.
We are tempted to assume the runner is responsible for the person’s injuries because this is a familiar story. However, report writing is not storytelling. Record the incident as you find it; don’t apply judgements. Use the same rule when taking witness statements.
Specialism
Specialism in specific types of business will likely lead to a better-quality security plan. For example, an entertainment venue’s primary risks will be around members of the public, whereas a pharmaceutical manufacturer’s primary risks will be around its supply chain. Therefore, it’s important to recognise that the experience of the person who writes the security plan will likely affect its quality.
3. When to write a security plan
Typically, a security plan is written at the commission of a new facility and a review is undertaken every year. However, ad hoc reviews may be necessary after a change in the risk environment, major security incident or change to the facility’s operations.
It’s important the security plan does not take too long to write and produce. There may be delays if the security plan’s author produces a draft and then needs stakeholder approval.
Martyn’s Law will likely require a review of the security plan every year.
4. Where to write the security plan
The security plan can be written wherever is convenient. However, it will almost certainly require an in-person visit to the facility.
Owing to the sensitive nature of its contents, the security plan should be stored in a safe, secure place with restricted access.
Paper vs digital
Nearly all security plans are written and stored digitally. However, if the plan is handwritten, it’s important that the handwriting is legible and made with permanent ink. Consider using CAPITAL LETTERS, because capital letters slow down writing and make each letter easier to read.
Made a mistake?
If you or someone else makes a mistake do not score through or mark out the error. Make a reference to the error and then add the correction elsewhere.
Here at SIRV we use a versioning system. Therefore, no entry is ever deleted; instead, new versions are added. This means there is a full audit trail of changes made.
5. Who should write the security plan
The security plan should only be written by a competent person. There is no strict definition of a competent person; however, the person’s experience and skill should reflect the complexity and resources of the business. For example, it may be acceptable for a local independent cafe’s owner to write a security plan, but for a coffee chain with hundreds of outlets, a professional third-party security consultant is likely to be appropriate.
6. Why write a security plan
A security plan is essential for any organisation that wants to protect its people, reputation, assets and revenue. Moreover, regulation means more and more businesses need one.
Hopefully, this guide on how to write a security plan shows how essential they are in making a business resilient, safe and successful.