Write a security plan: How to guide

Write a security plan: How to guide – takes you through how to write a security plan for a business, step by step. A security plan is essential for any organisation that wants to protect its people, reputation, assets and revenue. Moreover, regulation such as Martyn's Law means that premises it applies to are likely to need one.

Here’s what we cover:

Contents 

  1. What to write in a security plan – its contents
  2. How to write a good security plan
  3. When to write a security plan
  4. Where to write the security plan
  5. Who should write the security plan
  6. Why write a security plan

Short on time?

If you’re short on time then use the below summary:


Summary of purpose and goals of the security plan.

Define the security plan’s scope and limits.

Write a security risk assessment covering assets, threats and vulnerabilities.

Note the policies and procedures in place and their status.

Detail physical security countermeasures.

List information security measures: backups, encryption and incident response.

Detail cyber security measures, such as patch management.

Describe training and awareness programs for employees.

Outline plans for regular security audits and assessments.

List relevant compliance and regulations.

Outline budget to implement and maintain security measures.

Summarise the security plan’s key points.

1. What to write in a security plan – its contents

Below is a security plan template with all the common components of a security plan, also available to download in Word or PDF format. Please adapt it to meet your organisation's specific needs.

Example security plan

[Name of organisation and author’s name] Security Plan

i. Executive summary

Objective: Briefly describe the purpose and goals of the security plan. For example:

This security plan’s objectives are to review current and future:

  • Threats
  • Vulnerabilities
  • Security measures

at site [x], following a security breach on [y] date.

Security plan template Word

Security plan template PDF

ii. Introduction

Scope: Define the security plan’s scope and limits. For example:

This security plan reviews physical security measures at [X]’s headquarters. It does not include any satellite office or location.

Key stakeholders: Identify the individuals or groups responsible for security.

Legal and regulatory compliance: List relevant laws, regulations and standards that must be followed.


iii. Risk / threat assessment

Identify, describe and list potential threats. These can include:

Natural disasters

  • Flood
  • Heatwave
  • Landslide

Cyber attacks

  • Denial of service
  • Ransomware

Physical security failures

  • Breaches
  • Unauthorised visitors
  • Theft

TIP: Where to get a list of threats

A comprehensive list of threats is publicly available in the UK National Risk Register. There you will find a large amount of information about risk types, presented in a useful visual matrix format.


Terrorist threat

Martyn’s Law will likely focus a threat assessment on terrorist attacks. Therefore, it may include the following attack methods:

  • Firearms attacks
  • Bladed weapon attack
  • Vehicle as weapon attack
  • Explosives – carried or concealed
  • Explosives – person borne
  • Explosives – vehicle (also drone) borne
  • Drone as a weapon
  • Drone borne agents – CBRN
  • Chemical agent attack
  • Biological agent attack
  • Radiological agent attack

For an in-depth explanation of attack types, see the ProtectUK website.

Factors that may influence the likelihood or impact of a terrorist attack include:

  • Site importance
  • Very important people
  • Current security measures
  • Accessibility
  • Adjacent public places
  • Public transport
  • Structural resilience
  • Other buildings/structures in proximity
  • Internal security measures
  • Insider threat and internal controls

Risk assessment

Assess the likelihood and impact of each threat to the organisation. A common method of risk analysis is to multiply the likelihood of an event by its impact on the business. For example:

The likelihood of an acid attack is 3 out of 5 and the impact on the business of an acid attack is 4 out of 5. Therefore, the risk is 3 x 4 = 12 out of a possible 25 (5 x 5). We can then visualise the risk on a matrix, as we do with SIRV.

In addition, we can capture this information and keep a 'live' risk analysis that changes over time. Products like SIRV bring the risk matrix to life because live data from incident and event reports feeds the likelihood calculation.
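As an added example (not code from this page or from SIRV), the Python below implements the scoring described above: each threat is scored likelihood x impact on a 1..5 scale, the likelihood is kept 'live' by raising it as related incident reports accumulate within a look-back window, and the results are laid out on a 5x5 matrix. The banding thresholds, the incidents-to-likelihood rule and all sample data are assumptions made for this example; the page only defines the 1..25 scale and says incident data should drive the likelihood.

```python
"""Added example (not SIRV's code): a small risk register that scores each
threat as likelihood x impact on a 1..5 scale, keeps the likelihood 'live'
by raising it as related incident reports accumulate, and lays the results
out on a 5x5 matrix. Thresholds, the incident-to-likelihood rule and all
sample data are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import date, timedelta

SCALE = range(1, 6)          # likelihood and impact are both scored 1..5
MAX_RISK = 5 * 5             # 25, as in the page's worked example


@dataclass
class Threat:
    name: str
    baseline_likelihood: int             # analyst's judgement, 1..5
    impact: int                          # 1..5
    incidents: list[date] = field(default_factory=list)  # dates of related incident reports


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = likelihood x impact; rejects out-of-scale inputs rather than silently mis-scoring."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"scores must be 1..5, got likelihood={likelihood} impact={impact}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Bands used to prioritise treatment. The cut-offs are an assumption for this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def live_likelihood(threat: Threat, today: date, window_days: int = 365) -> int:
    """'Live' likelihood: the analyst's baseline raised by one point for every two
    related incidents reported in the look-back window, capped at the top of the scale.
    This rule is an assumption; the page only says incident data should feed the likelihood."""
    window_start = today - timedelta(days=window_days)
    recent = [d for d in threat.incidents if window_start <= d <= today]
    return min(max(SCALE), threat.baseline_likelihood + len(recent) // 2)


def assess(threats: list[Threat], today: date) -> list[dict]:
    """Score every threat and return the register ordered highest risk first."""
    rows = []
    for t in threats:
        likelihood = live_likelihood(t, today)
        score = risk_score(likelihood, t.impact)
        rows.append({"threat": t.name, "likelihood": likelihood, "impact": t.impact,
                     "risk": score, "band": risk_band(score)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def risk_matrix(rows: list[dict]) -> dict[tuple[int, int], list[str]]:
    """Map each (likelihood, impact) cell of the 5x5 matrix to the threats that land in it."""
    grid = {(l, i): [] for l in SCALE for i in SCALE}
    for r in rows:
        grid[(r["likelihood"], r["impact"])].append(r["threat"])
    return grid


def render_matrix(grid: dict[tuple[int, int], list[str]]) -> str:
    """Text rendering: likelihood 5 at the top, impact 1..5 left to right, cell = number of threats."""
    header = "L\\I " + " ".join(f"{i:>2}" for i in SCALE)
    lines = [header]
    for l in reversed(SCALE):
        lines.append(f"{l:>3} " + " ".join(f"{len(grid[(l, i)]):>2}" for i in SCALE))
    return "\n".join(lines)


# Constructed sample register and incident history (not real data).
TODAY = date(2024, 6, 30)
SAMPLE_THREATS = [
    Threat("Acid attack", 3, 4),                       # the page's example: 3 x 4 = 12
    Threat("Ransomware", 3, 5),
    Threat("Flood", 1, 4),
    Threat("Unauthorised visitors", 2, 3, [
        date(2023, 1, 1),                              # outside the 365-day window, ignored
        date(2024, 1, 10), date(2024, 3, 2), date(2024, 5, 15), date(2024, 6, 1),
    ]),
    Threat("Theft", 4, 2, [date(2024, m, 1) for m in range(1, 6)]),  # 5 incidents: capped at 5
]

if __name__ == "__main__":
    register = assess(SAMPLE_THREATS, TODAY)
    for row in register:
        print(f"{row['threat']:<22} L={row['likelihood']} I={row['impact']} "
              f"risk={row['risk']:>2}/{MAX_RISK} {row['band']}")
    print(render_matrix(risk_matrix(register)))
```

Running the script prints the register ordered by risk and the 5x5 matrix. Two points worth noticing: four unauthorised-visitor reports in the window lift that threat from 2 x 3 = 6 (low) to 4 x 3 = 12 (medium) without any analyst re-scoring, and the cap at 5 stops a flood of minor theft reports from pushing the likelihood off the scale. In practice the look-back window and the incidents-per-point ratio should be agreed with the stakeholders named in the plan, because they decide how quickly the register reacts.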

Vulnerability Assessment

Identify current vulnerabilities and weaknesses that could be exploited.

iv. Security policies and procedures

Access Control

Define the types of access, who has access to what, and how access is granted and revoked.

Physical Security

Describe measures to secure physical locations.

Information Security

Explain how sensitive data is protected. For example:

  • Encryption
  • Password policies
  • Data backups
  • Data protection impact assessment (DPIA)

Cybersecurity

Detail measures to safeguard against cyber threats. For example:

  • Firewalls
  • Antivirus
  • Incident response plans

Emergency response

Outline protocols for responding to different types of emergencies (e.g., fire, medical, security breach).

Incident reports

Describe the incident reporting system.

Security awareness training

Explain how employees or relevant individuals receive education about security risks and protocols.

Security tests and audits

Describe how regular tests and audits of security measures are conducted.


v. Physical security

Facility security

Detail the control of physical access to facilities. For example:

  • Gates
  • Locks
  • Alarms
  • Fences
  • CCTV cameras
  • Anti-drone measures
  • Access control system
  • Security guards

Visitor control

Explain the control and management of visitors.

Asset protection

Describe the protection for high-value assets such as equipment.

Security cameras and surveillance

Discuss the use of security cameras and their monitoring.

vi. Information security

  • Data classification: Define categories of data and their security requirements.
  • Data encryption: Specify encryption methods for sensitive data.
  • User authentication: Describe user authentication processes and password policies.
  • Data backup and recovery: Detail data backup strategies and disaster recovery plans.
  • Security awareness training: Explain how employees or relevant individuals are educated about information security.
  • Incident response: Outline the steps to take in the event of a data breach or security incident.

vii. Cybersecurity

Firewalls and intrusion detection / prevention: Describe the use of firewalls and intrusion detection/prevention systems.

Antivirus and Malware protection: Explain the use of antivirus software and malware protection.

Patch management: Detail how software updates and patches are managed.

Network security: Describe measures to secure networks and communication channels.

Security monitoring and incident response: Explain how cybersecurity incidents are detected and responded to.

TIP: Visuals to avoid

Some security plans include visuals such as spider diagrams. However, these handle many variables poorly and are hard to read. We recommend bar charts instead. Our guide on how to build a security dashboard looks more closely at visuals.

viii. Training and awareness

Describe the training programs for employees or relevant individuals, along with efforts to raise security awareness and promote best practices.

Martyn's Law: Terrorism protection training

Under Martyn's Law there's likely to be a focus on:

  • Terrorism awareness
  • Suspicious activity recognition
  • Emergency response procedure
  • First Aid and trauma response
  • Communication protocols
  • Use of security equipment
  • De-escalation techniques
  • Legal and compliance aspects

Martyn's Law: Public awareness and communication

Martyn's Law aims to ensure staff, the public, visitors and potentially the wider community are aware of the risks of terrorism and the measures in place to mitigate them. As a result, Martyn's Law is likely to require a three-phase approach:

i) Communication before an incident

  • Public awareness: For example, signs about safe escape routes.
  • Security culture promotion: For example, encourage the public to report suspicious activity (read about how the 2017 Manchester Arena bombing attacker was challenged).
  • Broadcast information: For example, use various channels such as social media, websites and brochures.

ii) Communication during an incident

  • Clear and timely information: For example, prompt messages about the type of incident, with regular updates.
  • Use multiple channels, such as social media, text alerts and public address systems.
  • Coordinate with authorities, such as the emergency services and the local council.

iii) Communication after an incident

  • Update the public about the situation, areas to avoid and when it is safe to return to normal activities.
  • Publicise the support and resources available, such as counselling or assistance centres.
  • Feedback and learning: Gather public feedback on the effectiveness of the communication and the overall response.

ix. Tests and evaluation

Security audits and assessments: Outline plans for regular security audits and assessments.

Incident exercises: Describe exercises to test the effectiveness of incident response plans.

x. Compliance and reports

Compliance requirements: List specific compliance standards and regulations relevant to the business or situation.

Report procedures: Explain how compliance is monitored and reported.

xi. Budget and resources

Budget allocation: Give the budget required to implement and maintain security measures.

Resource allocation: Identify the personnel and resources necessary for security.

xii. Conclusion and reviews

Present a review schedule for the security plan. Typically, reviews are annual. However, ad hoc reviews are necessary after a change in the risk environment or a major security incident.

Summarise the security plan's key points and credit others involved in creating the plan.

Appendices

Add documents, forms or reference materials.

2. How to write a good security plan

Security plans are usually written by professionals, 'competent people' with experience and training from organisations such as ISRM. Writing a good security plan is a skill that takes time to develop. A well-written security plan is easy to follow, objective and truthful. Here are some tips for being a good security plan writer.

Use visuals

People love visuals, and they communicate a lot of information very quickly. Choose them with care, though: a pie chart with many entries, for example, is difficult to read.

Order

Within each section, present events chronologically, from the past to the present.

Facts not fiction

Record the facts rather than a story or narrative. For example, imagine you're out walking and discover an injured person lying in the street. You spot someone running away from the scene. Many people would assume the runner is the assailant (this is what we see in films all the time). However, the runner could be someone running for help.

We are tempted to assume the runner is responsible for the person's injuries because this is a familiar story. However, report writing is not storytelling. Record the incident as you find it and don't apply judgements. Use the same rule when taking witness statements.

Specialism

Specialism in specific types of business will likely lead to a better-quality security plan. For example, an entertainment venue's primary risks will be around members of the public, whereas a pharmaceutical manufacturer's primary risks will be around its supply chain. Therefore, it's important to recognise that the experience of the person who writes the security plan will affect its quality.

3. When to write a security plan

Typically, a security plan is written when a new facility is commissioned and reviewed every year. However, ad hoc reviews may be necessary after a change in the risk environment, a major security incident or a change to the facility's operations.

It's important that the security plan does not take too long to write and produce. Delays are common when the author produces a draft and then has to wait for stakeholder approval, so agree the approval route in advance.

Martyn's Law will likely require a review of the security plan every year.

4. Where to write the security plan

The security plan can be written wherever is convenient. However, it will almost certainly require an in-person visit to the facility.

Owing to the sensitive nature of its contents, the security plan should be stored in a safe, secure place with access limited to those who need it.

Paper vs digital

Nearly all security plans are written and stored digitally. However, if a plan is handwritten it's important that the handwriting is legible and in permanent ink. Consider using CAPITAL LETTERS, which slow down writing and make each letter easier to read.

Made a mistake?

If you or someone else makes a mistake, do not score through or mark out the error. Make a reference to the error and then add the correction elsewhere.

Here at SIRV we use a versioning system. No entry is ever deleted; instead, a new version is recorded, so there is a full audit trail of the changes made.

5. Who should write the security plan

The security plan should only be written by a competent person. There is no strict definition of a competent person; however, the person's experience and skill should reflect the complexity and resources of the business. For example, it may be acceptable for the owner of a local independent cafe to write its security plan. But for a coffee chain with hundreds of outlets, a professional third-party security consultant is likely to be appropriate.

6. Why write a security plan

A security plan is essential for any organisation that wants to protect its people, reputation, assets and revenue. Moreover, regulation means more and more businesses need one.

Hopefully, this 'how to write a security plan' guide shows the value of a security plan and how it can make a business more resilient, safe and successful.
