Security Compliance Requirements for UK Businesses in 2026

Why this matters
A commercial security risk assessment should do more than justify a quote. It should help turn a broad concern such as trespass, theft, unauthorised access or poor visibility into something specific enough to act on. That matters because UK guidance is consistent on the core process: identify hazards or risks, assess them, decide on controls, record significant findings and review those controls over time. ProtectUK follows a similar logic for protective security, moving from risk identification to assessment, treatment, recording and review.
For larger organisations, that also means resisting the urge to jump straight to a service line. Manned guarding, mobile patrols and CCTV all solve different problems. Without a clear assessment, it is easy to over-resource one area, under-protect another and end up with reporting that looks busy but does not improve control. That is especially relevant where premises are public-facing, high-footfall or operationally complex. The Terrorism (Protection of Premises) Act 2025 has also raised the profile of protective-security preparedness for certain qualifying premises and events.
Start with governance, not hardware
Before looking at guards, patrol frequencies or camera counts, start by defining who owns the risk, who signs off controls and what level of exposure is acceptable. ProtectUK recommends setting the scene before the assessment begins, including governance arrangements and organisational risk appetite, so decisions are made in context rather than in isolation.
That may sound formal, but it is commercially useful. A facilities team may be focused on access control, operations may be focused on continuity and procurement may be focused on value. A risk assessment works best when those priorities are visible from the start. Otherwise, the result is often a fragmented specification: one team wants a visible presence, another wants incident evidence and a third wants cost reduction, with no agreed view of what success looks like.
Review how the site actually works day to day
A useful assessment starts with the operating reality of the site. HSE says risk identification should look at how people work, how equipment is used, the general state of the premises and non-routine operations such as maintenance, cleaning or changes in production cycles. It should also consider who might be harmed, including employees, contractors, visitors and members of the public.
For commercial security, that usually means reviewing:
access points and blind spots
hours of operation and out-of-hours exposure
contractor and visitor flow
asset value and asset location
isolated zones, perimeters and weak boundaries
recent changes to the site layout or use
whether incidents cluster by time, place or activity
That step matters because the right control often depends on pattern, not just severity. A site with predictable out-of-hours vulnerabilities may need targeted patrols. A site with constant visitor traffic and multiple entrances may need static control points. A site with recurring disputes, evidential needs or poor line of sight may need CCTV designed around specific decision points rather than blanket coverage.
Look backwards before deciding what comes next
Past incidents are one of the most useful inputs into a commercial security review. HSE explicitly recommends looking back at accident and ill-health records to identify less obvious hazards, and the same logic applies in security: incident logs, access exceptions, alarm activations, theft reports, trespass attempts and contractor breaches usually reveal patterns that a one-off walkaround will miss.
The point is not just to count incidents. It is to understand what type of control would have changed the outcome. If the recurring issue is unauthorised vehicle entry, the solution may be access redesign and control procedures rather than more cameras. If the issue is repeated perimeter breach at night, targeted patrols or canine support may be more proportionate than a full-time static presence. If the problem is disputed behaviour or poor visibility in key zones, monitored CCTV and a clearer retention and escalation policy may be the stronger answer.
Decide what needs protecting and why
Many security specifications fail because they are written around services instead of priorities. A better approach is to separate protection objectives into a few simple categories:
people
assets
operations
information
reputation
evidence
That matters because each objective changes what “good” looks like. A people-led environment may prioritise response times, safe access and clear escalation routes. An asset-led site may focus on perimeters, storage zones and after-hours presence. An evidence-led environment may need camera positioning, audit trails and retention rules that support investigation and accountability. ICO guidance for surveillance is clear that organisations should identify the minimum personal data they need for their purpose and keep it only for as long as that purpose requires.
Assess existing controls before buying more
A risk assessment should capture what is already in place, whether it works and where the gaps sit. HSE’s template guidance is useful here because it focuses not just on hazards, but on current controls, further action needed, owners and deadlines. It also warns against copying a generic example and assuming it is enough for your business.
In security terms, existing controls may include reception processes, passes, locks, gates, lighting, alarm response, keyholding, remote monitoring, staff awareness, incident reporting and contractor management. The question is not whether those controls exist. It is whether they are effective against the site’s actual exposure.
That distinction is important. A client may already have cameras, but not the coverage, retention policy, signage or review process needed to make the footage operationally useful. They may already have a guarding presence, but without clear assignment instructions, escalation rules or management information. They may already have patrols, but at the wrong times or with no clear link to known site vulnerabilities.
Build compliance into the assessment, especially for CCTV
If CCTV is part of the shortlist, data protection should be reviewed before procurement, not after installation. The ICO says organisations using video surveillance must stay within UK GDPR and the Data Protection Act 2018, take a data-protection-by-design approach and carry out a DPIA where processing is likely to result in high risk to individuals. That includes some common commercial scenarios such as monitoring publicly accessible places on a large scale or monitoring individuals at a workplace. The ICO also says signage should clearly tell people CCTV is in operation, why it is being used and who to contact.
For clients, that means the procurement brief should not stop at image quality, storage and monitoring hours. It should also cover lawful purpose, privacy information, retention, access to footage, system ownership, subject access readiness and whether a DPIA is required. That is not bureaucracy for its own sake. It is the difference between a system that supports oversight and one that creates avoidable risk.
Check supplier assurance before comparing price
Once the site risk is clear, supplier quality becomes much easier to evaluate. The SIA says buyers can check whether a company is on its register of approved contractors, and it describes the Approved Contractor Scheme as a recognised hallmark of quality. Approved contractors are assessed across 78 areas of the business, including staff training, financial management and health and safety policies. The SIA also says approved contractors may only subcontract to other approved contractors unless the SIA grants special permission.
That does not mean every approved contractor is identical, but it does give buyers a stronger starting point for due diligence. It is also worth checking the public register of licence holders for individuals in licensable roles.
In practical terms, a pre-procurement review should cover:
whether the provider is an SIA approved contractor
whether licensable roles are properly covered
how subcontracting is handled
what management information is provided
how incidents are escalated and reviewed
whether service design is tailored to site risk rather than sold as a standard package
Match the service model to the risk profile
Once the assessment is complete, the choice of service model should be much clearer.
Manned guarding usually fits sites that need continuous control, strong access management, visible assurance or on-site response in real time.
Mobile patrols tend to work better where risk is time-based, geographically spread or intermittent, especially when the site does not justify a full-time static presence.
CCTV is often strongest where visibility, evidential review, remote oversight and pattern detection are priorities, provided governance, privacy and retention are properly addressed. ICO guidance makes clear that surveillance should be adequate, relevant and limited to what is necessary for the purpose.
In many commercial environments, the best answer is not one service in isolation. It is a layered model in which physical presence, patrol coverage, access control and surveillance each do a defined job.
A simple decision test before procurement
Before any tender, quote request or supplier shortlist, ask:
What are the top three security risks on this site right now?
Who or what is most exposed: people, assets, operations or evidence?
When and where does that exposure peak?
Which current controls are effective, and which are only giving a false sense of control?
What management information is needed after mobilisation?
If CCTV is involved, what are the privacy, retention and DPIA implications?
What supplier assurance is non-negotiable?
If those questions cannot be answered clearly, the specification is probably being written too early.
Final point
A security risk assessment is not just a compliance exercise and it is not a formality before procurement. Done properly, it is what stops a business from buying the wrong type of reassurance. It creates a clearer link between exposure, control, reporting and budget, which is exactly what larger commercial clients need when security decisions are expected to stand up to scrutiny.
FAQ
What should a commercial security risk assessment include?
At a minimum, it should cover site layout, access points, who may be harmed or affected, incident history, existing controls, further actions needed, ownership and review points. HSE’s risk-assessment guidance and templates both support that structured approach.
Is CCTV always the most cost-effective starting point?
Not necessarily. CCTV can be highly effective for visibility and evidence, but it does not replace physical control where access needs managing in real time. It also brings data-protection obligations around purpose, retention, signage and, in some cases, DPIAs.
Why check for SIA approved-contractor status?
Because the SIA says the ACS is a recognised quality benchmark and assesses approved contractors across 78 business areas. It also gives buyers a register they can use during due diligence.
Does this matter more now for public-facing premises?
In many cases, yes. The Terrorism (Protection of Premises) Act 2025 has put protective-security preparedness on a firmer legal footing for certain premises and events, with a tiered approach linked to use and expected occupancy.
