
Protective Security Assessment

An 11-stage protective security assessment framework that produces structured, auditable reports in a fraction of the time. NPSA-aligned protective security risk management — covering threat evaluation, vulnerability assessment, security requirements, and residual risk. Built for consultants who deliver rigour at volume.

Built to Save Consultant Hours

A protective security assessment involves context gathering, asset identification, threat evaluation, vulnerability analysis, risk scoring, requirements derivation, recommendation design, and residual risk assessment — then assembling all of it into a coherent client report. That process typically takes days. This framework compresses it into hours of guided review, without compromising on structure, traceability, or methodological rigour.

Why It Matters

Days to Hours

Structured intake and automated assessment reduce engagement timelines from days of manual analysis to hours of guided review.

Consistent Structure

Every assessment follows the same 11-stage framework — no gaps, no skipped stages, no consultant-to-consultant variation.

Auditable Reports

Every recommendation traces back to a registered risk, a registered asset, and a framework ID. Full traceability built in.

NPSA-Aligned

Framework grounded in NPSA protective-security principles: layered security, defence-in-depth, risk-based proportionality.

The Assessment Framework

11 Stages. Two Review Gates.

Each stage produces a structured register that feeds the next. Two SME review gates — at Risk Evaluation and Residual Risk — ensure the consultant stays in control of every finding before downstream stages build on it.

01

Context Development

Project, site, operational, and existing-security context synthesised into a structured baseline.

02

Asset Identification

Critical assets registered across people, information, equipment, and places — with criticality scoring.

03

Threat Source Assessment

Credible threat actors evaluated for intent, capability, and overall credibility.

04

Attack Method Analysis

Adversary methods assessed against sector relevance and threat-source linkage.

05

Threat Scenario Building

Credible scenarios assembled linking threat sources, methods, and target assets.

06

Vulnerability Assessment

Current-state weaknesses mapped to assets, scenarios, and severity.

07

Risk Evaluation

SME Gate

Likelihood and consequence scored per risk, producing the current-state risk register.

08

Operational Requirements

Outcome-focused security requirements derived from the risk register.

09

Physical Security Requirements

Performance-based physical security requirements with classification and priority.

10

Security Recommendations

Zoned, 5-D-tagged measures (deter, detect, delay, respond, recover) prioritised by risk.

11

Residual Risk Assessment

SME Gate

Post-treatment position with acceptance status and remaining considerations.

Structured Intake

Seven Context Areas. No Guessing.

The intake establishes context — it never asks the consultant to identify threats, score assets, or pick a strategy. That is the framework's job. The consultant provides what they know; the framework performs the assessment.

Project Information

Project name, client, purpose, project type, and regulatory or security drivers.

Site Information

Site name, location, description, function, layout, boundaries, and access routes.

Operational Information

Operational purpose, key processes, outputs, critical functions, and dependencies.

Assets

Known assets across NPSA categories — people, information, equipment, places.

Existing Security

Descriptive account of current arrangements across six security domains.

Security Context

Known concerns, occupancy, security presence, and monitoring approach.

Required Outputs

Deliverables selection, report style, and additional instructions.

The Deliverable

The Report Structure

The report interprets the approved assessment registers into client-facing prose. It never invents findings — every recommendation traces back to a registered risk, a registered asset, and a framework ID. Exportable as PDF or Word.

01

Executive Summary

Board-readable synthesis of threats, risks, recommendations, and residual position — generated last from the full report prose.

02

Background & Scope

Project context, site description, assessment drivers, scope boundaries, and methodology note.

03

Security Approach

Guiding principles — secure-by-design, layered security, defence-in-depth, risk-based proportionality.

04

Threat Evaluation

Credible threat picture: actors, capability, intent, scenarios, and threat drivers.

05

Security Laydown — Beyond Perimeter

Out-to-in zone analysis: objectives, assets, threats addressed, and recommended measures.

06

Security Laydown — Perimeter

Perimeter-layer security objectives, threats addressed, and recommended measures.

07

Security Laydown — Site

Site-layer security objectives, threats addressed, and recommended measures.

08

Security Laydown — Building

Building-layer security objectives, threats addressed, and recommended measures.

09

Security Laydown — Asset

Asset-layer security objectives, threats addressed, and recommended measures.

10

Security Design Summary

Overall security design: how recommendations satisfy operational and physical requirements.

11

Residual Risk Summary

Post-treatment residual risks, acceptance status, and remaining considerations.

12

Conclusion

Overall security position, recommended strategy, and decision-useful summary for the risk owner.

Editorial QA Pass

A final QA unit reads every section and checks completeness, terminology consistency, repetition, and traceability gaps — flagging any cited IDs that do not appear in the registers or material IDs that were never cited.

Who It's For

  • Independent security consultants running multiple concurrent assessments
  • Security firms standardising their assessment methodology across teams
  • Corporate security teams building internal protective-security capability
  • Risk managers who need auditable, traceable security documentation

For Organisations

Licensing for Security Teams

For security firms and corporate security teams running assessments at volume, the framework is available for enterprise licensing. Standardise your methodology across every consultant, every site, and every report — with the same 11-stage structure, the same traceability, and the same report format on every engagement.

Methodology Consistency

Every consultant in your team follows the same structured framework — no gaps, no variation, no methodology drift.

Report Standardisation

Every client receives the same report structure with full framework-ID traceability — ready for audit and comparison.

Volume Throughput

Run more assessments in parallel without scaling headcount linearly. The framework does the heavy analysis; your team does the review.

Frequently Asked

Common Questions

What is a protective security assessment?

A protective security assessment is a structured evaluation of a site or facility that identifies critical assets, evaluates credible threats, assesses vulnerabilities, scores risk, derives security requirements, and produces zoned recommendations with a residual risk position. Our framework follows an 11-stage methodology aligned with NPSA protective security principles.

What does NPSA-aligned mean?

NPSA (National Protective Security Authority) is the UK government body that sets protective security standards and guidance. Our framework adopts NPSA principles — layered security (out-to-in zones), defence-in-depth, risk-based proportionality, and the 5 D's (deter, detect, delay, respond, recover) — ensuring assessments meet recognised UK protective security standards.

How does this compare to a traditional protective security risk assessment?

A traditional assessment typically involves days of manual analysis: context gathering, asset identification, threat evaluation, vulnerability analysis, risk scoring, requirements derivation, recommendation design, and report writing. Our framework compresses this into hours of guided review by structuring every stage and producing the report directly from the approved assessment registers — with full traceability from recommendation to registered risk to registered asset.

What is included in the protective security report?

The report includes an executive summary, background and scope, security approach, threat evaluation, five security laydown sections (beyond perimeter, perimeter, site, building, asset), security design summary, residual risk summary, conclusion, and an editorial QA verdict. Every recommendation cites the framework IDs it traces back to. Exportable as PDF or Word.

Can this framework be licensed for our organisation?

Yes. For security firms and corporate security teams running assessments at volume, the framework is available for enterprise licensing. This standardises your methodology across every consultant, every site, and every report — with the same 11-stage structure, the same traceability, and the same report format on every engagement. Contact us to discuss licensing options.

What are protective security requirements and how are they derived?

Protective security requirements are outcome-focused statements derived from the risk register — they describe what the security measures need to achieve without specifying a particular solution. Our framework produces two layers: operational requirements (what security must achieve) and physical security requirements (performance specifications for physical measures), each prioritised and linked to the risks they treat.

How long does a protective security assessment take?

The structured intake typically takes 30-60 minutes depending on site complexity. The assessment framework then processes the context through all 11 stages with two SME review gates. Compared to a traditional multi-day engagement, the framework compresses the analysis timeline significantly — the consultant's time is spent reviewing and approving, not building from scratch.

Start Your Assessment

Whether you're a solo consultant looking to compress engagement timelines or a firm standardising across a team — the framework is ready.