
Protective Security Assessment
An 11-stage protective security assessment framework that produces structured, auditable reports in a fraction of the time. NPSA-aligned protective security risk management — covering threat evaluation, vulnerability assessment, security requirements, and residual risk. Built for consultants who deliver rigour at volume.
Built to Save Consultant Hours
A protective security assessment involves context gathering, asset identification, threat evaluation, vulnerability analysis, risk scoring, requirements derivation, recommendation design, and residual risk assessment — then assembling all of it into a coherent client report. That process typically takes days. This framework compresses it into hours of guided review, without compromising on structure, traceability, or methodological rigour.
Why It Matters
Days to Hours
Structured intake and automated assessment reduce engagement timelines from days of manual analysis to hours of guided review.
Consistent Structure
Every assessment follows the same 11-stage framework — no gaps, no skipped stages, no consultant-to-consultant variation.
Auditable Reports
Every recommendation traces back to a registered risk, a registered asset, and a framework ID. Full traceability built in.
NPSA-Aligned
Framework grounded in NPSA protective-security principles: layered security, defence-in-depth, risk-based proportionality.
11 Stages. Two Review Gates.
Each stage produces a structured register that feeds the next. Two SME review gates — at Risk Evaluation and Residual Risk — ensure the consultant stays in control of every finding before downstream stages build on it.
Context Development
Project, site, operational, and existing-security context synthesised into a structured baseline.
Asset Identification
Critical assets registered across people, information, equipment, and places — with criticality scoring.
Threat Source Assessment
Credible threat actors evaluated for intent, capability, and overall credibility.
Attack Method Analysis
Adversary methods assessed against sector relevance and threat-source linkage.
Threat Scenario Building
Credible scenarios assembled linking threat sources, methods, and target assets.
Vulnerability Assessment
Current-state weaknesses mapped to assets, scenarios, and severity.
Risk Evaluation
SME Gate: Likelihood and consequence scored per risk, producing the current-state risk register.
Operational Requirements
Outcome-focused security requirements derived from the risk register.
Physical Security Requirements
Performance-based physical security requirements with classification and priority.
Security Recommendations
Zoned, 5-D-tagged measures (deter, detect, delay, respond, recover) prioritised by risk.
Residual Risk Assessment
SME Gate: Post-treatment position with acceptance status and remaining considerations.
Seven Context Areas. No Guessing.
The intake establishes context — it never asks the consultant to identify threats, score assets, or pick a strategy. That is the framework's job. The consultant provides what they know; the framework performs the assessment.
Project Information
Project name, client, purpose, project type, and regulatory or security drivers.
Site Information
Site name, location, description, function, layout, boundaries, and access routes.
Operational Information
Operational purpose, key processes, outputs, critical functions, and dependencies.
Assets
Known assets across NPSA categories — people, information, equipment, places.
Existing Security
Descriptive account of current arrangements across six security domains.
Security Context
Known concerns, occupancy, security presence, and monitoring approach.
Required Outputs
Deliverables selection, report style, and additional instructions.
The Report Structure
The report interprets the approved assessment registers into client-facing prose. It never invents findings — every recommendation traces back to a registered risk, a registered asset, and a framework ID. Exportable as PDF or Word.
Executive Summary
Board-readable synthesis of threats, risks, recommendations, and residual position — generated last from the full report prose.
Background & Scope
Project context, site description, assessment drivers, scope boundaries, and methodology note.
Security Approach
Guiding principles — secure-by-design, layered security, defence-in-depth, risk-based proportionality.
Threat Evaluation
Credible threat picture: actors, capability, intent, scenarios, and threat drivers.
Security Laydown — Beyond Perimeter
Out-to-in zone analysis: objectives, assets, threats addressed, and recommended measures.
Security Laydown — Perimeter
Perimeter-layer security objectives, threats addressed, and recommended measures.
Security Laydown — Site
Site-layer security objectives, threats addressed, and recommended measures.
Security Laydown — Building
Building-layer security objectives, threats addressed, and recommended measures.
Security Laydown — Asset
Asset-layer security objectives, threats addressed, and recommended measures.
Security Design Summary
Overall security design: how recommendations satisfy operational and physical requirements.
Residual Risk Summary
Post-treatment residual risks, acceptance status, and remaining considerations.
Conclusion
Overall security position, recommended strategy, and decision-useful summary for the risk owner.
Editorial QA Pass
A final QA unit reads every section and checks completeness, terminology consistency, repetition, and traceability gaps — flagging any cited IDs that do not appear in the registers or material IDs that were never cited.
Who It's For
- Independent security consultants running multiple concurrent assessments
- Security firms standardising their assessment methodology across teams
- Corporate security teams building internal protective-security capability
- Risk managers who need auditable, traceable security documentation
Licensing for Security Teams
For security firms and corporate security teams running assessments at volume, the framework is available for enterprise licensing. Standardise your methodology across every consultant, every site, and every report — with the same 11-stage structure, the same traceability, and the same report format on every engagement.
Methodology Consistency
Every consultant in your team follows the same structured framework — no gaps, no variation, no methodology drift.
Report Standardisation
Every client receives the same report structure with full framework-ID traceability — ready for audit and comparison.
Volume Throughput
Run more assessments in parallel without scaling headcount linearly. The framework does the heavy analysis; your team does the review.
Common Questions
What is a protective security assessment?
A protective security assessment is a structured evaluation of a site or facility that identifies critical assets, evaluates credible threats, assesses vulnerabilities, scores risk, derives security requirements, and produces zoned recommendations with a residual risk position. Our framework follows an 11-stage methodology aligned with NPSA protective security principles.
What does NPSA-aligned mean?
NPSA (National Protective Security Authority) is the UK government body that sets protective security standards and guidance. Our framework adopts NPSA principles — layered security (out-to-in zones), defence-in-depth, risk-based proportionality, and the 5 D's (deter, detect, delay, respond, recover) — ensuring assessments meet recognised UK protective security standards.
How does this compare to a traditional protective security risk assessment?
A traditional assessment typically involves days of manual analysis: context gathering, asset identification, threat evaluation, vulnerability analysis, risk scoring, requirements derivation, recommendation design, and report writing. Our framework compresses this into hours of guided review by structuring every stage and producing the report directly from the approved assessment registers — with full traceability from recommendation to registered risk to registered asset.
What is included in the protective security report?
The report includes an executive summary, background and scope, security approach, threat evaluation, five security laydown sections (beyond perimeter, perimeter, site, building, asset), security design summary, residual risk summary, conclusion, and an editorial QA verdict. Every recommendation cites the framework IDs it traces back to. Exportable as PDF or Word.
Can this framework be licensed for our organisation?
Yes. For security firms and corporate security teams running assessments at volume, the framework is available for enterprise licensing. This standardises your methodology across every consultant, every site, and every report — with the same 11-stage structure, the same traceability, and the same report format on every engagement. Contact us to discuss licensing options.
What are protective security requirements and how are they derived?
Protective security requirements are outcome-focused statements derived from the risk register — they describe what the security measures need to achieve without specifying a particular solution. Our framework produces two layers: operational requirements (what security must achieve) and physical security requirements (performance specifications for physical measures), each prioritised and linked to the risks they treat.
How long does a protective security assessment take?
The structured intake typically takes 30-60 minutes depending on site complexity. The assessment framework then processes the context through all 11 stages with two SME review gates. Compared to a traditional multi-day engagement, the framework compresses the analysis timeline significantly — the consultant's time is spent reviewing and approving, not building from scratch.