Physical security assessment has a methodology problem, says Stephen Beels, pictured.
I have conducted physical security assessments for the best part of two decades as an independent consultant. Before that, I spent 30 years in the Metropolitan Police, much of it in Special Branch and Counter Terrorism, where the discipline of structured assessment was not optional, rather it was the foundation on which operational decisions were made and, in some cases, lives depended. So when I look at the state of physical security assessment practice in the commercial sector, I find it difficult not to notice the gap.
The knowledge and experience are there. I have worked alongside practitioners whose professional judgment I would trust without hesitation. What I have observed, consistently, is that the profession has never developed the methodological infrastructure to turn that expertise into outputs that are structured, evidenced and repeatable; outputs that a board of directors or an audit committee can actually interrogate and act on. That is not a criticism of individuals. It is a structural observation about a discipline that has relied heavily on the expertise of its practitioners while giving them little in the way of a shared methodology to work within.
The consequences are familiar to anyone who commissions or conducts this work. Scope varies between practitioners and between engagements whilst risk is scored intuitively, where it is scored at all. Reports are also written for security managers rather than for the governance audiences increasingly required to understand the effectiveness of their material controls. The work is often excellent in professional terms and structurally inconsistent at the same time. This at a period when governance is asking more.
Provision 29 of the UK Corporate Governance Code 2024 requires boards of ESCC-listed organisations (top-tier public companies) to declare on material controls effectiveness for financial years beginning January 2026. For a significant number of listed organisations, physical security sits within their control. The assessment output that supports such a declaration needs to be structured, calibrated and reproducible. A narrative report with intuitive risk scoring does not meet that standard.
It was that gap, between what the profession is capable of and what it currently produces, that led me to develop IPSRM, the Integrated Physical Security Review Methodology, a comprehensive document suite for the practitioner. The methodology organises assessment across three stages โ Collect, Calibrate, Communicate โ and six interdependent domains, from Strategic Threat Context through to Systemic Dependency and Resilience. It applies a defined residual risk scoring framework to every finding, classifying exposure into three priority tiers on a fixed scale that means the same thing regardless of which practitioner produces the output or which organisation commissions it. The final deliverable is an executive report structured for governance audiences, one that a senior executive with no specialist security background can read and quickly reach the conclusions that matter.
For the independent practitioner, the methodology provides a consistent, defensible evidential record that holds up to professional scrutiny, supports repeat engagements and produces reporting that executive audiences can act on. It can also be deployed under a practitioner’s own branding in client-facing work. Practitioners who deploy IPSRM under its ‘Licence and Use Framework’ do so as licensed practitioners โ a designation that carries genuine weight in competitive tendering and governance-facing engagements. Joe Connell, former chairman of the Association of Security Consultants, observed that “Stephen has really cut to the chase in developing IPSRM. Of equal value to Security Consultants and to Management Boards … I have no hesitation in commending IPSRM.”
It is that balance the methodology is specifically designed to achieve. In my experience, that is what separates a structured methodology from an informed inspection and it is a distinction the profession now needs to make.
IPSRM is available as a commercial document suite at ipsrm.org, in four tiers from ยฃ45 to ยฃ395.
About Stephen Beels
He’s an independent security consultant with over 40 years of experience including service with the Metropolitan Police. He is a former Board Director of the Association of Security Consultants (ASC) and a three-time winner of the UK Outstanding Security Performance Awards (OSPAs). Visit https://www.ipsrm.org/the-creator.
