Security Industry Compliance Checklist for UK Businesses
Running a security business in the UK means operating in one of the most heavily regulated sectors in the country. From mandatory SIA licensing to strict employer obligations and data protection requirements, the compliance landscape is broad — and getting it wrong carries serious consequences, including fines, loss of licence, and significant legal liability.
Whether you operate a door supervision company, a CCTV monitoring service, a static guarding firm, or a close protection agency, this checklist covers the key areas of compliance every UK security business must have in order. It is designed to be a working reference — practical, thorough, and actionable — not a generic overview.
We have also included guidance on where business insurance fits into your compliance framework, because while insurance is not always a legal requirement at a business level, it is frequently required by contracts, clients, and local authorities — and is an essential part of managing your exposure to risk.
1. Security Industry Authority (SIA) Licensing
The Security Industry Authority is the regulatory body for the private security industry in England, Wales, Scotland, and Northern Ireland. SIA licensing is a legal requirement under the Private Security Industry Act 2001, and operating without the appropriate licence — or employing unlicensed staff in licensable roles — is a criminal offence.
Licensable Activities
The following activities require an SIA licence at the individual level:
- Door supervision
- Security guarding
- Close protection (bodyguard work)
- Cash and valuables in transit
- Public space surveillance (CCTV)
- Key holding
- Vehicle immobilising
Approved Contractor Scheme (ACS)
The SIA Approved Contractor Scheme (ACS) is voluntary but widely expected by public sector clients and larger contracts. ACS accreditation demonstrates that your business meets the SIA's quality standards across operations, training, and management. For any security firm with ambitions to win public sector or corporate contracts, ACS status is effectively a competitive necessity.
Compliance Checklist — SIA Licensing
- All front-line staff hold valid, current SIA licences for their role
- Licence expiry dates are tracked and renewals initiated with sufficient lead time
- New recruits are not deployed in licensable roles before their licence is granted
- You have a process for verifying licence authenticity (for example, the SIA's online licence checker)
- ACS accreditation is in place (or planned) if targeting public sector or enterprise clients
- Records of all staff licences are maintained and available for inspection
2. Employment Law and Workforce Compliance
The security sector has historically faced scrutiny over employment practices — irregular hours, zero-hours contracts, and pressure on pay are common in lower-margin operations. Getting your employment compliance right is not just a legal obligation; it is a reputational and operational matter.
Key Employment Obligations
- National Minimum Wage and National Living Wage: All workers must be paid at least the National Living Wage (£11.44 per hour for workers aged 21 and over as of April 2024). Failure to comply results in HMRC investigation, back-payment orders, and financial penalties.
- Working Time Regulations 1998: Security operatives — particularly those working extended shifts or overnight — must not exceed an average of 48 hours per week (unless they have opted out in writing). Rest break entitlements must also be observed.
- Written Employment Contracts: All employees must receive a written statement of employment particulars on or before their first day of work.
- Right to Work Checks: You are legally required to check that every employee has the right to work in the UK before they begin employment. Failure to do so can result in a civil penalty of up to £60,000 per illegal worker.
- TUPE Regulations: If you take on a security contract from another provider, the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) may apply, requiring you to take on the existing workforce on their current terms.
Compliance Checklist — Employment
- All employees are paid at or above National Living Wage requirements
- Working time records are maintained, and the 48-hour weekly limit is monitored
- Opt-out agreements are in place where extended hours are required
- Written contracts are issued on day one
- Right to work checks are completed for every hire and documented
- TUPE obligations are assessed whenever a new contract is acquired
3. Health and Safety Obligations
Security work carries inherent physical risk — confrontation, lone working, night shifts, extreme weather, and the stress of high-alert environments. Your legal duties under the Health and Safety at Work etc. Act 1974 and associated regulations are significant.
Core Requirements
- Risk Assessments: You must carry out written risk assessments for all work activities, including site-specific assessments for each location where your operatives are deployed.
- Lone Working Policy: Many security roles involve lone working. You must have a documented lone worker policy with check-in procedures, emergency contacts, and lone worker devices or apps where appropriate.
- Manual Handling: Where roles involve physical intervention or the handling of equipment, manual handling training and assessments are required.
- Personal Protective Equipment (PPE): Appropriate PPE must be provided free of charge where identified in a risk assessment.
- Health and Safety Policy: If you employ five or more people, you must have a written health and safety policy.
- RIDDOR Reporting: Certain workplace injuries, dangerous occurrences, and occupational diseases must be reported to the HSE under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013.
Compliance Checklist — Health and Safety
- Risk assessments completed for all activities and each deployment site
- Lone worker policy is documented and communicated to all staff
- Lone worker monitoring solution is in place
- Manual handling training is provided where relevant
- PPE is provided, maintained, and records kept
- Written H&S policy is in place (required for 5+ employees)
- RIDDOR reporting procedure is understood and followed
- First aid provision is adequate for your workforce size and risk level
4. Data Protection and GDPR Compliance
Security businesses handle a significant volume of personal data — from client and employee records to CCTV footage, incident reports, and access control logs. The UK General Data Protection Regulation (UK GDPR), alongside the Data Protection Act 2018, imposes strict obligations on how this data is collected, stored, processed, and shared.
Key GDPR Obligations for Security Businesses
- ICO Registration: Most security businesses are required to register as a data controller with the Information Commissioner's Office (ICO). Failure to register is a criminal offence.
- CCTV and Surveillance: If you operate or manage CCTV systems, you must comply with the ICO's CCTV Code of Practice. This includes displaying signage, limiting retention periods, and ensuring footage is accessed only by authorised personnel.
- Data Processing Agreements: Where you process personal data on behalf of a client, a written Data Processing Agreement (DPA) must be in place.
- Data Retention Policies: Personal data — including employee files, incident records, and CCTV footage — must not be retained longer than necessary. Clear retention schedules must be documented.
- Breach Notification: Reportable data breaches must be notified to the ICO within 72 hours of becoming aware of them.
- Privacy Notices: Employees and clients must be informed how their personal data is used, via a clear and accessible privacy notice.
Compliance Checklist — Data Protection
- ICO registration is in place and up to date
- A Data Protection Officer or responsible person is identified
- CCTV systems comply with the ICO Code of Practice
- Data Processing Agreements are in place with all relevant clients
- Data retention schedule is documented and enforced
- Breach response procedure is in place, including 72-hour notification process
- Staff have received data protection training
- Privacy notices are published and up to date
5. Insurance Requirements
Insurance is a critical part of the compliance framework for any security business — both as a legal obligation and as a contractual and commercial necessity. The risks inherent in security work make adequate cover essential.
Employers Liability Insurance
This is a legal requirement if you employ anyone — including part-time workers and temporary staff. You must hold a minimum of £5 million in employers liability cover, though most insurers provide £10 million as standard. Your certificate of insurance must be displayed (or made available) to employees.
Failure to hold valid employers liability insurance can result in a fine of up to £2,500 per day.
Public Liability Insurance
While not a statutory requirement, public liability insurance is almost universally required by clients and contract terms in the security sector. It covers claims arising from injury to third parties or damage to their property in connection with your business activities. Most security contracts require a minimum of £5 million in cover, and many public sector and large corporate clients require £10 million or more.
Professional Indemnity Insurance
If your business provides any form of security consultancy, risk assessment, or advisory service — rather than purely operational security — professional indemnity insurance protects you against claims arising from alleged errors, omissions, or professional negligence. This is increasingly relevant as security firms expand into risk consultancy and technology-based services.
Cyber Insurance
Security businesses hold sensitive client data, access control credentials, and CCTV systems. A cyber breach can expose client information, trigger GDPR liability, and cause significant operational disruption. Cyber insurance covers the cost of breach response, regulatory investigations, business interruption, and third-party claims arising from a cyber incident.
Compliance Checklist — Insurance
- Employers liability insurance is in place (minimum £5m, usually £10m)
- EL certificate is accessible to all employees
- Public liability insurance is in place at the level required by client contracts
- Professional indemnity insurance is in place if advisory or consultancy services are provided
- Cyber insurance is in place, particularly if CCTV or access control data is managed
- All policies are reviewed at renewal for adequacy against current business activities and contract requirements
- Subcontractors are required to evidence their own insurance cover
6. Training and Qualifications
The SIA mandates specific qualifications as a prerequisite for obtaining a licence, but your training obligations extend further than the minimum required for licensing. Courts and tribunals will consider whether adequate training was provided when assessing liability in personal injury or negligence claims.
Key Training Requirements
- SIA-Linked Qualifications: Each licensable role has a required qualification — for example, Level 2 Award for Door Supervisors or Level 2 Award in Security Guarding. These must be completed with an Ofqual-regulated awarding body.
- Physical Intervention Training: Where operatives are authorised to use physical intervention, training must be appropriate, documented, and refreshed regularly. The BTEC Level 3 Award in Physical Intervention Skills in the Private Security Industry is widely used.
- First Aid: Most SIA licence categories require a first aid qualification as part of the licensing process. Ensure all licences include the mandatory first aid component and that certificates are current.
- Fire Safety: Operatives deployed at premises should be trained in fire safety procedures relevant to their site.
- Counter-Terrorism Awareness: The Protect Duty (also known as Martyn's Law) is expected to come into force in 2025 and will require venues with large footfall to take protective security steps, including staff training. Security businesses operating at qualifying venues should be preparing for these requirements now.
Compliance Checklist — Training
- All operatives hold the required SIA qualification for their licensed role
- Physical intervention training is documented and refreshed as required
- First aid certificates are current for all licensed staff
- Site-specific induction training is delivered and recorded for each deployment
- Counter-terrorism awareness training is in place or planned ahead of Protect Duty requirements
- Training records are maintained and stored securely
7. Contracts and Documentation
A compliant security business is also a well-documented one. Contracts, assignment instructions, incident reports, and post orders form part of both your legal protection and your operational framework.
Client Contracts
Every client engagement should be underpinned by a written contract that clearly defines the scope of services, liability limits, insurance requirements, data processing arrangements, and the basis on which the contract can be varied or terminated. A well-drafted contract limits your exposure in the event of a dispute and ensures that your insurance cover is appropriately aligned with your contractual obligations.
Assignment Instructions and Post Orders
Each deployment site should have documented assignment instructions or post orders. These set out exactly what the operative is authorised to do, how to handle specific scenarios, who to contact in an emergency, and what records to keep. Post orders provide a defence in the event of an incident — demonstrating that operatives acted within their defined remit.
Incident Reporting
All incidents — whether involving physical intervention, property damage, personal injury, or a data breach — should be documented promptly and accurately. A consistent incident reporting process supports insurance claims, legal proceedings, and continuous operational improvement.
Compliance Checklist — Contracts and Documentation
- Written contracts are in place for all client engagements
- Contracts include clear liability, insurance, and data processing provisions
- Post orders or assignment instructions are in place for each site
- Operatives understand and have access to their site-specific instructions
- Incident reporting process is standardised, documented, and followed
- All incident reports are retained securely for a minimum of 3 years (longer if litigation is anticipated)
8. Financial and Tax Compliance
Beyond operational regulation, security businesses must meet their obligations under HMRC and Companies House requirements.
Compliance Checklist — Finance and Tax
- PAYE and National Insurance contributions are calculated and paid correctly
- VAT registration is in place if turnover exceeds the registration threshold (£90,000 as of 2024)
- Auto-enrolment pension duties are met for eligible employees
- Subcontractors are correctly classified (employed vs self-employed) in line with HMRC IR35 guidance
- Annual accounts and confirmation statements are filed with Companies House on time
Protecting Your Business with the Right Insurance
Compliance creates a framework — but it does not eliminate risk entirely. Even the best-run security businesses face unexpected claims, disputes, and incidents. The right insurance cover ensures that when the unexpected happens, it does not threaten the financial survival of your business.
At Insure24, we work with security businesses across the UK to arrange cover that reflects the realities of the sector — including employers liability, public liability, professional indemnity, and cyber insurance, with limits that meet the requirements of your contracts and clients.
If you would like to discuss your cover requirements, speak to one of our advisers on 0330 127 2333 or get a quote online at www.insure24.co.uk.
Summary: Security Industry Compliance Checklist
To make this guide easy to use as a working reference, here is a consolidated summary of the key compliance areas every UK security business should cover:
- SIA Licensing: All front-line staff licensed; records maintained; ACS accreditation in place or planned
- Employment Law: NLW compliance; working time records; written contracts; right to work checks; TUPE awareness
- Health and Safety: Risk assessments; lone worker policy; PPE; written H&S policy; RIDDOR compliance
- Data Protection: ICO registration; CCTV compliance; DPAs; breach response procedure; staff training
- Insurance: Employers liability; public liability; professional indemnity; cyber; subcontractor requirements
- Training: SIA qualifications; physical intervention; first aid; counter-terrorism awareness
- Contracts and Documentation: Written client contracts; post orders; incident reporting
- Finance and Tax: PAYE; VAT; auto-enrolment; IR35; Companies House filings
Compliance in the security sector is not a one-time task — it requires regular review as legislation changes, contracts evolve, and your business grows. Building compliance into your operational processes, rather than treating it as an annual exercise, is the most effective way to manage your obligations and protect your business.