Strategy and Planning for Security

Strategy and planning are essential for formulating a security plan and making it a reality. Knighthood assists our customers in selecting the level that best suits their needs.

Enhanced

  • Protective security considerations are fully integrated into your business strategy and planning cycles.
  • Business strategies, security plans, and ongoing reviews are informed by up-to-date, evidence-based data to analyse threats, understand trends, and conduct forecasting.
  • Continuous improvement work helps efficiently identify, assess, and action opportunities to enhance security planning.
  • Your business continuity programme is planned and improved regularly. Exercises are conducted to ensure preparedness for disruption and embed continuity in your culture and practice.

Managed

  • Your security planning addresses the protection of people, information, and assets within your premises.
  • Plans demonstrate clear awareness and agreement about acceptable levels of security risk.
  • Security plans are reviewed every two years to ensure relevance to risk profile and sustainability.
  • Executive team and relevant governance bodies regularly review tolerance for security risk and may drive out-of-cycle changes.
  • Each area of your organisation is effectively represented when security plans are developed.
  • Plans are flexible to accommodate changes in the wider business environment or assurance activity results.
  • Security planning is well informed by access to historic data and root cause analysis to identify solutions to systemic security issues.
  • Progress against security plan is tracked and reported to executive team and relevant governance bodies.
  • Business continuity management programme is in place to enable critical functions to continue to the fullest extent possible during a disruption.
  • Business continuity programme and other important risk mitigations are periodically tested and reviewed.
  • Security plan is communicated and accessible to those who need it.
  • Plan is used to determine security objectives and supports broader organisational goals.
  • A plan is in place to increase security levels at a time of heightened threat.

Basic

  • Protective security risks and needs are considered when developing strategies and business plans, though not well informed by analysis or recent threat and risk assessments.
  • Security plan is approved at an appropriate level of seniority, though may not be up to date.
  • Plan effectively mitigates some key risks.
  • People responsible for security planning are appropriately skilled, but may not have all the time or support to ensure plans are robust.
  • Security planning is not subject to central coordination or guidance, so improvement activity is inconsistently and/or inefficiently applied.
  • Basic business continuity programme in place.
  • Ad-hoc plan to increase security levels at a time of heightened threat.

Informal

  • Some security risks and requirements are considered when strategies and business unit plans are developed, but not widespread or consistent.
  • Organisation has some understanding of protective security issues but is doing little to address them.
  • Security planning is ad-hoc. Plans are partially developed and implemented but may not be current or comprehensive.
  • Tolerance levels for protective security are not specified.
  • No documented business continuity programme in place.
  • No plan to increase security levels at a time of heightened threat.