

ISO 18788 Explained

ISO 18788 (and PSC.1) are Security Operations Management Systems (SOMS) with a risk-based approach at their heart, and they embed modern human rights good governance.

In simple terms, ISO 18788 provides a framework for establishing, implementing, maintaining and improving the management of security operations. It can be applied to Private Security Companies (PSCs) and their clients worldwide.

The standard outlines the principles and requirements for a security operations management system (SOMS). 


It is very much internationally recognized 'best practice' for managing security operations, and as a private security service provider, certification to ISO 18788 (and PSC.1) demonstrates credibility to your clients, showing effective management from board level, to physical delivery.

ISO 18788 at a glance

  • It is unlike any other ‘management system’ standard – think of it as a ‘Security Operations Management System’ (SOMS).

  • A risk-based system for a company delivering private security services, or those contracting security services - particularly applicable in complex and high-risk environments.

  • It has ‘quality’ as a core building block, which, along with human rights management controls, is delivered through a coherent and integrated ‘PLAN-DO-CHECK-ACT’ (PDCA) approach.

  • It helps PSCs and those who contract them to develop, implement, maintain and improve credible management control.

  • It assists PSCs and their clients to design, codify, and implement the management controls to best support them and their clients in challenging environments while taking due consideration of their human rights, legal and regulatory obligations.

ISO 18788 Structure - Key points

Like many standards, ISO 18788 is structured in the format of Annex SL (renamed in 2019 as Annex L), which helps streamline the creation of new standards and makes implementing multiple standards within one organization easier. Below we have highlighted some of the key areas of ISO 18788:

Context of the organization - This is essentially understanding the internal and external factors that affect the business, and includes understanding the needs and expectations of interested parties/stakeholders. Respect for life and human rights underpins ISO 18788: organizations that conduct or contract security operations, and their clients, have an obligation to respect the lives and human dignity of both internal and external stakeholders. Only by understanding both internal and external stakeholders will the business be able to manage risks and promote a culture of respect for human rights.

Scope - The scope identifies the 'boundaries' of the Security Operations Management System (SOMS). PSCs will operate in many different environments and offer a variety of services (e.g. security & risk management consultancy, unarmed static guarding, armed vehicle movement, cash in transit, K9 security etc.). Once the scope has been identified, all assets, activities, products and services within that scope become elements to be managed as part of the SOMS.

Leadership - The leadership of the PSC should evidence their commitment to effectively controlling their company through a reliable Security Operations Management System (SOMS). This is done in a number of ways, including:

  • creating, communicating and promoting the Security Operations Policy;

  • setting objectives at all levels and functions across the business;

  • ensuring the company is appropriately resourced;

  • ensuring staff are competent to undertake their job function;

  • communicating awareness of risk and the requirements of the SOMS.

Planning - An important aspect of effective service delivery management is the planning stage (described in Clause 6 of the ISO); this sets out two sub-clauses:

  • actions to address risks and opportunities;

  • security operations objectives and planning to achieve them (Clause 6.2).

PSCs need to reliably manage risk to the client while also managing risk to the organization and impacted stakeholders and communities. The organization needs to achieve its tactical, operational and business objectives within the context of protecting life and property of its clients, people working on its behalf and local communities, while respecting human rights.

Support - Leadership should ensure that the resources needed to run the company reliably through their SOMS are identified. This can range from human resources and specialist skill sets, through to the infrastructure requirements such as equipment, intelligence and technology, to name a few.

Operations - Put simply, the PSC should evaluate which operations present identified significant risks, and should ensure that they are conducted in a way that will control or reduce the risk in a manner that reflects its security operations management policy and supports the achievement of its objectives and targets.

Performance evaluation - It is best practice to monitor, measure and evaluate all important aspects of your performance, including the management of security operations, to ensure there is compliance with the contractual, legal and human rights requirements identified (including applicable client contracts and local permits or licenses), as well as other wider requirements to which the organization has subscribed. Some of the performance evaluation techniques include:

  • Audit, both internal and third party. This should be planned against an audit schedule and based on your actual business processes.

  • Management review by leadership to evaluate the sustainability, adequacy and effectiveness of the management of security operations through the established SOMS controls.

  • Tests and exercises to provide resilience. 

Implications for PSCs

What does the introduction of ISO 18788 mean for those ‘conducting’ or ‘contracting’ security operations? 
