top of page


Implications posed by the introduction of ISO 18788 for Security Operations Management

"What does the introduction of ISO 18788 mean for those ‘conducting’ or ‘contracting’ security operations?"

The release of PSC.1 in 2012 marked a step change in the standards and delivery of security services in emergent markets and complex environments. Placing a holistic, risk management approach at its heart, it helps companies both delivering, and contracting security services to put together a coherent, effective set of management controls. Boards have the ability to assure themselves that they are delivering what
they promise to their clients, and independent certification of security service providers gives the clients of those services


impartial assurance that their supplier’s systems actually work.  So the introduction of ISO 18788 at the back end of 2015 created a step change in the international arena. Taking PSC.1 and ‘internationalizing’ it through the ISO development program lies at the heart of this maturing; it was refined, drew on lessons identified through the roll-out of PSC.1, and encompassed the views of a broader international collective.

ISO 18788 Certification
ISO 18788 offers greater resonance for international commercial clients who operate in these challenging environments, NGOs who seek a non-partisan solution, and governments across the spectrum who either host, or support through contracting the services of private security companies – be that local or international. Unlike PSC.1, ISO 18788 is applicable for any type of organization conducting or contracting security operations.
ISO 18788 sets a benchmark of internationally accepted ‘best practice’ for the management of security services - including in
emergent markets and complex environments.
To now contract for security services from companies who do not meet these standards puts the client of those services at significant risk – both physically in terms of undefined training and operational capability, and at Board level through risk to company reputation.

Through encompassing the International Code of Conduct for Private Security Service Providers - international human rights norms and expected behavior are entwined in to the management of security services.  ISO 18788 therefore naturally forms the 90% requirement for ICoCA membership, and directly contributes to the clients of PSCs achieving their voluntary obligations, including for example under the United Nations Guiding Principles for Business and Human Rights (UN GPs), the UN Global Compact, with it's Sustainability Development Goals (SDGs), and the extractive industry's Voluntary Principles for Security and Human Rights (VPSHR) initiative.  The later for example recognizes the need for private security to observe, among other aspects, emerging best practices developed by industry. The introduction of ISO 18788 sets that benchmark.
So here’s the conundrum that only a client of a PSC can truly manage, for without the demand for this benchmark, PSCs will continue to observe their own parochial “we’re the best, we’re unlike any other PSC” mantra, instead.....

Now that best practice for the management of security services has been codified internationally through the release of ISO 18788, and governments and commercial companies are recognizing it, does the failure to require certification to ISO 18788 (or PSC.1) as part of any due diligence process risk undermining the credibility of company ethical commitments, and more importantly, risk the company’s reputation and commercial viability should something go awry and they have consciously ignored accepted ‘best practice’?

(The thoughts here are merely echoes of the rambling mind of Tony Chattin, MD, MSS Global)

bottom of page