Public Sector May 2025 8 min read

Physical Security in the Public Sector: A Practical Framework for Facilities and Estates Teams

Public sector organisations face a security challenge that private businesses rarely do. They must protect buildings that are open to the public by design, operate within procurement frameworks that add time and process to every decision, justify spending to elected members or NHS boards who may not understand security risk, and maintain compliance with a raft of overlapping legal obligations. This guide is written for the estates managers, facilities leads and security officers who have to navigate all of that while actually keeping their buildings safe.

Start with a Threat Picture, Not a Product List

The most common mistake public sector organisations make when improving their security is starting with technology. A council leader sees a CCTV camera at another authority and wants one. A facilities manager reads about access control and decides it is the answer. The technology might well be right, but without a clear threat picture, there is no way to know whether it is solving the actual problem.

A useful threat picture for a public sector building covers four areas. First, what has actually happened? Look at incident logs, police reports and insurance claims for the last three years. Patterns in the data are more reliable than gut feeling. Second, what are the high-value assets? Not just financial assets, but data, critical infrastructure, vulnerable people and continuity of essential services. Third, who has legitimate access and how is that managed currently? Fourth, what are the regulatory obligations that apply to this building, and where is the organisation currently non-compliant?

This does not need to be a lengthy formal document. A one-page summary covering these four areas gives any security project a foundation that can be justified to a budget holder and used to evaluate whether a proposed solution is proportionate.

The Procurement Challenge and How to Navigate It

Public sector security procurement is slower and more complex than in the private sector, and for good reason. But the frameworks that exist are also genuinely useful if you know how to use them.

Crown Commercial Service frameworks cover a range of security services and allow direct award or mini-competition without a full OJEU process. This saves months of procurement time and gives organisations access to suppliers who have already been evaluated for quality, financial standing and compliance. NSI and SSAIB certification is a relevant quality indicator that procurement teams can use to shortlist suppliers without needing deep technical knowledge of the security industry.

The most common procurement mistake is specifying the technology before the requirement. A specification that says "supply and install 24 IP cameras" is harder to evaluate and more likely to produce inconsistent quotes than one that says "provide CCTV coverage of all building perimeters and main public access areas, with remote access and 30-day retention." The second specification allows suppliers to propose the right solution rather than the cheapest box that meets the letter of the spec.

Budget planning should account for total cost of ownership, not just installation. A CCTV system installed for £30,000 will cost a further £3,000 to £6,000 per year in maintenance, monitoring and licensing. Approval processes that only consider capital costs frequently lead to systems that cannot be maintained properly once they are installed.

Multi-Site Management: The Biggest Operational Challenge

Local authorities typically manage dozens of buildings. NHS trusts manage hundreds. The operational challenge is not installing a good system in one building; it is maintaining consistent security standards across an entire estate with finite resources.

The buildings in any public sector estate are rarely equal in their security requirements. A council chamber has different risks to a depot. A busy GP surgery has different needs to a community hall that is used three evenings a week. Treating every building the same wastes budget on low-risk sites and under-protects high-risk ones.

A tiered approach works well. Define three or four security tiers based on asset value, occupancy type, public access level and regulatory obligation. Assign each building to a tier and define the minimum security standard for each tier. This gives estates teams a consistent framework for prioritising upgrades, responding to incidents and planning capital expenditure.

Technology helps, but only if it is designed for multi-site management from the outset. A CCTV system that requires a local NVR at every site is harder to manage than one with cloud storage and a single management interface. An access control system that requires an engineer visit to add or remove a user is not suited to an organisation with high staff turnover across multiple locations. These operational considerations should be part of the specification, not an afterthought.

Compliance Obligations That Apply Across the Public Sector

Public sector organisations are subject to more security-related compliance obligations than most, and the obligations are not always well understood by the people responsible for meeting them.

UK GDPR and the Data Protection Act 2018 apply to any building that uses CCTV, access control or any other system that processes personal data. The organisation is the data controller and must be able to demonstrate lawful basis, appropriate retention, secure storage and a process for handling Subject Access Requests. The ICO has enforcement powers and has issued fines to public bodies.

The Surveillance Camera Code of Practice applies specifically to local authorities and police, and more broadly to any public body operating cameras in public spaces. It sets out 12 guiding principles covering purpose, transparency, proportionality and accountability. Compliance is assessed against these principles, not against a checklist.

The Regulatory Reform (Fire Safety) Order 2005 places a legal duty on the Responsible Person in every non-domestic premises. Security systems must not compromise fire safety — door locks must fail safe, access control must integrate with fire alarm systems, and evacuation procedures must account for locked zones.

Cyber Essentials is increasingly expected of public sector suppliers and, for organisations that handle NHS or government data, may be a contractual requirement. IP-connected security systems are part of the network and must be included in the scope of any Cyber Essentials assessment. Default passwords, unpatched firmware and open ports on security cameras are common findings.
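
As an added illustration (not part of the original guide), the three findings named above can be checked against a device inventory before an assessment. The inventory fields, device names, firmware baselines and permitted ports below are all assumptions constructed for the example.

```python
# Added example: flags the three findings named above in a camera/NVR inventory.
# Field names, baseline versions and allowed ports are assumptions, not from the guide.

# Constructed sample inventory (hostnames and models are made up).
INVENTORY = [
    {"host": "cam-townhall-01", "model": "ExampleCam A", "firmware": "2.4.1",
     "default_credentials": True, "open_ports": [80, 443, 554, 23]},
    {"host": "cam-depot-03", "model": "ExampleCam A", "firmware": "2.6.0",
     "default_credentials": False, "open_ports": [443, 554]},
    {"host": "nvr-library-01", "model": "ExampleNVR B", "firmware": "1.9",
     "default_credentials": False, "open_ports": [443, 8000]},
]

# Assumed baseline: minimum patched firmware per model and ports the design permits.
MIN_FIRMWARE = {"ExampleCam A": "2.6.0", "ExampleNVR B": "1.10"}
ALLOWED_PORTS = {"ExampleCam A": {443, 554}, "ExampleNVR B": {443}}


def parse_version(text):
    """Turn '1.10' into (1, 10) so 1.9 < 1.10 compares numerically, not as text."""
    return tuple(int(part) for part in text.split("."))


def audit_device(device):
    """Return a list of finding strings for one inventory record."""
    findings = []
    model = device["model"]
    if device["default_credentials"]:
        findings.append("default password still set")
    baseline = MIN_FIRMWARE.get(model)
    if baseline is None:
        findings.append("no firmware baseline recorded for model")
    elif parse_version(device["firmware"]) < parse_version(baseline):
        findings.append(f"firmware {device['firmware']} below baseline {baseline}")
    extra = sorted(set(device["open_ports"]) - ALLOWED_PORTS.get(model, set()))
    if extra:
        findings.append(f"unexpected open ports: {extra}")
    return findings


def audit_inventory(inventory):
    """Map each host with at least one finding to its findings."""
    report = {}
    for device in inventory:
        findings = audit_device(device)
        if findings:
            report[device["host"]] = findings
    return report
```

Calling audit_inventory(INVENTORY) returns only the devices that need attention, which gives an estates team a remediation list to work through per site.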

Building a Business Case That Gets Approved

Security investment in the public sector competes with social care, housing, highways and every other demand on a finite budget. A business case that frames security purely in terms of risk rarely wins. One that frames it in terms of cost avoidance, insurance compliance, regulatory obligation and operational continuity tends to do better.

The numbers that support a security business case in the public sector are usually available internally. Incident logs show the cost of responding to break-ins, vandalism and theft. Insurance records show premium increases linked to claims. HR records show the cost of staff absences caused by security-related incidents. Procurement records show the cost of replacing stolen equipment. Adding these up typically produces a figure that makes a security investment look very different to a pure cost.

Regulatory non-compliance is another strong lever. If a council is operating CCTV without a published policy, or an NHS trust has fire doors that do not release on alarm activation, these are not optional risks. Framing the investment as correcting a compliance gap rather than adding a new capability changes the conversation with finance and legal teams.

When to Use External Expertise

Most public sector estates teams are generalists managing a huge range of building services. Security is one specialism among many. The question of when to bring in external expertise is less about budget and more about risk.

For routine maintenance of existing systems, in-house resource or a simple maintenance contract is usually appropriate. For system upgrades, new installations or significant changes to security arrangements, specialist input saves money in the long run. A system designed by a qualified security engineer and installed by an NSI or SSAIB-certified company is more likely to be right first time, more likely to satisfy an insurer's requirements, and more likely to be maintainable over its operational life.

The certification of the installer matters more than many procurement teams realise. NSI NACOSS Gold certification is not a marketing badge. It requires regular independent audit of the company's quality management system, technical competence and installation standards. An NSI-certified installation comes with a level of assurance that a self-certified one does not.
