TS-RDC-07 · Trust & Stewardship · Risk, Data & Compliance · CORE Compliance · v2.9.7

On-site security governance

Evaluates the framework for managing physical security risks, fulfilling the Amānah to protect life (Ḥifẓ al‑Nafs) and property. This proactive governance builds stakeholder confidence, ensures operational resilience, and safeguards all individuals and assets within the organization's premises. Scope includes all premises under the charity's control (including entrances/exits, prayer halls, classrooms, offices, car parks, storage rooms, and any on-site events/peak services), and interfaces with safeguarding, health and safety (H&S), and data protection (CCTV footage and access control logs).

Assessment Questions
  1. How are responsibilities for on-site security governance defined, assigned, and overseen within the organization?
  2. Describe the process for conducting physical security risk assessments, and how the findings are used to improve security controls.
  3. How does the organization ensure that all personnel (including contractors) are aware of and comply with on-site security policies?
  4. What is the framework for managing and responding to physical security incidents, including investigation and learning from breaches?
  5. How is the effectiveness of the on-site security framework measured, reviewed, and continuously improved to ensure resilience and stakeholder confidence?
  6. How do you ensure CCTV/access control complies with UK GDPR (lawful basis, DPIA, retention, SAR handling)?
  7. Describe your peak service/crowded-place plan and how it is tested and improved (e.g., Jumu‘ah/Eid).
Evidence Requirements
  • Documented On-site Security Policy and Governance Framework.
  • Records of physical security risk assessments and corresponding mitigation plans.
  • Organizational chart and role descriptions defining security responsibilities (e.g., Security Committee charter).
  • Security incident logs, investigation reports, and evidence of corrective actions taken.
  • Evidence of security awareness training for staff and specialized training for security personnel (Training Matrix).
  • Visitor management logs and access control system reports.
  • Minutes from management or committee meetings where on-site security is reviewed.
  • CCTV DPIA (where applicable), retention schedule, and signage record.
  • Peak-event security plan and steward rota.
  • Key/card audit logs and contractor vetting records.
Scoring Guidelines
Level | Rating | Description
5 | 5/5 | Proactive, intelligence-led and continuously improving security culture (trend analysis of incidents/near-misses, horizon scanning via ProtectUK/CTSA updates), regular multi-scenario exercises, and demonstrable year-on-year risk reduction.
4 | 4/5 | Good security plan, regular internal assessment, annual drill conducted, and measures implemented.
3 | 3/5 | Basic plan, irregular assessment, limited training.
2 | 2/5 | Minimal or informal security measures with significant gaps.
1 | 1/5 | No security plan or assessment.

Discussion (1)

Administrator 2026-03-07 11:07:51.977657

📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json