On-site security governance
Evaluates the framework for managing physical security risks, fulfilling the Amānah to protect life (Ḥifẓ al‑Nafs) and property. This proactive governance builds stakeholder confidence, ensures operational resilience, and safeguards all individuals and assets within the organization's premises. Scope includes all premises under the charity’s control (including entrances/exits, prayer halls, classrooms, offices, car parks, storage rooms, and any on-site events/peak services), and interfaces with safeguarding, H&S, and data protection (CCTV/access logs).
| Metric | Security Performance Index |
|---|---|
| Target | Various |
| Frequency | Quarterly |
| Method | Composite: Drill times, Training % (>95%), Action closure (<90d), Incident trends. |
| Unit | Composite |
Level 1: Initial/Ad-hoc
On-site security measures are informal, ad-hoc, and primarily reactive to incidents. There are no documented policies or assigned responsibilities.
Level 2: Developing
Basic security policies and procedures (e.g., access control, visitor logs) are documented. Responsibilities are assigned, but implementation is inconsistent and lacks a formal governance structure.
Level 3: Established
A formal on-site security governance framework is established and consistently implemented. Regular physical security risk assessments are conducted, and mitigation plans are tracked. Staff receive basic security awareness training.
Level 4: Advanced
The security governance framework is integrated with the organization's overall risk management and business continuity strategies. Technology is effectively used for surveillance and access control, and performance is measured against defined metrics. Continuous improvement processes are in place.
Level 5: Optimizing
A proactive, forward-looking security culture is embedded throughout the organization, reflecting the principles of Amānah and shared responsibility. The organization uses intelligence-led planning and regular drills to anticipate threats, setting a benchmark for excellence in protecting life and property.
Organisation Types
By Organisation Size
| Size | Applicability | Notes |
|---|---|---|
| Micro | exempt | Formal RACI matrices, SMT escalation, and dedicated roles (DPO, Site Manager) are highly disproportionate for volunteer-run groups. |
| Small | partial | Requires basic physical security risk assessments and a simple policy, but complex RACI and out-of-hours cover are scaled down. |
| Medium | partial | Needs documented policies and risk assessments; however, role mapping can be consolidated as they may lack a distinct SMT or dedicated DPO. |
| Large | full | |
| Major | full | |
Applicable When
- The organization has physical premises where people are present.
- The organization has assets (physical or intellectual) to protect on-site.
Not Applicable When
- The organization operates entirely remotely and has no physical presence.
- The organization has no assets to protect.
Discussion (1)
📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json