Personnel Security

PER003

Risk-based approach

Implementing personnel security measures can be costly or disruptive. Your security measures must be considered in light of your organisation’s security context, potential threats and risk appetite.

A risk-based approach to protective security ensures your personnel security policies, practices, and investments are right for the risks your organisation faces.

Our model for the ongoing management of insider risk in organisations is based on three key activities.

  • Assess your personnel security risks
  • Manage your personnel security risks
  • Evaluate how effectively you are managing your personnel security risks. 

Assess your personnel security risks

You should identify the potential sources of personnel security risk facing your organisation, the way these might present and the types of threat they pose. Your risk assessment should identify roles, or groups of people, who have greater potential to cause harm due to their access to sensitive, valuable or classified information or assets.

Examples of risks your organisation could face are unintentional leaks, theft of intellectual property, fraud, or criminal gain.

Go to Risk assessment for personnel security for more information.

Manage your personnel security risks

Each stage of the personnel lifecycle presents distinct challenges. You should consider personnel security from the time you begin recruitment/procurement, when you hire/engage someone, and through to the moment they leave — possibly even after they leave. Implement appropriate measures to treat personnel security risk in each of these stages. 

To manage personnel security risks, you must continually and consistently apply the security measures you have identified to all people working for your organisation.

Go to Managing Insider Risk for more information.

Evaluate how effectively you are managing your risks

Threats faced by an organisation change over time. This means that you must consider whether your understanding of the sources of personnel security risk is accurate and up to date.

You must also consider whether your security arrangements and practices are still effective and suitable. Identify what works well and what doesn’t, and adjust your arrangements accordingly.

Go to Evaluating your personnel security for more information.

Page last modified: 3/10/2018