16 Nov 2025

NPSA Security Planning Guidance 2025: What Responsible Persons Should Know

A practical breakdown of the UK NPSA 2025 Security Planning Guidance and its implications for organisations responsible for protective security, highlighting how the update shapes risk-based planning, governance, training, proportionality, and the ongoing management of security plans.

In 2025, the National Protective Security Authority (NPSA) released its Security Planning Guidance, updating material previously issued under the Centre for the Protection of National Infrastructure (CPNI). The document remains a key reference for what a credible and defensible Site Security Plan (SSP) should contain. The latest update strengthens expectations not only about the content of security plans, but also how they are managed, reviewed, integrated and governed over time.

The change doesn’t redefine security planning – it raises the baseline. The emphasis has moved decisively away from static, technical plans and towards demonstrable, accountable, and continually reviewed protective security practice.

From “having a plan” to “being able to show it works”

One of the most significant shifts in the 2025 guidance is that an SSP is no longer considered sufficient simply because it exists. The expectation is that it:

  • Reflects real, current site use rather than an assumed or legacy design

  • Is owned and maintained through clear accountability, rather than existing without an identified responsible role

  • Aligns with other operational plans (e.g. fire safety, continuity, cyber, event layouts, and crowd management)

  • Is reviewed and adapted as site use, occupancy or risks change.

The SSP is expected to function as a living record rather than a document filed once and left untouched.

This shift aligns with the principles underpinning Martyn’s Law: proportionate, risk-based, and continually managed protective security, rather than compliance through paperwork. For most operators, it requires a more operational mindset — treating the plan as an ongoing management tool rather than a compliance submission.

Expanding the threat landscape

Another clear signal from NPSA’s 2025 edition is the explicit inclusion of state-sponsored sabotage as a defined threat, alongside terrorism.

For those responsible for premises or critical services, this broadens the protective security boundary. Protective security considerations may need to address not only physical attacks but also interference or infiltration that could be physical, digital or insider-enabled. The guidance encourages risk owners to think holistically, rather than separating “cyber” and “physical” concerns, recognising them as part of a single continuum of protective security.

Security culture and training

The latest guidance places increased emphasis on how personnel are prepared to deliver protective security, not just on the physical or technical measures in place. This reflects a central principle: a control is only as effective as the people authorised to activate, operate, or supervise it.

In practice, the SSP may need to set out, where relevant:

  • Who receives training, when, and in what procedures

  • How security roles and responsibilities are communicated, including to contractors and service providers

  • How training and readiness adapt to changes in site use, layout, or emerging risks

  • How ongoing awareness is maintained beyond initial induction (e.g. refreshers, briefings, onboarding)

  • How the organisation assures itself that personnel understand their responsibilities.

Training and human readiness are treated as integral to the viability of the security plan, rather than as supporting detail.

Proportionate measures based on live risk assessment

Proportionality has always been part of SSP development. The 2025 edition clarifies that proportionate measures are not generic or inherited controls. They should be selected and justified on the basis of a current, site-specific risk assessment, rather than a standard list of measures applied by default.

In practice, this means the SSP should be able to explain, where relevant:

  • Why a given measure has been selected

  • How it relates to the current risk picture

  • How it will be maintained, exercised, or adapted as the site changes

Two sites with similar layouts may require different security approaches depending on use, occupancy, access, and threat context, so proportionality applies to operational reality, not only cost.

Accountability and integration

Perhaps the most practical addition to the 2025 guidance is its emphasis on clear accountability. An SSP should identify who is responsible for security at the site and how the plan will be maintained and reviewed. The accountable person is not expected to implement every control, but to ensure that the measures in the plan are realistic, resourced, and understood.

The guidance links this accountability to integration across disciplines. Security cannot be separated from operations, facilities, or IT. Plans should align with other frameworks already in place – such as emergency response, fire safety, continuity management, and contractor control.

This emphasis addresses a common flaw in older plans: well-written documents that contradict how a site actually functions. A single access gate described as “secured at all times” might, in reality, be opened daily for deliveries. A refuge area designated for invacuation might double as a storage zone. Integration is how these mismatches are identified, and how credibility is maintained.

From intent to implementation

The guidance emphasises that SSPs should be understood, applied, and kept under review. This implies that organisations may need to demonstrate how their plans operate in practice, not just how they are written.

That evidence may include, for example, version control, exercise logs, photos, emails and incident/test records. The emphasis is not on documentation for its own sake, but on demonstrable awareness, governance and follow-through.

For multi-site operators and local authorities, this is where structured risk-assessment tools become highly valuable. A single system that allows consistent data capture, versioning, and cross-site comparison can transform what was once a static record into a defensible evidence base. This is clearly aligned with the direction of travel implied by the guidance.

What it means in practice

The update does not mean starting from scratch. The core methodology – assessing threats, identifying vulnerabilities, and defining proportionate controls – remains valid. What changes is how that information is managed and reviewed.

Duty-holders now have an implied responsibility to:

  • Demonstrate that security decisions are grounded in up-to-date operational reality

  • Ensure the plan supports dynamic use of space, not just architectural layout

  • Identify accountable roles and responsible personnel clearly

  • Show how the plan aligns with other disciplines, such as access control and emergency response

  • Reflect updates when the site, tenants, audience, or threat environment changes

The measure of a good security plan is no longer size or complexity – it is accuracy, adaptability, and the ability to demonstrate implementation in practice.

Looking ahead

The 2025 NPSA guidance does not introduce a new model for protective security – but it strengthens and clarifies the governance standards expected of any SSP. SSPs must be tailored, risk-informed, aligned with other organisational plans, and subject to structured review and adaptation over time.

While the guidance does not explicitly reference Martyn’s Law, its emphasis on governance, evidence and proportionate risk management is closely aligned with the direction of that legislation. The guidance reinforces that site security planning must be accountable and proportionate, and that organisations should be able to demonstrate how the plan is understood, applied, and kept under review.

For organisations that already maintain structured assessments and documented reviews of SSPs, and that integrate governance and version control, the guidance affirms their current approach as good practice. For other organisations, it highlights a clear divergence between written strategy and operational reality – a gap that may expose them to legal, financial, and reputational risk.

Final insight

Security planning is now positioned alongside disciplines such as health and safety or business continuity: documented, accountable, and expected to evolve. The 2025 NPSA update does not ask for perfection; it reinforces alignment with real site use, clear ownership, and the ability to demonstrate that SSPs are understood and applied in practice.

This shift represents a clearer expectation that protective security plans are living management tools rather than static documents.

Related Solution

Protect Duty Compliance & Audit Report (PDR) helps organisations apply the updated NPSA Security Planning Guidance by translating security planning expectations into a structured, exportable Site Security Plan. It records existing procedures and protective measures, assigns accountability, and logs when plans were last reviewed, tested, or adapted.

PDR can also map measures to relevant threat types and resilience functions, and support organisations in preparing for Martyn’s Law, helping create a defensible record of how security plans are maintained over time.


National Protective Security Authority (NPSA). Security Planning Guidance. Published July 2025; webpage last updated September 2025. United Kingdom.