Adopting a Baseline Security Approach for Design and Construction of Built Assets

Version:1.0 - Published: October 2017


In 2015 the first edition of PAS 1192-5 (Specification for security-minded building information modelling, digital built environments and smart asset management) was published. It identifies the need to take appropriate and proportionate measures to protect asset information, providing useful guidance for asset owners and stakeholders. Importantly PAS 1192-5 sets out a triage process to identify the need for a security-minded approach with recommendations where the outcome of this triage process is that the built asset and/or a neighbouring built asset has a degree of sensitivity. But what should we (clients and design and construction team members) do, when the triage process results in 'no identified need for more than baseline security measures.' Do we know what this means - does 'baseline' mean do nothing more than we would usually do?

The guidance and information you will find here provides useful tips and things to think about in adopting baseline security measures and it provides direction and context to published standards and recognised initiatives. It is relevant for any organisation engaged in initiating, leading and/or delivering design and construction projects.

Who needs to do what and when?

There are three primary roles to think about in terms of baseline security for design and construction projects:

  1. The Employer/Client
  2. The Information Manager
  3. The Design and Construction team members


Who? Does what? When?


Undertakes the security triage process

As soon as possible in RIBA stage 0 or 1

Authors (or a party on their behalf authors) the Employer's Information Requirements (EIRs)

Information manager

Implements the EIRs

Throughout the project, once the EIRs is available

The design and construction team members

Work in accordance with the EIRs

Throughout the project, once the EIRs is available

Articulate how they are working in accordance with the EIRs in the project's BIM Execution Plan (BEP)

Everybody is responsible for making sure that the ethos of the baseline security requirements are adopted.

Are you a project team member?

 Before appointment

 Anyone planning to engage with a BIM project will need to understand the security concerns and requirements of the Employer/Client and demonstrate their ability to meet them.

 While baseline needs will differ by project and Employer/Client, organisations can plan for consistent issues:

  • Understand the types of security risk in a project or organisation
  • Familiarise yourself with IT resilience standards – 10 Steps and Cyber Essentials
  • Consider the approach to file naming and document control
  • Recognise that data and information, including your own, should be protected and prepare to work in this way

 When planning to host a CDE:

  • Seek security assurances
  • Plan a clear, navigable folder structure to aid consistency and allow controls to be applied
  • Consider access controls and permissions, their application and monitoring

Post appointment

Be clear in any BEP response that security requirements are understood and demonstrate how you meet them.

Always be aware of security requirements and abide by them - this includes making sure new team members are appropriately briefed. Consider your use or email and social media and any non-disclosure requirements.

If hosting the CDE or document management system:

  • Apply access controls and permissions and monitor their use.
  • Use file naming and information structure to manage data and protect file contents
  • Plan for the transfer of project information in a secure manner.

 Ultimately it's about being confident in the resilience of your organisation and systems, applying the security requirements to manage risk and achieving a successful project outcome.


Baseline security process map

The following process map sets out a basic approach to determining and implementing baseline security requirements. Selecting steps in the map will reveal simple guidance and will provide links to relevant standards and templates.




The following people contributed to the development this guidance:

The UK BIM Alliance also thanks Alexandra Luck, technical author of PAS 1192-5:2015 for her guidance and overall contribution.