ACS Assessor Guide - Security Industry Authority

ACS Assessor GuideSection 4 – Criterion Specific Guidelines: Criteria 22.1 An SIA Approved Contractor can demonstrate that it has identified and understands its key service delivery processes.2.1.1 Key service delivery processes have been identified and are understood by all.Documentation for key internal processes should be sufficient to ensure that processes canbe understood and carried out by someone new to the job with the minimum of input.Although these may be informal there should be some methodology in place that allows forissues and improvements to be raised.All applicant organisations should have defined the processes required to deliver services toall customers. These processes can be defined at a number of levels forming a QualityManagement System such as that required by ISO9001. At their lowest level the processeswould take the form of assignment instructions, which inform the employee how to deliverto a specific client or site. This would be the minimum requirement for approval against theACS Standard.All processes required to deliver services should have associated standards of operation withperformance targets and should be regularly tested to ensure that standards are beingachieved. The approach to testing can range from a contractual arrangement with anexternal supplier/customer e.g. Security Watchdog to an internally developed and deliveredtesting regime. It is up to the applicant organisation in consultation with its customers todetermine what approach best fits its needs.The assessor should expect to find some level of documentation around these processes.The scope should cover the full range of processes used to manage service delivery. Thelevel of detail required in the documentation would be in relation to the size of the applicantorganisation.However the assessor must be assured that there are clear, accurate and up to dateassignment instructions in place for all contracts. Verbal communication only of assignmentinstructions would not be acceptable.Within larger organisations formal documentation, usually in the form of a QualityManagement System should be in place, even if the applicant organisation is not ISO9001certificated. This should cover internal procedures as well as those affecting service delivery.The level of detail within the Quality Management System should be appropriate to the sizeof the organisation. Formal processes should be in place to ensure that issues andimprovements are handled at an appropriate level within the applicant organisation. If it ispossible to make local changes to procedures, i.e. at individual customer sites, then evidencemust be presented on how this is controlled.Evidence that processes are being followed should be presented to the Assessor whoshould confirm that they are implemented where relevant within the applicant organisationand that they are used at all times.Key service delivery processes must be tested. Testing must go beyond routine sites visits andinspections.Ref: ISO9001Examples could include: Processes key to the success of the business are understood by management. Management conducting penetration testing exercisesGood practice: Key Processes are formally managed with owners, targets, benchmarking and review. Changes to processes are made as a result of incidents and complaints.Linkages with other Indicators:1.2.3 Procedures have been defined to ensure compliance to working standards or ‘codes of practice’and are fully implemented.35The contents of this publication are copyright ©2013 Security Industry Authority, all rights reserved. No part of the contents may be reproduced or transmitted in any form, by any means without prior written permission of the copyright owner.