National Security Inspectorate
Sentinel House, 5 Reform Road
Maidenhead SL6 8BY
Website: nsi.org.uk

© NSI 2019

Code of practice for companies that provide real-time counter-eavesdropping detection services

NCP 112.3
April 2019

This code of practice is to be read in conjunction with the NSI Regulations and the relevant NSI Gold or Silver approval criteria.

No company shall hold out or claim that it adheres to this Code, save by virtue of holding NSI approval, or having obtained the written permission of NSI.

Revision history

Version   Date       Summary of changes
3         Apr 2019   Updates to Sections 4.1 Structure; 4.6 Document control and records.

Contents

1 Introduction
2 Scope
3 Terms and definitions
4 The organisation
  4.1 Structure
  4.2 Finances
  4.3 Insurance
  4.4 Premises
  4.5 Business Operating Manual
  4.6 Document control and records
  4.7 Administration control
  4.8 Contracts
  4.9 Engineering work instructions
    4.9.1 Planning
    4.9.2 Installation practices
    4.9.3 Maintenance practices
  4.10 Document control and records
  4.11 Sub-contracting
  4.12 Complaints
5 Personnel
  5.1 Security screening and personnel identification
  5.2 Training
6 Service provision
  6.1 Equipment for real-time counter eavesdropping detection systems
  6.2 Functionality of real-time counter eavesdropping detection systems
  6.3 Planning, installation, maintenance and repair
    6.3.1 Planning
    6.3.2 Installation, maintenance and repair – general
    6.3.3 Installation and handover
    6.3.4 Maintenance and emergency repair
  6.4 Monitored systems
  6.5 Website facility
  6.6 Test equipment care and maintenance
7 Response services

In this document, material (such as guidelines, information, recommendations, advice) that does not form a mandatory requirement of this code of practice is shown in italics.

1 Introduction

In the absence of any specific British Standard or other publicly available code of practice, the National Security Inspectorate may approve companies to the principles of ISO 9001 and, for ‘service’ companies, the general recommendations given in BS 7499, but with additional requirements for basic job training and specialist training, where considered appropriate. In certain cases, it becomes apparent that there is a particular need to specify requirements for a company providing specific services and a dedicated code of practice is then produced.

This NSI Code of Practice has been developed to provide guidelines for the operation and management of a company providing real-time counter eavesdropping detection services. This Code acts both as a means of advising such companies of the NSI approval criteria and to form a consistent basis for inspecting all aspects of these services.

No company shall hold out or claim that it adheres to this NSI Code of Practice, unless compliance with the same has been confirmed by NSI and approval granted.

Note: Where any person engages in a licensable activity as designated in the Private Security Industry Act 2001 that person has to be licensed in accordance with that Act. It is an offence to engage in licensable activity without a licence. The Act can be found online at http://www.the-sia.org.uk.

2 Scope

This code of practice gives requirements for companies that provide real-time counter eavesdropping detection services, including the planning, installation, maintenance and repair of such systems.

Note: See also the NSI Regulations.

3 Terms and definitions

3.1 Customer: Individual(s) or a corporate body contracting to use your services.

3.2 Sub-contractors: An individual, or other organisation that is contracted by you to assist with the delivery of the contracted service, or provide the service on your behalf.

3.3 Real-time counter eavesdropping detection services: The service provided to detect the presence of real-time technical surveillance (eavesdropping) devices at a customer’s premises.

3.4 Technician: A person competent to conduct physical and technical searches, using appropriate equipment to detect technical surveillance (eavesdropping) devices.

3.5 You: The individual or organization that provides technical surveillance counter-measures services.

In this document, material (such as guidelines, information, recommendations, advice) that does not form a mandatory requirement of this Code is shown in italics.

4 The organisation

4.1 Structure

You must possess a clearly defined management structure showing effective control and accountability at each level of the operation. Details of the ownership of the organisation and the principals’ curricula vitae must be available. Any unspent criminal convictions or undischarged bankruptcy of a principal or director must be disclosed on request.

You must have appropriate registration with the Information Commissioner’s Office (ICO) in compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).

4.2 Finances

You must have sufficient working capital for your requirements.
The capital reserves of the organisation must be sufficient for current and planned needs. You must, under normal circumstances, be able to present two years’ audited trading accounts, except if it is starting as a subsidiary of an established organisation, and/or staff experience and substantial financial backing are evident.

You must prepare annual accounts, in accordance with applicable accounting standards. The accounts must include complete details of expenditure and income, and must be certified by an accountant or solicitor. Accounts must be made available for examination.

4.3 Insurance

You must possess employer’s liability insurance, public liability insurance and products liability insurance extending to wrongful advice and failure to perform.

4.4 Premises

You must have an administrative office, and/or operational centre, where records, professional and business documents, certificates, correspondence, files and other documents necessary for conducting business transactions must be kept in a secure manner.

4.5 Business Operating Manual

You must operate to a company Business Operating Manual covering the topics given in this code of practice. The Business Operating Manual must be so structured that it can be updated easily as circumstances demand.

In the case of an NSI Gold approved company, the Business Operating Manual (Quality Manual) must comply with BS EN ISO 9001.

All your staff should be familiar with the general structure and content of the Business Operating Manual. Each individual should have detailed knowledge of and familiarity with the sections that relate to them and to their work, sufficient to discharge their duties and to carry out their work tasks. We recognise that some sections may not be relevant to all staff.
For example, technical work instructions may not need to be issued to office-based staff.

4.6 Document control and records

You must make sure that the Business Operating Manual, work instructions, other documented information appropriate to the Business Operating Manual and all the customer’s contractual documents, are authorised and subject to amendment controls.

You must maintain separate records (hardcopy or electronic) for each customer, employee, sub-contractor and supplier.

The records should be held in a secure manner, but should be easily accessible to authorized persons. Amended or updated records should be identifiable by date and clearly distinguishable from previous versions. Information stored in an electronic retrieval system should be regularly backed-up and adhere to current GDPR requirements.

You must keep records of contractual documents and of work carried out (including instructions, checklists and results) for a period of two years after a contract has ended.

An employee’s basic records (as detailed in BS 7858) should be kept for at least 7 years from the cessation of their employment.

Note: Minimum periods for retention of records can be reviewed if applicable for particular purposes, especially with regard to potential liabilities for civil action.

You should clearly define the location of records and documentation, both local and centralized. Archived records should be clearly indexed.

4.7 Administration control

The Business Operating Manual must say how you control administration. It must cover such processes as handling enquiries, preparing quotations, planning and controlling installations, planning and controlling maintenance, and such activities as purchasing and stock control, document and data control, filing of correspondence and system information.
It must contain (or call-up) a code of conduct for staff and suitable health and safety policy statements.

4.8 Contracts

You must adhere to a code of business ethics and selling practice the same as that for other NSI approved companies. You must not engage in misleading, unfair or pressurised selling techniques and you must adopt and keep to high standards of fairness and integrity.

You must not claim that the system and/or any of the equipment used for your real-time counter eavesdropping detection service comply with standards for intruder and hold-up alarms (PD 6662, EN 50131 and so on), CCTV (NSI NCP 104, EN 50132, BS 8418 and so on) or access control (NSI NCP 30 or EN 50133 and so on).

Your contracts for installing and/or maintaining the system must be in writing. You need to provide details, terms and conditions for each customer and, as a minimum, these must include:

i) reference to this code of practice and the fact that alarms generated by the system are not eligible to be passed to the police;

ii) whether the equipment is to be supplied on an outright sale basis or whether it is leased;

iii) the period of guarantee or warranty;

iv) the initial contract price and any annual charges for maintenance and monitoring;

v) your customer’s obligations and your obligations concerning the initial installation, including what should happen if the customer changes their mind about having the installation when the installation is taking place;

vi) your customer’s obligations and your obligations concerning any subsequent work carried out to the system, stating which work will be chargeable and which will not;

This statement should provide clear guidance as to when call-out, labour and material charges will be applied.

vii) the arrangements for routine maintenance inspections (if any) and repair;

viii) your right of access for the purpose of maintaining, repairing and inspecting the equipment;

ix) conditions regarding non-interference with relevant parts of the system (such as the sensor unit) by people other than your company and representatives of your company;

x) terms and conditions concerning retention and use of data, as necessary for you to comply with your obligations under the GDPR and Data Protection Act;

xi) the method(s) used for transmitting any alarms and/or signals to an ARC (for example GSM or GPRS or other technology such as IP);

xii) the arrangements for contacting you for help with operating the system;

xiii) agreed escalation and response procedures should be clearly documented; and

xiv) a Service Level Agreement (SLA) which should form part of the terms and conditions of business.

The above list is not intended to be exhaustive. It is intended to give you an indication of the type of detail that contract details, terms and conditions should contain. We recommend that you get professional advice when you are drawing up your full terms and conditions of contract, to ensure that they are fair and reasonable and that they do not break the applicable law.

Each of your contracts must be supported by and refer to a clear specification for the service. The specification needs to include a list of all the equipment that is supplied.

You must not start to install the system until you have received either:

a) your customer’s signed acceptance of the contract; or

b) where oral acceptance has been given, you have sent your customer a written confirmation of that oral acceptance.

In all cases where maintenance and/or repair service is discontinued, you must immediately inform the customer in writing.

4.9 Engineering work instructions

You must have engineering work instructions documenting how people used by your company (including sub-contractors) are to carry out planning, installation, maintenance and repair of systems supplied by you.

The purpose of the work instructions is to provide guidance and clarification and expansion of the technical requirements and to provide specific instructions which your company requires people to follow. These work instructions do not need to duplicate the technical requirements.

4.9.1 Planning

A record of any survey carried out shall be kept on file.

The work instructions should include a checklist of items which need to be discussed with the customer, for example perceived risks, desired facilities, budgetary limitations and so on, and also items which need to be considered when surveying the premises/protected area, for example coverage, blind spots and so on.

It is prudent to keep a record of significant aspects of discussions held with the customer covering the customer’s needs, expectations, patterns of use of the premises, and any criteria or constraints stated by the customer that may affect decisions regarding the planning.

4.9.2 Installation practices

The work instructions relating to installation practices must provide general technical guidance and they must include specific guidance on installation, commissioning, engineering checks, electrical measurements, objective tests, system handover, completion certificate and system amendments.

4.9.3 Maintenance practices

The work instructions relating to maintenance practices must provide guidance to technicians carrying out routine maintenance and/or repair tasks and they must include specific guidance on the use of technical checklists, report forms, on-site records and actions to be taken.

4.10 Document control and records

You must make sure that the Business Operating Manual, the engineering work instructions and all the customer’s contractual documents, for example specification and so on, are authorised and subject to amendment controls. When you change a document you must clearly show this, so that a reader can see that authorised changes have been made.

You must keep records of contractual documents and of work carried out (including checklists and test records) for a period of two years after a contract has ended.

4.11 Sub-contracting

You are allowed to use any suitable sub-contract worker for carrying out installation and/or maintenance and/or repair of the system on site, provided that he or she is an established and long-standing sub-contract worker having knowledge and experience of your company’s standards, procedures, practices etc., and whose work is routinely subject to documented internal audit by your company.

You must accept full responsibility for the work, statements, acts and omissions of your sub-contractors representing you or using your name or logo.

Where you use sub-contract workers they must be individuals who have been security screened in accordance with BS 7858 (see section 5.1).

You must keep records of the work carried out by sub-contract workers.

You must have a written agreement between your company and the sub-contract worker (or between your company and the organisation supplying the sub-contract worker) covering confidentiality of information, training and assignment to agreed tasks.

If your use of sub-contractors leads to a level of complaints that we consider to be unacceptable, then we may place restrictions on your use of sub-contractors as we see fit until such time as the level of complaints reduces to a level that we consider acceptable.
We will withdraw the facility for you to use sub-contractors if it becomes clear that you cannot ensure that your sub-contractors do meet, and will continue to meet, your requirements and our requirements.

4.12 Complaints

You must have a written procedure covering the prompt handling and timely resolution of all complaints, whether from customers, emergency service authorities, or genuine community representatives. You must handle complaints in keeping with your written procedure.

Further guidance on complaints management can be found in BS ISO 10002.

5 Personnel

5.1 Security screening and personnel identification

As a minimum, you must keep to the recommendations given in BS 7858: British Standard code of practice for security screening of individuals employed in a security environment.

You need to have a written procedure covering security screening of personnel, including any sub-contract workers. You need to keep records of all screening processes.

Evidence of valid Government Security Clearances, above Counter Terrorist Checks, may be used in lieu of BS 7858 requirements.

You must issue a photo ID card to each member of your staff and to each sub-contract worker who represents your company. The photo ID card must clearly give the identity of the holder, the signature of the holder, the name, address and telephone number of the business, and an expiry date.

5.2 Training

You must keep training records for all staff, and also for any sub-contract workers, to demonstrate that appropriate skills have been gained by those undertaking specific tasks. These records need to cover installing, maintenance and repair service. You need to include specific skills needed for office or administration staff.

6 Service provision

6.1 Equipment for real-time counter eavesdropping detection systems

Equipment for the system must comply with all statutory and regulatory requirements including those for electrical safety, electromagnetic compatibility and the permitted use of wireless communications. This includes all necessary markings, which shall be clear, unambiguous and meet all necessary requirements.

6.2 Functionality of real-time counter eavesdropping detection systems

The system shall have means to ensure that access to operate the system is restricted only to authorised persons (for example by password or code number, which may be entered manually or kept in a hand-held device).

The system shall have means to ensure that access to information and data held by the system is restricted only to authorised persons (for example by password or code number, which may be entered manually or kept in a hand-held device).

If you install a sound generating device (for example to provide local audible warning of a hazard) you must ensure that you do not breach any local or national noise pollution regulations and you must take care to locate the device so as not to cause harm or injury to individuals (for example due to excessive sound levels close to the ear).

It is custom and practice nowadays to fit a cut-out device that limits the time that sound is generated to a maximum of 15 minutes.

6.3 Planning, installation, maintenance and repair

6.3.1 Planning

You must ascertain the needs and expectations of your customers and then plan the system installations so as to meet these needs and expectations.

You should provide the customer with a proposal detailing where all the components and equipment are to be installed.
It is considered best practice that, prior to installation, a full technical surveillance counter-measures sweep of the area is conducted. This should be agreed with the customer.

6.3.2 Installation, maintenance and repair – general

Installation, maintenance and repair of the system must be carried out with competency by at least one trained and experienced technician, who may also be the proprietor or a director of your company.

You must ensure that all system installation, maintenance and repair work meets electrical safety requirements (for example BS 7671) and Part P of the Building Regulations in England and Wales (or the corresponding Building Regulations in other countries of the United Kingdom) and is in accordance with good engineering practice.

Where appropriate, you should agree with the customer who has responsibility for the provision of mains power supply. This agreement should be documented.

If you have responsibility for arranging the mains power supply, whether by fused spur or socket-outlet, you must ensure the electrical safety of the relevant circuit(s) or the socket-outlet by carrying out the appropriate BS 7671 inspections and tests on the electrical installation of the building.

Examples of appropriate electrical safety checks include inspecting and testing the main earthing arrangements at the main distribution board of the building, including the main equi-potential earth bonding arrangements, inspecting and testing the means for automatic disconnection of supply (fusing or circuit breakers), and so on, as well as checking earth loop impedance, and polarity at the socket-outlet.

You must ensure that all the power supplies, components and cables are correctly rated and are suitable for continuous use (including when at maximum load) and that they will not pose an electrical safety hazard or a fire safety hazard.
Consideration should be given to providing an alternative power supply (for example a standby battery, or batteries) in case there is a failure of the mains power supply.

Batteries, including those included in wireless components, should be replaced at intervals that are consistent with manufacturers’ recommendations.

If the customer is allowed to replace batteries, you must provide the customer with full and detailed instructions on how to achieve this so as not to endanger their safety.

Some customers might not be able to replace batteries and, in these cases, you should put in place appropriate arrangements for changing the batteries.

Interconnections within the system, which may be wired or wireless, shall provide a reliable means of communication between the central controller (the PC or “hub”) and the various sensors in use and any communicating equipment, and so on.

Occasionally, wireless interconnections can be adversely affected by local interferences such as overhead electricity cables and/or nearby high power transmitters such as those used at airfields. When you install a system you must carry out a suitable survey of possible influences to ensure that the chances of such interference are minimal.

If you connect to the public telecommunications network, either directly or via other equipment (such as a router) you must ensure that the equipment and the ways that you do this meet with all the relevant regulations for telecommunications, including those for electrical safety, and that they do not breach the requirements of the relevant telecommunications service provider(s).

6.3.3 Installation and handover

Installation must normally be by prior appointment.

You must agree (or have agreed) with your customer where all the components of the system are to be installed before you start the installation.
This does not prevent you from changing/improving the locations of the components during the installation, provided you agree this with the customer and the customer is content.

You must ensure that all cables are installed neatly and are held firmly in place so that they do not present a trip hazard or an electrical safety hazard.

If you need to lift carpets, ceiling tiles, and/or other fittings and fixtures you must get your customer’s permission to do this and/or allow the customer to use their own preferred contractor.

You must take into account the nature and use of the premises and where necessary you must provide physical protection for cables and equipment to help minimise damage and to avoid any danger to the occupants.

If you are sending signals to an alarm receiving centre you must test that all the different types of signals are received correctly at the alarm receiving centre.

If there is a link from the system to a website you must test that communications between the system and the website are working correctly.

You must clean-up all debris and waste materials created during the installation before you leave the premises and you must leave the premises in a clean and tidy condition.

Before you leave the premises you must:

i) provide the customer with instructions on how to operate the system (or say where the customer can easily obtain the instructions);

ii) where required, provide the customer with a full demonstration on how to operate the system and look after it; and

iii) where required, ensure that your customer is content with the installation, and how to operate it, and you must obtain their signature to that effect.

There may be instances where full commissioning cannot be completed until remote monitoring has been conducted. Such situations should be explained to the customer.

6.3.4 Maintenance and emergency repair

You must be able to offer routine maintenance and emergency repair of the system.

Where a system is monitored by an alarm receiving centre, it must be conditional upon the system being and remaining the subject of a maintenance service agreement covering routine maintenance and emergency repair.

You must be properly equipped with resources (people, vehicles and equipment) to enable you to supply routine maintenance and emergency repair of the system in accordance with the terms and conditions of your contract.

The frequency of routine maintenance should be at least one per annum or in accordance with manufacturer’s recommendations.

You must provide the customer with a schedule of all the routine maintenance checks that will be carried out and you must provide the customer with a record (or records) to show that you have carried out all the necessary checks as and when routine maintenance takes place.

Where possible, before you leave the premises, you should check and test the system to see that it is in full working order.

If anything is not working properly, and cannot be corrected at the time of a routine maintenance visit, you must inform the customer. If this happens you should return to the premises within twenty-one days, or at a later time if the customer agrees, to resolve the problem.

If you are called-upon to repair a system you must carry out the emergency repair in accordance with the terms and conditions of your contract with the customer, including keeping to relevant timescales.

Suitably qualified persons should be available to respond by attendance on site within the time agreed upon in any contract between you and your customer.

An emergency repair visit should normally result in rectification, not merely investigation of a fault, and the attending technician should carry all appropriate tools and have rapid access to any reasonable spare parts to facilitate this.

You are not obliged to carry out emergency repair of a system that is not the subject of a maintenance service agreement. However, you must ensure that you uphold any statutory consumer rights (for example in relation to warranty).

You should be able to offer support to the system (spare parts) for a period of at least five years from handover date.

6.4 Monitored systems

If you provide monitoring of the system, the monitoring must take place at an alarm receiving centre (ARC). The ARC must keep to the recommendations given in BS 5979: British Standard code of practice for remote centres monitoring fire and security systems. However, any alarms generated by the system must not be passed to the police.

Where you contract with another party to provide monitoring of the system, you must only use ARCs that are approved by NSI (or other ARCs recognised by an independent third-party approvals organisation acceptable to NSI and complying with BS 5979).

6.5 Website facility

If you provide a website facility to enable customers to have remote access to the system via the internet you must host the website facility in your own secure premises or in the premises of the ARC that you use.

It is preferable to limit remote access to non-security applications.

You must ensure that customers can only gain access to information about their own system (for example, by restricting access using passwords or code numbers) and that they cannot gain access to information about other customers’ systems.

You must take adequate precautions against malicious attempts to gain access to the information held on the computer servers that host the website facility.

A suitable secure interface, proportional to the monitoring requirements, should be in place.
The precautions should be reviewed on at least an annual basis and you must update the precautions as necessary to take account of new and emerging threats.

You must provide customers with a documented manual and/or an on-line help facility to enable them to understand how to use the website.

If you provide a telephone support line for customers wanting help using the website, you must state clearly the telephone charges (if any) associated with using the telephone support line, either from a land-line or from a mobile phone.

If you provide an on-line technical support facility (for example email address), you must state clearly the charges (if any) associated with using the on-line support.

6.6 Test equipment care and maintenance

You must take reasonable and appropriate steps to make sure that essential test equipment is functional and that it gives indications which are accurate within appropriate tolerances.

Your procedures for caring and maintaining test equipment need to be in writing as part of the Business Operating Manual.

Test equipment should be calibrated at specified intervals against measurement standards traceable to national measurement standards.

7 Response services

The Business Operating Manual must say how you provide a response service. It must cover such processes as dealing with an alarm and notifying the customer.

Escalation and response requirements should be in accordance with your procedures, and stated in the agreement between the customer and you.