NSI-Technical-Bulletin-No-0031-BS-7984-1-2016

National Security Inspectorate
Sentinel House, 5 Reform Road, Maidenhead, SL6 8BY
E: nsi@nsi.org.uk | W: nsi.org.uk
© NSI 2016

Dated: 02 August 2016

To: All NSI Approved Companies and Applicants where the scope of approval includes the provision of keyholding and response services

TECHNICAL BULLETIN No: 0031

Guidance on the implementation of BS 7984-1:2016, the British Standard Code of Practice for Keyholding and response services (Supersedes BS 7984:2008)

BS 7984-1:2016 shows an effective date of 30th April 2016 and is now available through licensed outlets including NSI who can supply copies at a discounted rate.

Implementation timescale for Applicant Companies

With immediate effect Applicant Companies will be audited against the 2016 edition and any Improvement Needs recorded against clauses of the Standard will have to be satisfactorily addressed before approval can be granted.

Implementation timescale for existing Approved Companies

Companies holding NSI approval to BS 7984:2008 will be expected to upgrade to BS 7984-1:2016 by the end of August 2017.

NOTE REGARDING THE STATUS OF BS 7984-1:2016

Although issued as a code of practice by the British Standards Institution, it is important to note that compliance with the recommendations given in BS 7984-1:2016 is regarded as mandatory for all companies wishing to maintain an NSI approval with respect to the provision of keyholding and response services; subject to any additional clarifications and guidance included within this Technical Bulletin or issued subsequently. The recommendations given in BS 7984-1:2016 must therefore be regarded as requirements in relation to NSI approval for provision of keyholding and response services.

Technical Bulletin No. 0031 © NSI 2016

DETAILS OF THE CHANGES
(Highlighted under the clauses of the new Standard)

Comments under each clause of BS 7984-1:2016 consist of a summary of the main changes when compared with the corresponding clause within BS 7984:2008. Where the actual wording of the standard is quoted it is reproduced in bold text. Where it is considered relevant to further clarify the specified requirement, additional guidance is included in italics. We will consider alternative methods of achieving compliance with specified requirements where these can be demonstrated to be equivalent.

FOREWORD

The overall structure of the Foreword remains unchanged. The section on information about this document now gives a bullet point summary of the principal changes to the document.

The presentational conventions section still makes it clear that the recommendations within the Standard are expressed in sentences in which the principal auxiliary verb is “should”. However for approval under the NSI Scheme the note regarding the status of BS 7984-1 on page 1 of this Bulletin makes it clear that the requirements of BS 7984-1 are mandatory for NSI approval. Therefore, all references to “should” within the Standard must be read as “shall” as they are not an option.

Some clauses within the Standard use the word “may”; unless it is stated otherwise under the relevant clause, it is accepted that such references act as an alternative to the primary requirement. Where “can” is used it is to express possibility e.g. a consequence of an action or event.

The reference to the Private Security Industry Act 2001 is retained principally to draw attention to the fact that individuals carrying out licensable activities as defined in the Act are required to be licensed. Organizations wishing to maintain NSI Approval need to be able to demonstrate that all relevant personnel hold the appropriate SIA Licence or, if they are a SIA Approved Contractor, that they are covered by a Licensing Dispensation Notice.
INTRODUCTION

This is a new heading and reads as follows:

This British Standard gives recommendations for keyholding and response services. It details the manner in which an organization manages the service provision of keyholding and how it should respond to an event. In addition to key management, it further details what is expected of a response centre and vehicles used for the storage of keys. Elements of keyholding are also contained in BS 7499; however, BS 7499:2013, 5.4.2.2 clearly states that where an operational vehicle is required for keyholding and alarm response, the response is to be carried out in accordance with BS 7984.

NOTE BS 7984-2 covers response services provided to lone workers.

This British Standard is intended to be used in conjunction with the National Occupational Standards for responding to keyholding attendance requests and covers the following activities:

a) Response to keyholding attendance requests;
b) Attendance at sites in response to keyholding attendance requests;
c) Locating causes of security and safety alarms;
d) Making premises secure and complete keyholding attendance;
e) Preserving potential evidence of security breaches;
f) Dealing with conflict when making keyholding attendances; and
g) Carrying out site inspections to support keyholding activities.

Although this British Standard is aimed at organizations that provide keyholding and response services on a contracted basis, its provisions and guidelines could be equally applicable to those companies operating an in-house service provision.

1 SCOPE

Additional elements have been added and include:

• Keyholding response services and mobile patrols as a shared service on a contracted basis
• This British Standard does not apply to lone worker response services, static site guarding and mobile patrol services and is covered in the guidance note below:
  NOTE. Recommendations for lone worker response services are given in BS 7984-2. Recommendations for static site guarding and mobile patrol services are given in BS 7499.
• This British Standard assists procurers of keyholding and response services such as security companies and agencies, building management companies, local authorities and those promoting compliance.

2 NORMATIVE REFERENCES

Significant changes with reference to the following:

The following standards have been removed from normative references, but some are now included in the Bibliography:

• BS 5839-1, Fire detection and alarm systems for buildings – Code of practice for system design, installation and servicing
• BS 5979, Remote centres receiving signals from fire and security systems – Code of practice
• BS EN 50131 (all parts), Alarm systems
• BS EN 50131-1, Alarm systems – Intrusion and hold-up systems – Part 1: System requirements
• BS ISO 10002, Quality management – Customer satisfaction – Guidelines for complaints handling in organizations

3 TERMS AND DEFINITIONS

Some additional definitions have been added and some minor amendments made to existing definitions as detailed below:

3.1 Assignment Instructions. A note has been added detailing that the document can be either a hard copy or an electronic copy.

3.6 Keyholding. This definition is now only about the holding of keys, as the element regarding response – ‘Attending a customer’s premises in response to an event’ has been removed to form part of the new definition at 3.7. This change has been made to provide clarity and clearly differentiate between the two operations.

3.7 Keyholding response. A new definition that reads: Service whereby the organization holding keys to a customer’s premises attends in response to a request.

3.8 Keys. The word physical has been added to the previous definition and now reads: Physical instrument or data allowing authorised access to a customer’s premises.

3.13 Secure Facility.
The word facility has been replaced and now reads: Place in which keys and/or assignment instructions are stored and from which they are provided in responding to an event.

3.14 Subcontract. A new definition that reads: All, or part, of a contract assigned to another service provider, where the subcontracted services provider is responsible for service delivery including the supply and management of their employees in fulfilment of the subcontract.

3.15 Subcontract Service. A new definition that reads: Provision of services on behalf of a principal contractor.

3.16 Subcontracted Services Provider. A new definition that reads: Self-employed individual or a company that is contracted to provide service delivery on behalf of the principal contractor. A note is also included to clarify the principal contractor’s position and reads: The principal contractor is ultimately responsible and accountable for service delivery to the customer.

4. THE ORGANIZATION AND DOCUMENTED INFORMATION

4.1 Structure

There are no real changes apart from the addition of two new reference notes:

NOTE 2. Attention is drawn to the Data Protection Act 1998 [3] and the rights of an individual regarding access to information about their convictions and cautions.

This note relates to the new law that came into effect in March 2015 where anyone can apply for Subject Access to use the information for their own purposes, but should not be required to provide the information as the basis for a condition of employment or a contract for goods or services; nor can you apply for Subject Access on behalf of someone else. The Information Commissioner’s Office (ICO) recognises that the practice, known as ‘enforced subject access’ is not the legitimate means of doing so.
Anyone who provides information from a Subject Access disclosure, rather than the formal criminal record check system, ‘runs the risk of sharing more information than they need to.’

The organization should operate a documented complaints management system.

NOTE 3. Guidance is given in BS ISO 10002.

4.2 Finances

There is a minor change in the first paragraph with regard to sufficient working and fixed capital, with both of these now being removed. The requirement for 2 years of audited accounts has also been removed and replaced in the second paragraph with 2 years of annual trading accounts that have been certified by an accountant.

An additional element in the case of new start-up businesses has been added: where management accounts should be made available to show that the organization can demonstrate it has the funding available to achieve its plan for the business.

The NSI approach to assessing funding available to the company to achieve its plan for the business, is to view the resources, financial projections and available balance sheets at the application stage in order to take a view whether the organization has the resources to finance its current and projected customer base, particularly if there are any delays in payment of invoices for contracted services. When forming its view, NSI may take account of the extent and nature of past business experience of the Principals of the company.

4.3 Insurance

Insurance requirements remain commensurate with the business undertaken and the number of persons employed but there are now additional more explicit types of cover listed. They include: loss of keys, consequential loss of keys, fidelity guarantee, professional indemnity and wrongful arrest.

A note has also been added as follows:

NOTE. The following insurance cover could also be considered: legal expenses, directors’ and officers’ liability.
4.4 Documented information

This clause replaces 5.6 ‘Documents and Data’ from the 2008 version and the following additional notes for reference and guidance have been added:

NOTE 1 Attention is drawn to the Data Protection Act 1998 [3].

NOTE 2 Further information on the management of electronic data can be found in BS ISO/IEC 27001 and BS ISO/IEC 27002. Guidance on the storage of electronic media can be found in PD 5454.

Amendments have also been made to the record element of this clause with additional emphasis for all records to be maintained for at least 12 months after termination of the contract. The list of contractual records has been extended to also include: training records, rosters and risk assessments.

4.5 Subcontracted services

This clause replaces 5.5.1 ‘Suppliers of subcontract labour’ from the 2008 version and has been reworded. There is now no definitive clause referenced that subcontract service providers have to follow but an all-encompassing statement that reads:

The subcontracted services provider should also follow the recommendations given in this British Standard. The organization should satisfy itself that these recommendations have been followed. There should be documented evidence that due diligence has been carried out.

Whereas in the previous version the requirement was for an organization just to satisfy itself that the standard recommendations had been followed, there is now a more specific requirement to undertake due diligence and maintain records of this.

5 PREMISES

5.1 General

Clause 5 was previously headed resources but this clause reads similarly to premises within the previous standard. There is a subtle change in terminology in that the words, documents and records have been replaced with documented information.

5.2 Secure facility

There are significant changes to this clause with the removal of previous detail stipulating the requirements for a secure facility.
There are now only two elements listed as opposed to three and they are as follows:

A soundly constructed building, protected by a remotely monitored intruder alarm conforming to PD 6662:2010, grade 3, containing a dedicated room or lockable cabinets provided for the storage of keys; cabinets should be securely fixed to the fabric of the building. Where there is a shared occupancy, the intruder alarm system for the secure facility should be under the sole control of the organization.

A vehicle fitted with an alarm, an immobilizer, containing a lockable means of storing keys, which should be securely fixed to the body of the vehicle being used for the storage of keys.

5.3 Response centre

5.3.1 General

There are slight modifications to this clause in terms of rewording and the removal of all of the procedural manual requirements. The opening sentence now reads:

Where the organization operates a response centre, it should perform the following functions:

The reason for the recording function previously at point c) has been removed and now just states:

c) recording, in accordance with 5.3.3, all appropriate routine and emergency matters;

Likewise point d) has also been made more concise and now reads:

d) recording movement of the customer’s keys held by the organization.

The previous requirement to have the response centre “Situated within premises owned or leased by the organization or associate organization, or contracted out to a supplier who complies with the provisions of this standard” has been removed with the new requirement now only stating:

The response centre should be housed within a secure facility, and be a restricted area, accessible only to authorized personnel. Visitors should be accompanied at all times by an authorized person.

A note has been added to clarify response centre access and reads:

NOTE Authorized personnel are to be defined by senior management.
The procedural manual elements have all been removed and are now detailed as ‘Procedural Instructions’ and form the structure in 5.3.2 – Operations.

5.3.2 Operations

This clause has changed significantly in that it has been formed from an amalgamation of the 2008 clauses 6.7.4, 6.7.5 and the procedural elements of 6.7.1. The main content and requirements from the above clauses remain; apart from the elements detailed below:

Controllers are now referred to as response centre staff.

As detailed earlier the procedural manual has been replaced with procedural instructions but the requirement to have them readily available within the response centre remains extant. The information that response centre staff are to have immediate access to mirrors the former requirements.

One of the previous requirements of the 2008 clause 6.7.4 – “Controllers should receive and record check calls from keyholding response officers at intervals specified in the assignment instructions.” has not been transferred to this clause and is covered in operations under 7.5.2.

5.3.3 Records

There is one minor change to the content with the removal of the requirement to keep records of keys for a minimum of 12 months after the completion of a contract. However, this requirement has not been abolished and 4.4 ‘Documented information’ along with 7.2.2 ‘Contract records’ clearly state that all records concerning a contract should be maintained for at least 12 months.

6 PERSONNEL

6.1 Employees

6.1.1 General

Minor change in terminology with the use of supervisory personnel instead of supervisory staff.

6.1.2 Selection and screening

The following changes were made to this clause:

In the third paragraph the ability to demonstrate good reading, writing and verbal communication has been replaced with satisfactory.

The previous paragraph in this clause relating to procedures to monitor health and physical ability of employees has been removed and now features in 6.1.3 Health.

The requirements regarding driving licence checks have been extended in line with last year’s changes with the abolishment of the counterpart and introduction of the DVLA digital enquiry service. The paragraph now reads:

Employers should validate the employee’s driving licence against company policy for those employees whose duties involve driving. The employer should check the employee’s driving licence and carry out a DVLA licence check on the employee every six months. Records should be maintained and retained.

NOTE 2. The employer may use an automated system to receive authorised notifications of licence changes via the DVLA.

Organizations will need to keep a record of the check through the DVLA shared licence service, which allows users to generate a code to share with a third party.

6.1.3 Health

More specific detail has been added, starting with a more robust opening statement regarding employees being sent an employment medical questionnaire:

Prospective employees should be sent an employment medical questionnaire, with questions that relate to, or are intrinsic to, the job function (this can be sent with the offer of employment).

Two additional notes have also been added:

NOTE 1 The offer of employment is conditional on the results of the medical questionnaire supplied, as there might be medical considerations which could fundamentally inhibit the employee from carrying out the job.

NOTE 2 Attention is drawn to the Equality Act 2010 [5].

It is worthy of note that the 2008 requirement for employees to demonstrate good general health, good eyesight (including colour vision), hearing and sense of smell has been removed.

As part of the job application process, we still expect the organization to assess whether the employee is able to do the job.
6.1.4 Terms and conditions of employment

No real changes except for the inclusion of a job description and the term vetting has been replaced with screening.

6.1.5 Disciplinary code

No real changes except NOTE 1 has been expanded to read:

NOTE 1 An example of such a licence would be a Security Industry Authority (SIA) licence, see the SIA website for details.

6.1.6 Identification

No change.

6.2 Equipment and uniforms

6.2.1 Uniform

The third paragraph has now been removed along with the requirement for the uniform to be readily distinguishable from the emergency services or armed forces.

6.2.2 Vehicles

The previous first paragraph has now been removed and added as a NOTE with use of the word desirable now included:

NOTE Unless they are involved in covert operations or otherwise excepted from doing so under contract, it is desirable for operational vehicles to clearly display the organization’s name, badge or logo, and telephone number.

Three new elements have been added to the vehicle requirements and they are as follows:

c) allow for the organization to ascertain the destination or location of the vehicle at all times, for example, through the fitting of a tracking device, or a GPS signal;
d) be inspected by the driver at the start of each shift to ensure that it is appropriate for the intended use;
i) not carry any passengers not on official duty.

6.2.3 Other equipment

No change.

6.2.4 Equipment records

More detail has been added to the second and third paragraphs to provide an explanation for the requirement to maintain records of equipment repairs and vehicle maintenance. Additionally, in terms of records of equipment, the requirement is only for records of equipment repaired to be kept and not records of equipment calibrated. However the records must be kept for at least 12 months, or longer if there has been an accident and a claim has been made.

6.3 Training

6.3.1 General

No change.

6.3.2 Induction training

Content is generally the same with just a bit more role specific emphasis with reference to the completion of induction training.

Induction training should be completed before the keyholding response officer is deployed on operational duties.

6.3.3 Basic job training

The core requirements remain the same and in line with those issued by the Sector Skills Body (SSB) but there are two new elements to this clause.

A note has been added as a reminder that when conducting licensable activity an SIA licence is required in accordance with the PSIA 2001. The note reads as follows:

NOTE SIA licensing requirements apply if working in licensable security activity. A person falling within the definition of licensable conduct under the Private Security Industry Act 2001 [1] is required to be licensed in accordance with that Act.

The final paragraph is a new requirement and reads as follows:

The employer should carry out a gap analysis for security personnel holding a door supervision licence (including those who have transitioned from a door supervisor licence to security guarding) or close protection licence who wish to work in the security guarding area. Any training identified by the gap analysis should be provided.

This is in line with the requirements of BS 7499: 2013 clause 5.5.3 and ensures the correct competencies of officers during the recruitment process. If there are any training deficiencies identified due to an individual previously operating within a different security area, then additional training can be initiated.
6.3.4 Keyholding and response officer training

The competency requirements as defined by the SSB are now much more prescriptive and are as follows:

a) collate and confirm information about attendance requests;
b) prioritize keyholding response attendances and other actions;
c) allocate resources for keyholding response;
d) take responsibility for keys and site information and equipment;
e) travel between sites safely and efficiently;
f) carry out dynamic risk assessments on arrival;
g) enter sites and premises;
h) maintain the security of premises whilst locating sources of alarms;
i) determine causes of alarm activations;
j) confirm physical security of premises and set security systems;
k) complete keyholding attendances;
l) preserve the integrity of potential evidence;
m) record and report details of potential evidence;
n) recognize potential conflict situations;
o) respond to conflict situations;
p) inspect sites to collect information to support keyholding activities;
q) produce keyholding site inspection reports and assignment instructions; and
r) maintain records, keys and equipment to support keyholding activities.

National Occupational Standards (NOS) for keyholding and response officer training were developed and published in November 2014 through the SSB. NOS are statements of the standards of performance individuals must achieve when carrying out functions in the workplace, together with specifications of the underpinning knowledge and understanding.

Evidence must be available to demonstrate that keyholding and response officers have received a minimum of 16 hours training covering the above requirements. The requirement also includes the need for an examination which could simply be completion of a multi-choice paper but there should be a clearly defined pass level that the potential keyholding response officer is expected to achieve.
Failure to achieve the required pass level must trigger re-training for the elements that the officer has failed to demonstrate an adequate understanding of.

The requirement for a performance assessment within the first three months of employment has been retained. As a minimum the assessment should confirm that the keyholding response officer understands his duties and responsibilities covered by item a) to r) of the list of requirements for keyholding and response officer training, detailed in paragraph 6.3.4.

6.3.5 Response centre training

Apart from the use of staff instead of personnel there are no changes to the requirements.

6.3.6 Takeovers

This clause has been condensed and puts the onus on meeting the standard when acquiring personnel through a takeover. It now reads:

If employees are acquired through a takeover, the organization should identify their training needs and address them in line with the recommendations in this British Standard.

Organizations should assess the competence levels of all employees acquired through takeover and provide any additional or refresher training identified through this assessment.

6.3.7 Refresher training

No significant change.

6.3.8 Contingency training

No change.

6.3.9 Training records

Records held directly by the organization now have to be retained for a period of seven years and a new note has been added to reflect the Skills Funding Agency’s Learning Records Service (LRS), which reads:

NOTE Attention is drawn to the Skills Funding Agency’s Learning Records Service (LRS). Organizations can complete a Personal Learning Record for each employee, which stores all the employee’s learning achievements. Details of courses recently completed (starting from the 2007/08 academic year) or currently in progress with a recognized learner are automatically added to the register. This includes courses from school and further education, but not higher education.
The student can also add course details themselves. Information about the purpose of LRS can be found at www.gov.uk/government/collections/learning-records-service.

7 SERVICE PROVISION

7.1 Sale of services

7.1.1 Contacting prospective customers

Slight modifications have been made to the wording of this clause and there is now clearer guidance on the nature of the information you can ascertain from your enquiries, as opposed to the 2008 version. The last sentence is now in line with BS 7499: 2013 clause 6.1.1 and reads:

Enquiries should not be made of their existing operational security arrangements (i.e. sensitive information), however general service requirements can be ascertained.

7.1.2 Customer information

No significant changes apart from the introduction of suitable media as a means of providing customer information which is in line with progress in technology. There are now clear statements outside of the basic information that is required to be provided to customers that organizations must provide if applicable or the customer requests it.

Where the following items apply to the organization, this information should also be provided:

1) details of any trade association membership, claims of compliance with industry standards, and/or details of certification by a UKAS-accredited (United Kingdom Accreditation Service) certification body and SIA Approved Contractor Scheme status;
2) registered number, address and date of registration, if the organization is an incorporated company;
3) any previous name(s) of the organization; and
4) details of any parent organization (e.g. immediate holding company) or ultimate holding company.
If requested by a potential customer, the organization should supply additional information as follows:

i) terms and conditions of employment of the keyholding response officers;
   NOTE Terms and conditions of employment might include the average hourly rate of pay and the maximum number of hours in a typical working week.
ii) type and extent of insurance cover;
iii) reference sources for details of previous or current work carried out by the organization; and
iv) organization chart, and details of the number of employees, employee qualifications and number of personnel on supervisory/management duties alone.

7.1.3 Quotations

No significant changes.

7.2 Contracts

7.2.1 General

The requirements have been simplified and condensed, with the removal of the last paragraph from the 2008 version.

7.2.2 Contract records

This is a new sub-clause but most of the subject matter detailed below was previously included under Documents and data:

Copies of records relating to the contractual agreement between the customer and the organization should be retained in a customer file. These records should include pre-contract documentation, site inspection reports, agreed assignment instructions, receipts for keys and any customer correspondence. These records should be retained and controlled in accordance with 4.4.

7.3 Initial site inspections

Slight changes to this clause with the removal of the paragraph relating to the taking over of existing assignments from previous providers.

7.4 Assignment instructions

The clause has been reworded and condensed slightly with the assignment instruction content requirements being reduced but not limited to six headings.
Assignment instructions should include, though not be limited to, details of the following:

a) hazardous conditions (health and safety assessments);
b) agreed means of access;
c) method of operating/re-setting alarm;
d) client specific instructions;
e) location of main services; and
f) contingency plans.

7.5 Keyholding and response to events

7.5.1 General

No change.

7.5.2 Keyholding response officers

Minor modifications here with all check call requirements remaining extant.

With regard to records from an event, the address of any persons present has been replaced with contact details and authorisation to depart can now also be given from your organization as opposed to just the client previously.

7.5.3 Follow-up

No change.

8 KEY MANAGEMENT

8.1 General

No real changes.

8.2 Initial key receipt

Slight change with the key register to be annotated once the keys are initially deposited within a secure facility. The statement ‘and not left unattended during transit.’ from the 2008 version has also been removed. However, this clause now clearly states that keys should be deposited within a secure facility without delay and details recorded in the key register.

8.3 Control of keys

There have been significant changes in this area with a lot of the previous practices and requirements being removed. A commentary has been added as follows:

This sub-clause refers to control of physical keys. For guidance on control of data, see 4.4.

Key seals cannot be re-useable with access to them being restricted to authorised personnel only.

In terms of key audits the weekly check has been withdrawn and there is now a greater onus on inspecting the keys that have been issued on their return.

At the end of each event, keys that have been issued should be returned and inspected to ensure that the keys remain securely affixed.

The requirement for quarterly management checks of all stored keys still remains.
Documentation requirements are more precise in terms of a ‘Key management log’ but also in the information that needs to be recorded within.

A key management log should be maintained and stored securely, recording date, time and reason for use (see 5.3.3).

8.4 Returning and disposal of keys

More explicit requirements have been added in terms of unclaimed keys on cessation of contracts and the last sentence now reads:

If keys are unclaimed on cessation of a contract, they should be securely disposed of after one month and a record of the method of disposal retained for seven years.

8.5 Key storage at customer facilities

This clause has been totally changed with more definitive guidance and requirements being added due to the potential security risks posed from housing keys in external boxes or vaults and also to put in place the necessary safeguards to the company as a result of this.

Organizations carrying out keyholding and response services should request a specific written acknowledgement and acceptance from the customer of any potential security risks relating to keys and/or electronic security systems (e.g. intruder alarms or CCTV) from the use of external boxes or vaults, and should also recommend that the customer consults their insurer(s) before signing it. If the customer is reluctant to provide a written acknowledgement, the organization should retain evidence that they have made the customer aware of the potential security risks.

Keys held in an external box or vault are not deemed to be under the organization’s control, and the provisions of 8.1 to 8.4 should not be applied to their management and control.

Sub-clause 7.1.3 l) of BS 7984-1:2016 requires that the quotation document should state the obligation of the customer to satisfy themselves that if an external key storage facility at the customer premises (see 8.5) is to be used that this method of storage is acceptable to their insurers.
The potential risks to key security from using such boxes or vaults are of concern to insurers. Some insurers take the view that use of site keyboxes at alarmed premises (particularly at premises fitted with alarm systems providing alarm ‘confirmation’, unset by use of a physical device (a fob or key) which will need to be stored alongside the keys) is a potentially serious security weakness. This is because any intruder gaining access to the key box (either opening it at the premises, or removing it and then opening it elsewhere before returning to the premises) will have in their possession the physical means to unlock the premises and to unset the intruder alarm. This would give unfettered access to the whole premises, with the potential for serious damage or loss.

The situation is further complicated in that there is no widely recognised security standard for the manufacture or construction of external key boxes. In certain circumstances, if a key box is used without the express knowledge and consent of the insurer, there might be a risk of an insurance claim being refused.

It is important that any key box be of secure and robust construction (and securely attached to the building, or securely anchored to the ground), having regard to the perceived level of risk.

There are a number of different types of key boxes commercially available. Generally, they can be divided into two categories:
• anti-tamper key safes that are wired into the intruder alarm system
• stand-alone key units without any link to an intruder alarm.
CENELEC Technical Specification CLC/TS 50131-7:2010 (application guidelines for intruder and hold-up alarm systems) states (at H.27) that the following issues should be considered in relation to external boxes for retaining keys:
• supervision against opening and removal;
• concealment of external wiring or provision of the appropriate level of tamper protection;
• adequate level of lock security according to the risk assessment.

In view of these factors, the following additional requirements apply under this NSI Technical Bulletin.

Where a contract (or a proposed contract) includes the supply of an external key storage facility at the customer premises or is based on the use of such a facility:

8.5.1 The quotation or specification shall include a statement in the terms set out in Section A.1 of Appendix A to this NSI Technical Bulletin (or in words to like effect).

8.5.2 The contractual documents shall include a statement intended to be signed by the customer, in the terms set out in Section A.2 of Appendix A to this NSI Technical Bulletin (or in words to like effect).

8.5.3 The NSI approved company’s procedures for the control of keys shall take into account the need to ensure there are adequate controls in place to minimise the potential for misuse or unauthorised access. The approved company shall be able to demonstrate a reasoned case that the controls are adequate, having regard to the perceived nature and extent of the risk and the other material circumstances.

8.5.4 The NSI approved company shall retain evidence that it has informed its own insurer that it supplies external key storage facilities at customer premises and/or that it provides response services involving the use of external key storage facilities at customer premises, and evidence that the insurer has accepted the risk.

Appendix A

Model or example statements and declarations for use where a key storage facility at customer premises is supplied or used (or is to be supplied or used)

A.1 Model or example statement (for quotation or specification)

It is important you should be aware that the use of a key storage facility at a customer’s premises by means of an external box or vault might not be as secure as the methods described in clause 5.2 of the British Standard code of practice for keyholding and response services BS 7984: 2016.

The potential risks to key security from using such boxes or vaults are of concern to insurers. In certain circumstances, if a key box or vault is used without the express knowledge and consent of the insurer, there might be a risk of an insurance claim being refused. It is essential therefore that you check with your insurer and that you satisfy yourself that this method of storage is acceptable to your insurer.

In premises that have an intruder alarm system, the following statement shall also be included:

If there is an intruder alarm system at your premises, you should also consider the following:
• arranging for your intruder alarm company to provide supervision of the key box or vault against opening and removal
• concealing the external wiring (if any)
• providing an appropriate level of tamper protection.

A.2 Model or example customer declaration

We confirm we are aware that the use of a key storage facility at a customer’s premises by means of an external box or vault might not be as secure as the methods described in clause 5.2 of the British Standard code of practice for keyholding and response services BS 7984-1: 2016.

We are aware that the potential risks to key security from using such boxes or vaults are of concern to insurers. We are aware that, in certain circumstances, if a key box or vault is used without the express knowledge and consent of the insurer, there might be a risk of an insurance claim being refused.
We acknowledge and accept the potential risks to key security from the use of such boxes or vaults. We confirm we have checked with our insurer and we have satisfied ourselves that this method of storage is acceptable to our insurer.

[Or (where a customer is un-insured or self-insures) the following text may be used in place of the immediately preceding sentence: We confirm we are un-insured or we self-insure and that we fully accept the potential risks associated with this method of storage].

In premises with an intruder alarm system, the following customer declaration should also be included:

We confirm we have considered the following, and we have discussed these matters with our intruder alarm provider:
• arranging for your intruder alarm company to provide supervision of the key box or vault against opening and removal
• concealing the external wiring (if any)
• providing an appropriate level of tamper protection.

Signed
Date
Name of signatory (in block capitals)
Position held
For and on behalf of (name of customer company or organization)