1. Does PAS 1192-5 apply to my built asset?
To establish whether PAS 1192-5 applies to a built asset, the Employer or the Asset’s Owner should apply the Security Triage process set out in the PAS (Clause 5). This will help determine the level of security-minded approach required for the asset, the associated asset information and any other asset information held pertaining to neighbouring built assets.
2. As an organisation with an existing built asset, how can we determine if there are any security issues concerning our asset information?
CPNI has prepared a guidance document setting out questions which an organisation can ask of itself and its supply chain in order to understand what information it, or others, holds in relation to its built assets. The questions will also help in assessing the availability and accessibility of that information, and any associated potential impact on the security of the asset, its users or services [add link].
3. Doesn’t the protection of digital asset information just require good cyber security?
Assuring the security of a built asset and related asset information requires a holistic approach – encompassing the aspects of people and process, as well as physical and technological security (see clause 4.3 of PAS 1192-5).
4. How does PAS 1192-5 fit with other government guidance and codes of practice on security?
PAS 1192-5 deals specifically with the security-minded approach to building information modelling, digital built environments and smart asset management. However, the policies, processes and procedures it specifies should, where appropriate, be cross-referenced to the other security management policies and plans which the employer or asset owner has in place, as well as relevant government guidance and codes of practice on wider security issues.
5. Why can’t we just apply ISO 27001?
ISO 27001 sets out the information security requirements for an individual organisation. BIM and smart asset management, as well as future digital built environments, are inherently collaborative processes involving the sharing of large amounts of digital models, data and information between the broad range of organisations in a supply chain, from multinational companies to sole traders. In addition, requiring the application of ISO 27001 may be too onerous for many within this diverse range of enterprises, in particular SMEs and sole traders. It is recommended that the Cyber Essentials Scheme be adopted as a minimum cyber security standard (see clause 5.6 of PAS 1192-5)
6. Is the PAS only relevant to Level 2 BIM?
The PAS is specifically aimed at Level 2 BIM, but also provides a foundation to support the evolution of future digital built environments, for example intelligent buildings, infrastructure and Smart Cities. However it does not detail technical architectures for their implementation. In addition, although the processes contained within it may be applicable to other data management systems, this PAS does not specifically address issues relating to those systems.
7. Why can’t the Built Asset Security Manager role be fulfilled by the Information Manager on the project?
The Information Manager exists only during the course of a project and is a role fulfilled by the supply chain. However, the Built Asset Security Manager is directly accountable to the Employer or Asset Owner for the design, implementation and operation of an appropriate security regime throughout the asset’s lifecycle.
8. Does the Built Asset Security Manager have a role outside a project?
The Built Asset Security Manager has a key role in security-minded delivery of projects. There is also a need for this function to continue throughout the lifecycle of a sensitive built asset in order to ensure appropriate and proportionate measures are maintained to protect asset information. On smaller projects, the role is likely to be a part-time function and fulfilled by an individual who may undertake or be responsible for security and other duties.
9. Does PAS 1192-5 place any new responsibilities on the Information Manager?
The Information Manager will have to work closely with the Employer’s Built Asset Security Manager in the delivery of the Built Asset Security Information Requirements (BASIR). (See Clauses 6 & 10).
Notes:- Images re-produced with the kind permission of the British Standard Institute.
SFT would like to thank the Centre for the Protection of National Infrastructure (CPNI) and A.Luck Associates in the creation of this section.