Security within the construction sector is becoming increasingly important. This is not just in terms of the physical controls and guarding, or security-minded behaviour by personnel, but also in respect of how we manage risks arising from unauthorised access to, and manipulation or sharing of, data, information and systems

The increasing use of digital technologies in the design, construction and operation of buildings and infrastructure are transforming the way that architecture, construction and engineering industries work. It will be essential for organisations within these industries to embrace the concept of collaborative working, not only through greater openness and transparency but also through the sharing and use of large amounts of digital information.

These advances offer significant and exciting opportunities to asset owners and supply chains to seek innovative solutions to deliver future fiscal, functional, sustainability and growth objectives. However, with the increasing use of, and dependence on information and communications technologies, there is a need to be aware of the vulnerability issues which can arise, and to take appropriate and proportionate control measures to deliver the trustworthiness, safety, resilience and security of digital built assets.

It is imperative therefore that even in a BIM Level 1 environment that there is appropriate governance and accountability in the collaborative use of information.  Therefore, SFT are advocating the adoption of PAS 1192-5:2015 Specification for security-minded building information modelling, digital built environments and smart asset management.

This standard specifies requirements for security-minded management of BIM and digital built  environment. It outlines the cyber-security vulnerabilities to hostile attack when using BIM and provides an assessment process to determine the levels of cyber-security for BIM collaboration which should be applied during all phases of the site and building lifecycle. Whilst the standards assume a BIM Level 2 environment the principles of this standard can still be practically applied in a BIM Level 1 environment.

PAS 1192-5:2015 was commissioned by the Centre for the Protection of National Infrastructure (CPNI), who provided the technical authors for its development with British Standards Institution (BSI) facilitating its production and input from a panel of industry experts. The Publicly Available Specification (PAS) has been developed to integrate a security-minded approach into the construction lifecycle processes.

Recognising that good cyber security alone will be insufficient to protect built assets and related asset information in the collaborative environments which successful BIM Level 1 implementation needs, the PAS requires the implementation of a holistic approach, addressing security around the aspects of people and process, as well as physical and technological security.

The full PAS 1192-5 can be downloaded free of charge from British Standard Institute (BSI) Level 2 BIM portal

Further guidance to support the implementation of PAS 1192-5 is available at:

Who should use it?

PAS 1192-5 is intended for use by asset owners or, within a project, the Employer. It will also be of interest and relevance to other organizations and individuals involved in the design, construction, maintenance and management of built assets, including those who wish to protect their commercial information and/or intellectual property.

How do I use it?

PAS 1192-5 provides a security-minded framework for applying an appropriate and proportionate approach to managing the security risks that affect a built asset, in whole or in part, asset data and information.

It specifies the processes which will assist organisations in identifying and implementing measures to reduce the risk of loss or disclosure of information which could impact on the safety and security of:

  • personnel and other occupants or users of the built asset and its services;
  • the built asset itself;
  • asset information; and/or
  • the benefits the built asset exists to deliver.
  • A built asset may comprise a building, multiple buildings (e.g. a site or campus) or built infrastructure (e.g. roads, railways, pipelines, dams, docks, etc.). It may include associated land or water, for example, the catchment area for a water company or the navigation channels for a dock and may comprise a portfolio or network of assets.
  • The PAS adopts a risk management based approach, leading to the production of a Built Asset Security Strategy and Built Asset Security Management Plan. It also introduces the need for a suitably qualified and experienced Built Asset Security Manager to take responsibility for the development, implementation and maintenance of security mindedness throughout the asset lifecycle.

Departmental Security Policies

It is recommended that, where appropriate, PAS 1192-5 be used in conjunction with, and any Built Asset Security Management Plan cross-referenced to, other security management policies and plans in place, including those relating to cyber security and cyber resilience.

Cyber Security in Scotland

The Scottish Government published a Cyber Resilience Strategy for Scotland in November 2015. This document should also be read and considered in the development of departmental cyber resilience strategies.

Summary of the PAS 1192-5 Process 

More information on PAS 1992-5 process and asscoiated sub tasks can be foudn at the following link