1.3 Security Industry Standards & Continuous Improvement

Key Takeaways

  • ANSI/ASIS/RIMS RA.1-2015 provides a generic Plan-Do-Check-Act (PDCA) model for conducting security risk assessments and impact analyses.
  • ANSI/ASIS PSC.1 sets auditable, PDCA-based requirements for the quality management of private security company operations.
  • ANSI/ASIS SPC.1-2009 addresses organizational resilience through security, preparedness, and continuity management systems, while ISO 31000 is the international risk-management standard used alongside ASIS RA.1.
  • The Plan-Do-Check-Act cycle — plan objectives, implement, check performance, and act on corrective findings — underlies continuous improvement across ASIS/ISO security management standards.
  • Continuous assessment and improvement relies on audits, KPI tracking, gap analysis, benchmarking, and periodic management review to keep a security program aligned with evolving risk.
Last updated: July 2026

Why Standards Matter to a Security Program

Security management standards give a program a documented, auditable, and internationally recognized structure rather than an ad hoc set of practices unique to one organization. For the CPP exam, candidates must know the major ASIS International standards — most published jointly as ANSI/ASIS standards — and related ISO standards that shape modern security program management, and understand how organizations use structured continuous-improvement processes to keep programs effective as risks evolve.

Key ASIS/ANSI and ISO Standards

StandardFull Title / Scope
ANSI/ASIS/RIMS RA.1-2015Risk Assessment — a generic model for conducting risk assessments (including impact analyses) for risk-management decision-making, built on the Plan-Do-Check-Act (PDCA) cycle
ANSI/ASIS PSC.1Management System for Quality of Private Security Company Operations — auditable requirements, based on PDCA, for third-party certification of private security service providers
ANSI/ASIS SPC.1-2009Organizational Resilience: Security, Preparedness, and Continuity Management Systems — a holistic management-systems approach to improving an organization's resilience and preparedness
ISO 31000Risk Management — Guidelines — the international risk-management standard that ASIS RA.1 is designed to be used alongside
ISO 22301Business Continuity Management Systems — the international standard for planning, establishing, and maintaining business continuity capability (covered further in the Crisis Management domain)

These standards share a common structural logic: they are built on management-system thinking, meaning they specify not just what controls a program should have, but how to plan, implement, check, and continually improve that program — the same Plan-Do-Check-Act cycle borrowed from general quality-management practice (ISO 9001) and applied throughout the security standards landscape.

The Plan-Do-Check-Act (PDCA) Model

  • Plan — establish objectives, assess risk, and design the processes needed to deliver a security outcome.
  • Do — implement the plan: deploy the controls, train personnel, execute procedures.
  • Check — monitor and measure results against the plan through audits, KPIs, and incident review.
  • Act — take corrective and preventive action based on what the "Check" phase reveals, then feed those lessons back into the next planning cycle.

This same PDCA logic underlies both the ANSI/ASIS RA.1 risk-assessment standard and the broader idea of continuous assessment and improvement that the CPP Body of Knowledge expects of every security program, independent of any single standard a given organization has chosen to certify against. The PDCA structure itself originates in general quality-management practice — most directly the international quality-management-system standard ISO 9001 — and ASIS deliberately built its security-specific standards on the same management-system architecture so that a security program could be integrated into, or audited alongside, an organization's existing quality, environmental, or occupational-health management systems rather than requiring an entirely separate audit framework.

Certification, Audit, and Organizational Use

Some ASIS/ANSI standards, such as PSC.1, are designed to support third-party certification — an accredited external auditor formally certifies that a private security company's management system meets the standard's requirements, giving clients an independently verified basis for vendor selection. Others, such as RA.1, function primarily as a methodology reference that an internal security team applies without necessarily pursuing external certification. A CPP-level manager needs to know which category a given standard falls into, because it determines whether the organization is committing to recurring external audits and surveillance visits (as with certification-oriented standards) or is simply adopting a documented internal methodology (as with a risk-assessment framework like RA.1).

Continuous Assessment and Improvement Processes

A mature security program does not treat its policies, procedures, and controls as fixed once implemented. It maintains an ongoing cycle of:

  • Internal and external audits — periodic, structured reviews checking whether controls operate as designed and remain compliant with policy and applicable standards.
  • Metrics and KPI tracking — quantitative indicators such as incident rates, response times, audit-finding closure rates, and training completion, tracked over time to detect drift.
  • Gap analysis — comparing current-state controls against a target standard or the organization's own risk tolerance to surface deficiencies.
  • Benchmarking — comparing program performance against industry peers or published standards to identify where the program lags accepted practice.
  • Management review — periodic senior-leadership review of program performance, audit results, and changing risk conditions, closing the loop back into strategic planning.

Why Alignment to Standards Matters

Aligning a program to recognized standards such as RA.1, PSC.1, or ISO 31000 provides several practical benefits tested on the CPP exam: it creates a defensible, documented methodology that can withstand legal or regulatory scrutiny after an incident; it enables consistent risk assessment across multiple facilities or business units that might otherwise apply inconsistent, informal judgment; and it gives a program a structured basis for continuous improvement rather than improvement driven only by reacting to the most recent incident. A security manager who can point to a standards-based methodology, rather than informal judgment alone, is better positioned to defend program decisions to executives, auditors, and — if necessary — a court. This is also why exam scenarios often pair a named standard with the specific management-system function it governs: recognizing that RA.1 governs risk assessment while PSC.1 governs contract-security-company quality, for example, is a distinction the CPP exam expects candidates to make correctly.

Test Your Knowledge

Which ANSI/ASIS standard provides a generic model, built on the Plan-Do-Check-Act cycle, specifically for conducting risk assessments and impact analyses to support risk-management decisions?

A
B
C
D
Test Your Knowledge

In the Plan-Do-Check-Act cycle applied to a security management system, which phase involves monitoring and measuring program performance against established objectives through audits and KPIs?

A
B
C
D
Test Your Knowledge

A security director compares her program's controls against ANSI/ASIS PSC.1 requirements and documents several unmet requirements. This comparison process is best described as which continuous-improvement activity?

A
B
C
D