
The Complete BS7858:2019 Compliance Guide for UK Security Companies

If you manage hiring, vetting, or deployment in a UK security business, this guide gives you a practical, plain-English path to BS7858:2019 compliance.

Published by Patrovix Ltd. Last updated: April 2026. Reading time: 30–40 minutes.

Disclaimer

This guide is for informational purposes and reflects BS7858:2019 as of April 2026. It is not legal advice. Always consult the current BSI publication and obtain professional advice for your specific operating context.

Introduction: Why BS7858 matters

In many security businesses, contract risk does not start on-site — it starts in the vetting file. One missing check, unexplained gap, or expired licence can undermine an otherwise strong operation.

BS7858:2019 gives you a repeatable standard for proving that your people are properly screened before deployment. Done well, it protects your clients, strengthens tender credibility, and reduces audit stress for operations and compliance teams.

What is BS7858:2019?

BS 7858:2019 is a code of practice for screening people employed in security environments. In simple terms, it defines the evidence and checks you should complete before trusting someone in a role with access to risk-sensitive sites, assets, systems, or people.

Who must comply?

  • ACS-certified suppliers (mandatory as part of ACS expectations)
  • Security firms bidding for public/private contracts requiring BS7858-aligned screening
  • In-house teams deploying SIA-licensed personnel into regulated or sensitive roles

Key 2019 changes vs 2012

  • Greater emphasis on watchlist/sanctions checks
  • Directorship checks via Companies House
  • Stronger focus on ongoing monitoring and annual reviews
  • Role-based risk assessment expectations before deployment decisions

The 10 core screening requirements (full detail)

  1. Identity verification: confirm legal name, date of birth, and identity using acceptable original documents.
  2. Right to work: verify legal permission to work in the UK and diarise follow-up checks where status is time-limited.
  3. 5-year history: evidence continuous employment/education/unemployment history for the prior five years.
  4. 31-day gap rule: every gap over 31 consecutive days must be explained and evidenced.
  5. Address history: capture and verify relevant addresses for the screening period.
  6. DBS checks: complete the DBS level required by role (Basic/Standard/Enhanced).
  7. SIA licence verification: confirm licence type, status, holder details, and expiry.
  8. Financial probity: review adverse financial signals relevant to role risk.
  9. Directorship & sanctions: run Companies House and sanctions/watchlist checks.
  10. Medical declaration: collect and process fitness-related declarations in line with GDPR/Equality obligations.

Tip: treat these 10 requirements as one connected workflow, not 10 separate admin tasks. Most audit failures happen in the handoffs between checks.
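As an added illustration of requirements 3 and 4 (the 5-year history and the 31-day gap rule), and not code from this guide or from Patrovix, the Python below takes a candidate's declared timeline, clips it to the five-year window ending on the screening date, merges overlapping evidenced periods, and returns every uncovered stretch of more than 31 consecutive days, including a trailing gap up to the screening date. The `Period` type, `find_gaps` and the sample timeline are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
GAP_LIMIT_DAYS = 31   # BS7858:2019: a gap over 31 consecutive days must be explained and evidenced
SCREENING_YEARS = 5   # the timeline must cover the five years before the screening date

@dataclass(frozen=True)
class Period:
    start: date       # first day covered (inclusive)
    end: date         # last day covered (inclusive)
    kind: str         # "employment", "education", "unemployment", ...
    evidenced: bool   # True once backed by a reference, document or other evidence

def screening_window(screening_date):
    """Five-year window ending on the screening date (29 Feb rolls back to 28 Feb)."""
    year = screening_date.year - SCREENING_YEARS
    try:
        return screening_date.replace(year=year), screening_date
    except ValueError:
        return screening_date.replace(year=year, day=28), screening_date

def find_gaps(periods, screening_date):
    """Return (first_day, last_day, days) for each uncovered stretch over GAP_LIMIT_DAYS.
    Declared-but-unevidenced periods count as gaps: they still need evidence."""
    win_start, win_end = screening_window(screening_date)
    covered = sorted((max(p.start, win_start), min(p.end, win_end)) for p in periods
                     if p.evidenced and p.end >= win_start and p.start <= win_end)
    merged = []                                 # merge overlapping or adjacent coverage
    for s, e in covered:
        if merged and s <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    gaps, cursor = [], win_start                # cursor = first day not yet accounted for
    for s, e in merged:
        days = (s - cursor).days                # uncovered days before this period
        if days > GAP_LIMIT_DAYS:
            gaps.append((cursor, s - timedelta(days=1), days))
        cursor = e + timedelta(days=1)
    days = (win_end - cursor).days + 1          # trailing gap up to the screening date
    if days > GAP_LIMIT_DAYS:
        gaps.append((cursor, win_end, days))
    return gaps

# Constructed sample timeline (not a real candidate): the unemployment period is declared
# but not yet evidenced, so it surfaces as a 77-day gap to chase before sign-off.
SAMPLE_HISTORY = [
    Period(date(2019, 1, 1), date(2022, 6, 30), "employment", True),
    Period(date(2022, 7, 1), date(2022, 9, 15), "unemployment", False),
    Period(date(2022, 9, 16), date(2024, 12, 31), "employment", True),
    Period(date(2025, 1, 20), date(2026, 4, 1), "education", True),
]
SAMPLE_GAPS = find_gaps(SAMPLE_HISTORY, date(2026, 4, 1))
```

A gap of exactly 31 days is not flagged, because the rule applies to gaps over 31 days; a period declared without evidence is still reported so the checklist cannot be signed off until it is chased.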

Step-by-step screening workflow (10 stages)

  1. Role risk assessment and screening level definition
  2. Candidate consent + privacy notice
  3. Collect complete application and 5-year timeline
  4. Identity + right-to-work verification
  5. Submit DBS and background checks
  6. Reference chasing and independent verification
  7. Medical declaration review
  8. Compile and quality-check vetting file
  9. Adverse-findings risk decision and sign-off
  10. Schedule ongoing monitoring and review dates

Conditional deployment rule: if you deploy before full completion, identity and right-to-work must already be complete, risk rationale must be documented, outstanding checks must have deadlines, and supervision controls must be active. A valid SIA licence remains non-negotiable for licensable roles.

Record keeping, 7-year retention, and GDPR obligations

  • Store all evidence, correspondence logs, outcomes, and decision rationale in a single auditable file.
  • Retain records for at least 7 years (or as contract/regulatory needs require), then securely delete in line with policy.
  • Apply UK GDPR principles: purpose limitation, minimisation, access control, audit logging, and secure processing of special-category data.

Annual re-vetting and ongoing compliance triggers

BS7858 is not a one-time onboarding exercise. Build a rhythm of annual review plus event-driven re-vetting when circumstances change.

  • SIA licence status change (expiry, suspension, revocation)
  • Time-limited right-to-work status approaching expiry
  • New criminality/adverse risk disclosures
  • Promotion or transfer into higher-risk duties
  • Safeguarding, client, or conduct incidents triggering reassessment

11 common compliance mistakes (and fixes)

  1. Accepting unverified references → confirm source identity independently before sign-off.
  2. Missing >31-day gap evidence → enforce a mandatory gap checklist.
  3. Deploying with incomplete controls → document conditional deployment rules and deadlines.
  4. No SIA re-check cadence → implement automated or scheduled verification.
  5. Scattered records across inboxes/drives → centralise in one auditable system.
  6. Insufficient directorship/sanctions checks → include full 2019 requirement set.
  7. No documented adverse-findings decision → record risk rationale every time.
  8. Over-retention or under-retention → maintain and enforce retention policy.
  9. Weak GDPR controls on sensitive data → tighten access, lawful basis, and logs.
  10. Not accounting for overseas periods → obtain equivalent checks where possible and document limits.
  11. No annual compliance cycle → define ownership, cadence, and evidence standards for recurring re-vetting.

Consequences of non-compliance

  • ACS performance impact and possible status risk
  • Contract breach or termination on regulated contracts
  • Civil liability exposure after incidents
  • Criminal risk where unlicensed deployment occurs
  • Insurance coverage disputes due to compliance failures
  • Long-term reputational damage affecting future tenders

BS7858 and the SIA Approved Contractor Scheme (ACS)

ACS audits look beyond policy documents. Auditors want to see that day-to-day practice matches your written process — especially evidence quality, completion standards, traceability, and ongoing re-check discipline.

Outsourcing checks does not outsource accountability. The deploying organisation remains responsible for final compliance outcomes.

Build your own compliant vetting process (with checklist template)

Use this starter checklist template for each candidate and do not mark a file complete until every required item is evidenced.

  • [ ] Identity documents verified (A/B evidence logged)
  • [ ] Right-to-work verified and expiry reminders set
  • [ ] Full 5-year history verified
  • [ ] All 31+ day gaps evidenced and signed off
  • [ ] Address history captured and checked
  • [ ] DBS check submitted/reviewed
  • [ ] SIA licence validated and next re-check date set
  • [ ] Financial probity completed
  • [ ] Directorship/sanctions checks completed
  • [ ] Medical declaration reviewed under GDPR controls
  • [ ] Final risk decision approved + annual review scheduled

Frequently Asked Questions

1. Is BS7858:2019 a legal requirement?
It is a British Standard (code of practice), but in practice it is often mandatory via ACS expectations and contractual terms.

2. Does it apply to agency and subcontract guards?
Yes—deployer accountability still applies, so assurance and evidence are essential.

3. What if a reference cannot be obtained?
Log attempts, capture alternative evidence, and document a risk-based decision.

4. Can DBS Update Service replace new checks?
It can support ongoing monitoring, but employers must still verify level, status, and relevance.

5. How strict is the 31-day gap rule?
Any gap over 31 days should be evidenced and signed off with rationale.

6. What happens if an SIA licence lapses after onboarding?
Do not deploy in licensable roles until licence status is valid again.

7. How long should vetting records be kept?
Typically at least 7 years, subject to legal/contractual requirements and GDPR controls.

8. What is the fastest way to improve compliance maturity?
Standardise workflows, centralise evidence, automate reminders, and run recurring internal file audits.

About Patrovix

Patrovix is a security operations platform built for UK security providers, with structured BS7858 workflows, SIA licence monitoring, evidence tracking, and audit-ready records.
