Management, compliance & auditing

New BSIA cybersecurity code of practice for security system installers

October 29, 2020 by Susan Morrow


The mitigation of cybersecurity threats comes down to a collaborative effort in applying the right controls across all points of attack. One of the complicating factors in this is the expanding supply chain. Cybercriminals are increasingly targeting the supply chain, seeing weakness across multiple entry points as a way into the top of the chain. A 2019 Symantec study shows how serious supply chain targeting has become. The report found that supply chain attacks increased by 78% over the previous year.

Supply chains can be massive. The DoD supply chain, for example, has a value of over $93 billion and includes over 300,000 contractors. Supply chain vendors connect across multi-cloud infrastructures and communicate using disparate and often uncontrolled endpoints. This complex matrix has not been lost on industry bodies, who offer guidance in protecting the supply chain.

One such body is the British Security Industry Association (BSIA). The group recently released a new code of practice for installers responsible for safety and security systems.

What is the BSIA CySPAG code of practice?

BSIA’s Cybersecurity Product Assurance Group (CySPAG) has developed a Code of Practice (CoP) to offer guidance on security as supply chains become increasingly connected. This hyper-connectivity has increased the level of cyber-threats against a supply chain, which means this guidance is a useful document to any organization that is a supply chain vendor or runs a supply chain.

The CySPAG CoP remit is to deliver best practice guidance for any entity that installs systems and equipment throughout any part of a supply chain.

The CySPAG CoP covers the following aspects:

  • Design
  • Planning
  • Operation
  • Installation
  • Commissioning
  • Maintenance (of installed devices, applications and systems that could be compromised in a cyber-attack)

However, it is worth noting that the CySPAG code of practice is not about prescribing specific cybersecurity countermeasures. Rather, the CoP looks to develop appropriate contingency planning measures. Ultimately, this helps ensure that clients are offered assurance that connected systems have been designed, installed and maintained, to best practice cybersecurity guidelines.

Core parts of the CySPAG code of practice

The core moving parts of the code of practice are:


Any documentation that has specifics of the design and implementation of systems should be securely stored.


Any persons responsible for installation and maintenance should be of a required competence and appropriately trained.

Security policy

An installation organization should have documented security policies.

The CySPAG code of practice recognizes that responsibility is a shared endeavor between the manufacturer, the installing organization and the client.

The guidelines also refer readers to the UK’s Cyber Essentials guidance from the National Cyber Security Centre.

Important documentation requirements

Documentation is a key component of the code of practice. Documentation is seen as important to produce and maintain across the entire life cycle of installation and maintenance. Documentation that is seen as a “must have” is:

  • System cybersecurity policy: The baseline document that outlines security strategy
  • Roles and responsibilities register: Related to persons responsible for the ongoing security of the installed system
  • Back-ups: Details on backup and restore processes
  • Passwords: Policies that are based on the guidance from UK Cyber Essentials
  • Updates: Updates and patching policies
  • Communications plan: Event notification process
  • Training record: Documented training records for security roles
  • Nominated person acceptance: Record of acceptance of the installed system
  • Maintenance schedule: Record of maintenance events
  • Design survey for cybersecurity: Survey on design decisions
  • System design: Full documentation on system design, to include network topology, encryption, protocols and so on
  • As fitted records: Detailed documentation on components and configuration settings

Why place any cybersecurity responsibility on installers?

Misconfiguration of security systems is a serious problem that opens doors for cybercriminal activity. McAfee found that, on average, an enterprise has 14 misconfigured IaaS instances resulting in an average of 2,269 misconfiguration incidents per month. Some of the world’s largest data breaches, including the 2018 Capital One breach, were caused by a misconfiguration issue that was then exploited by a hacker. The serious outcomes from, and almost ubiquitous nature of, system and service misconfiguration, has led OWASP to add misconfiguration to their top ten web security issues.


Security is a cross-party responsibility. Each stakeholder in the functioning of a supply chain needs to take a role to ensure secure operations. The BSIA CySPAG code of practice outlines how installers fit into this 360-degree view of securing systems across a supply chain. 

Much of the requirements of the code of practice involve policy and documentation. However, this acts as a cross-reference and check to ensure that good security is practiced and maintained throughout the supply chain to a standardized set of requirements. It is also worth noting that while this is a UK initiative, the guidelines are applicable on a global scale, just as cybercrime has a global reach. 



ISTR 2019: Cyber Criminals Ramp Up Attacks on Trusted Software and Supply Chains, Symantec Enterprise Blogs

Installation of safety and security systems: Cybersecurity code of practice, BSIA

McAfee Cloud Adoption and Risk Report, McAfee

Defense Industrial Base Sector, Cybersecurity & Infrastructure Security Agency

Posted: October 29, 2020
Susan Morrow
View Profile

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.