About IPSRM™

The structural argument for a mature, integrated physical security assessment discipline.

Physical security assessment has three structural failures.

  • Evidence is gathered without a consistent domain framework, producing incomplete and incomparable records.

  • Risk is scored intuitively rather than transparently, making findings difficult to defend or reproduce.

  • Outputs are structured for operational audiences rather than the governance decision-makers who need to act on them.

The result is a discipline that is professionally capable but structurally inconsistent — and increasingly inadequate for the governance demands now placed on it.

Physical security is not a knowledge problem. The practitioners exist, the experience exists, and the professional judgment exists.

What has been missing is the methodological infrastructure to translate that knowledge into outputs that governance-facing stakeholders can receive, interrogate, and act on. IPSRM™ provides it.

Boards and audit committees need structured, evidenced, reproducible assessment output. Most current practice cannot produce it. The governance environment has changed. The methodology infrastructure to meet it has not — until now.

The Problem

Watch an 8-minute narrated introduction to IPSRM™ — the methodology, how the suite is organised, and how it deploys across a physical security engagement.

IPSRM™ addresses these structural failures through a three-stage operational framework:

Collect. Calibrate. Communicate.

Each stage is governed by defined instruments, explicit criteria, and documented reasoning.

Collect structures evidence gathering across six interdependent assessment domains — from strategic threat context through to systemic resilience. Every observation is domain-attributed and grounded in evidence, not assumption. The result is a complete, consistent evidence base that holds up to scrutiny.

Calibrate applies a transparent risk scoring framework to every finding. Residual Impact and Residual Likelihood are scored against the site-specific threat environment, producing a Residual Risk Score on a 1–25 scale. Findings are categorised into three priority tiers. Calibration reasoning is documented for every material finding — making scores defensible, reproducible, and comparable across engagements.

Communicate produces a six-section Executive Report structured for governance audiences. A senior executive with no specialist security background should be able to read the Executive Summary and understand the organisation's exposure position, the priority findings, and the direction of travel required — without reading technical appendices.

The Solution

Joe Connell MBE — Former Chairman, Association of Security Consultants and the Security Commonwealth, OSPA Lifetime Achievement Award 2023

“Stephen Beels has really cut to the chase in developing IPSRM™. Of equal value to Security Consultants and to Management Boards, this intuitive process guides and supports the Security Consultant through the identification and potential mitigation of physical security threats and risks. At the same time it provides a sound evidential basis and guidance for owners and Management Boards for meeting their legal and operational responsibilities to implement adequate controls.

The IPSRM™ package is logically presented and well supported with highly professional documentation which can easily be assimilated in user and client interfaces.

I have no hesitation in commending IPSRM™ to security professionals and businesses of all shapes facing threats and risks to physical security.”

The Methodology

The three stages operate as an integrated sequence, delivering a board‑grade executive report as the final output:

IPSRM™ Methodology Overview

Get IPSRM™

Not ready to purchase? Download a sample extract from the Practitioner Guide.

  • COLLECT —

    Evidence across six domains

    Every IPSRM™ assessment begins with structured scoping — organisational context, asset profile, threat environment, operational model, stakeholder expectations. Assessment then proceeds systematically across six interdependent domains:

    D1: Strategic Threat Context — the calibration floor. Sets the threat profile against which all subsequent findings are assessed.

    D2: Adversarial Pathways — access routes and pathway feasibility against controls in place.

    D3: Structural Protection Architecture — layered controls, access systems, CCTV, barriers and zoning.

    D4: Operational Control Discipline — the policy versus reality gap.

    D5: Control Lifecycle Integrity — maintenance, testing, firmware and audit trails.

    D6: Systemic Dependency & Resilience — power, network, monitoring and third-party dependencies.

  • CALIBRATE —

    The Risk Engine

    For each identified risk, two scores are assigned: Residual Impact (RI) and Residual Likelihood (RL), each on a 1–5 scale.

    These multiply to produce a Residual Risk Score (RRS) on a scale of 1–25. Each RRS maps to one of three tiers:

    Tier 1 (RRS 16–25): Critical Structural Exposure. Board escalation required.

    Tier 2 (RRS 6–15): Material Exposure. Planned remediation required.

    Tier 3 (RRS 1–5): Managed Exposure. Structured monitoring.

    Calibration reasoning for every Tier 1 and Tier 2 finding is documented in the Assessment Workbook. Every score is reasoned, every finding is traceable, every recommendation is proportionate.

  • COMMUNICATE —

    Executive reporting


    The Executive Report is structured in six sections:

    Executive Summary, Structural Exposure Overview, Priority Risk Register, Direction of Travel, Methodology Statement, and Scope and Limitations.

    The governing principle is clarity over volume.

    A senior executive with no specialist security background should be able to read the Executive Summary and understand the organisation's exposure position, the relative priority of identified risks, and the direction of travel required — without reading technical appendices.

Who IPSRM™ is for

Independent security consultants A rigorous, repeatable methodology that makes assessment work defensible, consistent, and legible to governance audiences. Deploy IPSRM™ in client engagements to produce outputs that withstand professional scrutiny and support your professional defensibility.

In-house security leaders A methodology for demonstrating assurance to boards, audit committees, and regulators. IPSRM™ produces the structured, evidenced output that enterprise risk functions can use — and that Provision 29 material controls declarations require.

Governance and assurance professionals Physical security assessment output compatible with material controls frameworks and Provision 29 requirements. IPSRM™ bridges the gap between operational security practice and board-level governance.

Get IPSRM™