About IPSRM™

The structural argument for a mature, integrated physical security assessment discipline.

IPSRM™ is available to practitioners under licence — bringing structured, board-ready physical security assessment into your practice.

External Recognition

IPSRM™ and the methodology challenge within physical security assessment have also been discussed within industry publications, including an article published by Professional Security Magazine.

Featured in Professional Security Magazine, April 2026

Industry Perspective

Early feedback from experienced practitioners and security leaders has consistently focused on the need for:

  • - greater assessment consistency,

  • - clearer governance reporting,

  • - improved methodological discipline within physical security practice.

Leadership Testimonial

Joe Connell MBE — Former Chairman, Association of Security Consultants and the Security Commonwealth, OSPA Lifetime Achievement Award 2023 — says:

  • “Of equal value to Security Consultants and to Management Boards, this intuitive process guides and supports the Security Consultant through the identification and potential mitigation of physical security threats.”

IPSRM™ addresses these structural failures through a three-stage operational framework:

Collect. Calibrate. Communicate.

Each stage is governed by defined instruments, explicit criteria, and documented reasoning.

Collect structures evidence gathering across six interdependent assessment domains — from strategic threat context through to systemic resilience.

Calibrate applies a transparent risk scoring framework to every finding. Residual Impact and Residual Likelihood are scored against the site-specific threat environment, producing a Residual Risk Score on a 1–25 scale.

Communicate produces a six-section Executive Report structured for governance audiences.

Physical security assessment has three structural failures.

  • Evidence is gathered without a consistent domain framework, producing incomplete and incomparable records.

  • Risk is scored intuitively rather than transparently, making findings difficult to defend or reproduce.

  • Outputs are structured for operational audiences rather than the governance decision-makers who need to act on them.

The result is a discipline that is professionally capable but structurally inconsistent — and increasingly inadequate for the governance demands now placed on it.

Boards and audit committees need structured, evidenced, reproducible assessment output. Most current practice cannot produce it. The governance environment has changed. The methodology infrastructure to meet it has not — until now.

The Problem

The Solution

For a full understanding of the need for methodology in physical security assessment, read the IPSRM™ Perspective Paper here: Reframing Physical Security Reviews

How the three-stage operational framework delivers

  • COLLECT —

    Evidence across six domains

    Every IPSRM™ assessment begins with structured scoping — organisational context, asset profile, threat environment, operational model, stakeholder expectations. Assessment then proceeds systematically across six interdependent domains:

    D1: Strategic Threat Context — the calibration floor. Sets the threat profile against which all subsequent findings are assessed.

    D2: Adversarial Pathways — access routes and pathway feasibility against controls in place.

    D3: Structural Protection Architecture — layered controls, access systems, CCTV, barriers and zoning.

    D4: Operational Control Discipline — the policy versus reality gap.

    D5: Control Lifecycle Integrity — maintenance, testing, firmware and audit trails.

    D6: Systemic Dependency & Resilience — power, network, monitoring and third-party dependencies.

  • CALIBRATE —

    The Risk Engine

    For each identified risk, two scores are assigned: Residual Impact (RI) and Residual Likelihood (RL), each on a 1–5 scale.

    These multiply to produce a Residual Risk Score (RRS) on a scale of 1–25. Each RRS maps to one of three tiers:

    Tier 1 (RRS 16–25): Critical Structural Exposure. Board escalation required.

    Tier 2 (RRS 6–15): Material Exposure. Planned remediation required.

    Tier 3 (RRS 1–5): Managed Exposure. Structured monitoring.

    Calibration reasoning for every Tier 1 and Tier 2 finding is documented in the Assessment Workbook. Every score is reasoned, every finding is traceable, every recommendation is proportionate.

  • COMMUNICATE —

    Executive reporting


    The Executive Report is structured in six sections:

    Executive Summary, Structural Exposure Overview, Priority Risk Register, Direction of Travel, Methodology Statement, and Scope and Limitations.

    The governing principle is clarity over volume.

    A senior executive with no specialist security background should be able to read the Executive Summary and understand the organisation's exposure position, the relative priority of identified risks, and the direction of travel required — without reading technical appendices.

Who IPSRM™ is for

Independent security consultants A rigorous, repeatable methodology that makes assessment work defensible, consistent, and legible to governance audiences. Deploy IPSRM™ in client engagements to produce outputs that withstand professional scrutiny and support your professional defensibility.

In-house security leaders A methodology for demonstrating assurance to boards, audit committees, and regulators. IPSRM™ produces the structured, evidenced output that enterprise risk functions can use — and that Provision 29 material controls declarations require.

Consultancy practises A multi-site estate and complex environment structured threat-context-based assessment, calibrated and tiered risk profile and unified board report with remediation tracking.

Governance and assurance professionals Physical security assessment output compatible with material controls frameworks and Provision 29 requirements. IPSRM™ bridges the gap between operational security practice and board-level governance.

IPSRM™ is applicable across jurisdictions. The methodology architecture and calibration framework are jurisdiction-neutral.

IPSRM™ is deployed under licence. Both the Practitioner Licence and the Professional Licence grant the right to use the methodology commercially and to carry a named professional status — Licensed IPSRM™ Practitioner or Licensed IPSRM™ Professional — in proposals, engagement letters, and client-facing materials.

Find out what a licence includes

Please note: IPSRM™ is currently undergoing a controlled editorial and publication refinement process ahead of broader release. During this period, direct self-service purchasing has been temporarily paused while the methodology suite, supporting documentation and practitioner ecosystem are aligned to final publication standard.

Enquiries and expressions of interest remain welcome.