The part that protects everything the others built.
Parts 1 to 4 manage the information, they make sure the right thing is produced, governed, exchanged, and accepted. Part 5 does the other half. It protects that information: it decides what is sensitive, who may see it, and what happens when something goes wrong.
The security-minded approach is not a bolt-on for defence projects. ISO 19650-5 applies to every project. What changes per project is how much of it activates, and that is decided by a single first move called the triage. About sixteen minutes of reading.
How do we protect sensitive information without locking down the whole project?
You triage it. Before the EIR is issued, the appointing party runs every category of information the project will produce through one test, could compromise cause harm? Most categories come back no, and flow through the standard CDE unchanged. A minority come back yes, and those get classified and given controls in proportion to the harm. The triage is the first move in 19650-5, and the document it produces governs everything security does for the rest of the project.
Step 1, identify every category
List every kind of information the project will produce, exchange, or store: architectural and structural and MEP models, drawings, schedules, specifications, reports, photographs, cost data, the programme. Nothing is exempt from being looked at, that is what "applies to every project" means in practice.
Some categories announce themselves: security system layouts, CCTV coverage maps, access-control specs, structural vulnerability assessments, data-centre infrastructure plans. The triage is how you catch the ones that don't.
Step 2, assess against three harms
For each category, ask whether compromise could cause harm of three kinds. This is the whole test.
- Harm to individuals, physical-safety risk or privacy violation. Revealed security layouts let someone plan an intrusion; exposed occupant data breaches privacy.
- Harm to organisations, commercial loss, reputational damage, competitive disadvantage. Cost data leaked to a competitor; design IP shared without authorisation.
- Harm to national security, compromise of defence, critical infrastructure, or intelligence capability. Military layouts or nuclear control systems exposed.
A category is sensitive if compromise could cause harm of any of the three. No to all three, and it follows the standard CDE flow. Yes to any, and it goes on to be classified.
Step 3, classify the sensitive minority
Sensitive isn't one thing. The standard grades it into four levels, each carrying its own ceiling of harm.
- Standard, no specific sensitivity, negligible harm. Public floor plans, marketing renders, landscape layouts.
- Sensitive, limited harm: financial loss or reputational damage. MEP layouts, structural loads, equipment specs, cost data.
- Highly sensitive, serious harm: physical danger or major loss. Security systems, CCTV, access control, safe rooms, data-centre power.
- Critical, could endanger life or national security; maximum controls. Military layouts, nuclear controls, defence communications.
Each sensitive category is recorded with a written justification and an approver's sign-off, so the classification is defensible, not a hunch.
Step 4, controls in proportion
The level sets the controls. This is the heart of the security-minded approach: a category classified Highly Sensitive gets stronger access, encryption, vetting and audit than one classified Sensitive, and Standard information is not burdened with controls it doesn't need. The full matrix is below; the principle is one line. Proportionate, never blanket.
The triage doesn't stop there. It is documented, folded into the EIR and BEP, and then reviewed at every stage gate and whenever scope changes, because what's sensitive on a project rarely stays still.
Deep diveThe triage team, the controls matrix, regulatory precedence, and the review schedule
Who runs the triage
ISO 19650-5 puts the triage on the appointing party, supported by a defined team. It is not delegated to the delivery team to figure out.
| Role | Why they're in the room |
|---|---|
| Client Security Officer | Owns the client's security posture; chairs the triage |
| Information Security Advisor | Brings the threat and controls expertise |
| BIM Advisor / BIM Manager | Maps sensitivity onto information categories and the CDE |
| PM Consultant Representative | Carries the triage into programme and procurement |
| Lead Design Consultant Rep. | Knows what the design will actually produce |
| Sector Regulator Rep. | Only where a sector regulator applies |
The proportionate-controls matrix
Each classification level pulls a defined set of minimum controls across eight areas. This table is the security-minded approach made concrete, read down a column to see everything a level requires.
| Control area | Standard | Sensitive | Highly Sensitive | Critical |
|---|---|---|---|---|
| CDE access | All teams via RBAC | Named individuals, need-to-know | Restricted CDE zone, manager approval | Isolated / air-gapped, vetted personnel |
| Authentication | Password (MFA recommended) | MFA required | MFA + device certificate | MFA + biometric / clearance |
| Encryption | Standard TLS | Encrypted in transit | At rest + in transit | End-to-end, no remote access |
| Download control | Standard | Log all downloads | Restricted, watermarked | No downloads, no USB, no print |
| Audit | Standard trail | Enhanced, periodic review | Quarterly audit + access review | Continuous monitoring |
| Personnel | Standard onboarding | NDA signed | Enhanced vetting + NDA | Security clearance required |
| Physical | Standard office | Restricted screen visibility | Secure room for access | Air-gapped facility, CCTV |
| Disposal | Standard deletion | Secure deletion logged | Certified destruction | Witnessed destruction + certificate |
A project may add its own controls on top, required by the client, a sector regulator, or local law.
Where local law beats the standard
The triage maps requirements against applicable regulation, data-protection law, national cybersecurity standards, regional data-management policy, financial-zone and free-zone rules, sector regulators. The rule when they conflict is simple: where a local requirement exceeds ISO 19650-5, the local requirement wins. The standard is a floor, not a ceiling.
The review schedule
The triage is a living document, not a one-time form. It is re-run at: initial inception, the Concept / Developed Design / Technical Design stage gates, construction commencement, any scope change, any new party appointment, and handover to operations. New information categories and changed scope both re-open the question.
The triage decides what to protect. Three layers decide how: the CDE itself, the people who use it, and the plan for when it fails.
Turning a classification into real protection
A classification on a register protects nothing on its own. It has to become settings, signatures, and a tested plan. The proportionate controls land in three places, the technical layer inside the CDE, the personnel layer around the people, and the response layer waiting for the day something goes wrong. Each one inherits its strictness from the triage.
Layer 1, CDE security zones (technical)
The CDE doesn't just hold information in four states (Part 1), for sensitive projects it holds it in nested security zones. Each inner zone inherits every control of the zones around it and adds its own.
Standard → Sensitive → Restricted → Isolated. A user in the Restricted zone also carries Standard and Sensitive controls. The zones map straight onto the classification levels: Standard information lives in the ordinary 01–04 folders; Sensitive in a 05_SENSITIVE area with named access and MFA; Highly Sensitive in a 06_RESTRICTED area with encryption and watermarking; Critical in an isolated, often air-gapped space.
The settings sharpen as you go in: MFA moves from recommended to mandatory to hardware-token to biometric; session timeout tightens from 60 minutes to 10; downloads go from allowed, to logged, to approval-only, to blocked; audit review goes from quarterly to real-time. Same CDE, graduated controls.
Layer 2, vetting and NDAs (personnel)
People are vetted in proportion to what they'll see, and only people who touch Sensitive information or above. Anyone on Standard information alone follows ordinary onboarding.
Access is never granted on a job title; it's granted on a legitimate need-to-know, and the vetting depth climbs in three tiers. Sensitive access needs identity verification, a signed NDA, and security-awareness training. Highly Sensitive adds a background check, references, a criminal-record check, an enhanced NDA, and verified device security. Critical adds government clearance, a full ten-year investigation, a dedicated managed device, and biometric facility access. Every individual is reviewed, and access is revoked cleanly on departure, accounts disabled, cached data deleted, NDA obligations carried out the door.
Layer 3, the breach response plan (response)
The last layer assumes the first two will one day be beaten. The breach response plan is written, approved, and distributed before information production begins, not drafted in the panic of an actual incident, and tested with a tabletop exercise inside the first month.
It defines what a breach is, who the incident commander is, how fast to respond by severity, and the five stages of getting through one: detect and contain, assess, notify, remediate, and learn. The plan that matters is the one already on the wall when the call comes in.
Deep diveThe vetting tiers, the breach protocol, and the NDA that follows people home
Vetting requirements by level
Read across a row to see how a single requirement escalates with sensitivity.
| Requirement | Sensitive | Highly Sensitive | Critical |
|---|---|---|---|
| Identity | 1 form of ID | 2 forms of ID | 2 forms + govt clearance |
| Background check | Not required | 5-year employment history | 10-year full investigation |
| Criminal check | Not required | Required | Required + financial |
| References | Not required | 2 professional | Enhanced |
| NDA | Standard | Enhanced | Enhanced + monitoring consent |
| Briefing | General awareness | Specific handling | Counter-intelligence |
| Device | Standard | Encrypted, managed, remote wipe | Dedicated managed device |
| Physical access | Standard office | Standard office | Secure facility, biometric |
| Access approval | Discipline Lead + BIM Manager | Client Security Officer | Senior Client Rep. |
| Review frequency | At project end | Every 6 months | Every 3 months |
What the NDA actually binds
The confidentiality agreement is signed before CDE access is granted, by everyone touching Sensitive information or above. It binds eight obligations worth knowing by heart: access only through the authorised CDE; never download or cache on personal devices, USB, or personal cloud; use only for the role; disclose to no one outside the access matrix; never discuss in public or on personal messaging, WhatsApp, Telegram, personal email; report any breach or lost device immediately to the incident commander; on departure, return or certify destruction of everything held; and, the clause people forget, obligations survive the appointment, staying in force for years (indefinitely for national-security work) after the last access. Breach exposes the individual to revoked access, dismissal, civil and criminal liability, and regulator reporting.
The five-stage breach protocol
| Stage | Objective | The moves that matter |
|---|---|---|
| 1 · Detect & contain | Stop the spread, preserve evidence, first 60 minutes | Notify the incident commander; suspend affected access; isolate systems; do not delete logs, emails or files; start the incident log |
| 2 · Assess | Establish scope and severity | What was compromised, at what classification, how, who had access, who received it; reconstruct the timeline from audit logs; assign severity |
| 3 · Notify | Tell the right parties in the right order | Internal first, then regulators in their required timeframes, personal data "without undue delay," defence "immediate", then affected individuals |
| 4 · Remediate | Close the hole | Confirm root cause; patch it; re-issue all credentials; correct the access matrix; re-classify if needed; verify third-party access |
| 5 · Document & learn | Make the next breach less likely | Full incident report; lessons-learned workshop; update the triage and the breach plan; re-brief teams; close and archive |
Severity sets the clock and the escalation: Low, within 24 hours, CDE admin and BIM manager. Medium, 4 hours, adding the PM and security officer. High, 1 hour, incident commander, legal, and regulator notification. Critical, immediate, pulling in the defence or intelligence authority and law enforcement.
Continuous and proportionate
Two words carry the whole of 19650-5. Proportionate: controls match harm, no more and no less, so the project stays workable while the genuinely sensitive minority stays protected. Continuous: the triage is re-run at every stage gate, because a project that was low-sensitivity at concept can become high-sensitivity once the security systems and data-centre details arrive.
Get this right and security disappears into the process, a few zones in the CDE, a few NDAs, a plan in a drawer. Get it wrong and it shows up as either a project nobody can work on, or an incident nobody was ready for.
Deep diveThree ways the security-minded approach fails
Skipping the triage. The most common failure, and the most expensive. ISO 19650-5 applies to every project; the triage is what decides which controls activate. Skip it and you have no documented, defensible position the day an incident happens, and no basis for the access decisions you've been making all along.
Blanket lock-down. The over-correction. Treating everything as sensitive buries the team in MFA prompts, download blocks, and vetting for files that are public anyway. Controls that don't match harm get worked around, and the workarounds are the real breach.
A plan that was never tested. A breach response plan written, filed, and never exercised is a plan nobody can execute under pressure. The tabletop in the first month isn't a formality; it's where you find the contact who left, the control that was never configured, the laptop that was never encrypted, while it's still cheap to fix.
Further reading
- ISO 19650 series, BSI, Part 5 covers the security-minded approach in full.
- UK BIM Framework, security-minded information management guidance.
If you remember a handful of things, remember these.
It applies to everything. ISO 19650-5 is not a defence-only standard. Every project runs the triage; what differs is how much of it activates.
The triage is the first move. Before the EIR, test every information category against three harms. No harm → standard flow. Harm → classify and control. Most stays standard; a minority is sensitive.
Controls come in proportion. Four levels, Standard, Sensitive, Highly Sensitive, Critical, each pulling a defined set of access, encryption, vetting, audit, physical and disposal controls. Never blanket.
Three layers turn classification into protection. CDE security zones (technical), vetting and NDAs (personnel), and a pre-written, tested breach response plan (response).
Continuous and proportionate. Re-triage at every stage gate. Match controls to harm. Security built into the process, not bolted on the end.
That's the five parts. Here's the whole picture.
Part 1 set the foundation, Part 2 ran the delivery phase, Part 3 carried it into operation, Part 4 governed the exchanges, and Part 5 protected all of it. ISO 19650 holds together because the parts depend on each other, requirements cascade into delivery, delivery into operation, all of it exchanged through the CDE and protected by the triage.
The hub page pulls the five into a single executive summary, with the diagrams in one place. Start there if you want the map, or take the next step.
- Read the executive summary, the five parts on one page: the ISO 19650 guide hub.
- Download the Developer Pack, the 24 templates this guide is built from, including the Security Triage Report, Breach Response Plan and Personnel Security NDA. Sequenced for the appointing party: get the pack.
- Talk to JES, 260+ ISO 19650-aligned BIM professionals across the UAE, Saudi, UK, Germany and the Netherlands: book a discovery call.
