Part 5 · Security

The part that protects everything the others built.

Parts 1 to 4 manage the information, they make sure the right thing is produced, governed, exchanged, and accepted. Part 5 does the other half. It protects that information: it decides what is sensitive, who may see it, and what happens when something goes wrong.

The security-minded approach is not a bolt-on for defence projects. ISO 19650-5 applies to every project. What changes per project is how much of it activates, and that is decided by a single first move called the triage. About sixteen minutes of reading.

Security is not a vault you build at the end. It is a question you ask at the start, of every piece of information: could this cause harm if it got out?

Skip that question and you have no defensible position the day an incident happens.

How do we protect sensitive information without locking down the whole project?

You triage it. Before the EIR is issued, the appointing party runs every category of information the project will produce through one test, could compromise cause harm? Most categories come back no, and flow through the standard CDE unchanged. A minority come back yes, and those get classified and given controls in proportion to the harm. The triage is the first move in 19650-5, and the document it produces governs everything security does for the rest of the project.

The security triage Run on every project, before the EIR. One question, asked of every information category. Every information category models · drawings · specs · reports Could compromise cause harm? tested against three harms: individuals · organisation · national security NO STANDARD baseline CDE flow, RBAC, audit trail, the Part-1 controls YES CLASSIFY & ACTIVATE Sensitive · Highly Sensitive · Critical controls scale to the harm CDE zones technical Vetting + NDA personnel Breach plan response CLASSIFY IN PROPORTION most information stays standard a minority sensitive illustrative The split is illustrative, not a measured ratio, proportion varies by project. Re-run the triage at every stage gate.

Step 1, identify every category

List every kind of information the project will produce, exchange, or store: architectural and structural and MEP models, drawings, schedules, specifications, reports, photographs, cost data, the programme. Nothing is exempt from being looked at, that is what "applies to every project" means in practice.

Some categories announce themselves: security system layouts, CCTV coverage maps, access-control specs, structural vulnerability assessments, data-centre infrastructure plans. The triage is how you catch the ones that don't.

Step 2, assess against three harms

For each category, ask whether compromise could cause harm of three kinds. This is the whole test.

  • Harm to individuals, physical-safety risk or privacy violation. Revealed security layouts let someone plan an intrusion; exposed occupant data breaches privacy.
  • Harm to organisations, commercial loss, reputational damage, competitive disadvantage. Cost data leaked to a competitor; design IP shared without authorisation.
  • Harm to national security, compromise of defence, critical infrastructure, or intelligence capability. Military layouts or nuclear control systems exposed.

A category is sensitive if compromise could cause harm of any of the three. No to all three, and it follows the standard CDE flow. Yes to any, and it goes on to be classified.

Step 3, classify the sensitive minority

Sensitive isn't one thing. The standard grades it into four levels, each carrying its own ceiling of harm.

  • Standard, no specific sensitivity, negligible harm. Public floor plans, marketing renders, landscape layouts.
  • Sensitive, limited harm: financial loss or reputational damage. MEP layouts, structural loads, equipment specs, cost data.
  • Highly sensitive, serious harm: physical danger or major loss. Security systems, CCTV, access control, safe rooms, data-centre power.
  • Critical, could endanger life or national security; maximum controls. Military layouts, nuclear controls, defence communications.

Each sensitive category is recorded with a written justification and an approver's sign-off, so the classification is defensible, not a hunch.

Step 4, controls in proportion

The level sets the controls. This is the heart of the security-minded approach: a category classified Highly Sensitive gets stronger access, encryption, vetting and audit than one classified Sensitive, and Standard information is not burdened with controls it doesn't need. The full matrix is below; the principle is one line. Proportionate, never blanket.

The triage doesn't stop there. It is documented, folded into the EIR and BEP, and then reviewed at every stage gate and whenever scope changes, because what's sensitive on a project rarely stays still.

Deep diveThe triage team, the controls matrix, regulatory precedence, and the review schedule

Who runs the triage

ISO 19650-5 puts the triage on the appointing party, supported by a defined team. It is not delegated to the delivery team to figure out.

RoleWhy they're in the room
Client Security OfficerOwns the client's security posture; chairs the triage
Information Security AdvisorBrings the threat and controls expertise
BIM Advisor / BIM ManagerMaps sensitivity onto information categories and the CDE
PM Consultant RepresentativeCarries the triage into programme and procurement
Lead Design Consultant Rep.Knows what the design will actually produce
Sector Regulator Rep.Only where a sector regulator applies

The proportionate-controls matrix

Each classification level pulls a defined set of minimum controls across eight areas. This table is the security-minded approach made concrete, read down a column to see everything a level requires.

Control areaStandardSensitiveHighly SensitiveCritical
CDE accessAll teams via RBACNamed individuals, need-to-knowRestricted CDE zone, manager approvalIsolated / air-gapped, vetted personnel
AuthenticationPassword (MFA recommended)MFA requiredMFA + device certificateMFA + biometric / clearance
EncryptionStandard TLSEncrypted in transitAt rest + in transitEnd-to-end, no remote access
Download controlStandardLog all downloadsRestricted, watermarkedNo downloads, no USB, no print
AuditStandard trailEnhanced, periodic reviewQuarterly audit + access reviewContinuous monitoring
PersonnelStandard onboardingNDA signedEnhanced vetting + NDASecurity clearance required
PhysicalStandard officeRestricted screen visibilitySecure room for accessAir-gapped facility, CCTV
DisposalStandard deletionSecure deletion loggedCertified destructionWitnessed destruction + certificate

A project may add its own controls on top, required by the client, a sector regulator, or local law.

Where local law beats the standard

The triage maps requirements against applicable regulation, data-protection law, national cybersecurity standards, regional data-management policy, financial-zone and free-zone rules, sector regulators. The rule when they conflict is simple: where a local requirement exceeds ISO 19650-5, the local requirement wins. The standard is a floor, not a ceiling.

The review schedule

The triage is a living document, not a one-time form. It is re-run at: initial inception, the Concept / Developed Design / Technical Design stage gates, construction commencement, any scope change, any new party appointment, and handover to operations. New information categories and changed scope both re-open the question.

The triage decides what to protect. Three layers decide how: the CDE itself, the people who use it, and the plan for when it fails.

Turning a classification into real protection

A classification on a register protects nothing on its own. It has to become settings, signatures, and a tested plan. The proportionate controls land in three places, the technical layer inside the CDE, the personnel layer around the people, and the response layer waiting for the day something goes wrong. Each one inherits its strictness from the triage.

Three layers of protection EACH INHERITS ITS STRICTNESS FROM THE TRIAGE Layer 1 · Technical CDE security zones: Standard, Sensitive, Restricted, Isolated. Controls sharpen as you go in. Layer 2 · Personnel Vetting and NDAs, granted on a legitimate need-to-know, never on a job title. Layer 3 · Response The breach plan, written and tested before production begins. It assumes the first two will be beaten.

Layer 1, CDE security zones (technical)

The CDE doesn't just hold information in four states (Part 1), for sensitive projects it holds it in nested security zones. Each inner zone inherits every control of the zones around it and adds its own.

Standard → Sensitive → Restricted → Isolated. A user in the Restricted zone also carries Standard and Sensitive controls. The zones map straight onto the classification levels: Standard information lives in the ordinary 01–04 folders; Sensitive in a 05_SENSITIVE area with named access and MFA; Highly Sensitive in a 06_RESTRICTED area with encryption and watermarking; Critical in an isolated, often air-gapped space.

The settings sharpen as you go in: MFA moves from recommended to mandatory to hardware-token to biometric; session timeout tightens from 60 minutes to 10; downloads go from allowed, to logged, to approval-only, to blocked; audit review goes from quarterly to real-time. Same CDE, graduated controls.

Layer 2, vetting and NDAs (personnel)

People are vetted in proportion to what they'll see, and only people who touch Sensitive information or above. Anyone on Standard information alone follows ordinary onboarding.

Access is never granted on a job title; it's granted on a legitimate need-to-know, and the vetting depth climbs in three tiers. Sensitive access needs identity verification, a signed NDA, and security-awareness training. Highly Sensitive adds a background check, references, a criminal-record check, an enhanced NDA, and verified device security. Critical adds government clearance, a full ten-year investigation, a dedicated managed device, and biometric facility access. Every individual is reviewed, and access is revoked cleanly on departure, accounts disabled, cached data deleted, NDA obligations carried out the door.

Layer 3, the breach response plan (response)

The last layer assumes the first two will one day be beaten. The breach response plan is written, approved, and distributed before information production begins, not drafted in the panic of an actual incident, and tested with a tabletop exercise inside the first month.

It defines what a breach is, who the incident commander is, how fast to respond by severity, and the five stages of getting through one: detect and contain, assess, notify, remediate, and learn. The plan that matters is the one already on the wall when the call comes in.

Deep diveThe vetting tiers, the breach protocol, and the NDA that follows people home

Vetting requirements by level

Read across a row to see how a single requirement escalates with sensitivity.

RequirementSensitiveHighly SensitiveCritical
Identity1 form of ID2 forms of ID2 forms + govt clearance
Background checkNot required5-year employment history10-year full investigation
Criminal checkNot requiredRequiredRequired + financial
ReferencesNot required2 professionalEnhanced
NDAStandardEnhancedEnhanced + monitoring consent
BriefingGeneral awarenessSpecific handlingCounter-intelligence
DeviceStandardEncrypted, managed, remote wipeDedicated managed device
Physical accessStandard officeStandard officeSecure facility, biometric
Access approvalDiscipline Lead + BIM ManagerClient Security OfficerSenior Client Rep.
Review frequencyAt project endEvery 6 monthsEvery 3 months

What the NDA actually binds

The confidentiality agreement is signed before CDE access is granted, by everyone touching Sensitive information or above. It binds eight obligations worth knowing by heart: access only through the authorised CDE; never download or cache on personal devices, USB, or personal cloud; use only for the role; disclose to no one outside the access matrix; never discuss in public or on personal messaging, WhatsApp, Telegram, personal email; report any breach or lost device immediately to the incident commander; on departure, return or certify destruction of everything held; and, the clause people forget, obligations survive the appointment, staying in force for years (indefinitely for national-security work) after the last access. Breach exposes the individual to revoked access, dismissal, civil and criminal liability, and regulator reporting.

The five-stage breach protocol

StageObjectiveThe moves that matter
1 · Detect & containStop the spread, preserve evidence, first 60 minutesNotify the incident commander; suspend affected access; isolate systems; do not delete logs, emails or files; start the incident log
2 · AssessEstablish scope and severityWhat was compromised, at what classification, how, who had access, who received it; reconstruct the timeline from audit logs; assign severity
3 · NotifyTell the right parties in the right orderInternal first, then regulators in their required timeframes, personal data "without undue delay," defence "immediate", then affected individuals
4 · RemediateClose the holeConfirm root cause; patch it; re-issue all credentials; correct the access matrix; re-classify if needed; verify third-party access
5 · Document & learnMake the next breach less likelyFull incident report; lessons-learned workshop; update the triage and the breach plan; re-brief teams; close and archive

Severity sets the clock and the escalation: Low, within 24 hours, CDE admin and BIM manager. Medium, 4 hours, adding the PM and security officer. High, 1 hour, incident commander, legal, and regulator notification. Critical, immediate, pulling in the defence or intelligence authority and law enforcement.

The one control the stolen-laptop tabletop always exposes: cached, unencrypted project data on a personal device.

The plan's value isn't the response. It's discovering the missing control before the laptop is gone.

Classify in proportion. Most information is standard; a minority is sensitive.

Get that balance wrong in either direction, lock down everything, or lock down nothing, and the security-minded approach has failed.

Continuous and proportionate

Two words carry the whole of 19650-5. Proportionate: controls match harm, no more and no less, so the project stays workable while the genuinely sensitive minority stays protected. Continuous: the triage is re-run at every stage gate, because a project that was low-sensitivity at concept can become high-sensitivity once the security systems and data-centre details arrive.

Get this right and security disappears into the process, a few zones in the CDE, a few NDAs, a plan in a drawer. Get it wrong and it shows up as either a project nobody can work on, or an incident nobody was ready for.

Deep diveThree ways the security-minded approach fails

Skipping the triage. The most common failure, and the most expensive. ISO 19650-5 applies to every project; the triage is what decides which controls activate. Skip it and you have no documented, defensible position the day an incident happens, and no basis for the access decisions you've been making all along.

Blanket lock-down. The over-correction. Treating everything as sensitive buries the team in MFA prompts, download blocks, and vetting for files that are public anyway. Controls that don't match harm get worked around, and the workarounds are the real breach.

A plan that was never tested. A breach response plan written, filed, and never exercised is a plan nobody can execute under pressure. The tabletop in the first month isn't a formality; it's where you find the contact who left, the control that was never configured, the laptop that was never encrypted, while it's still cheap to fix.

Further reading

If you remember a handful of things, remember these.

It applies to everything. ISO 19650-5 is not a defence-only standard. Every project runs the triage; what differs is how much of it activates.

The triage is the first move. Before the EIR, test every information category against three harms. No harm → standard flow. Harm → classify and control. Most stays standard; a minority is sensitive.

Controls come in proportion. Four levels, Standard, Sensitive, Highly Sensitive, Critical, each pulling a defined set of access, encryption, vetting, audit, physical and disposal controls. Never blanket.

Three layers turn classification into protection. CDE security zones (technical), vetting and NDAs (personnel), and a pre-written, tested breach response plan (response).

Continuous and proportionate. Re-triage at every stage gate. Match controls to harm. Security built into the process, not bolted on the end.

Next

That's the five parts. Here's the whole picture.

Part 1 set the foundation, Part 2 ran the delivery phase, Part 3 carried it into operation, Part 4 governed the exchanges, and Part 5 protected all of it. ISO 19650 holds together because the parts depend on each other, requirements cascade into delivery, delivery into operation, all of it exchanged through the CDE and protected by the triage.

The hub page pulls the five into a single executive summary, with the diagrams in one place. Start there if you want the map, or take the next step.

  • Read the executive summary, the five parts on one page: the ISO 19650 guide hub.
  • Download the Developer Pack, the 24 templates this guide is built from, including the Security Triage Report, Breach Response Plan and Personnel Security NDA. Sequenced for the appointing party: get the pack.
  • Talk to JES, 260+ ISO 19650-aligned BIM professionals across the UAE, Saudi, UK, Germany and the Netherlands: book a discovery call.

Common questions about Part 5

It is the discipline of protecting sensitive information across an asset's life: deciding what is sensitive, who may see it, and what happens when something goes wrong. ISO 19650-5 is not a bolt-on for defence projects; it applies to every project. What changes per project is how much of it activates, and that is decided by a single first move, the security triage, run before the EIR is issued. Two words carry the whole standard: continuous and proportionate.

The triage is the first move in ISO 19650-5. The appointing party runs every category of information the project will produce through one test: could compromise cause harm to individuals, to the organisation, or to national security? Most categories come back no and flow through the standard CDE unchanged; a minority come back yes and get classified. The triage is documented, folded into the EIR and BEP, and re-run at every stage gate, because what is sensitive on a project rarely stays still.

Sensitive information is graded into four levels, each with its own ceiling of harm: Standard (negligible harm, public floor plans and marketing renders), Sensitive (limited harm, MEP layouts and cost data), Highly Sensitive (serious harm, security systems, CCTV and access control), and Critical (could endanger life or national security, military layouts and nuclear controls). The level sets the controls in proportion, so genuinely sensitive information is protected while Standard information is not burdened with controls it does not need.

A classification on a register protects nothing on its own; it becomes settings, signatures and a tested plan across three layers. The technical layer is nested CDE security zones, Standard to Sensitive to Restricted to Isolated, that sharpen as you go in. The personnel layer is vetting and NDAs granted on a legitimate need-to-know, never on a job title. The response layer is the breach response plan, written, approved and tabletop-tested before information production begins, because it assumes the first two layers will one day be beaten.