Vetting Hub, Specialist Training Courses in Screening, Vetting and Compliance

Expert training for confident hiring, identity assurance and people-based risk decisions, created by Graham and Vivianne Johnson with industry experience since 2006.

BS7858 Screening Course with Vetting Hub

  • Jan 21, 2026

How to Implement BS7858: Step-by-Step Training Guide

    BS7858 implementation requires more than ordering screening. This step-by-step guide shows you risk assessment, policy documentation, and ongoing compliance.
    HR professional conducting BS7858 role risk assessment

    In yesterday's training session, we gave 14 security employers this scenario:

    "Your client contract requires BS7858-compliant screening. Your screening provider says they'll 'handle everything.' Do you need to do anything else?"

    12 out of 14 said: "No, the provider handles compliance."

    The correct answer: You remain legally responsible for compliance, even when outsourcing.

This single misunderstanding is one of the most common reasons BS7858 audits fail. The screening provider collects data; you own the compliance responsibility.

    After training over 800 employers since 2006, we can tell you that implementing BS7858 isn't complicated. But it does require you to understand what you're actually responsible for.

    Here's exactly how to implement BS7858 screening step-by-step.

    What BS7858 Actually Requires (Before You Start)

    The BS7858:2019 standard isn't a checklist you tick off and forget.

    It's a framework requiring:

    • Documented screening procedures

    • Risk assessment for each role

    • Secure record-keeping (7 years minimum)

    • Regular policy reviews

    • Audit trails for every decision

    Most employers skip straight to "order the screening" without establishing these foundations first.

    That's why audits fail.

    As we explained in our complete guide to bringing BS7858 screening in-house, the standard doesn't mandate outsourcing. You can implement this internally if you have the right processes.

    But whether you outsource or not, you need these seven implementation steps.

    Step 1: Conduct Role-Based Risk Assessment

    Every BS7858 implementation starts here.

    You cannot apply "standard screening" to all roles. The standard requires you to assess each position individually and determine the appropriate screening level.

    Your risk assessment must consider:

    Does the role involve unsupervised access to client premises? (Yes = higher risk)

    Does the person handle confidential data or sensitive information? (Yes = additional checks needed)

    Does the role involve cash handling or financial transactions? (Yes = financial probity checks required)

    Could the person compromise security through their position? (Yes = enhanced screening appropriate)

    In our BS7858 Screening Standard Course (£85), we provide a complete risk assessment matrix that categorises roles into three levels: standard security, enhanced security, and critical security positions.

    Here's what this looks like in practice:

    Standard Security Role: Security guard at retail premises during opening hours (supervised environment)

    • Identity verification

    • 5-year employment history

    • Basic DBS check

    • Right to work verification

    • Sanctions screening

    Enhanced Security Role: Security officer with key-holder responsibilities (unsupervised access)

    • Everything in standard, plus:

    • 5-year address history verification

    • Financial probity checks

    • Enhanced employment referencing

    • Gap analysis (31+ days explained)

    Critical Security Role: Security manager with master key access and alarm codes

    • Everything in enhanced, plus:

    • 10-year employment history (not 5-year)

    • Enhanced DBS if role qualifies

    • Director checks (if applicable)

    • Additional character references

    The risk assessment must be documented. "We always do Enhanced for everyone" isn't a risk assessment—it's a blanket policy that doesn't comply with BS7858's requirement for role-specific evaluation.


    Training Tip from Graham and Vivianne Johnson:

    After reviewing hundreds of BS7858 implementations in our training sessions since 2006, we can tell you the single biggest implementation mistake: employers assume "comprehensive screening" from a provider equals "BS7858 compliance." It doesn't. The provider collects data based on your instructions. Determining what level of screening each role requires—that's your responsibility. Get this wrong at Step 1, and everything that follows will be non-compliant.


    Step 2: Document Your Screening Policy

    BS7858 requires a written screening policy that explains:

    • Which roles require screening

    • What level of checks apply to each role category

    • How screening decisions are made

    • Record retention periods (minimum 7 years)

    • Who has access to screening records

    • How findings are assessed and acted upon

    This policy must be accessible to candidates during the recruitment process.

    In our Creating a Screening Policy & Framework Course (£89), we provide policy templates that meet BS7858 requirements and can be customised for your organisation.

    Your policy should include decision-making criteria for common findings:

    Unspent criminal convictions → automatic rejection or case-by-case assessment?

    Employment gaps over 31 days → acceptable with explanation or requires additional verification?

    Financial issues (CCJs, IVAs) → disqualifying for cash-handling roles but acceptable for others?

    Document these criteria before you start screening. Consistency is essential for both compliance and fairness.

    Compliance officers documenting BS7858 screening policy

    Step 3: Establish Secure Record-Keeping Systems

    BS7858 requires screening records to be retained for a minimum of 7 years after employment ends.

    These records must be:

• Stored securely (access-controlled and encrypted digital systems, or locked physical storage)

    • Accessible only to authorised personnel

    • Protected in compliance with UK GDPR and Data Protection Act 2018

    • Backed up regularly

    • Auditable (who accessed what, when)

    This is where most employers underestimate the GDPR implications.

Screening records contain sensitive personal data: criminal history, financial information, address history, employment references. Under UK GDPR you must have a lawful basis for processing this data and appropriate security measures in place, and criminal offence data additionally requires a condition under Article 10 UK GDPR and Schedule 1 of the Data Protection Act 2018. Your policy should name the basis and the condition you rely on.

    Our GDPR Training Course (£45) and Data Protection Policies & Procedures UK Course (£55) cover the intersection of BS7858 screening and data protection obligations.

    If you're outsourcing screening, your provider should offer secure digital storage. But you still need internal systems for:

    • Recording why screening was requested (role-specific justification)

    • Documenting assessment decisions on findings

    • Tracking when screenings were completed

    • Managing ongoing compliance (re-screening timelines)

    Step 4: Implement Identity Verification Process

    Every BS7858 screening starts with identity verification.

    The standard requires you to verify identity using original documents from UK government-approved lists. Common combinations include:

    Route 1: Current valid passport + proof of address (utility bill, bank statement)

    Route 2: Full birth certificate + proof of address + official photo ID

    Route 3: Biometric Residence Permit + proof of address

    You cannot accept photocopies. You must see original documents.

If you're outsourcing screening, your provider needs to verify identity in person or through a digital identity verification service that meets the relevant GPG45 (Good Practice Guide 45) identity profile, and you should confirm which profile it was checked against.

    Our Digital ID & GPG45 Compliance Course (£59) explains how digital identity verification works within BS7858 frameworks and what you need to verify from your provider.

    Common identity verification mistakes we see in training:

    Accepting expired passports (not valid for BS7858)

    Not checking the address on proof of address documents matches the candidate's declared address

    Failing to record who verified the documents and when

    Mixing up Right to Work verification with identity verification (they're separate processes)

    Step 5: Verify Employment History and Activity Gaps

    BS7858 requires verification of 5-year employment history for standard roles, 10-year for higher-risk positions.

    This isn't just asking for employment dates. It requires:

    Contacting previous employers directly (not candidate-provided references)

    Verifying exact dates of employment, job title, responsibilities, reason for leaving

    Identifying and explaining all gaps over 31 days

    Documenting periods of unemployment, education, travel, or other activities

    Here's where most BS7858 screenings fall apart: gap analysis.

    The standard requires that every gap over 31 consecutive days must be explained and evidenced. This means if someone has a 2-month gap between jobs, you need to know what they were doing during that period and verify it.

    Common gap explanations:

    • Holiday/travel (may require travel documentation)

    • Unemployment (may require benefits documentation or personal references)

    • Education/training (requires course confirmation)

    • Caring responsibilities (requires personal reference)

    • Health issues (requires appropriate verification without asking for medical details)

    In our BS7858 Screening Standard Course (£85), we demonstrate exactly how to handle employment gaps compliantly, including what evidence is acceptable and how to document it.

If your screening provider returns a file showing zero employment gaps, look closer. Most five-year histories contain at least one gap, because job changes alone often create them. If none are flagged across a batch of files, the gap analysis was probably not done properly.
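The gap rule above (any stretch of more than 31 consecutive days not covered by a verified activity must be explained) is easy to get wrong by hand when jobs overlap or the history starts before the screening window. The following is an added example written for this page, not code from Vetting Hub or from the standard: it takes a candidate's verified activities (jobs, courses, travel, each already evidenced), clamps them to the screening window, merges overlaps, and reports only the stretches that still need an explanation. The candidate history is constructed for illustration; the labels and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# BS7858 rule as described on this page: any stretch of more than 31
# consecutive days not covered by verified employment, study, travel or
# another evidenced activity has to be explained and evidenced.
GAP_THRESHOLD_DAYS = 31


def _to_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class Activity:
    """One verified period on the candidate's timeline (job, course, travel...)."""
    label: str
    start: date
    end: Optional[date] = None  # None means the activity is still ongoing


def activity(label, start, end=None):
    """Convenience constructor taking ISO date strings."""
    return Activity(label, _to_date(start), _to_date(end) if end else None)


@dataclass(frozen=True)
class Gap:
    start: date  # first uncovered day
    end: date    # last uncovered day
    days: int    # uncovered days, inclusive of both ends


def find_unexplained_gaps(activities, window_start, window_end,
                          threshold_days=GAP_THRESHOLD_DAYS):
    """Return Gaps longer than threshold_days inside the screening window.

    Activities are clamped to the window, sorted and merged, so a part-time
    job that overlaps a full-time one never produces a false gap, and history
    from before the window (e.g. older than 5 years) is ignored.
    """
    window_start, window_end = _to_date(window_start), _to_date(window_end)
    clamped = []
    for a in activities:
        end = a.end if a.end is not None else window_end
        start, end = max(a.start, window_start), min(end, window_end)
        if start <= end:  # drop anything wholly outside the window
            clamped.append((start, end))
    clamped.sort()

    gaps = []
    cursor = window_start  # first day not yet covered by a verified activity
    for start, end in clamped:
        if start > cursor:
            uncovered = (start - cursor).days  # days from cursor to start-1
            if uncovered > threshold_days:
                gaps.append(Gap(cursor, start - timedelta(days=1), uncovered))
        cursor = max(cursor, end + timedelta(days=1))
    if cursor <= window_end:  # history stops before the end of the window
        uncovered = (window_end - cursor).days + 1
        if uncovered > threshold_days:
            gaps.append(Gap(cursor, window_end, uncovered))
    return gaps


def sample_candidate():
    """Constructed five-year history (not a real person; assumed labels and
    dates) for a window ending 2025-12-31: one short gap, one overlap, one
    pre-window job and one gap that must be flagged."""
    history = [
        activity("Warehouse operative (pre-window job)", "2015-02-02", "2018-11-30"),
        activity("Retail security officer, Acme Guarding", "2019-06-03", "2022-03-31"),
        activity("Travel, Australia (passport stamps)", "2022-04-15", "2022-07-20"),
        activity("Security officer, Beta Facilities", "2022-10-03", "2024-02-29"),
        activity("Part-time door supervisor, Gamma Events", "2023-06-01", "2024-05-31"),
        activity("Level 3 diploma (course confirmation)", "2024-06-01", "2024-08-31"),
        activity("Key holder, Delta Security", "2024-09-16"),  # ongoing
    ]
    return history, "2021-01-01", "2025-12-31"


if __name__ == "__main__":
    for gap in find_unexplained_gaps(*sample_candidate()):
        print(f"UNEXPLAINED: {gap.start} to {gap.end} ({gap.days} days)")
```

Run on the constructed history it reports a single unexplained stretch, 21 July to 2 October 2022 (74 days), while the 14-day gap before the travel period, the 15-day gap before the current job and the overlapping part-time role are all left alone. Feeding it only the employment dates, with no evidenced travel or study periods, shows which explanations you still need to collect from the candidate.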

    Security team analysing BS7858 employment history gaps

    Step 6: Criminal Record and Financial Probity Checks

    Criminal Record Checks:

    BS7858 requires a Basic DBS check showing unspent convictions for roles that don't require SIA licensing (SIA licensing includes criminal record checks, so additional DBS isn't needed for SIA-licensed officers).

    For roles meeting eligibility criteria, you may conduct Standard or Enhanced DBS checks. See our Understanding DBS Checks (UK) Course (£49) for determining DBS eligibility.

    Financial Probity Checks:

    Required for roles with financial responsibilities or access to valuable assets. This includes:

    • County Court Judgements (CCJs) up to £10,000

    • Bankruptcy, Individual Voluntary Arrangements (IVAs), insolvency

    • Credit history indicators

    These checks cannot be conducted by employers directly. You'll need to use a credit reference agency or screening provider who can access this data legally under the Credit Reference Agency model.

    Sanctions and Watchlist Screening:

    BS7858:2019 added mandatory sanctions screening. This cross-references candidates against:

    • HM Treasury's consolidated list of financial sanctions targets

    • Politically Exposed Persons (PEP) databases

    • International sanctions lists

    • Fraud databases

    Our Sanctions, PEP and Adverse Media Screening Course (£65) explains what these checks involve and how to interpret findings.

    Step 7: Make Informed Decisions and Maintain Records

    The final step is decision-making based on screening findings.

    BS7858 doesn't mandate automatic rejection for any findings. It requires you to assess findings in the context of the role and make risk-based decisions.

    Your decision-making process should consider:

    How recent are the findings? (A 10-year-old CCJ is different from one last month)

    Are the findings relevant to the role? (Financial issues matter more for cash-handling positions)

    Has the candidate been transparent? (Honesty about past issues is significant)

    Are there mitigating circumstances? (People can rehabilitate after mistakes)

    Every decision must be documented with clear reasoning.

    If you reject a candidate based on screening findings, you must inform them and give them the opportunity to challenge inaccurate information. This is a BS7858 requirement, and it also follows from the DBS Code of Practice and the candidate's right under UK GDPR to have inaccurate data corrected. Separately, the Rehabilitation of Offenders Act 1974 bars you from taking spent convictions into account unless the role is exempt from the Act.

    Security director managing BS7858 implementation

    What Happens After Implementation?

    BS7858 isn't "one and done."

    You need ongoing:

    • Annual policy reviews

    • Regular audits of screening files

    • Re-screening protocols for long-term employees (typically every 3-5 years)

    • Training for anyone involved in screening decisions

    • Updates when the standard changes

    The BS7858:2019 standard introduced new requirements (director checks, sanctions screening). The 2012 version was withdrawn in March 2020. If your policy references the old standard, you're no longer compliant.

    In-House vs Outsourced: What's Your Implementation Cost?

    As we covered in our guide to bringing BS7858 screening in-house, outsourcing typically costs £75-95 per screening.

    For a security company screening 50 people per year, that's £3,750-4,750 annually.

    Bringing BS7858 in-house requires:

    • Staff training (our BS7858 Screening Standard Course (£85) covers full implementation)

    • Screening software or systems (£500-2,000 depending on volume)

    • DBS registration costs (£13 registration, £25-44 per check)

    • Time commitment (2-4 hours per screening initially, faster with experience)

    For higher volumes, in-house implementation typically breaks even within 6-12 months and saves thousands annually thereafter.

    Common Implementation Mistakes (From 18 Years of Training)

    After training employers on BS7858 since 2006, we consistently see these implementation errors:

    Mistake 1: Assuming the screening provider handles compliance
    Reality: You remain responsible for policy, risk assessment, and decision-making

    Mistake 2: Using a "standard package" for all roles
    Reality: BS7858 requires role-specific risk assessment

    Mistake 3: Not documenting decisions
    Reality: If it's not documented, you can't prove compliance during audits

    Mistake 4: Accepting screening reports without verifying the methodology
    Reality: Not all providers follow BS7858:2019 (some still work to the 2012 requirements)

    Mistake 5: Forgetting about ongoing compliance
    Reality: Records must be retained 7 years, policies reviewed annually, long-term staff re-screened

    Mistake 6: Mixing up BS7858 with BPSS
    Reality: These are different standards with different requirements (see our BPSS Security Screening Standard Course (£69) for BPSS-specific guidance)

    Implementation Timeline: How Long Does It Take?

    For a typical security employer implementing BS7858:

    Initial setup: 2-4 weeks

    • Conduct risk assessment for all roles

    • Document screening policy

    • Establish record-keeping systems

    • Train relevant staff

    First screening: 2-8 weeks per candidate

    • Depends on employment history complexity

    • Overseas history adds 4-8 weeks

    • Reference response times affect timeline

    Steady state: 5-15 working days per screening once systems are established

    The upfront investment is significant, but it creates a sustainable, compliant screening process that protects your business and meets client requirements.

    Your Next Steps

    Implementing BS7858 screening requires understanding both the standard's requirements and your specific organisational needs.

    Our BS7858 Screening Compliance Bundle includes comprehensive training on risk assessment, policy development, and ongoing compliance management.

    For employers in the security industry specifically, our Security Industry Essentials Compliance Bundle covers BS7858 alongside SIA licensing requirements and event steward standards.

    If you're determining whether to bring screening in-house or continue outsourcing, start with understanding your true costs and compliance obligations. The right decision depends on your screening volume, internal capabilities, and long-term business strategy.

    Tomorrow, we'll cover the most common BS7858 mistakes we see in training sessions—and how to avoid them.

    But implementation starts with these seven steps. Get these right, and you'll have a compliant, efficient screening process that protects your business and satisfies client requirements.

    After 18 years training employers on BS7858, we can tell you: this isn't about ticking boxes. It's about building a system that actually works—for your business, your employees, and the clients who depend on your security standards.
