BS7858 Training Guide for UK Employers: Everything You Need to Know

Last month, a security firm lost a £2 million contract. The client ran an audit of their screening processes and found gaps everywhere. No documented risk assessments. Incomplete employment verification. Criminal record checks without proper justification. The security firm thought they were compliant with BS7858. They weren't even close.

The contract termination letter arrived on a Tuesday. The managing director called us on Wednesday. "We thought we were doing everything right," he said. "We've been screening staff for ten years."

That's the problem with BS7858. Everyone thinks they understand it until an audit proves otherwise.

We're Graham and Vivianne Johnson, and we've been training employers on BS7858 screening since 2006. In nearly two decades, we've seen the same mistakes repeated across hundreds of organisations. Small gaps in understanding that lead to failed audits, lost contracts and regulatory issues.

This guide contains everything we teach in our CPD certified BS7858 course. Whether you're implementing BS7858 for the first time or reviewing your existing processes, you'll understand exactly what's required, how to implement it properly and how to stay audit ready.

What is BS7858 and Why Does It Matter?

BS7858 is the British Standard for security screening of individuals working in environments where trust is paramount. Published by the British Standards Institution, it sets the benchmark for pre-employment vetting in security, aviation, government contracts and any role involving access to sensitive information or valuable assets.

Here's what surprises most people. BS7858 isn't a legal requirement. You won't find it in employment law. But try winning a security contract without it. Try getting insurance for a cash handling operation without demonstrating BS7858 compliance. Try explaining to a client why you don't follow industry standard screening practices.

BS7858 has become the de facto standard because clients demand it, insurers require it and auditors measure against it. If you employ security personnel, handle sensitive information or operate in high risk environments, BS7858 is your baseline.

Who needs BS7858 screening:

Security guards and officers, cash and valuables in transit staff, aviation security personnel, employees with access to secure areas, staff handling sensitive information, cleaning and facilities staff in secure environments, IT personnel with system access, and anyone in a position of trust where a security breach could cause significant harm.

In our complete guide to employee screening and vetting training, we explain how BS7858 fits into the wider screening landscape. But for most organisations in security and high risk sectors, BS7858 is where you start.

Training resources:

• BS7858 Screening Standard Course (£85, CPD certified)

• BS7858 Employer & Applicant Guidance Pack (£69)

The Five Core Components of BS7858 Screening

BS7858 requires five specific verification checks. Each serves a distinct purpose. Each must be completed properly. Miss one, document it inadequately, or fail to conduct appropriate risk assessment, and you're not BS7858 compliant.

1. Identity Verification

You need to confirm the person is who they claim to be. This isn't just checking a passport. It's verifying identity documents against Home Office guidelines, confirming residential history and ensuring no identity fraud.

What's required:

Check photographic identity documents (passport, driving licence) against original documents, not copies. Verify current address with utility bills or bank statements dated within three months. Confirm five year address history with gaps explained and verified.

Where employers go wrong:

Accepting photocopies or scanned documents. Not verifying previous addresses. Missing gaps in address history. Failing to spot inconsistencies between documents.

A facilities management company once hired 15 cleaning staff for a secure government building. They checked passports and considered identity verified. The audit found no address verification whatsoever. No utility bills checked. No previous address history. They lost the contract within a week.

Training tip from Graham:

Create an identity verification checklist. Document type, document number, issue and expiry dates, verification date, who verified it. If you can't produce this documentation during an audit, you haven't verified identity properly regardless of what you actually did.

2. Employment History Verification

You need a complete and verified employment history covering the past five years. Not just job titles and dates. Verified confirmation from previous employers that the person worked there, in that role, during that period.

What's required:

Contact previous employers directly (not via candidate provided references). Confirm employment dates, job title, reason for leaving. Account for all gaps longer than one month. Obtain written confirmation, not just verbal.

Where employers go wrong:

Accepting references provided by the candidate. Not verifying gaps. Assuming LinkedIn or a CV is verification. Failing to get written confirmation from previous employers.

We coached a security company last year that had been "verifying" employment by looking at LinkedIn profiles. Five years of this. Hundreds of employees. An audit discovered it. The remediation cost was enormous. They had to re-verify every single employee's work history properly.

The reality of employment verification:

Some previous employers won't respond. Some companies no longer exist. International employment history is difficult to verify. That's fine. BS7858 doesn't require perfect verification. It requires reasonable efforts, documented gaps and risk assessment of what you couldn't verify.

Training tip from Vivianne:

If a previous employer won't verify employment, document your attempts. Emails sent. Phone calls made. Dates contacted. Then make a risk assessment. Is this gap acceptable for this role? Document your decision. That's compliant. Giving up and moving on without documentation isn't.

3. Criminal Record Checks

BS7858 requires appropriate criminal record checks. For most roles, that means a Basic DBS check as minimum. For some roles, Standard or Enhanced DBS. The key word is "appropriate."

What's required:

Conduct criminal record checks proportionate to the role and risk. For standard security roles, Basic DBS showing unspent convictions. For roles involving vulnerable people or greater trust, Standard or Enhanced DBS. Obtain checks within three months of employment starting. Keep compliant records under GDPR.

Where employers go wrong:

Not understanding which DBS level is legally available. Automatically rejecting anyone with any criminal record. Keeping DBS certificates longer than necessary under GDPR. Failing to conduct risk assessments when convictions appear.

Here's what people misunderstand about criminal records in BS7858 screening. The standard doesn't say "reject anyone with a conviction." It says conduct appropriate checks and make risk based decisions. A spent conviction from 15 years ago might be completely irrelevant to a security role. Or it might not. That's where risk assessment and training matter.

The DBS levels explained:

Basic DBS shows unspent convictions only. Available for any role. Standard DBS shows spent and unspent convictions, plus cautions, warnings and reprimands. Only available for specific roles defined in law. Enhanced DBS shows everything on Standard plus additional police information. Only available for regulated activity with children or vulnerable adults.

Most BS7858 roles qualify for Basic DBS only. Some security roles qualify for Standard. Very few qualify for Enhanced unless involving vulnerable people.

In our Understanding DBS Checks course, we cover exactly which DBS level is appropriate for different roles and how to make compliant hiring decisions when criminal records appear.

Training tip from Graham:

Create a DBS decision framework before you start screening. What convictions are automatically relevant? What convictions require individual assessment? What factors do you consider? Document this. Then when a conviction appears, you have a framework. You're not making it up as you go.

4. Right to Work Verification

You must verify every employee has the legal right to work in the UK. This isn't just good practice. It's a legal requirement with civil penalties up to £20,000 per illegal worker.

What's required:

Check original documents in person (or via video for remote). Use Home Office list of acceptable documents. Keep copies for employment duration plus two years. Conduct follow up checks for time limited permission. Use share codes for EU and EEA nationals.

Where employers go wrong:

Accepting emailed copies. Not checking documents face to face. Missing expiry dates on time limited permission. Keeping copies longer than allowed under GDPR. Checking some employees but not others (discrimination risk).

Right to work verification integrates with BS7858, but it's actually a separate legal requirement. The difference matters. Right to work is law. BS7858 is a standard. You must do right to work checks. You choose to follow BS7858. But if you're following BS7858, proper right to work checks are part of it.

We cover right to work compliance in detail in our Right to Work Checks & Legal Requirements Course.

5. References and Additional Checks

BS7858 requires employment references covering the past five years. Not character references. Employment references from supervisors or managers who can confirm work performance, reliability and trustworthiness.

What's required:

Obtain at least two references covering the five year period. Contact referees directly. Ask specific questions about reliability, honesty and suitability for security roles. Document responses. Conduct additional checks relevant to the role (professional qualifications, security licences, etc.).

Where employers go wrong:

Accepting references to generic email addresses. Not verifying the referee is genuine. Asking only "would you rehire this person?" Missing gaps between references. Failing to follow up on concerning responses.

Reference fraud is increasing. Candidates provide fake referees. Email addresses that look legitimate but aren't. Phone numbers that go to friends. In our training, we teach you to spot these red flags and verify referees properly.

Risk Assessment: The Part Everyone Gets Wrong

Here's what makes BS7858 different from a simple checklist. It requires risk assessment at every stage. You're not just collecting information. You're assessing what it means.

Criminal conviction disclosed? Risk assess it. Can't verify previous employment? Risk assess the gap. Concerning reference? Risk assess the concern. This is where employers struggle most. They want clear rules. "Reject for X, accept for Y." BS7858 doesn't work that way.

What risk assessment actually means in BS7858:

Evaluate the nature of the issue. Consider how long ago it occurred. Assess whether it's a pattern or isolated incident. Determine relevance to the specific role. Make a documented decision about acceptable risk. Implement any necessary monitoring or restrictions.

A security firm once automatically rejected a candidate because of a conviction for shoplifting. The conviction was 20 years old. The candidate had worked in security for 15 years since with no issues. The rejection was almost certainly unlawful discrimination under the Equality Act.

Proper risk assessment would have considered the nature of the offence (theft), time elapsed (20 years), pattern (single isolated incident), subsequent behaviour (15 years clean record in security work) and relevance to role (screening for honesty and trustworthiness). The risk assessment might well have concluded this posed minimal risk.

Training tip from Vivianne:

We teach a four factor risk assessment framework. Nature of the concern, time elapsed, pattern versus isolated incident, relevance to role. Apply these four factors to any issue that arises during screening. Document your assessment. That's how you make defensible decisions.

In our Risk Assessment in Background Screening course, we work through dozens of real scenarios teaching you to apply this framework confidently.

GDPR Compliance in BS7858 Screening

BS7858 screening processes personal data. Criminal records, employment history, references. GDPR applies strictly. Most employers know this. Few comply properly.

Key GDPR requirements for BS7858:

Have a lawful basis for processing (usually legitimate interests for employment screening). Tell candidates what you're checking and why (privacy notice). Only collect information necessary for the screening. Keep screening records only as long as needed (employment duration plus two years for successful candidates, six to twelve months for unsuccessful). Protect screening information from unauthorised access. Respond to subject access requests properly.

Common GDPR violations in BS7858 screening:

Keeping all screening records indefinitely. Not providing privacy notices to candidates. Sharing screening information with people who don't need it. Inadequate security on screening files. Failing to respond to subject access requests within one month.

The Information Commissioner's Office has fined employers for screening data breaches. A recruitment agency left a box of DBS certificates and passport copies in their car. The car was stolen. They had to report a data breach. The ICO investigated their wider screening practices. The fine was significant.

How long to keep BS7858 screening records:

Successful candidates: Keep for employment duration plus two years. This allows you to defend employment tribunal claims if needed. After employment ends plus two years, securely destroy screening records.

Unsuccessful candidates: Keep for six to twelve months maximum. No legitimate reason to keep unsuccessful candidate screening information longer unless there are active legal proceedings.

We cover GDPR compliance for screening extensively in our GDPR Training Course and Data Protection Policies & Procedures course.

Creating Your BS7858 Screening Policy

A screening policy documents what you check, when you check it, how you make decisions and how you handle information. Without a policy, you're inconsistent. Auditors will find gaps. You can't demonstrate compliance.

What your BS7858 policy must include:

Which roles require BS7858 screening. The five verification components you'll conduct. How you'll verify each component. Risk assessment criteria and process. Decision making authority (who decides to hire after screening). Record keeping and retention periods. GDPR compliance measures. Review and update schedule.

Policy mistakes we see regularly:

Generic policies copied from templates that don't reflect actual practice. Policies that say one thing, practice that does another. Outdated policies referencing old DBS procedures or pre-GDPR rules. Policies nobody has trained staff to follow. Policies that haven't been reviewed in years.

A transport company had a beautiful BS7858 policy. Twenty pages. Comprehensive. The problem? Nobody in HR had read it. Nobody followed it. The actual screening process bore no resemblance to the policy. When auditors compared policy to practice, the gaps were massive.

Training tip from Graham:

Your policy should reflect what you actually do, not what you wish you did. Write the policy based on your real process. Then train staff to follow it. Review annually and update when practice changes. A simple accurate policy is better than a comprehensive policy nobody follows.

In our Creating a Screening Policy & Framework Course, we provide policy templates and guide you through creating a policy that works for your organisation.

Common BS7858 Mistakes That Cost Money

After 18 years training employers on BS7858, we've seen certain mistakes repeatedly. Each costs money. Each is completely preventable with proper training.

Mistake 1: Treating BS7858 as a Checklist

Employers think BS7858 is five boxes to tick. Identity verified, tick. Employment checked, tick. DBS done, tick. References obtained, tick. Right to work confirmed, tick. Done.

BS7858 isn't a checklist. It's a standard requiring judgment, risk assessment and documented decision making at every stage. The ticks matter less than what you did, why you did it and how you assessed the results.

Mistake 2: No Documentation of Risk Assessments

You verified everything. Made sensible decisions. Hired good people. Then an audit asks "show me your risk assessments." You have none. You made the assessments mentally but documented nothing.

If it's not documented, it didn't happen. That's the audit reality. You might have conducted perfect risk assessments. Without documentation, you can't prove it.

Mistake 3: Inconsistent Application

You screen security guards thoroughly. You barely screen cleaners. Both have access to secure areas. Both require BS7858. Inconsistent screening creates discrimination risk and audit failures.

Whatever screening you decide is appropriate, apply it consistently to everyone in similar roles. Document why different roles have different screening requirements.

Mistake 4: Keeping Records Forever

Every DBS certificate. Every passport copy. Every reference. Kept forever in filing cabinets. This isn't compliance. It's a GDPR violation waiting to be discovered.

Keep what you need for as long as you need it. Then securely destroy it. Hoarding screening information isn't thoroughness. It's non-compliance.

Mistake 5: No Training for Staff Conducting Screening

HR administers screening. Managers make hiring decisions. Nobody has been trained on what BS7858 actually requires. They're doing their best based on common sense. Common sense isn't compliance.

Everyone involved in screening needs training. What to check. How to check it. How to assess results. How to document decisions. How to stay GDPR compliant.

Implementing BS7858: Your Timeline

You've decided to implement BS7858 properly. How long does it take? What's the realistic timeline from decision to compliant screening?

Week 1: Foundation

Understand BS7858 requirements through training. Our BS7858 Screening Standard Course takes 3-4 hours. Decide which roles require BS7858 screening. Review current screening processes against BS7858 requirements. Identify gaps.

Week 2: Policy Development

Create or update screening policy. Define verification procedures for each component. Establish risk assessment criteria. Set record retention schedules. Draft privacy notices for candidates.

Week 3: Process Setup

Create screening checklists and forms. Establish DBS checking process. Set up employment verification procedures. Develop reference request templates. Implement secure record keeping systems.

Week 4: Staff Training

Train HR staff on new procedures. Train managers on risk assessment. Train everyone on GDPR requirements. Ensure everyone understands documentation requirements.

Week 5-6: Pilot and Refine

Screen first candidates under new process. Identify practical issues. Refine procedures based on experience. Update documentation and training.

Week 7 onwards: Full Implementation

Roll out to all new hires. Consider re-screening existing staff (phased over time). Conduct regular audits of compliance. Review and update annually.

This six to eight week timeline is realistic for most organisations. Rushing implementation leads to gaps. Taking longer risks the interim screening being non-compliant.

Preparing for BS7858 Audits

Your client wants to audit your BS7858 compliance. Your insurer requires proof. Your industry body is reviewing practices. Are you ready?

What auditors look for:

Written screening policy. Documentation of screening for sample employees. Evidence of five core verification checks. Risk assessment documentation. GDPR compliance measures. Training records for staff conducting screening. Consistency across similar roles.

How to prepare:

Conduct self audit using auditor's perspective. Pull screening files for random sample of employees. Check all five components are documented. Verify risk assessments are recorded. Confirm GDPR compliance. Fix any gaps before the official audit.

Common audit failures:

Missing documentation (did the work but can't prove it). Inconsistent screening across roles. No risk assessment records. GDPR violations (keeping records too long, inadequate security). Staff unable to explain screening decisions.

A facilities management firm was supremely confident before their client audit. They'd been screening staff for years. The audit found systematic gaps. Employment verification incomplete. No documented risk assessments. DBS certificates kept in unlocked filing cabinets. They failed. Lost the contract. Spent six months remediating before they could pitch for similar work again.

Training tip from Vivianne:

Run an internal audit every six months. Pull files for five random employees. Check documentation. Interview staff about procedures. Identify gaps. Fix them. Regular self audits mean external audits hold no surprises.

BS7858 and Other Screening Standards

BS7858 doesn't exist in isolation. Depending on your sector, you might need to comply with multiple standards. Understanding how they relate matters.

BS7858 vs BPSS:

BPSS (Baseline Personnel Security Standard) is mandatory for anyone with access to UK government assets. BS7858 is broader, applying to positions of trust generally. BPSS is government focused. BS7858 is industry standard.

Some roles require both. Government security contracts often specify BPSS plus BS7858. Understanding the overlap and differences matters.

We'll cover this comparison in detail in Friday's post about BS7858 versus BPSS.

BS7858 vs sector specific standards:

FCA requires specific screening for financial services. CQC requires specific screening for care. Aviation has airside screening requirements. BS7858 often forms the foundation, with sector requirements added on top.

In our complete guide to employee screening and vetting training, we explain how all these standards interact.

Your Next Steps with BS7858 Training

BS7858 compliance isn't complicated. But it does require understanding what's actually required, implementing proper processes and training staff appropriately.

If you're implementing BS7858 for the first time:

Start with our BS7858 Screening Standard Course. It covers everything in this guide plus practical implementation guidance, case studies and decision making frameworks. You'll leave with clear understanding of requirements and confidence to implement properly.

If you're reviewing existing BS7858 processes:

Consider our BS7858 Employer & Applicant Guidance Pack for policy templates, checklists and forms. Or book a half day coaching session where we review your actual processes and documentation.

If you need comprehensive screening knowledge:

Our Pre-Employment Screening & Vetting Essentials Course covers BS7858 plus all other major UK screening standards. Perfect if you need broader screening knowledge beyond just BS7858.

This week's BS7858 training series:

This is the first of five posts this week focusing on BS7858. Tomorrow, we'll cover employer responsibilities with a practical checklist. Wednesday, we'll walk through implementation step by step. Thursday, we'll share common mistakes from our training experience. Friday, we'll compare BS7858 with BPSS.

Every course we offer is CPD certified by an independent accreditation body. Your learning hours count toward professional development. Certificates are accepted by employers and regulators. You can evidence your compliance knowledge during audits.

Questions about BS7858 screening for your specific situation? Contact us at sales@vhcourses.com or book a coaching session. We've implemented BS7858 across hundreds of organisations. We can help you get it right.

About the Authors

Graham and Vivianne Johnson have worked in screening, vetting and compliance since 2006. They ran their own screening businesses before creating VH Courses to train others. VH Courses is registered on the UK Register of Learning Providers (UKRLP Registration No. 0006126). All courses are independently CPD certified.

Their approach combines regulatory knowledge with practical experience. They've implemented BS7858 programmes, navigated client audits, solved complex screening problems and trained hundreds of UK organisations on compliant screening practices.