How to Implement BS7858: Step-by-Step Training Guide

"We know we need BS7858 screening, but where do we actually start?" This question comes up in almost every training session we run on our BS7858 Screening Standard Course. Understanding the theory is one thing, but implementing a compliant screening programme from scratch can feel overwhelming.

Last week, we worked with a security company that had been putting off BS7858 implementation for six months. They kept saying they'd "get round to it," but every time they looked at what needed doing, they didn't know where to begin. By the time they finally contacted us for coaching, they'd lost two major contracts because they couldn't demonstrate compliant screening processes.

In Monday's comprehensive BS7858 training guide, we covered what the standard requires. In yesterday's employer responsibilities checklist, we clarified what you're accountable for. Today, we're giving you the practical roadmap: exactly how to implement BS7858 screening step by step.

Before You Begin: The Foundation Phase

You can't just start screening people tomorrow. Effective BS7858 implementation requires groundwork, and skipping this phase is where most organisations go wrong.

Step 1: Conduct a Role Analysis

Your first task is identifying which roles actually require BS7858 screening. Don't make the mistake we see constantly in our training sessions: assuming every role needs it because you work in a "secure" sector.

A facilities management company we coached last year was screening their entire workforce to BS7858, including office administrators who never visited client sites. They were spending thousands of pounds unnecessarily and creating administrative burden for no security benefit.

Sit down with your management team and systematically review each role. Ask these questions for every position: Does this person access secure areas? Do they work unsupervised on client premises? Could they access sensitive information or assets? Would misconduct in this role cause significant harm to your organisation or clients?

If you can't answer "yes" to at least one of these questions, standard employment screening might be sufficient. Our Pre-Employment Screening & Vetting Essentials course helps you differentiate between standard screening and enhanced screening like BS7858.

Step 2: Document Your Screening Policy

Before you screen a single person, you need a written screening policy. This isn't bureaucracy for its own sake. Your policy is your defence if anyone challenges your screening decisions, and it's what your clients will ask to see when they audit your compliance.

Your policy must cover why you conduct BS7858 screening, which roles require it, what checks you'll perform, how you'll make decisions about adverse findings, how you'll protect screening data, and how long you'll keep records. As we explained in our complete guide to employee screening and vetting training, documentation demonstrates your professionalism and protects your organisation.

During a coaching session last month, an organisation showed us their "policy" - three bullet points on a Word document that said they do "background checks on everyone." That's not a policy, that's a note. A proper policy runs to several pages and covers every aspect of your screening programme. Our Creating a Screening Policy & Framework course includes templates you can adapt for your organisation.

Training Tip from Graham and Vivianne Johnson:

Get your screening policy reviewed by an employment law solicitor before you implement it. We've seen too many organisations create policies that accidentally breach discrimination law or GDPR. Spending £500 on legal review now could save you £50,000 in tribunal claims later.

Step 3: Set Up Your Data Protection Framework

BS7858 screening creates special category data under GDPR. Before you collect a single document, you need proper data protection measures in place.

This means secure storage for physical documents (locked cabinets in restricted areas), secure systems for digital records with access controls and audit trails, clear retention schedules that comply with GDPR, and processes for subject access requests. A property management firm we trained had been storing screening files in a general HR filing system that any manager could access. That's a GDPR breach waiting to be reported. Screening data needs ring-fenced protection.

Our GDPR Training Course covers exactly what you need, but here's the minimum: only people directly involved in screening should access this data, it should be stored separately from general HR files, and you should log every access to screening records.

Step 4: Choose Your Screening Provider (If Using One)

Many organisations use third-party providers to conduct the actual checks required by BS7858. That's fine, but choosing the right provider is critical.

We often see organisations pick the cheapest provider without asking basic questions about their processes. Then they discover their "BS7858 screening" doesn't actually meet the standard because the provider cut corners to offer bargain prices.

When evaluating providers, ask how they verify identity documents, how they obtain references (phone call, email, letter?), how they verify employment history, what their turnaround times are, and how they handle complex cases like overseas employment. Get these answers in writing before you commit.

If you choose to conduct screening in-house, you'll need to develop these capabilities yourself. Our BS7858 Screening Standard Course teaches you exactly how to conduct each check to standard, but be realistic about the time and resources required.

Implementation Phase: Screening Your First Candidate

You've done the groundwork. Now let's walk through screening an actual candidate, step by step.

Step 5: Update Your Recruitment Materials

Before you advertise your next role, update your job descriptions and application forms to include BS7858 requirements. This transparency is essential and saves time later.

Your job advert should include a simple statement: "This role requires BS7858 security screening, which includes five years of verifiable employment and residential history, identity verification, criminal record checks, and employment references."

Your application form needs to collect the information required for BS7858 screening: full five-year employment history with exact dates, full five-year residential history with exact addresses, details of any gaps in employment or residence, and consent for screening checks. A logistics company we coached was using a standard application form that only asked for "current address" and "last three employers." They had to contact every candidate separately to get the additional information BS7858 requires. That's inefficient and looks unprofessional.

Step 6: Conduct the Initial Candidate Meeting

When your preferred candidate comes in, before you make any job offer, you need to verify their identity and collect the detailed information required for BS7858 screening.

This meeting isn't just about seeing documents. You're starting the verification process and explaining what happens next. Bring your candidate in for a face-to-face meeting (or video call with document verification if remote). Ask them to bring original identity documents as specified by BS7858. Walk through their employment and residential history to clarify any questions from their application.

Explain the screening process: what checks you'll conduct, how long it typically takes, what happens if adverse information is found, and when they can expect a decision. During this meeting, you should physically see and verify original identity documents (passport, driving licence, birth certificate as appropriate), take copies with the candidate present, and have the candidate sign a detailed consent form for all screening checks.

A recruitment agency we trained had been accepting emailed scans of identity documents. Then they discovered one candidate had used Photoshop to alter their passport. Always, always see original documents in person or via verified video technology covered in our Digital ID & GPG45 Compliance Course.

Training Tip from Graham and Vivianne Johnson:

Keep a UV light and a magnifying glass in your HR office. Modern UK identity documents have security features you can verify immediately. We teach document verification techniques in our training, but anyone can learn to spot basic forgeries with the right tools and a few minutes of practice.

Step 7: Verify the Five-Year History

This is where BS7858 implementation gets detailed. You need a complete, verified five-year history with no unexplained gaps longer than 28 consecutive days.

Start with employment history. For each employer in the past five years, you need company name and address, exact employment dates, job title and duties, and reason for leaving. Contact each employer directly (not through the candidate) to verify this information. A simple email or phone call usually suffices, but you must keep records of the verification.

Then verify residential history. For each address in the past five years, you need full address including postcode and exact dates of residence. You can verify this through electoral roll checks, council tax records, or utility bills, but you must verify it somehow. Don't just take the candidate's word.

For any gaps in employment or residence, you need an explanation and, where possible, verification. Common gaps include education (verify with the institution), travel (verify with travel documents or itineraries), unemployment (verify with benefit records if the candidate consents), or caring responsibilities (harder to verify, but get a written explanation).

In tomorrow's post about common BS7858 mistakes, we'll cover what happens when you can't verify something. For now, remember: if you can't verify a period, you can't claim the screening is BS7858 compliant.

Step 8: Conduct Criminal Record Checks

BS7858 requires criminal record checks appropriate to the role. In the UK, this usually means a DBS check, though the level depends on your specific role requirements.

You need to determine what level of DBS check is appropriate (Basic, Standard, or Enhanced). Our Understanding DBS Checks (UK) Course explains the differences, but most BS7858 roles require at least a Standard DBS check.

Apply for the DBS check through your registered body, wait for the results (typically 2-4 weeks, though timing varies), and then here's the crucial bit: assess what the results mean for your specific role.

A security firm we coached had a blanket rule that any criminal record meant automatic rejection. That's discrimination. You must assess each case individually: what was the offence, when did it occur, is it relevant to the role, what has the person done since? This risk-based approach is fundamental to BS7858 compliance.

Step 9: Obtain and Verify References

BS7858 requires employment references for the entire five-year period. Not character references from friends, but actual employment references from line managers or HR departments.

For each employer, contact them directly (never through the candidate), request a written reference covering employment dates, job title, performance, and reason for leaving, and verify the authenticity of the reference (call back on a number you've independently verified, not one provided in the reference).

A facilities company we trained had been accepting references submitted by candidates. Then they discovered several were fake - created by the candidates themselves using free email addresses. Always verify references independently.

Step 10: Make Your Assessment and Document Your Decision

Once you have all the information, you need to assess whether the candidate meets BS7858 requirements for your specific role.

This isn't about them "passing" or "failing" screening. It's about whether, based on all the information you've gathered, you're satisfied they present an acceptable risk for the role. Consider all the information together, assess any adverse findings in context, and document your reasoning clearly.

If you decide to offer employment, record why you're satisfied the candidate meets BS7858 requirements. If you decide not to offer employment based on screening results, record your reasoning carefully to defend against potential discrimination claims.

Our Risk Assessment in Background Screening course teaches you how to make and document these decisions consistently.

After Implementation: Maintaining Compliance

Implementing BS7858 isn't a one-time project. You need ongoing processes to maintain compliance.

Set up a system to track when re-screening is due (if you've decided periodic re-screening is necessary). Schedule regular audits of your screening records to ensure they're complete and properly maintained. Update your policy and procedures as legislation changes. Train new HR staff on BS7858 requirements before they're involved in screening.

Tomorrow, we'll look at the common mistakes organisations make with BS7858, many of which happen after initial implementation when attention drifts and shortcuts creep in.

Getting Expert Support

Implementing BS7858 screening properly requires knowledge, attention to detail, and robust processes. If you're feeling overwhelmed, you're not alone. Most organisations need training and support to get this right.

Our BS7858 Screening Standard Course gives you comprehensive training on every aspect of implementation. For organisations that need more hands-on support, our Half Day Vetting & Screening Expert Coaching sessions provide personalised guidance for your specific circumstances.

The investment in proper implementation pays for itself many times over through reduced risk, satisfied clients, and the confidence that your screening programme actually works.

Want to discuss your specific implementation challenges? Email us at sales@vhcourses.com, and we'll help you create a roadmap that works for your organisation.