ÒÁÈËÖ±²¥

The Road Transport Security Standards (RTSS) are designed to support commercial vehicle operators. The standards have been created to help operators protect personnel, assets and vehicles from being stolen, hijacked, sabotaged or otherwise targeted for terrorist purposes, including attacks on crowded places or the transport system. The standards also contribute to wider efforts to improve security and resilience in the transport sector.

The requirements and any guidance included in these standards are not prescriptive or exhaustive. Operators have the right to adopt alternative means to meet the standards. Each organisation should make its own judgement as to which measures apply to ensure the appropriate standards are met. Organisations should determine which and how far to apply those measures according to their operation.

This toolkit should be used by the designated security manager or other person(s) with ultimate responsibility for security, including management of the organisation’s risk assessment and action plan. It should be routinely reviewed by the designated security manager.

1. Road Transport Security Standards

This toolkit has been developed to enable organisations to comprehensively assess their existing counter terrorism and security practice before completing an RTSS self-assessment. While not exhaustive, the standards provide a robust benchmark of effective counter terrorism and security practice and preparedness.

The standards follow the principles of the specification requirements in .

2. Governance and security management

Outcome: the organisation demonstrates appropriate governance and security management.

2.1 Designated security manager

The organisation should identify a designated security manager or other person(s) with ultimate responsibility for security, including the management of the organisation’s risk assessment and action plan.

All employees should know who the security manager is and how to contact them.

2.2 Incident response

The security manager has established security incident and breach response protocols, which are annually tested and reviewed.

The security manager has a designated email address for contact by DfT in case of a major incident.

Any incident that presents an actual or perceived risk to life or a significant risk to operations should be recorded.

2.3 Staff vetting

Rigorous staff vetting should be employed to ensure employee suitability and to mitigate the insider threat. These checks should happen before employment.

Consideration should be given to using British Standard 7858 (or equivalent) for the security screening of employees.

This standard involves conducting basic identity, financial, employment and criminal records checks. The following additional steps should be taken when employing drivers.

1. Check a driver’s references and previous employment history (minimum of 5 years).

2. Speak to previous employers.

3. Inform applicants that using false details on application forms may lead to dismissal.

4. Check driving licences are valid and look for endorsements before you employ someone and then at 6 monthly intervals after employment. Drivers should tell you of any changes to their licence.

5. For agency drivers, ensure that the agency has carried out all of these checks, including criminal records checks.

6. Use only reputable recruitment agencies that are affiliated with a recognised UK trade organisation.

2.4 Staff training and awareness

Security training is essential and is required for all workers. Without effective training, individuals cannot be expected to know what policies, standards, guidelines and procedures are in place to maintain security.  

The role of line managers in educating staff, setting an example and reinforcing good practice should also not be underestimated. Individuals need to be informed of the threats, their security responsibilities and how to report security concerns. Appropriate Security education and training should be provided at, but not limited to, workers’ induction.

Training should be tailored according to role. A record of all staff training should be maintained.

As a minimum, all staff should complete the .

Employees with line management responsibilities should complete the .

It is recommended that training should be renewed every 2 years.

Senior operators should undertake basic cybersecurity training to mitigate suspicious cyber activity. This includes and .

The National Cyber Security Centre’s (NCSC’s) offers guidance to help organisations manage their cyber security risks. NCSC’s can also be used to inform organisations of threats against their networks.

Staff can find that is tailored to small, medium and large sized organisations.

3. Risk assessment

Outcome: the organisation has a risk assessment reviewed against known risks, which informs planning and delivery.

For further information on risk assessments, the National Counter Terrorism Security Office have published a .

3.1 Threat and risk      

There is a local risk assessment which feeds into an action plan, including:

• an assessment of relevant threat and risk types (for example, theft of vehicle, hijack or VBIED)
• identification and evaluation of important assets and infrastructure
• an assessment of the likelihood of threats to prioritise security measures
• the human welfare, physical, logistical, reputation and financial (and other) impact each risk may cause

3.2 Mitigation

Mitigation(s) for each risk should be clearly identified.

Identification, selection and prioritisation of counter measures and procedural changes and their level of effectiveness in reducing vulnerability.

Identification of weaknesses, including human factors in the infrastructure, policies and procedures.

3.3 °ä´Ç³¾³¾³Ü²Ô¾±³¦²¹³Ù¾±´Ç²ÔÌýÌýÌýÌýÌýÌý

The risk assessment is shared with all relevant members of staff and partners where appropriate.

3.4 Review

The risk assessment should be routinely reviewed and adapted in-line with the changing threat and risk landscape.

4. Security delivery plan

A delivery plan is a strategic document that outlines how a company will implement and manage its security measures to protect assets, systems and data. It details the specific actions, timelines, responsibilities, resources and technologies needed to achieve defined security goals.

Outcome: the organisation has a current delivery plan informed by risk and including mitigating measures.

4.1 Responsibility for the delivery plan         

The security manager or other appropriate person(s) should be designated as holding overall responsibility for the management of the delivery plan.

4.2 Objectives

Each objective should be clearly identified, including action owners and timescales for completion.

4.3 Mitigating threat and risk

The delivery plan details the work conducted to mitigate each risk identified in the risk assessment.

4.4 Integrating the delivery plan

The delivery plan should be integrated within the organisation and referenced in corporate or service documents, for example, strategies, plans and policies.

4.5 Review

Delivery plans should be reviewed annually and adapted in coordination with the risk assessment and in response to a changing threat or risk landscape

The record of contact details kept for response agencies and control authorities should be kept up to date.

5. Security at base location

Outcome: staff, vehicles, and other assets are safeguarded while at base location(s).

5.1 Access control and intruder prevention

Sites should have adequate access control and intruder prevention measures in place. These access control measures should include .

A temporary pass or visitor pass and sign-in system should be employed for authorised visitors, who should always be escorted. ‘Tailgating’ should be routinely challenged.

Any lost staff ID or security passes should be reported immediately.

There should be an appropriate procedure in place for dealing with suspicious behaviour, unauthorised access and possible interference. If staff see or hear something that could potentially be related to terrorism, they should .

Appropriate exit procedures should be in place for those leaving the organisation. This includes access control permissions, security passes returned, pin codes reset and IT systems revoked.

Sites should be well maintained and cleaned regularly.

5.2 Vehicle security

Vehicle keys should be stored in a locked cabinet in a secure room. They should never be left or hidden on or in vehicles.

Lost or stolen keys should be reported immediately.

5.3 Personnel and vehicle search/screening protocols

There should be adequate personnel and vehicle search protocols employed and reviewed regularly. These measures should be clearly identified in employee contracts and handbooks.

See for more information.

5.4 IT (mis)use

Personal data should always be handled in a secure way that reduces the risk of unauthorised or unlawful access, and accidental loss or damage, etc.

There should be clear written guidance on employees’ use of IT equipment and the internet at work, referenced in employee contracts and handbooks. This should cover accessing inappropriate or harmful material.

Breaches of IT policy should result in appropriate disciplinary procedures and reporting to relevant authorities where necessary.

IT systems should be fully revoked for staff who have left the company or have been suspended from roles in ongoing disciplinary procedures.

6. Security on the road

Outcome: staff, vehicles and other assets are safeguarded while on the road.

6.1 Vehicle security

All vehicle doors should be locked while in transit and when a vehicle is stationary, whether occupied or not.

Vehicle alarms and/or immobilisers should be activated whenever a vehicle is unattended, including when refuelling and delivering.

Vehicles should always, where possible, be parked in secure areas with lighting, patrols and CCTV coverage, especially at night.

Companies should consider installing devices on vehicles that can alert when doors or cargo are opened.

Drivers should routinely conduct ‘walk around’ checks to identify any signs of tampering, theft, or unauthorised occupants, cargo, locks, seals or documents.

Develop response protocols for drivers to report any suspicious or criminal activity to the organisation and police. If drivers see or hear something that could potentially be related to terrorism, they should .

Theft of or from a vehicle should be reported to the police and the organisation immediately.

No unauthorised passengers or cargo should be permitted in vehicles at any time.

7. Completing the RTSS self-assessment

Once you have read the toolkit, you can complete the RTSS self-assessment to find out if your organisation’s security practices meet the standards. Your responses will also allow the Department for Transport to learn more about current security practices in the commercial vehicle sector.

After you submit the self-assessment, you will receive feedback on areas for improvement to match the security standards. Advice will be provided on changes you could make to improve your organisation’s performance.

Completing a self-assessment will provide clarity on the effectiveness and robustness of an organisation’s counter terrorism and security preparedness. The self-assessment will form the foundations of a comprehensive security action plan.

To complete the self-assessment:

• you must be a security manager or equivalent
• your organisation must be a commercial operator of buses, coaches, vans, cars or freight vehicles.

8. Further security and counter terrorism resources

Should you wish to invest in or replace a piece of security equipment, opting for a product which has been independently tested and meets a recognised security standard is highly recommended. You can on the Secured by Design website.

For advice on low effort and low cost measures that can deter both criminals and terrorists, the National Counter Terrorism Security Office has created a for small and micro businesses.

has been published by ProtectUK, encouraging organisations to understand the risks, event plan and remember to ‘RUN TELL HIDE’.

For information on dealing with people who could be victims of radicalisation, ACT’s website provides guidance and support.

The National Protective Security Authority has . These include full-length videos, video clips, e-learning packages, campaign materials, assessment tools and interactive products.

If you are involved with hiring plant or vehicles, also refer to the Department for Transport’s Rental vehicle security scheme guidance and code of practice.

9. Contact the Road Transport Security Team

Email: roadtransportsecurity@dft.gov.uk if you require further support or have any enquiries.