CleanTender

GUIDE

SIA ACS Accreditation: Do You Need It to Win UK Security Tenders? (2026)

What ACS audits, why councils require it, the application timeline, and what Martyn's Law means for security contractors bidding from 2026.

security · 30 April 2026 · 11 min read · by CleanTender Editorial

ACS (Approved Contractor Scheme) is voluntary under the Private Security Industry Act 2001. In practice, it is the de facto standard on UK public-sector security tenders. Council civic-centre guarding, NHS Trust manned-guarding lots, MoD facilities, and Crown Commercial Service workplace services frameworks specify ACS by name in the SQ. Without it, you are auto-failed at the qualification gate before the quality team reads your bid. With it, you clear the gate and compete on price, method statement, and social value.

From April 2027, Martyn's Law (Terrorism Protection of Premises Act 2025) adds a second layer for any contractor securing venues with capacity above 200 (a "standard tier" duty) or 800+ (an "enhanced tier" duty). ACS membership demonstrates the operational maturity buyers expect to handle Martyn's Law obligations on their behalf.

  • ACS is voluntary in law (Private Security Industry Act 2001) but mandatory in practice on most UK public-sector security tenders.
  • Council, NHS, MoD, and Crown Commercial Service frameworks typically specify ACS by name. Without it, auto-failed at SQ.
  • Application is to one of the SIA-approved Assessing Bodies. Costs roughly £1,500-£3,500 first year (varies by company size). Annual surveillance audits required.
  • Audit covers: financial standing, structures and resources, service delivery, commitment to people, leadership.
  • Martyn's Law (Terrorism Protection of Premises Act 2025) takes effect April 2027. Standard tier: venues 200-799. Enhanced tier: venues 800+.
  • Operatives separately need SIA licences (Door Supervisor, Security Guard, CCTV, Close Protection, etc.) under the same Act.
  • BS 7858 (security screening of personnel) is the additional standard most council and NHS tenders ask for alongside ACS.

The Approved Contractor Scheme is voluntary, however, the Government is committed to encouraging the use of approved contractors throughout the public sector.

Security Industry Authority (SIA)

What's in this guide

  • What ACS actually audits (the 5 assessment areas)
  • Where ACS is required by name on UK public-sector tenders
  • ACS vs SIA Operative Licences (different things)
  • Application timeline and cost
  • BS 7858 personnel vetting (the parallel requirement)
  • Martyn's Law and what changes from April 2027
  • When NOT to apply

What ACS actually audits

ACS is a full compliance audit run by SIA-approved Assessing Bodies (NSI, SSAIB, SafeContractor for Security, BAFE, and others). The audit assesses a security contractor against five areas:

AreaWhat it covers
Financial standing and resourcesTwo years of accounts, cash flow, insurance levels (£10m public liability minimum on most contracts), creditworthiness, business continuity
Structures and resourcesOrganisational chart, role definitions, clear management responsibility, sub-contractor controls, premises and equipment
Service deliveryDocumented service standards, KPI reporting, customer feedback, incident reporting, call-out response times
Commitment to peopleTraining records (Conflict Management, First Aid, Mental Health First Aid), career progression, HR policies, staff retention data
LeadershipBoard-level commitment to ACS, regular management review, continuous improvement programme, performance benchmarking

The five ACS assessment areas under the SIA framework.

The audit produces a score across all five areas. ACS approval requires a minimum total score and minimums in each area. The audit is annual on first achievement, with surveillance audits in subsequent years.

Where ACS is required by name on UK public-sector tenders

Buyer categoryACS required?Notes
Crown Commercial Service (RM6232 Workplace Services and successor frameworks)Yes, by nameMandatory at SQ stage. Without it, no place on the framework.
NHS Shared Business Services (NHS SBS)Yes, on most security lotsCombined with NHS-tailored clinical-environment training for ED and mental health units
Local council civic-centre guardingYes, on most contracts above £100kBelow-threshold contracts may accept SIA licensing alone for individual operatives
MoD and Defence EstatesYes, plus SC or DV clearance for personnelACS is the floor; security clearance for operatives is the gate
Schools and academies (single-site)Sometimes; varies by trust policyMulti-Academy Trust frameworks usually require it; single-site contracts may not
Private-sector RFPs (corporate guarding, retail)Often, especially for FTSE 100 buyersCommon conditional clause: "ACS or equivalent BS-recognised quality scheme"
Below-threshold council security work (under £30k)VariableBuyer's discretion. SIA operative licences usually mandatory; ACS sometimes optional.

Common UK public-sector security tender categories and their ACS requirement pattern.

ACS vs SIA Operative Licences (different things)

Suppliers and buyers sometimes confuse them. They are different requirements addressing different risks.

AspectACS (company)SIA Operative Licence (individual)
Who holds itThe contracting companyEach individual operative
Statutory basisVoluntary scheme under the Private Security Industry Act 2001Mandatory under the Private Security Industry Act 2001 for licensable activities
What it provesOperational maturity, financial standing, training systems, leadershipThe individual operative is fit and proper, has passed background checks, and holds the relevant qualification (Door Supervisor, Security Guard, CCTV, Close Protection, etc.)
Cost£1,500-£3,500 first year + annual surveillance£190 per licence (3-year validity for most categories)
Visibility on tendersListed in the SIA ACS register, asked for by name in most public-sector SQsOperative licence numbers asked for in method statements (named supervisor section), with right-to-work checks

ACS (company-level) vs SIA Operative Licences (individual-level).

On a typical UK council security tender, you need both. The company holds ACS. Each operative on the rota holds the right SIA licence for the activity (Security Guard, Door Supervisor, or CCTV operator). The SQ asks for the company's ACS approval reference. The method statement names the supervisors and confirms 100% of deployed operatives hold current SIA licences.

Application timeline and cost

StageTimelineCost (approx)
Pre-application: gap analysis1-3 months£0-£800 (free if self-led; consultant-led at £600-£1,500)
Application to a SIA-approved Assessing Body (NSI, SSAIB, SafeContractor for Security, BAFE)Day 0£300-£500 application fee
On-site auditBooked 4-8 weeks after application£1,200-£2,500 audit fee
Corrective actions (if any non-conformities)0-3 monthsVariable; depends on findings
Approval and listing on SIA ACS registerTypically 4-6 months after applicationn/a
Annual surveillance auditYear 2 onwards£800-£1,800 per year

Typical UK ACS application timeline and approximate cost in 2026.

Total first-year cost for a typical small or mid-sized security firm: £1,500-£3,500. Annual cost in years 2+: £800-£1,800. Pricier than CHAS, much cheaper than the contracts you can credibly bid once ACS is in place.

BS 7858 (the parallel requirement)

BS 7858 is the British Standard for screening personnel working in environments where the security and safety of people, goods and property is a requirement. Most council and NHS security tenders ask for BS 7858 vetting on every operative deployed to the contract, in addition to the SIA licence and ACS company approval.

What BS 7858 covers: 5-year employment history verification, two character references, identity check, right-to-work confirmation, criminal record check (DBS Standard or Enhanced depending on contract), and confirmation of qualifications. It is more thorough than a standard pre-employment check and produces a documented vetting file that the buyer can audit on demand.

Most ACS contractors run BS 7858 in-house through their HR function. Larger contractors outsource to specialist vetting bureaux. Either is acceptable; what matters to the buyer is the documented audit trail per operative.

Martyn's Law: what changes from April 2027

The Terrorism (Protection of Premises) Act 2025 received Royal Assent in April 2025 and enforcement begins from April 2027. The Act, known as Martyn's Law after Martyn Hett (one of the victims of the 2017 Manchester Arena attack), imposes terrorism-protection duties on premises and events at certain capacities.

TierCapacityWhat it requires
Standard tier200-799 expected attendeesPublic protection procedures: evacuation, invacuation, lockdown, communication. Notification of premises to the regulator.
Enhanced tier800+ expected attendeesStandard tier requirements PLUS: documented public protection plan, proportionate measures (search procedures, monitoring, physical safety), nominated person training.

Martyn's Law tiers and security contractor implications.

What this means for security contractors bidding from 2026: buyers operating Martyn's Law venues will increasingly look for contractors with documented terrorism-protection training, ACT (Action Counters Terrorism) awareness sessions, and evidence of supporting buyers in producing the required public protection plans. Mention Martyn's Law readiness in your method statement on relevant bids. Generic "we follow industry best practice" loses points; named ACT training, named regulator notification support, and named exercise programmes score.

When NOT to apply

  1. Pure event-stewarding work below 200 capacity. ACS is not required and the cost is wasted. Hold individual SIA licences for operatives instead.
  2. Sole-trader operations doing private close protection. ACS audit is built around organisational structure and team size; small one-person operations score poorly on the structures/resources area.
  3. If you're under 12 months trading. Two years of accounts is part of the financial standing area. Substitute evidence (banker's reference, parent guarantee) sometimes accepted, but you are starting from behind.
  4. If your real target market is private-sector property management at owner-occupier scale. ACS is over-engineering for that market and the buyer often does not check.
  5. If you're considering Martyn's Law standard-tier consultancy work only (no manned guarding). The ACS audit is geared to operational guarding; standalone security consultancy may be better served by an ISO 22301 or similar standard.

If you are an established UK security SME considering whether the wider tender platform / paid alerts question is worth the investment, the free vs paid tender platforms guide covers when to upgrade beyond Find a Tender Service alerts. The same volume thresholds apply: above 8 bids a year is when sector-targeted platforms earn back the subscription.

What to do this week

  1. Decide whether you are bidding ACS-required public-sector work in the next 12 months. If yes, start the application now (4-6 month lead time).
  2. Pick a SIA-approved Assessing Body. NSI, SSAIB, SafeContractor for Security, and BAFE are the main four. Get quotes from two and compare audit fees and turnaround.
  3. Build a master ACS evidence pack: 2 years of accounts, insurance schedules, organisational chart, training records by operative, KPI reports from existing contracts. Reuse on the SQ for every bid.
  4. Confirm BS 7858 capacity. If you do not run vetting in-house, identify a bureau partner now. Most UK public-sector tenders require a documented vetting file per deployed operative.
  5. Add Martyn's Law readiness to your method statement template. Even on contracts that don't trigger the duty yet, naming ACT (Action Counters Terrorism) training and exercise programmes scores against the broader social value and quality criteria.

Sources

  1. Security Industry Authority (SIA) · UK regulator for the private security industry; runs ACS and Operative Licensing
  2. Approved Contractor Scheme (ACS), SIA guidance · Voluntary scheme; assessment areas, approved Assessing Bodies, register of approved contractors
  3. Private Security Industry Act 2001 (legislation.gov.uk) · Statutory basis for SIA, ACS, and individual operative licensing
  4. Terrorism (Protection of Premises) Act 2025 (legislation.gov.uk) · Martyn's Law; standard tier (200-799) and enhanced tier (800+) duties; enforcement from April 2027
  5. BS 7858 (BSI) · British Standard for screening personnel in security environments; required by most UK public-sector security tenders
  6. ProtectUK / Action Counters Terrorism (ACT) · UK Counter Terrorism Policing resource; ACT training and Martyn's Law readiness materials
  7. Procurement Act 2023 (legislation.gov.uk) · Live for new procurements from 24 February 2025; underlying framework for security tender procedures

FAQs

Frequently asked questions

Is SIA ACS legally required to win UK public-sector security tenders?
No, ACS is voluntary under the Private Security Industry Act 2001. In practice, however, ACS is the de facto standard on most UK public-sector security tenders. Crown Commercial Service workplace services frameworks specify ACS by name in the SQ. NHS Shared Business Services security lots typically require it. Council civic-centre and large NHS Trust contracts above £100,000 almost always require it. MoD contracts add personnel security clearance on top. Below-threshold council security work (under £30,000) may accept SIA operative licences alone. The honest answer: if you bid public-sector security work above £100k, ACS is mandatory in practice. If you bid only smaller contracts, it is optional but accelerates qualification.
What is the difference between SIA ACS approval and an individual SIA licence?
ACS (Approved Contractor Scheme) is a company-level audit covering financial standing, structures, service delivery, commitment to people, and leadership. The contracting company holds the ACS approval. SIA Operative Licences are individual licences each operative holds for the licensable activity they perform: Door Supervisor, Security Guard, CCTV (Public Space Surveillance), Close Protection, Cash and Valuables in Transit, Vehicle Immobiliser, Key Holding. Both are mandatory in practice on most UK public-sector security tenders. ACS costs the company £1,500-£3,500 first year. SIA Operative Licences cost individuals £190 per licence with 3-year validity for most categories. The SQ asks for the company's ACS reference; the method statement names supervisors and confirms 100% of deployed operatives hold current SIA licences for their role.
How long does ACS application take and how much does it cost?
Total elapsed time is typically 4-6 months from application to approval. Cost in 2026: £300-£500 application fee, £1,200-£2,500 audit fee, plus internal cost of preparing the evidence pack (2 years of accounts, organisational chart, training records, KPI reports). Total first-year cost for a typical small or mid-sized security firm: £1,500-£3,500. Annual surveillance audits in years 2+ run £800-£1,800. The four main SIA-approved Assessing Bodies are NSI (National Security Inspectorate), SSAIB (Security Systems and Alarms Inspection Board), SafeContractor for Security (Alcumus), and BAFE. Get quotes from two before committing; audit fees and turnaround times vary.
What is BS 7858 and how does it relate to ACS?
BS 7858 is the British Standard for screening personnel working in environments where security and safety are a requirement. It covers 5-year employment history verification, two character references, identity check, right-to-work confirmation, criminal record check (DBS Standard or Enhanced depending on contract), and confirmation of qualifications. ACS is a company-level audit; BS 7858 is the personnel vetting standard for individuals deployed to a contract. Most council and NHS security tenders require both. ACS contractors typically run BS 7858 in-house through HR; some outsource to specialist vetting bureaux. The buyer audits the BS 7858 file per deployed operative on demand. Lapsed BS 7858 vetting on any deployed operative is a contract breach trigger on most security contracts.
How does Martyn's Law affect UK security contractors bidding from 2026?
The Terrorism (Protection of Premises) Act 2025 (Martyn's Law) received Royal Assent April 2025 and takes effect from April 2027. Standard tier covers venues with 200-799 expected attendees and requires public protection procedures (evacuation, invacuation, lockdown, communication). Enhanced tier covers venues 800+ and adds documented public protection plans, proportionate measures, nominated person training. For security contractors bidding from 2026, this means buyers operating Martyn's Law venues will increasingly want documented terrorism-protection capability: ACT (Action Counters Terrorism) training records, support for client public protection plan development, and exercise programmes. Mention Martyn's Law readiness in method statements on relevant bids; named training partners and exercise programmes score against quality and social value criteria. Generic "industry best practice" copy loses points.
Browse contractsGet started