
In a perfect world where security is unnecessary, risk would never be a concern. However, in reality, all organizations, no matter their size or sector, face some level of risk. The true challenge with this is making choices that cost-effectively manage that risk while still meeting the organization’s strategic and operational objectives. Risk is prevalent in practically all aspects of an organization, and simply through their existence, an organization’s assets can be in danger.
Assets can be exposed to many different hazardous or detrimental events, including those that might be intentional, unintentional, and/or naturally caused. For example, the window in a building owned by an organization is susceptible to shatter by accidental contact, intentional destruction, or even inclement weather, all of which can be challenging to predict. ANSI/ASIS PAP.1-2012 – Security Management Standard: Physical Asset Protection gives organizations the means to protect and manage their assets, which in turn secures their sustainability, profitability, and reputation. It is applicable for any kind of organization, public, private, or nonprofit.
According to ANSI/ASIS PAP.1-2012, an organization’s assets include the “people, property, information, and intangibles that are based in facilities.” It is important to note here that physical asset protection (PAP) includes not only tangible assets, such as people and infrastructure, but also intangible assets, such as brand, reputation, and information.

ANSI/ASIS PAP.1-2012 helps to protect assets by specifying a physical asset protection management system (PAPMS), which incorporates an organization’s security and similar functions into a proactive management system. The PAPMS bears many similarities to the recurring ISO Management System, specifically from the inclusion of top management, integration of employees, technologies, and procedures, and the continuous monitoring of the system.
The integration and interdependency of the different employees and business functions is incredibly important for the PAPMS, since they are all present in a shared risk environment. Because of this, organizations should consider a common basis for risk ownership and accountability, and give employees an accurate perception of each asset’s necessity. In addition, PAP management isn’t always based on predictable threats, so management of uncertainty within a changing environment must always be considered.
Ultimately, the framework for the PAPMS should establish, implement, operate, monitor, review, maintain, and improve physical protection systems (PPS).
ANSI/ASIS PAP.1-2012 also makes use of the “Plan-Do-Check-Act” (PDCA) model, which we have discussed in relation to different standards in the past. For asset protection, this model takes into account the requirements of interested parties, and through needed actions, produces risk management outcomes that meet those expectations. This is illustrated in Figure 1 of the standard:

While it does cover a comprehensive, widely applicable management system, the asset protection system covered in ANSI/ASIS PAP.1-2012 is designed so that it can be well integrated with quality, safety, environmental, information security, supply chain security, organizational resilience, risk, and other management systems standards within an organization.
ANSI/ASIS PAP.1-2012 was written and developed by ASIS International, a standards-developing organization dedicated to increasing the effectiveness and productivity of security professionals. Additional ASIS International standards are available on the ANSI Webstore.
1. ASIS International, ANSI/ASIS PAP.1-2012 – Security Management Standard: Physical Asset Protection (Alexandria: ASIS International, 2012), XV.