ISO 22341:2021 - Security and Resilience — the Long-Awaited CPTED Standard


The International Organisation for Standardization (ISO) has recently released a new Standard for Crime Prevention Through Environmental Design (CPTED), ISO 22341:2021 - Security and resilience - Protective security - Guidelines for crime prevention through environmental design. The document aims to "(provide) guidelines to organisations for establishing the basic elements, strategies and processes for preventing and reducing crime and the fear of crime at a new or existing built environment".

While self-described as inexhaustive, the document will serve as a useful tool for those developers, architects and project managers who are as of yet unfamiliar with effective CPTED implementation or conversely a consolidated and standardised approach for the CPTED aficionados. While we recommend that anyone involved in development review the information for themselves, we at Lote have gone through the Standard to provide an informal summary of key ideas within, as well as our thoughts on its overall effectiveness as a representative Standard for CPTED more generally.

CPTED and Capable Guardianship

The ISO 22341:2021 standard contains an outline definition for CPTED as well as for another term it employs, Capable Guardianship, which are worth exploring to begin with. The Standard's definition of CPTED has a primary focus on the analysis and assessment of security risks and their management for the reduction of crime - however encouragingly it also focuses on other benefits of proper implementation of CPTED principles such as the promotion of public health, quality of life, and ongoing sustainability. It also discerns between reducing crime and the fear of crime occurring, which shows a degree of nuance which is also good to see. For those unfamiliar with CPTED hopefully this will begin to make apparent the more holistic benefits of CPTED incorporation beyond simply a reduction in crime.

Additionally, the term Capable Guardianship is defined as 'willingness to supervise, detect and take action to prevent or discourage the occurrence of crime'. Touching on this point about Guardianship, or being a custodian of the site where it relates to security - many responsible for building or site ownership believe that the installation of security measures will ensure perfect resilience to security threats. However, the maintenance of the best possible security environment requires close attention and site Guardianship in the manner described, and again it is encouraging to see that the Standard identifies the role of site operators and owners in the security process.

Figure 1. Threats, Vulnerability and Assets/Resources - Crime Security Risk (Source: ISO 22341:2021)

The Standard explores some introductory aspects of CPTED, such as the interaction between Threats, Vulnerabilities and Assets, as is displayed above. This is a useful model that is accessible to beginners and explained such that even those completely unfamiliar with CPTED can grasp the principles without a struggle. It also looks at some basic CPTED considerations such as the 'where', 'what', 'who' and 'how' of crime that can help determine where risks will occur over the lifetime of a project if explored initially, and recommends that organisations base their crime prevention and security strategies on understanding crime opportunities. While these theories are not explored in-depth by any means, again the Standard is successful in providing its reader with a basic understanding of CPTED concepts as intended.

Next, the Standard identifies two sets of CPTED principles: six physical principles and four social principles. The list of physical principles includes three of the most widely utilised principles as they typically exist: 'natural surveillance', 'territorial reinforcement', and 'space / activity management'. It also includes the final principle that usually makes up the 'main four': 'access control'. However, the principle has a strange abnormality, labelled 'natural access control', which refers strictly to the use of spatial definition to enforce access control, rather than the typical definition which is more holistic and focuses largely on physical measures. The exclusion of physical measures and focus on spatial design is justified by the Standard's reference to the developmental history of CPTED, however the exclusion of more holistic access control does a disservice to beginner readers in this instance. It also clashes with other parts of the Standard which encourage regular physical access control measures for organisations. In this instance we would recommend following the NSW Police's Safer by Design understanding of access control as opposed to the Standard's. Finally, this section also includes two less-seen principles, 'activity support' and 'site/target hardening'. While these are important principles to make use of, typically their inclusion is very site-specific and as thus addressed on an as-needs basis rather than as a definite, standard component of reporting - still, their inclusion is beneficial.

At this point, it is also worthwhile noting that the Standard introduces and consolidates the second and third generation CPTED methodologies that go beyond the very narrow first-generation principles that underpin the current CPTED guidelines in NSW that are currently in force through Section 4.15 (formerly Section 79C) of the Environmental Planning and Assessment Act 1997 (EP&A 1979). It is a legal requirement in NSW that any security related activities, including the preparation of CPTED reports, are done under a valid NSW security license. Many planners, project managers and architects are preparing CPTED reports without the requisite license. Similarly, many electrical services providers are carrying out security design without a license. Councils and Government Planning bodies should watch out for such unlicensed activities as it only undermines the value of consideration given to security. The ISO 22341:2021 standard provides a significant incentive and indeed guidance towards a revamp of the current approach to crime risk assessments and security considerations in Development Approvals in NSW.

Continuing with the social principles; the Standard outlines four such principles: 'social cohesion', 'community connectivity', 'community culture' and 'threshold capacity'. These principles broadly refer to the bonds between members and collectives in the community, community partnerships, common visions, shared sense of place, existence of and participation in community events and clubs, and the management of land, time and activities to meet the needs of community members. While it is understandable to focus on physical CPTED principles in the design of new sites or the upgrade of existing ones, it is also necessary to consider community involvement (or community detachment and dissatisfaction) as a possible cause for the increase or reduction in risk at a site, particularly in large or socially impactful developments. It is a welcome inclusion in the Standard that will hopefully encourage management and custodians of sites to integrate more effectively with their surrounding communities.

Following this, the ISO 22341:2021 standard splits the CPTED process up into three categories: Planning, Design and Site and Social Management. It then provides a table similar Table 1:

Table 1. CPTED Strategies and Examples for different development stages

Stage Strategies Examples
Planning Socio-Demographic Character Considering Social Structures of Areas
Design Access Control Entry Barriers, Walls, Fences, Gates
Site & Social Management Maintenance Clean Streets and Alleys, Emptied Garbage

The table in ISO 22341:2021 provides more elaborate Strategies and Examples for each of the three stages and provides a practical look into the CPTED process across them. It is a good resource for understanding how considerations change across these stages.

Finally, the ISO 22341:2021 standard introduces the following diagram as a framework for the CPTED process:

Figure 2. The CPTED process (Source: ISO 22341:2021)

This framework is explored comparatively extensively, and more information is available in the Standard. It flows through five steps, 'Communication and Consultation', 'Scope, Context and Criteria', 'Risk Assessment', 'Risk Treatment', and 'Monitoring, Review, Recording and Reporting'. The incorporation of a risk management framework is critical as part of any CPTED methodology as it seeks to introduce security risks as important ongoing considerations throughout the development project life cycle, ensuring that a risk control plan is in place and is reviewed and updated throughout the operation of the development.

This approach is in stark contrast to what is currently acceptable as a CPTED report in NSW, where a cursory discussion of the four first generation CPTED principles of Surveillance, Access Control, Territorial Reinforcement and Space Management are often sufficient to satisfy the current guidelines. In the ISO 22341:2021 standard, as a component of this flow, the importance of an oversight body to consistently appraise and improve security targets and outcomes is highlighted, which is important. This section also encourages other general CPTED principles such as cost-effective utilisation of security measures, sustainability and resilience in development, ecological approaches, adapting security to each specific site and case, and evidence-based approaches to security implementation - all of which are valuable inclusions to keep in mind. The Standard also includes two Annexes after this section, A and B, which reference other parts of the Standard to provide additional information and guidance.

One further consideration is that the ISO 22341:2021 addresses crime prevention as key components of security and resilience within physical security without addressing crime categories such as terrorism that pose significant risks to infrastructure and crowded places and cybercrime, where crime in cyber space poses significant risks to new developments. While these are addressed in other standards and guidelines, there is perhaps scope within CPTED to evolve to cover a more holistic framework to consider security risks to new developments.


We believe that the new CPTED Standard ISO 22341:2021 will have a positive impact on the construction and planning industry. In NSW, this means a more standardised and comprehensive approach to security risk management and an opportunity to review the aging crime prevention guidelines under Section 4.15 EP&A 1979. The Standard provides valuable introductory information on CPTED to complete beginners and expands upon this by discussing physical and social CPTED principles, as well as providing relevant examples that are simple to follow. The culmination of this in a fairly detailed framework (Figure 2) should generate some appreciation for the complexity of interacting factors that makes ongoing security a difficult goal for any site. Additionally, the inclusion of the term Capable Guardianship' and subsequent reference to site ownership and responsibility throughout the Standard is also encouraging, and makes plain the fact that ongoing security leadership by management is a necessity for security measures to remain effective. Despite the previously mentioned issue of access control' vs natural access control', and an absence of a framework to deal with cyber and terrorism related risks, overall the Standard is a helpful guide, and we look forward to seeing responses from those in the construction and planning industry about it - like yours!