BS7858 Explained: The Complete Employer Guide to What the Standard Actually Requires

April 20, 2026

On 7 April 2026, the Fair Work Agency came into existence. Created under the Employment Rights Act 2025, it is a new single enforcement body with the statutory power to inspect employer premises, review documentation and issue civil penalties for failure to comply. Most of the coverage focused on minimum wage enforcement and statutory sick pay. But for every organisation operating under BS7858, the arrival of an enforcement body with inspection powers should prompt one very direct question. If an inspector arrived at your door tomorrow, could you open every screening file and demonstrate, clearly and without hesitation, that every check was completed correctly and every decision was properly recorded?

In nearly 18 years of running a screening and vetting company, I saw that question expose organisations again and again. Not because they had skipped the checks. But because they had no evidence they had done them. BS7858:2019 is unambiguous on this point. The standard does not just require you to carry out the checks. It requires you to document them, retain them and be able to produce them on demand. If you cannot do that, the checks might as well not have happened.

This post covers what BS7858 actually requires, where organisations consistently fall short and what you need to have in place to be confident your process would hold up under scrutiny.

What Most Organisations Get Wrong

The most common thing I saw was organisations treating BS7858 as a checklist rather than a framework. They would run the checks, get the results back and file them somewhere. What they had not done was build a process that was consistent, documented and defensible from start to finish.

The second most common failure was employment history. BS7858:2019 requires you to verify the employment history of every candidate going back five years as a minimum for standard roles, and ten years for higher risk positions. That means every role, every employer contact, every gap accounted for. What I routinely found when training clients was that their process stopped the moment a candidate could not provide contact details for a previous employer. They would make a note, move on and proceed with the hire. That is not a compliant process. The standard requires you to pursue gaps, document your attempts to resolve them and make a recorded, reasoned decision if verification cannot be obtained. An unexplained, unrecorded gap is an audit failure waiting to happen.

The third failure was around contractors and subcontractors. Many organisations applying BS7858 to their directly employed staff had never applied the same standard to the contractors working alongside them on site. The standard covers them too. If they are working in the security environment you are responsible for, they must be screened to the same standard.

And the fourth failure, which sits underneath all of the others, was documentation. I have seen organisations that ran perfectly good checks but had no consistent way of recording what they had done, what they had found or how they had reached their decision. An auditor cannot assess intention. They can only assess what is in the file. If it is not in the file, it did not happen.

What BS7858 Is and Who It Applies To

BS7858 is a British Standard published by the British Standards Institution. The current version is BS7858:2019, which came into force in March 2020 and replaced the 2012 edition. It is formally titled Security Screening of Individuals Employed in a Security Environment: Code of Practice.

The standard applies to any individual employed in a role where they could compromise the integrity of data, information, physical or intellectual assets, or pose a risk to the safety of people. It was originally developed for the security industry but the 2019 update widened its scope considerably. It now applies to any secure environment.

That means security companies, facilities management firms, cash in transit operations, healthcare providers, aviation operators, government contractors and any organisation where employees have unescorted access to sensitive areas or sensitive information. If you are a security company operating under the SIA Approved Contractor Scheme, BS7858 compliance is a contractual requirement. If you are bidding for government or critical national infrastructure contracts, clients will almost certainly require it. If your employees handle sensitive data or have unsupervised access to client premises, it is best practice that is rapidly becoming the expected standard across procurement.

The Checks BS7858 Requires

The standard sets out a specific set of checks that must be carried out for every individual in scope. Let me take you through each one.

Identity verification

This is the foundation of everything. You must confirm that the candidate is who they say they are using primary documents from the approved list: a passport, national identity card or biometric residence permit. You must see the original document, not a copy. Digital identity verification is permissible where it meets the requirements of current guidance, including GPG45 and the Data (Use and Access) Act 2025.

Right to work

Every BS7858 screening must include a right to work check carried out in accordance with Home Office guidance. This is not optional and it is not something you can delegate to a candidate and take their word for. You must check the correct documents or use the Home Office online checking service where applicable, and you must retain evidence that you did.

Employment history

This is where most processes break down. BS7858:2019 requires verification of employment history going back five years as a minimum for standard roles, or to the age of sixteen if that is the shorter period. For roles assessed as higher risk, the requirement extends to ten years. Every employer must be contacted. Gaps of more than one month must be explained and documented. If a previous employer cannot be contacted, you must record your attempts and provide a reasoned, documented rationale for the gap. Self employment and periods of study must also be documented and verified where possible.

Educational and professional qualifications

Any qualifications directly relevant to the role must be verified with the issuing institution. Do not accept certificates at face value. Document fraud involving qualifications has become considerably more sophisticated and AI tools are now being used to generate convincing fakes that would pass a casual inspection.

Financial probity

BS7858:2019 requires a financial background check. This typically means a credit check to establish whether the candidate has any significant financial concerns that could create a vulnerability in a security sensitive role. County court judgements, bankruptcy proceedings and significant debt are all relevant considerations. The check is not about refusing anyone who has ever had financial difficulties. It is about identifying risk and making a recorded, reasoned decision.

Criminal record check

For most roles under BS7858, a basic DBS check covering unspent convictions is the minimum requirement. Where the role involves regulated activity with children or vulnerable adults, a standard or enhanced DBS check will be required. You must record the certificate number, the issue date and the outcome. You must never retain a copy of a DBS certificate beyond the point at which you have made and recorded your decision.

References

At least two references from previous employers covering the five year period. Personal references are not sufficient on their own. Where employer references cannot be obtained, you must document why and what steps you took to resolve the gap.

The Screening File

Every individual screened under BS7858 must have a screening file. That file must contain evidence of every check carried out, every document seen, every contact made and every decision recorded. The standard requires you to retain the screening file for seven years after the individual leaves your employment. For candidates who are not hired, the file must be retained for a minimum of two years.

The file is not just an administrative exercise. It is your protection. It is the thing an auditor will ask to see. It is the thing that demonstrates your process was compliant, your decisions were defensible and your organisation took its responsibilities seriously. Build the file properly and it is an asset. Neglect it and it becomes a liability at exactly the moment you can least afford one.

The Risk Based Approach

BS7858:2019 placed greater emphasis on risk assessment than the 2012 version. You are required to carry out a role risk assessment for each position in scope, identifying why BS7858 applies to that role and what specific checks are required. You cannot apply a uniform process across every role without any documented rationale. A door supervisor on a retail contract has a different risk profile to an IT administrator with access to financial systems. The checks may overlap significantly but the documented rationale for your decisions must reflect the specific risk of the specific role and the specific individual.

Contractors and Subcontractors

If your organisation engages contractors or subcontractors who will work in the same security environment as your directly employed staff, BS7858 applies to them too. You are responsible for ensuring they have been screened to the required standard. In practice this means either running the checks yourself or obtaining written confirmation from the engaging organisation that the checks have been completed and the files are retained and accessible. A verbal assurance is not sufficient. Get it in writing and keep it in your records.

The Consequences of Getting It Wrong

Failing a BS7858 audit does not just produce a report you can put in a drawer. It can cost you a contract. For security companies working under the SIA Approved Contractor Scheme, a failed audit can result in suspension or removal from the scheme. For organisations supplying government or critical national infrastructure clients, a compliance failure can trigger contract termination and disqualification from future procurement.

Because BS7858 includes a right to work check as a core component, a failure in your BS7858 process can also expose you to civil penalties of up to £60,000 per illegal worker if the right to work element of your screening was inadequately carried out. That is a Home Office civil penalty, separate from any contract loss, and it does not require a criminal prosecution to apply.

Beyond contract loss, there is civil liability. If an employee causes harm, defrauds a client or creates a data breach and you cannot demonstrate that your screening process met the required standard, you are exposed to a negligent hiring claim. The courts will ask what steps you took before that person was hired. An incomplete file or a process you cannot explain is not a defence.

With the Fair Work Agency now operational and equipped with inspection powers, the risk of documentation failures being found has increased. Organisations that have been running checks without maintaining compliant files, or that have gaps in employment history they never resolved, are more exposed today than they were a month ago.

Charlotte Is the Solution

The question this post raises is not whether you should comply with BS7858. If the standard applies to your organisation, you do not have a choice on that. The question is whether you have anyone available to help you understand what it actually requires in practice, identify where your current process falls short and tell you exactly what to do about it, immediately, without waiting days for a response or paying consultant rates for a conversation.

That is exactly what Charlotte is built for. She is my AI knowledge twin, built on 18 years of real operational experience across 352 topics covering every aspect of UK employment screening, vetting, compliance and risk. Ask her anything about BS7858 and you will get a clear, practical, expert answer immediately. That is what a Vetting Hub subscription gives you from the moment you subscribe.

On this specific topic, Charlotte can go further than this post. She can help you work through role risk assessments, advise on what to do when a gap in employment history cannot be verified, explain the documentation requirements in detail and help you prepare for an audit. Whatever BS7858 question is in front of you right now, ask her and you will have an answer before you close the browser.

To give you a sense of what Charlotte can do on this topic, here is the question I put to her and the answer she came back with.

Question put to Charlotte: We have a member of staff who started before we fully understood BS7858. Their screening file has a right to work check and a basic DBS but no verified employment history going back five years and no references. We have an audit in three months. What should we do?

Charlotte's answer: This is a situation that comes up regularly and three months is enough time to address it properly if you start now. Contact the employee and ask them to provide details of every employer, period of study and any gap covering the five years before their start date. Contact each previous employer directly to verify dates and job titles. For any employer you cannot reach, document every attempt you made and record the reason for the gap. Obtain at least two employer references covering that period. Once you have done this, complete a formal risk assessment for the role, record your findings and your decision in the screening file, and ensure the file is reviewed and signed off by the appropriate person in your organisation. An incomplete file that shows genuine, documented effort to resolve gaps is in a considerably stronger position than a file with no evidence of any attempt at all.

Charlotte provides expert guidance based on 18 years of real operational experience in UK employment screening and vetting. She does not provide legal advice. For legal matters specific to your organisation, always consult a qualified solicitor.

Your Vetting Hub subscription also includes 18 CPD certified vetting and screening courses and 22 digital compliance toolkits, all built from real operational experience and all available from day one. They are there when you need depth, when you want your team trained and when you need a policy template or audit preparation tool ready to use without starting from scratch.

Everything described above for £79 per person per month. Named user licence. Everything included from day one. Nothing extra to buy.

Related Courses

The following courses are included in your subscription and cover this topic in depth.

  • BS7858 Screening Standard: Audit Ready Compliance
  • Defensible Screening Decisions: How to Assess Risk, Record Judgements and Survive an Audit
  • Employment Screening Essentials: The Complete Professional Guide

Related Toolkits

The following toolkits are ready to download from day one and are included in your subscription.

  • BS7858 Employer and Manager Guidance Toolkit
  • BS7858 Applicant Screening Toolkit
  • BS7858 Employer Quick Reference Guide
  • BS7858 Screening Audit Preparation Toolkit
  • Screening Audit Preparation Checklist

Further Reading

Employment history verification is one of the most frequently failed elements of a BS7858 audit, and getting it right requires more than simply emailing a previous employer. This post covers what a compliant employment history verification process looks like and what to do when the information cannot be obtained through conventional means: https://vettinghub.co.uk/post/employment-history-verification-compliant-process-2026

Understanding which DBS check applies to which role is something many organisations subject to BS7858 get wrong. A basic DBS check is not always sufficient, and knowing when a standard or enhanced check is required matters. This post covers the differences clearly: https://vettinghub.co.uk/post/basic-standard-enhanced-dbs-checks-which-one-do-you-need

Many organisations subject to BS7858 outsource their screening to a third party. If you do, this post explains why outsourcing the work does not transfer the compliance responsibility and what you need in place to remain accountable when an auditor arrives: https://vettinghub.co.uk/post/outsourcing-screening-accountability-employer-responsibility

Frequently Asked Questions

What is BS7858 and who does it apply to?

BS7858 is a British Standard published by the British Standards Institution that sets out the requirements for screening individuals employed in a security environment. It applies to any organisation where employees could compromise the integrity of data, assets or people's safety, including security companies, facilities management firms, healthcare providers, aviation operators and government contractors. The current version is BS7858:2019, which has been in force since March 2020.

Is BS7858 a legal requirement?

BS7858 is not a statutory requirement under legislation, but it is frequently written into contracts, licences and procurement frameworks. For organisations operating under the SIA Approved Contractor Scheme it is a contractual obligation. For government and critical national infrastructure contracts it is commonly a condition of winning and retaining work. Failure to comply can result in contract termination, loss of accreditation and exposure to civil liability for negligent hiring.

How far back does BS7858 employment history verification need to go?

For standard risk roles, the standard requires verification going back five years, or to the age of sixteen, whichever is the shorter period. For higher risk roles, the requirement extends to ten years. Every employer must be contacted, every gap of more than one month must be explained and documented, and the outcome of every verification attempt must be recorded in the screening file.

How long do I need to keep BS7858 screening files?

Screening files for individuals who are hired must be retained for seven years after they leave your employment. Files for candidates who are not hired must be retained for a minimum of two years. The files must contain evidence of every check carried out, every document seen and every decision made. An incomplete or missing file is a compliance failure regardless of whether the checks were actually completed.

Does BS7858 apply to contractors and subcontractors?

Yes. If contractors or subcontractors are working in the same security environment as your directly employed staff, they must be screened to the same standard. You are responsible for ensuring this has been done. In practice this means either carrying out the checks yourself or obtaining written confirmation from the engaging organisation that the checks have been completed and the files are retained.

Start Here

The best way to understand what Charlotte can do on BS7858 and across the full scope of UK employment screening compliance is to ask her a question yourself. No sign up required. The free demo is live now at https://demo.vettinghub.co.uk/charlotte-demo and Charlotte is trained on DBS topics for the demo so you can test the quality of the response directly.

The full Vetting Hub subscription gives you Charlotte across all 352 topics, the 18 CPD certified vetting and screening courses built from real operational experience and the 22 digital compliance toolkits, from day one, for £79 per person per month. Everything your organisation needs to screen and vet people correctly, in one place, available the moment you subscribe.

Graham Johnson is the Founder of Vetting Hub, Empowering Your Business to Get Employment Screening and Vetting Compliance Right Every Time
