What Is an ISO Audit? Scope, Evidence & Findings
What Is an ISO Audit? Types, Stages, and How to Prepare An ISO audit is…
ANSI/ASIS PSC.1-2022 is the American National Standard for private security company operations. It provides auditable requirements, built on the Plan-Do-Check-Act model, for third-party certification of private security service providers. ASIS positions the standard around operational quality, risk management, legal obligations, and respect for human rights in complex and high-risk environments.
For buyers, tenders, and compliance teams, the important question is not whether a provider mentions PSC.1. It is whether the provider can prove a current, scoped certification claim through a recognized certification route. ANSI approves American National Standards, but it is not the standards developer, product certifier, tester, or lab.
AGS supports security companies that need PSC.1 audit readiness, certification preparation, scope definition, internal system alignment, and evidence strong enough to survive procurement and due diligence review. AGS conducts independent third-party PSC.1 and ISO 18788 audits and issues certification within defined scopes.
ANSI/ASIS PSC.1-2022 is a management-system standard for private security company operations. It was developed within the ASIS standards framework and approved as an American National Standard through ANSI’s process. The standard is designed to create an auditable operating system for security providers rather than a loose statement of intent or a generic ethics pledge.
It matters because private security work often sits where operational risk, legal exposure, reputational risk, and human-rights risk overlap. PSC.1 addresses that by turning quality, governance, and oversight into something structured, reviewable, and externally assessable.
PSC.1 certification is a third-party confirmation that a private security provider’s management system conforms to ANSI/ASIS PSC.1-2022 within a defined scope. The certification body issues the certificate. ANSI does not. ASIS does not. The provider holds the certificate only for the services, sites, legal entities, and jurisdictions that sit inside the approved scope.
For a serious buyer, certification is not just a badge. It is a formal proof package. It should be tied to the standard version, the issuing body, a defined scope, and live validity dates. That is what makes the claim usable in procurement, onboarding, renewal review, and client due diligence.
Satisfied Clients
Years of Experience
ISO certifications
A credible PSC.1 certification status should be easy to verify. At minimum, a buyer should be able to confirm whether the status is current, which standard edition it applies to, who issued it, and when it expires. If those details are vague, missing, or hard to validate, the claim is weaker than it looks.
For providers preparing for certification, that means the target is not just passing an audit. The target is being able to present a clean certification position that survives external review. AGS helps companies prepare for that level of scrutiny by tightening documented controls, audit evidence, corrective-action discipline, and scope logic before the certification body gets involved.
Scope is where most misunderstandings begin. A PSC.1 certificate does not automatically apply to every service line, every contract, every entity in a group, or every country where a company happens to operate. The scope should define exactly what is covered.
That usually includes:
A wide marketing statement with a narrow certificate creates risk. A properly defined scope reduces that risk because the buyer can see what was actually audited and approved.
In practice, PSC.1 scope often turns on what the provider is actually delivering. That may include static guarding, mobile security, close protection, physical security operations, security risk management, or management oversight of field operations. Locations matter just as much. A company may be certified for named countries, named sites, or a limited operational footprint rather than for every jurisdiction where it has a presence.
That is why scope drafting has to be brutally precise. AGS works with clients to map actual service delivery, legal entities, contract structure, and operational geography into a certifiable scope that can be defended when a buyer asks for proof.
If your current PSC.1 scope would be difficult to explain in a tender room, as it is not ready.
AGS works with private security companies that need their certification to hold up under real scrutiny, including:
We help turn weak or ambiguous scope into something defensible by tightening service definitions, legal entity boundaries, location coverage, and audit evidence before those gaps become procurement objections
.
Send us your current scope, operating countries, and buyer requirements. We’ll show you where it breaks and how to fix it before the next audit or tender review.
PSC.1 matters because it ties security operations to more than delivery quality. ASIS explicitly connects the standard to the Montreux Document and the International Code of Conduct and frames it around risk management, legal obligations, and respect for human rights. That is the heart of why serious clients ask for it.
The standard is built for environments where security operations can create legal and reputational exposure quickly. Procurement teams care because weak governance in this sector is not a paperwork problem. It can become a client liability problem. A provider that can show structured controls over human-rights-sensitive operations, legal compliance, incident handling, and management review is easier to trust than one relying on broad ethical claims alone.
A statement of conformance is a public claim that the provider aligns its system and operations with PSC.1 principles or requirements. It can be useful, but it is not the same thing as a third-party certificate.
The difference is simple. A statement of conformance is issued by the company about itself. Third-party certification is issued by an external certification body after a conformity assessment process. One shows commitment and declared alignment. The other adds external audit, formal scope, validity dates, and independent issuance. PSC.1 itself explicitly includes the concept of a statement of conformance, which is one reason buyers need to separate the two forms of proof instead of treating them as interchangeable.
PSC.1 is the American National Standard in this space. ISO 18788 is its closest international peer. Both are management-system standards for private security operations, and both tie operational quality to law, human rights, and voluntary commitments. They are related, but they are not identical or interchangeable.
For some organizations, PSC.1 is the more relevant route because of client expectations, U.S.-linked procurement, or legacy market language. For others, ISO 18788 may be the stronger fit because it is the international standard. In some procurement ecosystems, both show up in the same due diligence conversation. AGS supports companies that need to understand which route fits the buyer’s requirement before time is wasted on the wrong certification path.
PSC.2 is the adjacent ASIS standard for conformity assessment and auditing of PSC.1 systems. It provides requirements and guidance for audit programs, conformity assessment, and auditor competence in the PSC.1 environment.
That matters because buyers are not only buying a name on a certificate. They are buying confidence in the audit structure behind it. PSC.2 is one of the reasons PSC.1 can operate as a serious third-party certification route rather than just a self-declared framework.
Verification should be direct and boring. That is the standard.
A buyer should ask for:
If the certification claim is linked to the ICoCA ecosystem, the buyer should also check whether the standard is recognized and whether the certification body is accepted in that framework. ICoCA currently recognizes PSC.1, ISO 18788, and ISO 28007 for certification, and it does not accept certification from everybody in the market.
AGS works with private security providers that need more than a policy refresh. The right fit includes companies preparing for PSC.1 certification, tightening a weak scope, responding to client due diligence, aligning operations with legal and human-rights commitments, or preparing for renewal and surveillance activity.
The first conversation usually covers:
Send AGS your service scope, operating countries, and buyer requirements.
We will help you turn that into a cleaner certification path, stronger due diligence proof, and a scope you can defend under pressure.
They are used to structure and audit private security company operations through a management-system approach tied to quality delivery, risk management, legal obligations, and respect for human rights.
Private security service providers that need credible third-party proof of operational governance, especially where clients, governments, or international buyers require due diligence evidence.
No. ASIS professional credentials apply to individuals. PSC.1 is an organizational management system standard for private security operations.
Check the issuing body, current certificate dates, valid-until date, and exact scope, then use the validation route provided by the issuer or accepted framework.
That depends on the buyer’s risk threshold. A conformance statement can show commitment and alignment. Third-party certification gives stronger formal proof because it adds external issuance, scope, and validity controls.
