How to manage Building Information Modelling implementation – Part 2 of 2

In our first article on Building Information Modelling (BIM), we looked at what BIM is and the types of data at risk in building projects. We discussed the threat to digital information and why cyber security needs to be an integral part of construction and refurbishment projects.

In part two, we look at the process itself  – how to manage BIM implementation and why managing the risks to building information doesn’t stop at the end of the build.

A brief recap

BIM is not a single piece of software or model, but a new form of information processing and collaboration for construction projects with data embedded within a model. BIM puts information management and data exchange at the heart of the design process. It’s used on all government construction projects – and has also been widely adopted for most private sector projects too.

So how do you go about implementing your own BIM project?

How to manage BIM implementation

PAS 1192-5 is the standard from the Centre for the Protection of National Infrastructure (CPNI) that provides guidance on BIM security. Specifically, it provides requirements for how to manage BIM implementation and digital built environments. It outlines the cyber-security vulnerabilities to hostile attack when using BIM and provides an assessment process to determine the levels of cyber-security for BIM collaboration which should be applied during all phases of the site and building lifecycle.

It is very important to get the scope of the security assessment right at the outset. Many construction companies use cloud-based services (such as ViewPoint, Aconex, BC Collaborator and others) to establish a Common Data Environment (CDE) where project information can be stored and shared.

An implementation example

Consider an example based on a public organisation outsourcing a building project to a contracting construction company. In this case, the owner of the information is the public organisation and it retains this responsibility throughout the project. The requirement is to understand where the data will be stored, who it will be shared with, how it is transferred and how it is used subsequently.

For the public organisation the biggest concern will be the volume of data (an amount of it very sensitive) to be held in the supplier’s CDE, on the suppliers own IT systems (including mobile devices like laptops and smartphones), transferred over the Internet and held on subcontractor IT systems. Information owners will want the confidence that their information will be protected wherever it is.

PAS1192-5 goes through an asset identification and risk assessment process to develop a Built Assess Security Strategy and a set of risks. Once this has been completed, a Built Asset Security Management Plan (BASMP) is used to map security controls to risks. The output from this is a Built Asset Security Information Requirements document that tells the companies delivering the project what the security requirements are and how these can be built into contracts.

The requirements cover all aspects of security (physical, personnel, procedural and technical) and are not just IT centric. Assurance that the BASMP is in place during the course of the project is provided by the Built Asset Security Manager (BASM). CPNI is currently developing a course on the role of the BASM and its website has some very useful supporting information.

Ensuring risk management beyond the build

Managing the risks to building information doesn’t stop at the end of the build. Part of the value of BIM is using the information gathered during the construction process to make on-going building maintenance more efficient.

Consequently BIM models and metadata will become part of the facilities management structure and other information sets will be passed to building maintainers and managers. This means that the risks of information compromise, corruption or loss must continue to be managed, regardless of who holds the data.

If a secure BIM solution has been implemented this should include agreements in contracts on how long data will be retained by contractors and how it will be securely deleted or removed from information systems when no longer required.

Finally, BIM managers should be aware of the security aspects of the planning and building regulation system where detailed information must be shared with local authorities. The risks here are that sensitive information may be stored in publically available areas unless specific arrangements have been made to either sanitise it or to keep it access controlled.

In conclusion

BIM has been in use for some time and is here to stay for most construction projects. Managers who outsource construction projects must make themselves aware of what information is being exposed as part of the process of sharing essential data with an extensive number of contractors, some of whom may not be fully up to speed on cyber security requirements.

For the construction companies delivering services they should be the intelligent supplier -aware of what the customer’s requirements are likely to be and, in some cases, what they should be. This means that the supplier must ensure that their own company security procedures are in place and fit for purpose and that these are expanded to cover project delivery. Certification to security standards such as ISO27001, IASME and Cyber Essentials are a very useful way of demonstrating a company’s cyber security credentials.

It is Ascentor’s opinion that those companies that can demonstrate they understand the need for BIM security will increasingly find it a discriminator when bidding for work.

How Ascentor can help

Ascentor has experience in developing a strategy for implementing the security aspects of BIM.

We understand the information security concerns around integrating sensitive information in models that have to be shared digitally with multiple users and have developed a pragmatic approach to assessing and managing the risks of BIM in Common Data Environments and down through the supply chain companies.

We can help organisations either as intelligent customers seeking to ensure that their information is secure during such projects or as intelligent suppliers demonstrating that they can manage customer information in a challenging scenario.

For further information

For help with BIM or any element of Information Assurance for your organisation or department, system or project, please get in touch.

Contact Steve Maddison at Ascentor for a no-obligation, confidential discussion:

Telephone: 01452 881633 or 07971559980

Email: [email protected]

Written by


Receive the latest Cyber Security News and Content

Fields marked with an * are required


Ascentor Ltd is committed to protecting and respecting your privacy, and we'll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow Ascentor Ltd to store and process the personal information submitted above to provide you the content requested.

Green Bird - White top right

Contact Us

Your cyber security challenges and our pragmatic approach – we could be the perfect fit.
Contact the team at Ascentor for an informal chat.

Get in Touch