Building a UK Industrial SOC: TUPE, SIA Licensing, and the National Living Wage Math

A UK industrial Security Operations Centre is not a control room with screens. It is a regulated payroll problem wrapped around a piece of technology, and the operators who pretend otherwise lose money on every contract they win.

The British market for industrial security sits on three legal and economic facts that most continental security buyers underestimate. The first is the Transfer of Undertakings (Protection of Employment) Regulations, which carries staff and their terms across contract boundaries. The second is the Security Industry Authority licensing regime, which restricts who may stand at a gate, monitor a camera in certain configurations, or respond to an intruder. The third is the National Living Wage, which has climbed faster than industrial security tariffs and is forecast to keep climbing. Anyone building an industrial SOC in the United Kingdom either prices these three facts into the architecture or pays for them later out of margin. The technology choices flow from the labour arithmetic, not the other way round.

The arithmetic that decides architecture

The starting point is the hourly cost of a licensed guard on site, not the unit price of a camera. As of April 2025 the National Living Wage stands at £12.21 per hour for workers aged 21 and over. That is the floor, not the rate. Once employer National Insurance, pension auto-enrolment, holiday accrual, sick pay provision, uniform, training, vetting to BS 7858, and rostering overhead are added, the fully loaded cost of a static guard sits in a band that, depending on region and shift pattern, runs from roughly £17 to £22 per hour. Twenty-four hour cover with relief therefore costs in the region of £160,000 to £190,000 per post per year, before any management margin. A site that runs three posts is spending half a million pounds on physical presence alone, and that figure compounds annually because the National Living Wage trajectory has been firmly upward since 2016 and the Low Pay Commission has been instructed to keep it on a path toward two thirds of median earnings.

Against this baseline, an industrial SOC reframes the cost question. A single licensed operator in a remote monitoring centre, supported by IEC 62443-aligned perimeter sensing, video analytics that meet the spirit of NIST CSF 2.0 detect functions, and a defined response protocol, can hold the situational picture of multiple sites at once. The unit economics shift from cost per post to cost per monitored asset. The arithmetic is not subtle. A SOC operator on £15 per hour fully loaded, watching six sites, costs each site roughly £22,000 per year for round the clock coverage. That is an order of magnitude below the static guard model, and it is the only reason the British industrial SOC exists as a commercial proposition. The technology is the consequence, not the cause. Anyone who designs a UK SOC without first writing this arithmetic on the wall ends up with a control room that loses its tender on the second renewal.

TUPE and the inherited workforce

TUPE 2006, as amended, applies whenever a service contract changes hands and an organised grouping of employees is principally assigned to the activity being transferred. In industrial security this is the default rather than the exception. When a contract for guarding, monitoring, or combined services moves from one provider to another, the staff who delivered it transfer to the incoming operator on their existing terms, with continuity of service and protection against dismissal connected to the transfer. The Employment Rights Act and the case law around service provision changes have closed most of the gaps that operators once exploited.

For a new entrant building an industrial SOC, this has three concrete consequences. First, the workforce inherited from the outgoing provider may not match the technological model the new contract is built around. Operators trained for foot patrols and gatehouse work are now expected to monitor camera estates, interpret analytics alerts, and follow escalation runbooks. Retraining is possible, but it is not free, and the protection against dismissal on transfer-related grounds means that workforce reshaping has to be planned and documented as a separate restructuring exercise, with proper consultation under the Information and Consultation of Employees Regulations where applicable. Second, the inherited terms may include legacy enhancements, shift premia, or local agreements that the incoming operator did not price into the bid. A diligent pre-bid process examines the Employee Liability Information that the outgoing provider is required to supply under Regulation 11, but in practice this information arrives late, incomplete, or both. Third, the SOC build itself, if it changes the nature of the activity sufficiently, can be argued to fall outside the scope of TUPE on the grounds that the activity has fundamentally changed, but this is a high bar in case law and operators who rely on it without legal advice tend to end up in tribunal. The conservative assumption is that TUPE applies, that staff transfer, and that the SOC must be designed around a workforce that arrives with its own history.

The SIA licensing regime in practice

The Security Industry Authority licenses individuals, not companies, although the Approved Contractor Scheme operates at organisational level and matters for procurement. Six front line licence categories cover the activities relevant to industrial security: security guarding, door supervision, close protection, public space surveillance using CCTV, cash and valuables in transit, and vehicle immobilisation. For an industrial SOC, the licences that matter in daily operation are security guarding for any deployed response personnel and public space surveillance CCTV for operators who monitor cameras with the capability to identify individuals in public spaces. The CCTV licence requirement is narrower than it first appears. Monitoring of purely private spaces, or analytic processing without a human operator actively viewing identifiable individuals, sits outside the licensable activity. Most industrial SOCs in the United Kingdom therefore run a mixed model in which a smaller licensed cadre handles the activities that fall inside the regime and a larger technical staff handles analytics tuning, system administration, and integration.

Licence cost is modest at around £190 for three years per individual, but the training and identity verification requirements behind it are not. A candidate must complete the relevant Level 2 qualification, pass identity and right to work checks, and clear a criminal record disclosure. The training takes between thirty and sixty hours depending on category. For an operator scaling a SOC quickly, the binding constraint is rarely the licence fee but the throughput of accredited training providers and the time to onboard staff who arrive without the qualification. The Approved Contractor Scheme adds a further layer for organisations that want to bid for higher tier contracts, particularly in critical national infrastructure where buyers expect ACS status alongside ISO 27001 certification and demonstrable alignment with the NPSA guidance on protective security. None of this is optional in serious procurement. A SOC that cannot show its licensing posture in the first conversation does not reach the second.

How the National Living Wage rewrites the model every April

Every April the floor moves. The National Living Wage has risen from £7.20 in 2016 to £12.21 in 2025, a compound annual increase that has consistently outpaced the broader CPI. The Low Pay Commission's remit instructs it to maintain the rate at two thirds of median hourly earnings, which means the floor will continue to rise as median earnings rise, regardless of inflation. For an industrial security operator on long contracts, this is not a forecast problem. It is a balance sheet problem. Contracts written without indexation clauses that explicitly track the National Living Wage erode in real margin every year. Contracts written with such clauses still erode if the client refuses the indexation review or if the indexation lags the actual wage increase by more than a quarter.

The SOC model absorbs this pressure better than the static guard model because the labour leverage is higher. When the wage floor rises by five percent, the static guard contract takes a near full hit on its largest cost line. The SOC contract takes a partial hit on a smaller cost line, because technology, infrastructure, and management overhead absorb a meaningful share of the cost base and those costs do not move with the wage floor in the same way. Over a five year contract the divergence is significant. An industrial security director who is choosing between in-house guarding, outsourced guarding, and a SOC-led model is, whether they articulate it or not, making a bet on the wage trajectory. The evidence of the past decade suggests that the bet on a SOC-led model has been the right one, and the structural pressure on the labour market, including post-Brexit constraints on the available workforce and the continuing decline of the under-25 share of security recruits, suggests that the bet remains right for the foreseeable horizon.

Building the SOC: governance, standards, and the operating model

A British industrial SOC that takes itself seriously aligns with three reference frameworks at minimum. ISO 27001 covers the information security management system that wraps around the technology stack and the operational processes. NIST CSF 2.0 provides the functional architecture, with the govern, identify, protect, detect, respond, and recover functions mapping cleanly to the operational divisions of a control room. IEC 62443 covers the industrial control system perimeter where the SOC interfaces with operational technology, which in industrial sites is the boundary that most often fails in practice because IT-trained staff treat OT networks as if they were IT networks. To these international standards, a UK operator adds the NPSA guidance for sites within the critical national infrastructure perimeter, the Data Protection Act 2018 and UK GDPR for the personal data that flows through video monitoring, and the Surveillance Camera Code of Practice for CCTV operation in public-facing contexts.

The operating model that holds these together is shift-based, runbook-driven, and audited. Tier one operators handle the bulk of alerts using documented runbooks, with clear escalation triggers to tier two analysts who handle pattern interpretation and incident management, and tier three engineers who handle system changes and post-incident analysis. The TUPE inheritance shapes how this model is staffed. Operators who transfer in from a guarding contract often have the situational awareness and the licensing in place but lack the technical training; they go into tier one with structured upskilling toward tier two. Technical staff recruited fresh handle the higher tiers and the engineering layer. The book BOSWAU + KNAUER. From Building to Security Technology argues that security technology is most credible when its operators come from the practical environment they are protecting, and this principle holds with particular force in the British industrial context, where the inherited workforce is not a liability to be designed around but a resource to be deployed correctly. The SOC that treats its TUPE transferees as a constraint loses them within eighteen months. The SOC that treats them as the institutional memory of the sites they protect keeps them, and keeps the contract.

The procurement reality and the bid arithmetic

UK industrial security procurement runs through frameworks, direct tenders, and increasingly through managed service procurements that bundle physical security, cyber monitoring, and incident response into a single contract. The bid arithmetic that wins these tenders has shifted. Five years ago, the lowest hourly rate for guarding usually won. Today, the bids that win demonstrate a credible reduction in total cost of risk, evidenced by reduced loss rates at comparable sites, integration with the client's existing systems, and a wage trajectory model that the procurement team can defend internally when the next National Living Wage uplift lands. ASIS International publishes useful benchmarking on enterprise security risk management that has slowly worked its way into UK procurement language, and the GDV approach to insurance-linked security investment, while German in origin, increasingly informs the way British underwriters look at industrial sites.

A bid that does not address TUPE explicitly, with a transition plan that names the inherited workforce categories and the retraining pathway, fails the diligence phase regardless of price. A bid that does not name the SIA Approved Contractor status, the ISO 27001 certification scope, and the relevant alignment with NIST CSF 2.0 and IEC 62443 fails the technical evaluation. A bid that does not price the National Living Wage trajectory across the contract term, with explicit indexation language, fails the financial evaluation as soon as the client's procurement team runs the numbers past their own finance function. The British industrial SOC is, in commercial reality, a regulated, indexed, and audited service. The technology is necessary but it is not what closes the contract.

What holds

The economics of running an industrial Security Operations Centre in the United Kingdom rest on three regulatory and economic realities that move independently of the technology stack: TUPE carries the workforce, the SIA licenses the activity, and the National Living Wage moves the floor every April. The SOC model exists because the labour leverage it offers is the only credible answer to a wage trajectory that has risen by roughly seventy percent in a decade and shows no sign of slowing. An operator that builds without pricing all three of these realities into the architecture builds a control room that wins its first contract and loses its second.

The technology that sits inside a credible UK SOC is convergent with international practice. The standards are international, the analytics are international, the cyber posture aligns with NIST CSF 2.0 and ISO 27001, the OT boundary aligns with IEC 62443, and CISA advisories on industrial threats are read in British control rooms as carefully as in American ones. What is distinctly British is the labour and regulatory layer that wraps around the technology. Operators who understand this build profitable SOCs. Operators who do not, build expensive ones.

For directors weighing whether to keep guarding in-house, move to an outsourced SOC, or build their own capability, the conversation worth having is the one that starts with the wage trajectory and the TUPE position before it moves to the camera estate. Path I, a sixty minute confidential conversation, is the appropriate format for that first exchange. It is structured to surface the three or four assumptions that determine whether the existing security model holds for the remainder of the decade, and it is offered without obligation. The technology choices follow. They never lead.

Frequently asked questions

What is TUPE?

TUPE is the Transfer of Undertakings (Protection of Employment) Regulations 2006, the British legal framework that protects employees when the business or service they work for changes hands. In industrial security it applies when a service contract transfers between providers and an organised grouping of staff is principally assigned to that activity. Affected employees move to the new provider on their existing terms, with continuity of service and protection against dismissal connected to the transfer. For an incoming SOC operator, TUPE means the workforce arrives with the contract, complete with its history, premia, and skill profile.

What does SIA license?

The Security Industry Authority licenses individuals to perform specific front line security activities in the United Kingdom. The categories most relevant to industrial security are security guarding for personnel deployed to sites, public space surveillance CCTV for operators monitoring identifiable individuals in public spaces, and door supervision, close protection, cash and valuables in transit, and vehicle immobilisation for related activities. The SIA also operates the Approved Contractor Scheme at organisational level, which matters for procurement particularly in critical national infrastructure. Licences require training, identity verification, and criminal record checks. They are individual, portable, and valid for three years.

How does NLW affect cost?

The National Living Wage sets the legal hourly minimum for workers aged 21 and over. It has risen from £7.20 in 2016 to £12.21 in April 2025 and is on a Low Pay Commission trajectory toward two thirds of median earnings. For industrial security, where labour is the dominant cost line, every annual uplift compresses margin unless contracts include effective indexation clauses. The static guard model absorbs the full impact because labour is roughly eighty percent of the cost base. The SOC-led model absorbs less because technology, infrastructure, and management overhead share a larger portion of the cost structure and do not move with the wage floor.

Who staffs UK SOCs?

UK industrial SOCs typically staff in three tiers. Tier one operators handle routine alerts under documented runbooks; many transfer in under TUPE from preceding guarding contracts and hold SIA licences for guarding or CCTV monitoring. Tier two analysts handle pattern interpretation, incident management, and escalation; they combine security experience with technical training in analytics platforms and incident response. Tier three engineers handle system administration, integration with operational technology, and post-incident analysis; they come from IT and OT backgrounds and align their work with ISO 27001, NIST CSF 2.0, and IEC 62443. Effective SOCs blend the inherited workforce with technical recruits rather than treating one as a constraint on the other.