Blend
Compliance Training 21 April 2026

Martyn's Law: What the SIA Actually Checks When They Review You

Martyn's Law compliance isn't about having a policy. It's about producing evidence when the SIA asks. Here's what that evidence actually looks like.

By Tom Payani

When the Security Industry Authority begins assessing Martyn's Law compliance in April 2027, the question they will ask is not "do you have a public protection procedure?" Every venue within scope will have one. A Word document with policy language is easy to produce.

The question that matters is narrower: can you demonstrate that your staff understood the procedure and can apply it under pressure?

That is an evidence question. And it is where most venues' compliance will fail — not because the training didn't happen, but because the evidence of its effectiveness was never captured.

This article explains what the SIA is likely to ask for, why a training completion certificate isn't sufficient, and what evidence looks like when it's strong enough to withstand a regulatory review.


What the SIA Is Actually Looking For

The Security Industry Authority is the regulator for Martyn's Law. Their published approach — consistent with how they enforce other security-related regulations — is risk-proportionate and evidence-based.

In practice, this means the SIA will not arrive at your venue on 3 April 2027 and demand to see every document. They will triage. Venues with public incidents, complaints, or high-profile events will be prioritised for review. Lower-risk venues may not be reviewed at all for years.

But when a review does happen, inspectors will ask for four categories of evidence:

  1. A documented public protection procedure specific to the premises, reviewed within the last 12 months.
  2. Training records for all staff responsible for public safety at the venue — showing who was trained, when, on what, and how their comprehension was verified.
  3. Evidence of practice — tabletop exercises, drills, or simulations showing the procedures have been rehearsed in realistic conditions.
  4. Evidence of review and continuous improvement — notes from staff debriefs, lessons captured after drills or incidents elsewhere, changes to procedures in response.

The first category is usually in place. Every compliance-aware venue has a written procedure. The other three are where evidence gaps appear.


Why Completion Certificates Are Not Evidence

The default training evidence produced by most e-learning platforms is a completion certificate. Learner name, course title, completion date, sometimes a score.

This is evidence of attendance. It is not evidence of comprehension.

Consider what a completion certificate actually proves. A learner logged into a course. They advanced through it. They passed an end-of-module quiz, typically a multiple-choice test that rewards recognition of information rather than application.

None of that answers the SIA's likely question: "if a member of your public-facing staff notices someone photographing your fire exits on a Tuesday afternoon, do they know what to do?"

The gap between knowing and doing is the gap the SIA cares about. A generic awareness video does not close it. A scenario-based exercise that puts the learner inside the decision — what to look for, who to report to, how to phrase the report — is closer to the evidence a regulator would find defensible.

This isn't opinion. It's how regulatory guidance in adjacent compliance domains has evolved. The MoJ's Adequate Procedures guidance for the UK Bribery Act, the FCA's conduct rules for financial services, and the ICO's accountability principle for GDPR all emphasise that training must be proportionate to risk and demonstrably effective — not just delivered.

Martyn's Law guidance is early, but the direction is the same.


What Stronger Evidence Looks Like

There are three layers of evidence that the SIA would find progressively more credible.

Level 1: Attendance records. Who completed what, when. This is what most venues will have. It proves training happened but not that it worked.

Level 2: Comprehension assessment. A pass/fail score from a knowledge test at the end of training. Better than nothing, but multiple-choice tests are notoriously weak at predicting real-world application. A learner who aces the quiz may still freeze in the actual moment.

Level 3: Decision-level evidence. A record of the decisions each learner made during a scenario-based exercise — what they chose, what alternatives they rejected, and the reasoning they applied. This is the evidence that demonstrates applied competence, which is what the SIA's "reasonably practicable" standard is ultimately measuring.

A venue that can produce Level 3 evidence for every member of its public-facing staff has a substantially stronger compliance position than one that can only produce Level 1.

Level 3 evidence also supports the third and fourth SIA categories — practice and continuous improvement — because the decision logs from scenario training naturally surface patterns. If 40 per cent of your staff chose to evacuate when the correct response was invacuation, that is not a staff failure. It is a training signal. You adjust the training, re-run the scenario, and document the improvement.


The Practice and Drill Question

Alongside training records, the SIA will want evidence that procedures have been practised.

For smaller standard-tier venues (200-799 capacity), this does not need to be an elaborate exercise. A 30-minute tabletop review with the evening team, walking through an evacuation scenario and identifying who does what, is credible evidence of practice when documented.

What "documented" means in this context:

  • Who attended — full names and roles
  • When it ran — date and duration
  • What scenario was run — a brief summary (e.g. "suspected hostile reconnaissance observed at the main entrance during a 300-capacity event")
  • What decisions were made — by whom, and whether they aligned with the written procedure
  • What was learned — any gaps identified, any procedural changes proposed

A half-page document for each exercise, filed in the compliance folder, is sufficient. The SIA isn't looking for professional incident-management software. They're looking for a reasonable, consistent process that demonstrates the venue takes the duty seriously.

For enhanced-tier venues (800+ capacity), the practice bar is higher. A full tabletop exercise annually, supplemented by scenario-based learning and live drills where feasible, is closer to the standard. The designated Senior Responsible Person should sign off on the exercise record.


The Continuous Improvement Question

The fourth evidence category is often overlooked. Regulators across every compliance domain look for evidence that the responsible person is actively reviewing and updating their approach.

What this looks like in practice for Martyn's Law:

  • Annual procedure review with a signed and dated record
  • Post-incident reviews for any near-misses or security-related events at the venue, even minor ones
  • External learning — evidence that you have paid attention to post-incident reports from other venues, NaCTSO guidance updates, and SIA communications, and considered whether your procedures need updating
  • Staff feedback loop — evidence that staff are asked about the usability of procedures during drills or after incidents, and that their feedback is recorded and considered

None of this needs to be burdensome. A quarterly 30-minute review with the Responsible Person, a short written note filed, and the annual procedure review done formally. That's the standard a reasonable SIA inspector would find credible.


The Training Record Template

For standard-tier venues, a compliant training record for each member of staff should capture:

Field                     | Example
Learner name              | Jane Smith
Role at venue             | Front-of-house supervisor
Training course completed | Martyn's Law Standard Tier — Scenario Modules 1-5
Completion date           | 14 January 2027
Completion evidence       | Decision-log from 5 scenarios, score 4/5, reviewed by manager
Next refresh due          | 14 January 2028
Refresh reason            | Annual requirement + any procedural changes

For enhanced-tier venues, additional fields are worth capturing:

  • Threat scenarios practised — evacuation, invacuation, lockdown, hostile reconnaissance, suspicious package, communications failure
  • Drill participation — date of last live drill the staff member participated in
  • SRP sign-off — confirmation by the Senior Responsible Person that the staff member's training meets the requirements for their role

This level of record-keeping does not require expensive software. A well-structured spreadsheet, or a modest Learning Management System, is sufficient.

What matters is that the record is current, consistent, and retrievable. A venue that cannot produce training records within an hour of an SIA request has failed the evidence test before the inspector has even read the documents.


Common Gaps to Audit Before 2027

If you're running the evidence test on your own venue today, these are the most frequent gaps:

No record of comprehension assessment. Staff attended training but there is no evidence of whether they understood it or could apply it. Fix: adopt training that generates decision-level evidence, or add a post-training scenario-based exercise and log the outcomes.

No record of practice. Staff were trained but have never walked through the procedure in a simulated scenario. Fix: run a tabletop exercise this quarter and document it.

No review cadence. The procedure was written in 2025 and has not been reviewed since. Fix: book a procedure review now, get it signed and dated, and schedule annual reviews on the compliance calendar.

No evidence of external learning. The Responsible Person is not capturing notes on SIA communications, NaCTSO alerts, or post-incident reviews from similar venues. Fix: start a simple log. A single shared document with dated entries is enough.

Agency and third-party staff training is not documented. Your own staff training records may be complete, but the security contractor staffing your events has no documented training under your records. Fix: require training evidence as a contract term for any third-party staff with public-safety roles at your venue.


The Practical Path Forward

The SIA will not punish a venue that has tried to build proportionate evidence and fallen short in a specific area. They will punish venues that have clearly not tried.

The difference between those two positions is, in practice, about six months of consistent attention. A venue that starts building evidence now — running training that generates decision-level records, documenting a quarterly drill, maintaining a simple review log — will be in a defensible position by April 2027. A venue that starts in January 2027 will be scrambling.

For most venues, the cost-effective path is to treat the compliance-evidence question as an operational discipline rather than a one-off project. Build the records into monthly venue-management routines. File them the same way you file fire-safety records. Review them quarterly. Update them when anything material changes.

Our Martyn's Law scenario training is designed specifically to produce the Level 3 decision-level evidence described above — every learner's decisions are logged during each scenario, exportable for the venue's compliance records. For a broader primer on what Martyn's Law requires, see our earlier article on Martyn's Law training for UK venues.

If you want a structured way to audit where your current evidence stands, the compliance training diagnostic scores your position across six dimensions in five minutes — including the evidence question.

The April 2027 deadline is not a finish line. It is the point from which the SIA starts measuring. What matters is what you can show them when they arrive.
