Conduct a Physical Security Assessment in 5 Steps
It’s hard to prevent a threat you don’t know exists. Use this assessment to think proactively and improve the physical security at your facility.
When people think about physical security, they often imagine a simple process. Lock the doors, make sure smoke detectors and alarms are working, and mount cameras around entrances to the building.
Covering the basics is important, but the devil is in the details. The door to the loading dock doesn’t quite latch closed sometimes. There’s a light in the parking lot stairwell that’s been out for two weeks. You haven’t updated evacuation plans and maps after a company reorganization.
None of these issues is an immediate hazard, but they all represent potential security threats that could harm your company’s people and property. As a security professional, mitigating these risks before they materialize is one of your core objectives. But to solve a problem, you need to know it exists in the first place. That’s where a physical security assessment comes in.
In this article, we’ll cover what a physical security risk assessment is and why it’s important, and provide a physical security assessment template so you can better protect your organization.
What Is a Physical Security Assessment?
A physical security assessment is a comprehensive audit of the physical security measures protecting your organization’s facilities, personnel, and assets. The assessment process evaluates your security systems and procedures relative to the threats and risks you face, and recommends ways to improve physical security in the workplace. While security should be an organization-wide focus and cyberthreats are more important to address than ever, those threats are outside the scope of a physical security assessment.
Unlike more limited evaluations—such as testing fire alarms or making sure cameras are working—a physical security audit is a 360-degree review. It covers everything from your building and security systems to plans and procedures to potential threats from your surrounding environment.
Some organizations have the expertise and resources to perform physical security assessments in-house, but many companies turn to security consultants who specialize in them. When possible, it’s best to both leverage your team’s knowledge and engage a specialist—an extra set of eyes can provide fresh perspectives and catch details that might otherwise slip through the cracks.
Why Are Physical Security Risk Assessments Important?
At its core, security should prevent negative outcomes, be they injuries, loss of life, property damage, or theft. A physical security audit reduces the likelihood of these outcomes by identifying potential risks.
However, improved security through risk assessment isn’t merely preventative—it provides benefits in a few other ways too.
Improve business resilience and risk management
Every company will face challenges, whether it’s severe weather, accidents, or acts of malice. An in-depth physical security assessment can identify vulnerabilities in all of these scenarios, along with corrective measures you can take to mitigate the risk. By implementing these safeguards, you can improve your business resilience and give your team the resources they need to deal with problems as they occur.
Foster a positive safety culture
One of the key tenets of a positive safety culture is providing an environment where employees believe you have their security and welfare in mind. By performing physical security assessments, addressing vulnerabilities, and communicating updated procedures, you’re displaying organizational commitment to safety and security.
Maintain regulatory compliance
In some industries, physical security and vulnerability assessments aren’t just a good idea; they’re a requirement. There are a variety of regulations covering physical security—many of them related to companies storing sensitive information—but these are four of the most common:
- International Organization for Standardization (ISO) 27001, which is a comprehensive set of guidelines for information security
- The Health Insurance Portability and Accountability Act (HIPAA), a U.S. law that governs how companies can handle health data
- Payment Card Industry Data Security Standards (PCI-DSS), a security standard for any business that processes credit card transactions
- Occupational Safety and Health Administration (OSHA) Hazard Identification and Assessment, which provides industry-specific guidelines for security and hazard inspections
Five Steps to a Thorough Physical Security Risk Assessment
The details and specifics will vary based on organizational and environmental factors, but the following five areas should be part of any physical security assessment checklist.
1. Inspect your facilities and sites
The first step is to evaluate the spaces and structures you’re securing. The goal is to understand both strengths and weaknesses, keeping in mind that physical security management isn’t just about preventing crime—it’s also about protecting against accidents, natural disasters, and other potential threats.
Here are some of the most common items to consider during a building security assessment:
- Is there appropriate lighting in both internal and external spaces?
- What are the sightlines like around entrances and exits to the facility?
- Have electrical systems and wiring shown any signs of degradation?
- Are there any plumbing issues that could lead to building damage or accident hazards?
- Do all of the doors, windows, gates, and other points of entry close and lock properly?
- Are areas with critical assets physically partitioned from spaces with general access?
- Is safety equipment, like fire extinguishers and smoke detectors, all in good working order?
2. Audit your physical security systems
Next, you need to assess your security systems and how they cover the physical spaces your company has. Target-hardening techniques include:
- Access control systems, whether they’re biometric, card-based, or old-fashioned keys
- Personnel, including supervisors, staff in your security operations center (SOC), and security guards throughout your facility
- Surveillance cameras, monitors, and the storage devices that contain recordings
- Alarm systems and supporting systems that notify local law enforcement in the event of a problem
Since all of these systems work hand-in-hand, the questions you’ll ask will usually involve interactions between systems and/or resources. For example:
- Are there any times of day when security personnel aren’t monitoring the CCTVs covering sensitive areas?
- Are there alarms that should go off if someone bypasses access control systems, and will they notify the right people?
- Does your surveillance camera network have any critical blind spots that would allow unauthorized access?
- Can your SOC seamlessly leverage all of your security systems to both prevent and respond to security issues as they arise?
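The first question above can be answered from the monitoring roster itself. The Python below is an added example, not part of the original article: it takes the shifts assigned to watch each camera zone and reports the times of day when nobody is assigned. The zone names and shift times are constructed sample data.

```python
MINUTES_PER_DAY = 24 * 60

def _to_minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def _fmt(minute):
    return f"{minute // 60:02d}:{minute % 60:02d}"

def monitoring_gaps(shifts):
    """Return (start, end) 'HH:MM' pairs with no one monitoring.

    shifts: list of (start, end) 'HH:MM' pairs. An end at or before the
    start means the shift runs past midnight into the next day.
    """
    intervals = []
    for start, end in shifts:
        s, e = _to_minutes(start), _to_minutes(end)
        if e <= s:                      # overnight shift: split at midnight
            intervals.append((s, MINUTES_PER_DAY))
            if e > 0:
                intervals.append((0, e))
        else:
            intervals.append((s, e))
    gaps, covered_until = [], 0
    for s, e in sorted(intervals):      # sweep the day, tracking coverage
        if s > covered_until:
            gaps.append((covered_until, s))
        covered_until = max(covered_until, e)
    if covered_until < MINUTES_PER_DAY:
        gaps.append((covered_until, MINUTES_PER_DAY))
    # A gap ending at midnight and one starting at midnight are one
    # continuous overnight gap, so report them as a single entry.
    if len(gaps) > 1 and gaps[0][0] == 0 and gaps[-1][1] == MINUTES_PER_DAY:
        gaps = gaps[1:-1] + [(gaps[-1][0], gaps[0][1])]
    return [(_fmt(a), _fmt(b)) for a, b in gaps]

# Constructed sample roster: who is assigned to watch each zone's cameras.
ROSTER = {
    "server room": [("06:00", "14:00"), ("14:00", "22:00"), ("22:00", "06:00")],
    "loading dock": [("07:00", "15:30"), ("16:00", "23:00")],
    "cash office": [("22:00", "05:00"), ("04:30", "12:00"), ("13:00", "21:45")],
}

def gaps_by_zone(roster):
    return {zone: monitoring_gaps(shifts) for zone, shifts in roster.items()}

if __name__ == "__main__":
    for zone, gaps in gaps_by_zone(ROSTER).items():
        print(zone, gaps or "fully covered")
```

Short gaps at shift handovers, like the 30 minutes on the loading dock, are the ones most easily missed when a roster is reviewed by eye.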
3. Review your operating procedures
Even the most robust security systems are useless if your organization’s procedures don’t align with your security goals. For example, a company that manufactures toxic chemicals would establish the security goal of keeping the general public away, for everyone’s safety. But if they leave external doors unsecured and don’t partition off sensitive areas, their procedures wouldn’t reflect that goal.
In this phase of the process, you’ll be assessing the effectiveness of your policies and security plans. While the focus of this exercise is physical security, the rise of converged security means you’ll also be touching on cybersecurity issues.
In this step, you’ll evaluate everything from security policies to emergency plans, such as:
- What kind of overnight/off-hours security presence do you maintain on-site?
- How should employees report suspicious activity or a potential security issue?
- Which essential personnel have elevated access to the facility in the event of an emergency, and how is that controlled?
- Do you have evacuation plans available and emergency exits clearly marked?
- Have you trained all of your employees on using your two-way communication platform?
- Do you have emergency response plans for events like robberies or active shooter situations?
- Are all of your employees aware of your plans and procedures and able to access them easily?
4. Identify physical security risks
Every business faces different risks, based on a combination of both internal and external factors. For example, a bank in the heart of New York City houses extremely valuable assets in a dense, urban environment, with a high volume of people visiting every day.
Conversely, a vacuum repair shop in South Dakota will operate in a slower-paced environment, with fewer visitors and less valuable inventory. That’s not to say the vacuum repair shop necessarily faces fewer risks, but they’re very different from the bank’s.
Specific risk factors will vary based on your company, but these are some core topics all businesses should consider:
- Surroundings: What are the crime rates in your area, and what types of crime are most prevalent?
- Natural disasters: Are you in a region that’s prone to specific disasters or severe weather like earthquakes, hurricanes, or snowstorms?
- Workforce: Does your company have high turnover and thus a repeated influx of new people in positions of responsibility?
- Visitors or customers: Are you in an industry that has a constant stream of unknown entities at your facility?
- Inventory and assets: Do you store or possess high-value items at your facility, and how portable are they? Securing small but valuable items like gold coins is very different from large objects like expensive printing presses or machinery.
5. Assess specific threats and vulnerabilities
Once you have a handle on the risks your company faces, you can assess which threats are the most realistic. The two most important factors to consider are the likelihood of a threat materializing and its potential impact on your business. For example, a meteor striking your office would be devastating, but the event is unlikely enough to more or less ignore.
In the course of assessing threats, you’ll be looking for vulnerabilities and ways to fix them with security measures. For example, a retail establishment in an urban environment would view theft as a key threat. The occasional stolen candy bar won’t put anyone out of business, but losses add up over time. With that in mind, they’d look at retail loss-prevention strategies in the context of their business to minimize theft, such as:
- Having a security guard at the entrance as a visible means of deterrence
- Constantly monitored surveillance cameras
- Keeping valuable merchandise in secured areas of the store
- Training staff on how to deal with shoplifters and whether they should engage them
- Lighting with motion sensors to deter loitering in the evening and overnight
- Rollup doors or external gates to provide an extra layer of security while the business is closed
A Proactive Approach to Improving Physical Security
Security professionals face a constantly evolving threat landscape, and it can feel daunting to try to predict what’s coming next and meet your organization’s security needs. Between weather, worldwide pandemics, bad actors, and the vagaries of life, there is a wide array of factors outside your control.
However, what you do control is your company’s preparedness to meet the unknown. By taking a proactive approach to identifying realistic threats and determining how your physical security shapes up against them, you can anticipate problems before they happen. You might not be able to see every hazard lurking, but you’ll have procedures you can activate with confidence and trained individuals ready to act on known and unknown threats.