How to evaluate your facility the way an attacker would, from the perimeter to your incident response plan
By Christopher Orta, Physical Security Consultant
A physical security assessment is a structured evaluation of how well your facility, systems, policies, and people protect your organization from unauthorized access, theft, sabotage, and violence. This guide explains why assessments matter, walks through how to conduct one step by step, and gives you a complete on-page checklist you can start using today.
A physical security assessment is a systematic review of every layer of protection around your people, property, and information. It examines the physical environment (perimeter, doors, locks, lighting), the technology (access control, cameras, alarms), the procedures (visitor management, key control, incident response), and the human element (staff awareness and daily habits). The output is a documented picture of where you are exposed and a prioritized plan to fix it.
You will also hear the term physical security risk assessment. The distinction is emphasis: a risk assessment weighs each vulnerability against the threats your organization actually faces and the consequences of a successful attack, so you can rank what to fix first. In practice, a competent assessment always includes this risk analysis. A list of problems without priorities is not a plan.
A physical security assessment matters because most organizations do not know where they are vulnerable until someone exploits the gap. Security controls are installed at one point in time, then buildings change, staff turn over, doors get propped open, and cameras stop being watched. The controls on paper and the controls in practice drift apart, and that drift is exactly what an intruder looks for.
Physical and information security are also inseparable. An attacker who can walk into your server room does not need to defeat your firewall, and a stolen laptop or an unlocked records room can trigger the same regulatory and legal consequences as a network breach. Frameworks that organizations already follow, including NIST guidance and ISO 27001, treat physical and environmental security as a required control area for exactly this reason, and ASIS International publishes widely used standards for conducting security risk assessments.
There is also a compliance dimension. Healthcare organizations must safeguard patient records physically as well as digitally, law firms carry confidentiality obligations to clients, and financial services firms face their own regulatory expectations. An assessment produces the documentation that shows you evaluated your risks and acted on them, which matters to regulators, insurers, and courts alike.
Finally, an assessment protects your budget. Without one, security spending tends to follow sales pitches: more cameras, more sensors, more monitoring fees. With one, spending follows evidence. Our real-world penetration testing case studies show how facilities with significant security investments were still breached through simple, unglamorous gaps that an assessment would have flagged.
A defensible assessment follows a repeatable process. Here is the sequence professionals use, adapted so you can apply it to your own facility.
Start by listing your critical assets: people, cash and valuables, controlled substances, client and patient records, server rooms and network closets, intellectual property, and anything whose loss would halt operations. For each asset, note where it lives, who needs access to it, and what the consequence of losing it would be. Every later judgment in the assessment traces back to this list, because a vulnerability only matters in proportion to what it exposes.
Next, define who or what you are defending against. Common threat categories include opportunistic theft, targeted burglary, insider theft, social engineering and impersonation, workplace violence, vandalism, and activist or competitor intrusion. Your industry shapes the list: a medical clinic worries about pharmaceutical theft and patient record exposure, while a law firm worries about confidential case files. Review your own incident history and talk to local law enforcement about crime patterns around your address.
Survey the property the way an intruder would approach it: start at the street, move through the parking areas and grounds, then circle the building envelope before going inside. Note sightlines, lighting, hiding spots, unsecured ladders or dumpsters near the roof line, and every possible entry point including windows, loading docks, and utility doors. Do this at least twice, once during business hours and once after dark, because a facility presents two different faces.
Review each technical control against what it is supposed to accomplish. Do cameras cover the areas that matter, and does anyone actually review the footage? Do badge readers log access, and are those logs ever audited? Does the alarm system cover all entry points, and when was it last tested and updated? Aging systems deserve special attention: older electronic locks, sensors, and alarm panels can carry known weaknesses that modern tools exploit cheaply.
Controls fail through habits more often than hardware. Interview staff and observe daily routines: Are doors propped open for convenience? Do employees hold secure doors for strangers? Is there a visitor process, and is it actually followed? Who has keys and badges, and does anyone reclaim them when people leave? Read your written security policies, then compare them to what you just observed. The gap between the two is a core finding of any honest assessment.
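The two questions above about badge readers (do they log access, and does anyone audit the logs or reclaim badges when people leave) are the kind of check that is easy to automate once someone decides to do it. The following is an added example, not the author's or any vendor's code: it reads a small set of constructed badge-reader events and a constructed roster, and reports badges still working after the holder's departure, after-hours entries to sensitive doors, and repeated denials at one door. The log format, door names, business hours and thresholds are assumptions chosen for illustration.

```python
"""Audit badge-reader logs against the badge roster.

Added example for illustration; the log lines, roster, door names and
business hours below are constructed, not taken from a real system.
"""
import csv
from datetime import datetime, time
from io import StringIO

# Constructed sample export from an access-control system.
BADGE_LOG = """\
timestamp,badge_id,door,result
2024-03-04 08:55:12,B1001,main-lobby,granted
2024-03-04 09:10:03,B1002,server-room,granted
2024-03-04 22:41:50,B1002,server-room,granted
2024-03-05 07:30:00,B1003,records-room,granted
2024-03-05 12:02:11,B1003,records-room,granted
2024-03-05 18:15:44,B1007,server-room,denied
2024-03-05 18:16:02,B1007,server-room,denied
2024-03-05 18:16:20,B1007,server-room,denied
"""

# Constructed roster: badge id -> (holder role, termination date or None).
ROSTER = {
    "B1001": ("front desk", None),
    "B1002": ("sysadmin", None),
    "B1003": ("former clerk", "2024-02-28"),  # left but badge never reclaimed
}
SENSITIVE_DOORS = {"server-room", "records-room"}   # assumption
BUSINESS_HOURS = (time(7, 0), time(19, 0))          # assumption
DENIED_THRESHOLD = 3  # repeated denials at one door worth a look


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def in_business_hours(ts):
    return BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]


def audit_badge_log(text, roster=ROSTER):
    """Return a list of (check, badge_id, detail) findings for the assessment."""
    findings = []
    denied = {}
    for ev in parse_log(text):
        badge, door, ts, result = ev["badge_id"], ev["door"], ev["timestamp"], ev["result"]
        holder = roster.get(badge)

        # Check 1: a badge nobody issued is opening doors (orphaned or cloned credential).
        if holder is None and result == "granted":
            findings.append(("unknown-badge", badge, f"granted at {door} {ts}"))

        # Check 2: a departed holder's badge still works (offboarding gap).
        if holder is not None and holder[1] and result == "granted":
            left = datetime.strptime(holder[1], "%Y-%m-%d").date()
            if ts.date() > left:
                findings.append(("departed-holder", badge, f"{holder[0]} at {door} {ts}"))

        # Check 3: after-hours entry to a sensitive area; someone should be able to explain it.
        if result == "granted" and door in SENSITIVE_DOORS and not in_business_hours(ts):
            findings.append(("after-hours", badge, f"{door} {ts}"))

        # Check 4: tally denials per badge/door for a repeated-attempt signal.
        if result == "denied":
            denied[(badge, door)] = denied.get((badge, door), 0) + 1

    for (badge, door), count in denied.items():
        if count >= DENIED_THRESHOLD:
            findings.append(("repeated-denials", badge, f"{count} denials at {door}"))
    return findings


if __name__ == "__main__":
    for check, badge, detail in audit_badge_log(BADGE_LOG):
        print(f"{check:18} {badge:6} {detail}")
```

Run against the constructed sample, the audit surfaces the former clerk's badge still opening the records room, the sysadmin's late-night server-room entry to be explained, and an unissued badge being refused three times in a minute at the server room. Each of those is a finding to record against the asset it exposes; the point is that the log was already there and nobody was reading it.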
Where it is safe and authorized, verify controls instead of trusting them. Pull on locked doors to confirm the latches engage. Attempt to enter through the lobby without signing in. Have someone unfamiliar walk the halls and see whether anyone challenges them. This is where professional security audits and penetration tests add the most value: trained testers use the same techniques as real intruders, under controlled rules of engagement, to prove which weaknesses are exploitable rather than theoretical.
Document every finding with its location, the asset it exposes, the likelihood of exploitation, and the potential impact. Rank the list so the most severe and most easily exploited issues rise to the top, and pair each finding with a specific corrective action, an owner, and a target date. Fix the cheap, high-impact items immediately: door hardware, lighting, and procedural changes often cost little. Then schedule a follow-up review to confirm the fixes happened and still work.
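The documentation and ranking step above is where a list of problems becomes a plan. As an added example (not the author's template or any standard's scoring scheme), the register below records each finding with the fields the text calls for, scores it as likelihood times impact on constructed 1 to 5 scales, ranks the list, and flags the cheap, high-risk items to fix first. The sample findings, the scales and the quick-win thresholds are all assumptions made for illustration.

```python
"""Assessment findings register with likelihood x impact ranking.

Added example for illustration. The five findings, the 1..5 scales and the
quick-win thresholds are constructed, not taken from a real assessment.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    location: str
    asset: str          # what the gap exposes (ties back to the asset list)
    description: str
    likelihood: int     # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int         # 1 = minor .. 5 = severe (assumed scale)
    fix: str            # specific corrective action
    owner: str
    due: str            # target date, ISO format
    cost_usd: int       # rough cost of the fix

    @property
    def risk(self):
        """Risk score used for ranking: likelihood times impact (1..25)."""
        return self.likelihood * self.impact


QUICK_WIN_MAX_COST = 2000   # assumption: "cheap" means at most this much
QUICK_WIN_MIN_RISK = 12     # assumption: "high impact" means at least this score


def validate(finding):
    """Reject scores outside the scale so a typo cannot distort the ranking."""
    for name in ("likelihood", "impact"):
        value = getattr(finding, name)
        if not 1 <= value <= 5:
            raise ValueError(f"{finding.location}: {name} must be 1..5, got {value}")


def rank_findings(findings):
    """Most severe first; among equal risk scores, the cheaper fix comes first."""
    for f in findings:
        validate(f)
    return sorted(findings, key=lambda f: (-f.risk, f.cost_usd))


def quick_wins(findings):
    """High-risk items that are cheap to fix: do these immediately."""
    return [f for f in rank_findings(findings)
            if f.risk >= QUICK_WIN_MIN_RISK and f.cost_usd <= QUICK_WIN_MAX_COST]


def register_rows(findings):
    """Rows for the written plan: rank, location, asset, score, fix, owner, due date."""
    return [(i + 1, f.location, f.asset, f.risk, f.fix, f.owner, f.due)
            for i, f in enumerate(rank_findings(findings))]


# Constructed sample findings from a walkthrough of a small office.
SAMPLE = [
    Finding("loading dock", "inventory", "door propped open during deliveries",
            5, 3, "door-prop alarm and delivery procedure", "ops manager", "2024-04-15", 400),
    Finding("server room", "client records", "badge logs never audited",
            3, 5, "monthly log review by IT", "IT lead", "2024-04-30", 0),
    Finding("rear lot", "staff", "lighting out near rear entrance",
            4, 2, "replace fixtures", "facilities", "2024-04-10", 900),
    Finding("main lobby", "staff, records", "visitor sign-in not enforced",
            4, 4, "reception training and visitor badges", "office manager", "2024-05-01", 1500),
    Finding("all entries", "everything", "alarm panel past end of support",
            2, 5, "replace alarm panel", "facilities", "2024-09-30", 12000),
]

if __name__ == "__main__":
    for row in register_rows(SAMPLE):
        print(row)
    print("quick wins:", [f.location for f in quick_wins(SAMPLE)])
```

On the sample, the unenforced visitor process ranks first, the unaudited badge logs and the propped dock door tie on score with the free fix listed ahead of the cheap one, and the end-of-support alarm panel ranks below them despite its high impact because the likelihood is low and the cost is high. That ordering is the point of the exercise: the expensive item is still on the plan with an owner and a date, but the three cheap fixes come out as this week's work.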
Work through this checklist area by area. Every item you cannot confidently check off is a finding to record and prioritize. No download is required: the full checklist is right here on this page.
The cost of a physical security assessment is driven by scope rather than a standard price, so the honest answer is: it depends on what you ask the assessor to do. The factors that move the number are consistent across the industry:
Be cautious of free or heavily discounted assessments from companies that sell security hardware, because the findings tend to match the product catalog. An independent assessor has no incentive to inflate the fix list. Ask any provider to put the scope, method, deliverables, and price in writing before work begins, and compare proposals on scope rather than price alone.
Bring in a professional when the stakes exceed what a self-assessment can safely confirm: you hold regulated or high-value assets, you have had an incident or near miss, you are moving or renovating, or your last independent review is more than a year old. The checklist on this page will surface obvious gaps, but familiarity is the enemy of assessment. People who walk past a propped door every day stop seeing it, and an outside expert is paid to see it.
A professional engagement also adds capabilities you cannot replicate internally: structured physical security consulting built on attacker experience, formal security audits with documented findings you can hand to regulators and insurers, and authorized penetration testing that proves which vulnerabilities are actually exploitable. If you are unsure where to start, our team explains what to expect from a consultant in why hire a physical security consultant, and you can request a free security audit qualification to find out whether your facility qualifies for an initial review.
Most single-site assessments take from a few days to a few weeks from kickoff to final report. The timeline depends on the size of the facility, the number of buildings, the depth of testing included, and how quickly staff interviews and document reviews can be scheduled.
The cost of a physical security assessment is driven by scope, not a flat rate. The main factors are facility size, the number of locations, whether hands-on penetration testing and social engineering are included, the compliance requirements of your industry, and the depth of reporting you need. A focused walkthrough of a small office costs far less than a multi-site assessment with covert testing. Ask any provider for a scoped proposal in writing before you commit.
Conduct a physical security assessment at least once a year, and repeat one after any major change: a move or renovation, significant staff turnover, a security incident or near miss, new regulatory requirements, or the installation of new security systems. Security controls degrade over time, so an assessment is a recurring practice rather than a one-time project.
A physical security assessment is a broad, cooperative review of your facility, systems, policies, and people, usually conducted openly with staff awareness. A physical penetration test is an adversarial exercise in which testers actively attempt to defeat your controls, often covertly, to prove which weaknesses are exploitable in practice. The two complement each other: the assessment maps your exposure, and the penetration test validates it.
Yes, you can complete a useful baseline self-assessment using the checklist on this page, and doing so is far better than doing nothing. The limitation is familiarity: people who work in a building every day stop seeing its weaknesses. An independent professional brings an outside perspective, attacker experience, and testing methods that a self-assessment cannot replicate.
Red Cell Solutions conducts physical security assessments, audits, and penetration tests for healthcare, legal, education, and financial organizations. Tell us about your facility and we will scope an assessment that fits it.
Schedule a Consultation