Physical Security Assessment: The Complete Guide and Checklist

How to evaluate your facility the way an attacker would, from the perimeter to your incident response plan

By Christopher Orta, Physical Security Consultant

A physical security assessment is a structured evaluation of how well your facility, systems, policies, and people protect your organization from unauthorized access, theft, sabotage, and violence. This guide explains why assessments matter, walks through how to conduct one step by step, and gives you a complete on-page checklist you can start using today.

What Is a Physical Security Assessment?

[Image: Security consultant reviewing physical security assessment findings and site documentation]

A physical security assessment is a systematic review of every layer of protection around your people, property, and information. It examines the physical environment (perimeter, doors, locks, lighting), the technology (access control, cameras, alarms), the procedures (visitor management, key control, incident response), and the human element (staff awareness and daily habits). The output is a documented picture of where you are exposed and a prioritized plan to fix it.

You will also hear the term physical security risk assessment. The distinction is emphasis: a risk assessment weighs each vulnerability against the threats your organization actually faces and the consequences of a successful attack, so you can rank what to fix first. In practice, a competent assessment always includes this risk analysis. A list of problems without priorities is not a plan.

What a physical security assessment covers:

  • Site and perimeter: grounds, fencing, lighting, landscaping, parking, and approach routes
  • Building envelope: doors, windows, roof access, loading docks, and utility entrances
  • Security systems: access control, badge readers, cameras, alarms, and sensors
  • Operations: visitor management, key and credential control, mail handling, and deliveries
  • People: employee awareness, challenge culture, and susceptibility to social engineering
  • Response: incident reporting, emergency planning, and coordination with law enforcement

Why Does a Physical Security Assessment Matter?

A physical security assessment matters because most organizations do not know where they are vulnerable until someone exploits the gap. Security controls are installed at one point in time, then buildings change, staff turn over, doors get propped open, and cameras stop being watched. The controls on paper and the controls in practice drift apart, and that drift is exactly what an intruder looks for.

Physical and information security are also inseparable. An attacker who can walk into your server room does not need to defeat your firewall, and a stolen laptop or an unlocked records room can trigger the same regulatory and legal consequences as a network breach. Frameworks that organizations already follow, including NIST guidance and ISO 27001, treat physical and environmental security as a required control area for exactly this reason, and ASIS International publishes widely used standards for conducting security risk assessments.

There is also a compliance dimension. Healthcare organizations must safeguard patient records physically as well as digitally, law firms carry confidentiality obligations to clients, and financial services firms face their own regulatory expectations. An assessment produces the documentation that shows you evaluated your risks and acted on them, which matters to regulators, insurers, and courts alike.

Finally, an assessment protects your budget. Without one, security spending tends to follow sales pitches: more cameras, more sensors, more monitoring fees. With one, spending follows evidence. Our real-world penetration testing case studies show how facilities with significant security investments were still breached through simple, unglamorous gaps that an assessment would have flagged.

How to Conduct a Physical Security Assessment

A defensible assessment follows a repeatable process. Here is the sequence professionals use, adapted so you can apply it to your own facility.

Step 1: Define What You Are Protecting

Start by listing your critical assets: people, cash and valuables, controlled substances, client and patient records, server rooms and network closets, intellectual property, and anything whose loss would halt operations. For each asset, note where it lives, who needs access to it, and what the consequence of losing it would be. Every later judgment in the assessment traces back to this list, because a vulnerability only matters in proportion to what it exposes.

Step 2: Identify Your Realistic Threats

Next, define who or what you are defending against. Common threat categories include opportunistic theft, targeted burglary, insider theft, social engineering and impersonation, workplace violence, vandalism, and activist or competitor intrusion. Your industry shapes the list: a medical clinic worries about pharmaceutical theft and patient record exposure, while a law firm worries about confidential case files. Review your own incident history and talk to local law enforcement about crime patterns around your address.

Step 3: Walk the Site From the Outside In

Survey the property the way an intruder would approach it: start at the street, move through the parking areas and grounds, then circle the building envelope before going inside. Note sightlines, lighting, hiding spots, unsecured ladders or dumpsters near the roof line, and every possible entry point including windows, loading docks, and utility doors. Do this at least twice, once during business hours and once after dark, because a facility presents two different faces.

Step 4: Evaluate Your Security Systems

Review each technical control against what it is supposed to accomplish. Do cameras cover the areas that matter, and does anyone actually review the footage? Do badge readers log access, and are those logs ever audited? Does the alarm system cover all entry points, and when was it last tested and updated? Aging systems deserve special attention: older electronic locks, sensors, and alarm panels can carry known weaknesses that modern tools exploit cheaply.

Step 5: Review Policies, Procedures, and People

Controls fail through habits more often than hardware. Interview staff and observe daily routines: Are doors propped open for convenience? Do employees hold secure doors for strangers? Is there a visitor process, and is it actually followed? Who has keys and badges, and does anyone reclaim them when people leave? Read your written security policies, then compare them to what you just observed. The gap between the two is a core finding of any honest assessment.

Step 6: Test Your Assumptions

Where it is safe and authorized, verify controls instead of trusting them. Pull on locked doors to confirm the latches engage. Attempt to enter through the lobby without signing in. Have someone unfamiliar walk the halls and see whether anyone challenges them. This is where professional security audits and penetration tests add the most value: trained testers use the same techniques as real intruders, under controlled rules of engagement, to prove which weaknesses are exploitable rather than theoretical.

Step 7: Prioritize Findings and Build a Remediation Plan

Document every finding with its location, the asset it exposes, the likelihood of exploitation, and the potential impact. Rank the list so the most severe and most easily exploited issues rise to the top, and pair each finding with a specific corrective action, an owner, and a target date. Fix the cheap, high-impact items immediately: door hardware, lighting, and procedural changes often cost little. Then schedule a follow-up review to confirm the fixes happened and still work.
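The ranking described in Step 7 is easy to do consistently in a small risk register. The following Python script is an added example, not code from the original article or from Red Cell Solutions; the 1-to-5 likelihood and impact scales, the effort scale, and the five sample findings are all constructed assumptions chosen to match the kinds of gaps the checklist on this page describes. It scores each finding as likelihood times impact, ranks the most severe and cheapest-to-fix items first, pulls out the "cheap, high-impact" quick wins, and flags findings whose target date has passed so the follow-up review has something concrete to check.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed ordinal scales (assumption): any consistent scale works, the ranking is what matters.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
FIX_EFFORT = {"low": 1, "medium": 2, "high": 3}  # rough cost of the corrective action


@dataclass
class Finding:
    location: str
    asset: str              # which asset from Step 1 this gap exposes
    description: str
    likelihood: str
    impact: str
    fix_effort: str
    corrective_action: str
    owner: str = "unassigned"
    target_date: Optional[date] = None

    @property
    def risk_score(self) -> int:
        # Severity of the finding, independent of what it costs to fix
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Most severe first; ties broken by cheapest fix so easy wins surface."""
    return sorted(findings, key=lambda f: (-f.risk_score, FIX_EFFORT[f.fix_effort]))


def quick_wins(findings: List[Finding], min_score: int = 12) -> List[Finding]:
    """High-severity findings with a low-effort fix: do these immediately."""
    return [f for f in prioritize(findings) if f.risk_score >= min_score and f.fix_effort == "low"]


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Findings whose target date has passed; the follow-up review starts here."""
    return [f for f in findings if f.target_date is not None and f.target_date < today]


def render_register(findings: List[Finding]) -> str:
    """Plain-text register, one line per finding in priority order."""
    lines = [f"{'Score':>5}  {'Effort':<6}  {'Location':<14}  {'Asset':<18}  Action / Owner / Due"]
    for f in prioritize(findings):
        due = f.target_date.isoformat() if f.target_date else "TBD"
        lines.append(f"{f.risk_score:>5}  {f.fix_effort:<6}  {f.location:<14}  {f.asset:<18}  "
                     f"{f.corrective_action} / {f.owner} / {due}")
    return "\n".join(lines)


# Constructed sample findings (not from a real engagement)
SAMPLE_FINDINGS = [
    Finding("Loading dock", "Warehouse inventory", "Dock door propped open during shifts",
            "likely", "major", "low", "Fit door closer; brief shift leads", "Facilities", date(2024, 4, 1)),
    Finding("Server room", "Network core", "Room used for general storage; found unlocked",
            "possible", "severe", "low", "Clear storage; enforce locked-at-all-times rule", "IT", date(2024, 4, 1)),
    Finding("Lobby", "Whole facility", "Legacy card format can be cloned with commercial tools",
            "possible", "major", "high", "Migrate to current credential technology", "Security", date(2024, 9, 30)),
    Finding("Control room", "Camera evidence", "Footage recorded but never reviewed",
            "likely", "moderate", "medium", "Assign weekly review; enable alerts", "Security", None),
    Finding("North lot", "Staff vehicles", "Dark gap between two light poles",
            "possible", "minor", "medium", "Add one fixture", "Facilities", date(2024, 5, 15)),
]

if __name__ == "__main__":
    print(render_register(SAMPLE_FINDINGS))
    print("\nQuick wins:", [f.location for f in quick_wins(SAMPLE_FINDINGS)])
    print("Overdue as of 2024-06-01:", [f.location for f in overdue(SAMPLE_FINDINGS, date(2024, 6, 1))])
```

The tie-break on effort is deliberate: two findings with the same score are not equally urgent when one is a door closer and the other is a credential migration. Keep the scales coarse; the value of the register is in the relative order and the named owner and date, not in the precision of the numbers.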

What Should a Physical Security Assessment Checklist Include?

Work through this checklist area by area. Every item you cannot confidently check off is a finding to record and prioritize. No download is required: the full checklist is right here on this page.

Perimeter and Grounds

  • Property boundaries are clearly defined by fencing, walls, or landscaping in good repair
  • Exterior lighting covers parking areas, walkways, and all building entrances without dark gaps
  • Landscaping is trimmed so it does not conceal intruders or block camera sightlines
  • Signage identifies restricted areas and directs visitors to the correct entrance
  • Dumpsters, ladders, and stored equipment cannot be used to reach the roof or upper windows
  • Parking areas are visible from occupied spaces or covered by monitored cameras

Entry Points and Doors

  • Every exterior door closes and latches fully on its own, with no slipping or misalignment
  • No doors are propped open or wedged, and staff know why that matters
  • Door frames, hinges, and strike plates resist prying and forced entry
  • Windows, roof hatches, loading docks, and utility entrances lock and are included in alarm coverage
  • Emergency exits allow egress but do not permit re-entry from outside
  • Secondary and after-hours entrances receive the same scrutiny as the front door

Access Control

[Image: Badge reader and access credential being examined during a physical security assessment]

  • Access is granted by role, with sensitive areas limited to the people who genuinely need entry
  • Badges and keys are inventoried, and credentials are recovered or deactivated the day someone departs
  • Access logs exist and someone reviews them for anomalies on a regular schedule
  • Badge technology is current; legacy card formats can be cloned with inexpensive commercial tools
  • Master keys are strictly limited, logged, and stored securely
  • Server rooms, records storage, and pharmaceutical or cash storage have their own access layer
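Several items in this list (logs reviewed for anomalies, credentials deactivated the day someone departs, access limited by role) can be checked against a badge system's log export rather than taken on trust. The Python below is an added example and is not code from the original article or from Red Cell Solutions; the log lines, the credential roster, the role-to-door table, and the business-hours window are constructed assumptions in a generic CSV shape, since real systems export their own formats. It flags four conditions a reviewer would want to see: a granted entry on a credential that should have been deactivated, a credential not in the roster at all, a granted entry to a door outside the holder's role, and after-hours entry to a sensitive area. It also flags a burst of denials at one door by one badge, which is a prompt to look at the footage rather than a verdict.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export from a badge reader system (not real data)
BADGE_LOG = """timestamp,badge_id,door,result
2024-03-04T08:02:11,B1001,Lobby,granted
2024-03-04T08:05:40,B1002,Lobby,granted
2024-03-04T12:10:09,B1003,ServerRoom,granted
2024-03-04T22:47:03,B1002,ServerRoom,granted
2024-03-05T03:15:22,B1007,RecordsRoom,granted
2024-03-05T09:00:00,B1004,ServerRoom,denied
2024-03-05T09:00:05,B1004,ServerRoom,denied
2024-03-05T09:00:12,B1004,ServerRoom,denied
2024-03-05T09:00:20,B1004,ServerRoom,denied
"""

# Constructed credential roster: badge -> (holder, role, still employed?)
ROSTER = {
    "B1001": ("A. Reyes", "staff", True),
    "B1002": ("D. Chen", "it", True),
    "B1003": ("M. Okafor", "staff", True),
    "B1004": ("S. Patel", "staff", True),
    "B1007": ("J. Novak", "records", False),  # departed; badge never deactivated
}

# Assumed policy: which doors each role may open, which doors are sensitive, and business hours
ROLE_DOORS = {"staff": {"Lobby"}, "it": {"Lobby", "ServerRoom"}, "records": {"Lobby", "RecordsRoom"}}
SENSITIVE_DOORS = {"ServerRoom", "RecordsRoom"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
DENIAL_THRESHOLD, DENIAL_WINDOW = 3, timedelta(minutes=5)


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime, oldest event first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(row["timestamp"]), "badge": row["badge_id"],
                     "door": row["door"], "result": row["result"]})
    return sorted(rows, key=lambda r: r["ts"])


def review_badge_log(text, roster=ROSTER):
    """Return (rule, badge_id, timestamp) for every anomaly found in the export."""
    anomalies = []
    denials = defaultdict(list)  # (badge, door) -> recent denial timestamps
    for e in parse_log(text):
        if e["badge"] not in roster:
            anomalies.append(("credential_not_in_roster", e["badge"], e["ts"]))
            continue
        _holder, role, active = roster[e["badge"]]
        if e["result"] == "granted":
            if not active:
                anomalies.append(("deactivated_credential_used", e["badge"], e["ts"]))
            if e["door"] not in ROLE_DOORS[role]:
                anomalies.append(("access_outside_role", e["badge"], e["ts"]))
            in_hours = BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]
            if e["door"] in SENSITIVE_DOORS and not in_hours:
                anomalies.append(("after_hours_sensitive_access", e["badge"], e["ts"]))
        else:
            key = (e["badge"], e["door"])
            recent = [t for t in denials[key] if e["ts"] - t <= DENIAL_WINDOW] + [e["ts"]]
            denials[key] = recent
            if len(recent) == DENIAL_THRESHOLD:  # report once, when the threshold is crossed
                anomalies.append(("repeated_denials", e["badge"], e["ts"]))
    return anomalies


if __name__ == "__main__":
    for rule, badge, ts in review_badge_log(BADGE_LOG):
        print(f"{ts.isoformat()}  {badge}  {rule}")
```

Run this against a week of exports and the output is a short list to reconcile with HR's departure dates and the access matrix, which is exactly the audit the checklist asks for. The "role" check is where paper and practice usually diverge: the policy says staff cannot open the server room, but the reader was configured years ago and nobody compared the two.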

Cameras and Surveillance

  • Cameras cover all entrances, receiving areas, and paths to critical assets, with no blind corners
  • Recorded footage is retained long enough to support an investigation and is checked for quality
  • Someone is responsible for reviewing footage or responding to camera alerts, not just recording
  • Camera positions are verified after any renovation, furniture change, or landscaping growth
  • Recording equipment itself is physically secured so an intruder cannot remove the evidence

Alarms and Detection

  • Intrusion detection covers every exterior entry point, not just the front and back doors
  • The alarm system has been tested recently, and the test is documented
  • System age is known; older panels and wireless sensors may use outdated frequencies or protocols that modern tools can defeat
  • Alarm response is defined: who is called, in what order, and how quickly
  • Arming and disarming codes are individual, not shared, and are changed when staff leave
  • Duress or panic alarms exist where staff face the public alone, and staff know how to use them

Visitor Management

  • All visitors sign in, show identification, and receive a visible badge that expires
  • Visitors are escorted in non-public areas, and contractors and vendors are verified before entry
  • Staff are trained to challenge or report anyone without a visible badge, regardless of appearance
  • Tailgating through controlled doors is prohibited and the rule is actually enforced
  • Deliveries are received at a defined point, and drivers do not roam the facility

Personnel Practices

  • New hires receive security orientation, and all staff get recurring awareness training
  • Background screening appropriate to the role is performed before granting access
  • Departing employees have access revoked, credentials collected, and codes changed promptly
  • Staff know how to report suspicious behavior and feel safe doing so
  • A clean desk habit keeps credentials, keys, and sensitive papers out of sight
  • Social engineering awareness is trained: impersonation of IT staff, inspectors, and maintenance workers is a standard intrusion technique

Documents and Sensitive Materials

[Image: Server room protected by dedicated access control, a critical checklist area in a physical security assessment]

  • Paper records containing personal, medical, legal, or financial data are stored in locked rooms or cabinets
  • Documents are shredded or destroyed under a defined retention and disposal policy, never just discarded
  • Server rooms and network closets are locked at all times and never used for general storage
  • Laptops, backup media, and portable devices are secured when unattended
  • Printers, copiers, and fax areas are positioned so sensitive output is not left in the open
  • Whiteboards and displays visible from windows or public areas do not reveal sensitive information

Incident Response and Emergency Planning

  • A written plan covers intrusion, theft, workplace violence, fire, and severe weather
  • Every incident and near miss is reported and recorded, and the log is reviewed for patterns
  • Roles are assigned: who calls law enforcement, who directs staff, who communicates afterward
  • Evacuation and lockdown procedures exist and have been practiced, not just written
  • Emergency contact lists are current and accessible without network or power
  • After any incident, findings feed back into this assessment so the same gap is not exploited twice

How Much Does a Physical Security Assessment Cost?

The cost of a physical security assessment is driven by scope rather than a standard price, so the honest answer is: it depends on what you ask the assessor to do. The factors that move the number are consistent across the industry:

  • Facility size and complexity: square footage, number of buildings, and number of entry points
  • Number of locations: multi-site engagements cost more in total but often less per site
  • Depth of testing: a walkthrough and document review costs less than an engagement that includes covert penetration testing and social engineering
  • Compliance requirements: regulated industries such as healthcare, legal, and financial services require deeper documentation
  • Reporting depth: an executive summary versus a full remediation roadmap with prioritized findings

Be cautious of free or heavily discounted assessments from companies that sell security hardware, because the findings tend to match the product catalog. An independent assessor has no incentive to inflate the fix list. Ask any provider to put the scope, method, deliverables, and price in writing before work begins, and compare proposals on scope rather than price alone.

When Should You Bring In a Professional?

Bring in a professional when the stakes exceed what a self-assessment can safely confirm: you hold regulated or high-value assets, you have had an incident or near miss, you are moving or renovating, or your last independent review is more than a year old. The checklist on this page will surface obvious gaps, but familiarity is the enemy of assessment. People who walk past a propped door every day stop seeing it, and an outside expert is paid to see it.

A professional engagement also adds capabilities you cannot replicate internally: structured physical security consulting built on attacker experience, formal security audits with documented findings you can hand to regulators and insurers, and authorized penetration testing that proves which vulnerabilities are actually exploitable. If you are unsure where to start, our team explains what to expect from a consultant in why hire a physical security consultant, and you can request a free security audit qualification to find out whether your facility qualifies for an initial review.

Physical Security Assessment: Frequently Asked Questions

How long does a physical security assessment take?

Most single-site assessments take from a few days to a few weeks from kickoff to final report. The timeline depends on the size of the facility, the number of buildings, the depth of testing included, and how quickly staff interviews and document reviews can be scheduled.

How much does a physical security assessment cost?

The cost of a physical security assessment is driven by scope, not a flat rate. The main factors are facility size, the number of locations, whether hands-on penetration testing and social engineering are included, the compliance requirements of your industry, and the depth of reporting you need. A focused walkthrough of a small office costs far less than a multi-site assessment with covert testing. Ask any provider for a scoped proposal in writing before you commit.

How often should you conduct a physical security assessment?

Conduct a physical security assessment at least once a year, and repeat one after any major change: a move or renovation, significant staff turnover, a security incident or near miss, new regulatory requirements, or the installation of new security systems. Security controls degrade over time, so an assessment is a recurring practice rather than a one-time project.

What is the difference between a physical security assessment and a penetration test?

A physical security assessment is a broad, cooperative review of your facility, systems, policies, and people, usually conducted openly with staff awareness. A physical penetration test is an adversarial exercise in which testers actively attempt to defeat your controls, often covertly, to prove which weaknesses are exploitable in practice. The two complement each other: the assessment maps your exposure, and the penetration test validates it.

Can I do a physical security assessment myself?

Yes, you can complete a useful baseline self-assessment using the checklist on this page, and doing so is far better than doing nothing. The limitation is familiarity: people who work in a building every day stop seeing its weaknesses. An independent professional brings an outside perspective, attacker experience, and testing methods that a self-assessment cannot replicate.

Find Your Gaps Before an Intruder Does

Red Cell Solutions conducts physical security assessments, audits, and penetration tests for healthcare, legal, education, and financial organizations. Tell us about your facility and we will scope an assessment that fits it.

Schedule a Consultation