Physical Security Assessment: What It Covers | CloseProtectionHire


A physical security assessment identifies gaps in premises protection before an incident occurs. This guide covers methodology, common findings, and what a good report delivers.

1 May 2026

Written by James Whitfield

Physical Security Assessment: What It Covers

A physical security assessment is the structured, evidence-based inspection of a premises or facility against a defined threat level. It produces a prioritised finding register and actionable recommendations. When conducted properly, it identifies vulnerabilities before an incident exploits them. When conducted by someone who knows what they are looking for, it rarely fails to find something significant.

The demand for physical security assessments has increased as organisations have recognised that technology investment alone does not produce secure premises. A building can have extensive CCTV, electronic access control, and manned guarding and still have fundamental vulnerabilities in the way systems are configured, maintained, and used. The assessment process surfaces these gaps systematically.

What a Physical Security Assessment Is Not

It is worth clarifying what a physical security assessment is not, because the terms are sometimes used interchangeably in ways that cause confusion.

A risk assessment is a strategic document that identifies the threat environment, assesses the organisation’s vulnerability to specific threat types, and evaluates the consequences. It is typically desk-based and may cover a programme or organisation rather than a single site.

A physical security assessment (also called a security survey) is an on-site inspection. It takes the threat picture as an input and tests whether the physical measures in place at the specific premises adequately address that threat. It is evidence-based – it relies on direct observation, testing of systems, and documentation review, not assumption.

A penetration test or red team exercise attempts to defeat the physical security measures through simulated attack. This is a useful follow-on to a security survey but is a distinct activity with a different methodology and scope.

Who Commissions Assessments and Why

The most common triggers for commissioning a physical security assessment are:

New premises occupation. A company moving to new office space should commission an assessment before committing to the lease or as a condition of the move. The assessment informs both the fit-out specification and the security operating procedures for the new site.

Post-incident review. After a physical security incident – breach, theft, assault, or near-miss – an independent assessment provides objective analysis of what failed and what changes are required.

Annual review cycle. The professional standard for organisations at moderate or elevated threat levels is an annual independent assessment of all occupied premises. This is specified in ASIS International’s Physical Security Professional (PSP) standards and reflected in the UK Security Institute’s (SyI) guidance on corporate security programme management.

Threat level change. A change in the organisation’s threat profile – a high-profile transaction, a public controversy, receipt of credible threat communications, or a significant change in operating environment – warrants a review of physical security outside the annual cycle.

Major renovation or system change. Building work can create access vulnerabilities. New access control systems may not be configured correctly on installation. A post-implementation review is standard practice.

The Assessment Methodology

A physical security assessment follows a structured sequence. The specific methodology used should be documented in the assessor’s scope of work so the commissioning organisation knows what has been covered.

External site assessment

The assessment starts outside the building perimeter. The assessor evaluates:

Approach and perimeter. How is the site approached by vehicle and on foot? What are the entry and exit points? Is the perimeter clearly defined and maintained? Are there areas where the perimeter can be approached or crossed without passing through a controlled access point?

Standoff distance. The distance between the vehicle perimeter and the building face is critical for blast threat scenarios. CPNI (Centre for the Protection of National Infrastructure) Hostile Vehicle Mitigation (HVM) guidance specifies minimum standoff distances for different threat levels. Most commercial premises – particularly those in urban environments with constrained footprints – have very limited standoff. The assessment should quantify what exists and note the gap against the threat level.

Vehicle access control. How are vehicles permitted onto or adjacent to the premises? Are delivery vehicles vetted or screened? Are there uncontrolled areas where a vehicle could be left or driven close to the building?

Lighting. External lighting has a direct relationship to physical security. Areas of inadequate illumination create cover for approach and surveillance. The assessment should note coverage gaps and conditions at night as well as during daylight.

CCTV coverage. Are all entry points, vehicle access areas, and perimeter approaches covered? Are cameras positioned to capture usable facial images at entrance points? BS EN IEC 62676 (video surveillance systems for use in security applications) sets the relevant standards for image quality by application type.

Internal assessment

Reception and access control. The reception function is the primary human access control layer in most commercial buildings. The assessment examines: how visitors are logged and verified, whether pre-notification is required and enforced, whether visitor badges are issued and collected, and whether reception staff are briefed on challenging unknown individuals who attempt to bypass the process. Tailgating – following an authorised person through a controlled door without independent authorisation – is the most consistently identified vulnerability in access control assessments. It is almost always a behavioural issue, not a technical one.

Electronic access control. Access card or fob systems are evaluated for: zone segmentation (can all cardholders access all areas, or is access appropriately restricted by role and need?), revocation procedures (how quickly are cards for departed employees disabled?), audit trail capability and whether logs are reviewed, and physical condition of readers and door hardware.

Server rooms and comms infrastructure. High-value information assets require physical security proportional to their value. The assessment examines access restriction, environmental controls (fire suppression, temperature), cable management, and whether access logs are maintained and reviewed.

Executive suite and board room. Areas where sensitive discussions take place warrant a TSCM (technical surveillance countermeasures) review in addition to physical access assessment. The physical security assessment should note whether the TSCM function is part of the programme.

Car park and loading areas. Underground and structured car parks are consistently under-secured relative to the risk they represent. The assessment examines access control, lighting, CCTV coverage, and security patrolling. Loading bays and goods-in areas represent an access point that is often managed separately from the main building access control system, frequently to a lower standard.

Stairwells and secondary exits. Stairwells in multi-tenancy buildings are often accessible from multiple tenancies without passing through controlled access points. Secondary and emergency exit doors are sometimes propped open, bypassing access control entirely.

Documentation and procedural review

A physical security assessment is not only an inspection of hardware and technology. It includes review of the procedural framework:

Security operating procedures. What written procedures govern access control, visitor management, key management, alarm response, and out-of-hours security? Are they current and do staff know they exist?

Key management. Physical key management is an underestimated vulnerability in many organisations. The assessment reviews: how keys are issued and tracked, whether keys to sensitive areas require enhanced controls, whether master keys exist and who holds them, and what happens when a key is reported lost.

CCTV maintenance and retention. CCTV systems that are not maintained will fail. The assessment checks when cameras were last serviced, whether recording equipment has been tested, and what the image retention period is. The minimum retention period for security CCTV under BS 8418 is 31 days for detector-activated systems; the assessment should verify compliance.

Alarm system. Intruder detection system coverage, testing frequency, response procedures, and key-holder arrangements.

Common Findings

Based on assessments across a range of commercial premises, the most consistently identified vulnerabilities are:

Tailgating at controlled doors, enabled by the social reluctance of staff to challenge unknown individuals. Physical barriers (airlock vestibules, security turnstiles) address this technically; staff culture and briefing address it behaviourally. Both matter.

Inadequate CCTV coverage due to incremental installation over years rather than designed coverage. The result is patchy, with significant blind spots at key access points.

Stale access card lists: cards for departed employees that remain active because the revocation process is not reliably followed on departure.

Uncontrolled loading and goods-in access: delivery personnel routinely accessing internal areas without logging or escort.

Poor lighting in car parks, external walkways, and perimeter areas.

No documented procedure for security incidents: staff unsure what to do and who to call when something happens.
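The revocation and audit-trail checks described under "Electronic access control", and the stale access card finding above, can be tested by reconciling the access control system's cardholder export against HR leaver records and the door event log. The following is an added example, not code from the original guide; the CSV column names, the sample rows and the one-day revocation tolerance are assumptions constructed for illustration.

```python
import csv, io
from datetime import date, datetime
# Constructed sample exports; column names are assumptions, not a vendor format.
HR = """employee_id,leave_date
E100,
E101,2026-03-31
E102,2026-04-10
E103,2026-02-14
"""
CARDS = """card_id,employee_id,status,disabled_on
C1,E100,active,
C2,E101,active,
C3,E102,disabled,2026-04-17
C4,E103,disabled,2026-02-14
C5,E999,active,
"""
EVENTS = """timestamp,card_id,door,result
2026-04-02T07:58:00,C2,Server Room,granted
2026-04-12T18:20:00,C3,Loading Bay,granted
2026-04-20T09:00:00,C3,Main Entrance,denied
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_cards(hr, cards, events, as_of, max_lag_days=1):  # lag tolerance is an assumption
    leave = {r["employee_id"]: r["leave_date"] for r in rows(hr)}
    findings, departed = [], {}   # departed: card_id -> holder's leave date
    for c in rows(cards):
        cid, emp = c["card_id"], c["employee_id"]
        if emp not in leave:      # card with no matching HR record
            if c["status"] == "active":
                findings.append((cid, "active card with no HR record"))
            continue
        if not leave[emp] or date.fromisoformat(leave[emp]) > as_of:
            continue              # holder is still employed
        left = departed[cid] = date.fromisoformat(leave[emp])
        if c["status"] == "active":
            findings.append((cid, f"active {(as_of - left).days} days after departure"))
        else:
            lag = (date.fromisoformat(c["disabled_on"]) - left).days
            if lag > max_lag_days:
                findings.append((cid, f"revoked {lag} days late"))
    for e in rows(events):        # audit trail: use of a card after its holder left
        left = departed.get(e["card_id"])
        used = datetime.fromisoformat(e["timestamp"]).date()
        if left and used > left and e["result"] == "granted":
            findings.append((e["card_id"], f"granted at {e['door']} after departure"))
    return findings
```

Calling `audit_cards(HR, CARDS, EVENTS, date(2026, 5, 1))` on the sample data returns five findings, each of which maps to a line in the finding register.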

The Report

A physical security assessment report should deliver practical value, not academic volume. The components that matter: an executive summary identifying critical and high-priority findings, a site-by-site findings section with photographic evidence, a risk-graded finding register (critical, high, medium, low), prioritised recommendations with indicative cost bands, and a review date.

Each recommendation should be actionable – the commissioning organisation should be able to read it, assign ownership, and act on it without seeking further clarification.

For the broader corporate security programme context in which physical security assessments sit, see our corporate security programme design guide. For premises where technical surveillance is a concern alongside physical security, see our TSCM guide. For the specific physical security requirements of financial district and CBD locations – including hostile vehicle mitigation standards, commercial tower access control, and counter-surveillance methodology in high-footfall environments – see our security in financial districts and CBDs guide.

Source: ASIS International Physical Security Professional (PSP) Certification standards (2024). CPNI (Centre for the Protection of National Infrastructure) Hostile Vehicle Mitigation (HVM) Guidance 2023. BS EN IEC 62676: Video Surveillance Systems for Use in Security Applications (current edition). BS 8418: Installation and Remote Monitoring of Detector-Activated CCTV Systems (current edition). Security Institute (SyI): Corporate Security Programme Management guidance 2024. BSIA (British Security Industry Association): Code of Practice for CCTV (2024).

For critical national infrastructure sites including water treatment works, electricity sub-stations, and utility facilities – which have specific CPNI physical security standards beyond standard commercial assessments – see our security for water and utilities infrastructure guide. For nuclear sites assessed under NISR 2003 and ONR Security Assessment Principles – where the detection-delay-response model, Category I material protection, and Civil Nuclear Constabulary armed response capability require a physical security assessment framework that goes beyond standard commercial premises criteria – see our security for nuclear energy facilities guide. For chemical plants and HAZMAT sites – where COMAH 2015 compliance, process-safety and physical-security boundary questions, and vehicle access control requirements create a specific assessment framework beyond standard commercial premises criteria – see our security for chemical plants and hazmat sites guide. For TAPA FSR-certified warehouse and distribution facilities – where Freight Security Requirements Class A/B/C define the physical security standard and the assessment is structured against TAPA audit criteria – see our security for cargo theft and freight logistics guide.

Summary

Key takeaways

1. Independence matters

Internal security teams develop familiarity bias. Independent assessment consistently identifies vulnerabilities that in-house review misses. The value is proportional to the assessor's independence and experience.

2. The most common vulnerabilities are procedural, not technical

Access control bypass through tailgating, inadequate visitor management at reception, and undisciplined key management consistently appear as major findings. These are human behaviour problems, not technology problems.

3. Standoff distance is frequently overlooked

Vehicle access control and standoff distances between the perimeter and the building face are critical for blast threat scenarios. Many commercial premises have no meaningful standoff. CPNI HVM guidance provides the relevant standards.

4. CCTV coverage gaps are common

CCTV systems in most commercial buildings were installed incrementally over years. The result is typically patchy coverage with significant blind spots, outdated recording equipment, and inadequate retention periods.

5. The report is only valuable if it drives action

A physical security assessment report that is filed and not acted on provides no security benefit. The commissioning organisation should assign ownership of each recommendation, set deadlines, and review progress. The assessor should be available for clarification.

FAQ

Frequently Asked Questions

A risk assessment identifies threats, vulnerabilities, and consequences at a strategic or programme level. A physical security assessment – also called a security survey – is an on-site, evidence-based inspection of a specific premises or facility. It evaluates the physical measures in place against the identified threat level and produces specific, prioritised recommendations.

For a standard commercial office premises, a thorough assessment typically takes one full day on-site plus report preparation. Larger, more complex facilities – data centres, multi-building campuses, residential estates – require proportionally more time. The report phase typically adds one to two working days.

An independent security consultant with demonstrated experience in physical security, ideally with qualifications such as the ASIS Physical Security Professional (PSP) or membership of the Security Institute (SyI). Internal security teams have inherent blind spots on their own environments – independent review catches what familiarity obscures.

For most commercial premises at moderate threat levels, an annual assessment cycle is the professional standard. Trigger reviews outside the annual cycle are warranted after a security incident, a significant change in threat profile, a move to new premises, a major building renovation, or a material change in occupancy.

An executive summary with critical findings and priority recommendations. A site-by-site findings section with photographic evidence. A risk-graded finding register (critical, high, medium, low). Prioritised recommendations with indicative cost bands. A review date. The best reports are actionable documents, not academic exercises.