When it comes to securing your physical premises, following best practices isn’t just a recommendation—it’s a necessity. Whether you manage a small office or a sprawling industrial complex, ensuring physical security is about more than just cameras and locks. It’s about building a comprehensive security posture that helps you identify and address vulnerabilities before they become risks.

Before we begin, we want to share a story of a recent physical security assessment.

Our goal was to break into a large high security data center. 

For most people, I like to explain why, because it’s not so intuitive why we would do this. 

Our customer had spent millions on badge readers, full-time security staff, high security fencing, security lighting, biometrics, you name it. 

So it’s a fair question to ask, was it working? 

Back to our goal, can a motivated attacker, actually get in?

We started by doing remote recon. Looking at satellite images, pulling up county records for zoning and building permits, and Linkedin and Facebook recon for folks who worked in the building.

By then, we had an okay understanding of the perimeter, some internal floor plan layouts and a list of folks who worked in the building. We also had an idea of the badge system that was used. From the Google Street View, we could see the badge reader style and brand for the secure parking lot. 

We showed up after a week or so of prep. We found the biggest rental vehicle we could get our hands on to fit our team and equipment. Our equipment consisted of laptops, long range wifi antennas, badge cloners and a handful of physical security tools (picks, shims and under the door tools). 

We found a spot to park behind a few trees and just far enough to not be obvious to anyone outside the building that we’re doing surveillance. 

The first day creeped by, but by the end, we had a plan.

We’d send the youngest looking person on the team into the building in the guise of a student, trying to meet with an engineering manager we knew worked at the building. Once inside, the “student” would attempt to plug a device into the network, that would call back to our command and control server. 

Fake resume in hand, our physical assessor walked up to the building, buzzed security and waited. A minute later, the security guard asks what he wanted. 

“Uh, I’m a student. I’m hoping to drop my resume off with John Keats, the engineering manager I met at a job fair last week”

The security guard stood his ground. “Sorry, no walk ins here, you’ll have to go through the web site”

As our “student” walked away from the building in defeat, someone was walking up to the building to show up for work in the morning. 

This new unwitting participant in the exercise, had his badge around his neck.

Bingo.

“Hey! I was hoping I could drop a resume off with you” our student says. As he pulls his back pack off, he keeps it right in front of our victims badge. 

The interaction is short and sweet, and our student speed walks around the block into the waiting car. 

We pulled the badge reader out of the back pack, and sure enough, the backpack held in front of the badge grabbed the badge credentials. Now we had a key. 

Long story short, that badge gave us after hours access to the building, and the physical security kiosk didn’t monitor the side entrance to the building, where our badge works. 

We were in.

This audit checklist is designed to guide you through a thorough review of your site’s security based on leading standards from organizations like ASIS International, ISO, NFPA, and BOMA. Let’s break it down into actionable steps, making sure you can spot weak spots and implement fixes without drowning in paperwork.

1. Perimeter Barriers: Locking Down the Basics

Your perimeter is the first line of defense. It’s easy to overlook, but a quick walk around your facility can reveal vulnerabilities. Are your walls, fences, and gates in good shape? Do they provide full coverage, or are there weak points?

• Check for gaps or damaged sections in your perimeter walls or fences.
• Verify that gates and vehicular barriers are functional and undergo regular inspections.
• Look for unauthorized access points—even a small gap can be exploited.
• Is signage visible? Make sure “Authorized Personnel Only” signs are placed strategically and aren’t faded or obscured.

2. Surveillance & Monitoring: Eyes on the Ground

Surveillance is crucial for early detection of intrusions. Regular inspect properly placed cameras and motion sensors.

• Ensure cameras cover critical areas like entrances, exits, and parking lots.
• Test motion sensors regularly to verify they trigger alarms correctly.
• Verify guards are present and properly trained to respond to incidents.
• Test alarm systems to ensure they're functioning and trigger timely responses.

3. Access Control: Lock It Down

Access control measures, like locks and badge readers, need more than just a one-time installation. They require ongoing care and attention. Is every entrance and exit under proper control?

• Test doors, locks, and badge readers to make sure they’re in good working condition.
• Secure windows and skylights—these often overlooked areas can be easy access points for intruders.
• Visitor management procedures should include sign-ins and escorts in secure areas.
• Entrances/exits, including windows, doors, and loading docks, should be monitored and logged.

4. Lighting: Don’t Let Shadows Hide Your Weaknesses

Proper lighting is more than a deterrent for crime—it also improves overall safety. Walk your fence lines, parking lots, walkways, and loading docks at night. Are they well-lit?

• Ensure all exterior areas are free of shadows and adequately illuminated.
• Don’t forget blind spots—corners and areas that are often ignored can be vulnerable.

5. Fire Detection & Suppression: Safety First

Your fire detection and suppression systems protect lives and property. They need regular inspections and testing.

• Check placement of smoke detectors and test them regularly.
• Ensure fire extinguishers and sprinklers are present, accessible, and properly maintained.

6. Power & Utilities: Keep It Steady

Your power and internet connections should be stable and secure. It’s not just about keeping the lights on—it’s about preventing service interruptions that could impact security systems.

• Inspect your power supply to ensure it’s stable and there are no risks of outages.
• Check the internet connection to make sure it’s secure and stable, especially if your security systems rely on cloud services.

7. Sensitive Areas: Protect What Matters Most

If your business has areas where sensitive data is stored, such as server rooms or document storage, these areas need extra attention.

• Ensure barriers are secure, whether they’re physical walls or digital locks.
• Monitor environmental conditions like temperature and humidity, particularly for tech-heavy spaces.
• Test fire suppression systems regularly, since sensitive areas can be more prone to fire risks.

8. Office Areas: Don’t Overlook the Obvious

It’s easy to focus on the big things and forget that day-to-day security practices matter just as much. Make sure employees are securing desks, offices, and common areas.

• Check that storage areas are secure and regularly checked.
• Ensure offices and desks are locked when not in use.
• Shred bins should be emptied frequently, and sensitive documents shouldn’t be left unattended.

9. Personnel: Security Starts with People

Your security systems are only as strong as the people operating them. Make sure your team is well-trained and knows what to do in case of emergencies.

• Verify that security staff are trained, well-deployed, and understand their roles.
• Ensure all staff have basic security training to recognize and respond to potential threats.

Wrapping It Up: Actionable Next Steps

You don’t have to wait for a breach to happen before you take action. Use this checklist as part of a regular audit routine—quarterly at the least—and take the necessary steps to fix issues as soon as they’re spotted.

By building a habit of reviewing your physical security, you’re not just protecting your assets—you’re safeguarding the trust of your customers, employees, and stakeholders.

Start today. Walk the perimeter. Check your lights. Test your alarms. And keep your facility secure.

‍