CONDUCTING A PHYSICAL SECURITY RISK ASSESSMENT FOR BUILDINGS AND OFFICES

Physical security is an essential aspect of protecting an organization's assets, people and information. A physical security audit is a process that aims to identify and evaluate the risks, vulnerabilities and protective measures that exist in a physical environment. The purpose of a physical security audit is to provide recommendations to improve security and reduce risk.

Improving security with physical security audits

A physical security audit can bring several benefits to an organization, such as:

  • Raising awareness of the importance of physical security and of the responsibility of all employees and visitors.
  • Detecting and correcting flaws, deficiencies or inconsistencies in physical security policies, procedures and practices.
  • Preventing or minimizing loss, damage or disruption caused by internal or external threats, such as theft, vandalism, sabotage, fire, flood, terrorism or natural disasters.
  • Complying with standards, regulations and legal requirements applicable to physical security.
  • Improving the organization's trust, reputation and competitiveness in the market.

The importance of physical security audits

Physical security audits are important because they allow you to assess the security level of a building or office in relation to the potential risks it faces. Some of the factors that can influence the level of risk are:

  • The geographic location, type and use of the building or office.
  • The value and criticality of assets, people and information present on site.
  • The frequency and intensity of internal or external threats that may affect the site.
  • The effectiveness and adequacy of existing protective measures, such as fences, gates, doors, windows, locks, alarms, cameras, sensors, lighting, fire extinguishers, smoke detectors, etc.
  • Compliance with the organization's established physical security policies, procedures and practices.

A physical security audit can help identify areas that need improvements or corrections to ensure an adequate level of security. Additionally, a physical security audit can serve as a prevention tool as it can anticipate potential problems or incidents before they occur.

What is involved with a physical security audit?

A physical security audit involves the following steps:

  • Planning: consists of defining the scope, objectives, criteria and methods of the audit. It also involves collecting preliminary information about the location to be audited, such as floor plans, maps, photos, documents, etc.
  • Execution: consists of carrying out a visual and physical inspection of the site, checking the conditions and functioning of existing protection measures. It also involves interviewing those responsible for the physical security of the location, as well as employees and visitors who frequent the location. Furthermore, it involves testing the effectiveness of existing protection measures through simulations or hypothetical scenarios.
  • Report: consists of preparing a document that records the results of the audit, including observations, conclusions and recommendations to improve the physical security of the site. The report must be clear, objective and based on evidence.

External versus internal physical security audits

Physical security audits can be carried out by teams external or internal to the organization. Each has its advantages and disadvantages.

External audits are carried out by independent professionals specialized in physical security, who can offer an impartial and up-to-date view of the site's level of security. External audits can bring greater credibility and trust to the organization, as well as greater compliance with external standards and regulations. However, external audits can also be more costly and more dependent on third parties.

Internal audits are carried out by employees of the organization itself, who may have greater knowledge and involvement with the audited location. Internal audits can bring greater agility and flexibility to the organization, as well as greater integration with other areas and internal processes. However, internal audits may also have a lower degree of independence and objectivity, as well as less adherence to external standards and regulations.

Creating a physical security audit checklist

A physical security audit checklist is an instrument that assists in carrying out the audit, as it contains a series of questions or items that must be checked during the site inspection. A physical security audit checklist should be tailored to the specific characteristics and needs of the audited location, but may follow a general template that covers the following aspects:

  • Perimeter: refers to the external area that delimits the audited location, including fences, gates, walls, etc. The checklist should check whether the perimeter is well defined, signposted, lit and monitored, as well as whether there are controlled and restricted access points.
  • Entrances and exits: refers to doors, windows, stairs, elevators, etc. that allow access to the interior of the audited location. The checklist should verify that entrances and exits are well identified, locked, alarmed and guarded, as well as that there are access control and identification systems for employees and visitors.
  • Internal areas: refers to the internal spaces of the audited location, including corridors, rooms, offices, closets, storage rooms, etc. The checklist should verify that internal areas are well organized, clean and ventilated, as well as that there is adequate signage and guidance for emergencies.
  • Assets: refers to material assets, people and information present at the audited location. The checklist should verify that assets are well inventoried, classified and protected, as well as that there are procedures for proper handling, transportation and disposal.
  • Protection measures: refers to equipment and devices that aim to prevent or detect threats to the audited location, such as alarms, cameras, sensors, fire extinguishers, smoke detectors, etc. The checklist should verify that protective measures are well installed, functioning and periodically tested.
  • Policies and procedures: refers to the standards and rules that govern the physical security of the audited location. The checklist should verify that policies and procedures are well defined, documented and publicized, as well as that there is training and awareness for everyone involved.

Internal physical security audit

An internal physical security audit is carried out by employees of the organization itself who are responsible for the physical security of the audited location or who have knowledge on the subject. An internal physical security audit may follow the following steps:

  • Form a team of internal auditors: consists of selecting the employees who will carry out the internal physical security audit. The team must be composed of people who are qualified, experienced and impartial with respect to the audited location.
  • Define the scope of the audit: consists of determining which areas or aspects of the site will be audited. The scope of the audit must be based on a prior analysis of the risks existing on site.
  • Prepare an audit plan: consists of establishing the objectives, criteria and methods of the audit. The audit plan should include a schedule of activities, stages and responsibilities of the internal auditors.
  • Communicate the audit: consists of informing those responsible for the audited location about the internal physical security audit. Audit communication should include the scope, plan and date of the audit, as well as a request for collaboration and for access to the necessary documents and facilities.
  • Perform the audit: consists of carrying out a visual and physical inspection of the site, following the physical security audit checklist. The audit must be carried out in a systematic, objective and professional manner, recording the evidence and observations found.
  • Prepare the audit report: consists of preparing a document that presents the results of the internal physical security audit. The audit report must contain observations, conclusions and recommendations to improve the physical security of the site, as well as indicate deadlines and those responsible for corrective actions.
  • Share the audit report: consists of sending the internal physical security audit report to those responsible for the audited location, as well as to others interested in or affected by the physical security of the location. Sharing the audit report must be done in a transparent, respectful and constructive manner, seeking commitment and support for the implementation of the suggested improvements.
  • Monitor corrective actions: consists of monitoring and verifying whether the corrective actions proposed in the internal physical security audit report were implemented effectively and within the established deadlines. Monitoring of corrective actions must be carried out continuously, until the desired level of security is achieved.

Internal cybersecurity audit

An internal cybersecurity audit is carried out by employees of the organization itself who are responsible for the cybersecurity of the audited location or who have knowledge on the subject. An internal cybersecurity audit can follow the same steps as an internal physical security audit, but with some differences:

  • The scope of the audit must include the systems, networks, devices, applications and data that are related to the audited location.
  • The cybersecurity audit checklist should verify that there are adequate protection measures in place to prevent or detect cyber attacks, such as firewalls, antivirus, encryption, backup, authentication, etc.
  • The execution of the audit must include penetration or vulnerability tests to assess the resistance of systems and networks against possible intrusions or infections.
  • The audit report should include observations, conclusions and recommendations to improve the site's cybersecurity, as well as indicate the risks and potential consequences of a cyber incident.

Physical Security Checklist

The following is an example of a physical security checklist that can be used to perform an internal or external physical security audit of a building or office. The checklist is divided into five categories: perimeter, entrances and exits, internal areas, assets and protection measures. Each category contains a series of questions or items that should be checked during the site inspection. Possible answers are: yes (Y), no (N) or not applicable (NA). Observations must be recorded in case of a negative or not applicable response.

Category             | Question/Item                                                                      | Response | Observation
---------------------+------------------------------------------------------------------------------------+----------+------------
Perimeter            | Is the perimeter well defined?                                                     | Y/N/NA   |
Perimeter            | Is the perimeter well signposted?                                                  | Y/N/NA   |
Perimeter            | Is the perimeter well lit?                                                         | Y/N/NA   |
Perimeter            | Is the perimeter well monitored?                                                   | Y/N/NA   |
Perimeter            | Are there controlled and restricted access points?                                 | Y/N/NA   |
Entrances and exits  | Are the entrances and exits well identified?                                       | Y/N/NA   |
Entrances and exits  | Are the entrances and exits locked?                                                | Y/N/NA   |
Entrances and exits  | Are the entrances and exits alarmed?                                               | Y/N/NA   |
Entrances and exits  | Are the entrances and exits monitored?                                             | Y/N/NA   |
Entrances and exits  | Are there access control and identification systems for employees and visitors?   | Y/N/NA   |
Internal areas       | Are the internal areas well organized?                                             | Y/N/NA   |
Internal areas       | Are the internal areas clean?                                                      | Y/N/NA   |
Internal areas       | Are the internal areas ventilated?                                                 | Y/N/NA   |
Internal areas       | Is there adequate signage and guidance for emergencies?                            | Y/N/NA   |
Assets               | Are the assets well inventoried?                                                   | Y/N/NA   |
Assets               | Are the assets well classified?                                                    | Y/N/NA   |
Assets               | Are the assets well protected?                                                     | Y/N/NA   |
Assets               | Are there procedures for proper handling, transportation and disposal of assets?   | Y/N/NA   |
Protective measures  | Are protective measures well installed?                                            | Y/N/NA   |
Protective measures  | Are protective measures working?                                                   | Y/N/NA   |
Protective measures  | Are protective measures tested periodically?                                       | Y/N/NA   |

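As an added worked example (not part of the original article), the script below checks a filled-in checklist in the format above: it rejects responses other than Y, N or NA, enforces the rule that every N or NA answer carries an observation, and summarizes open findings and Y-coverage per category. All rows, responses and observations in it are constructed for illustration.

```python
# Validator and summarizer for a physical security checklist of the kind shown
# above (category, item, Y/N/NA response, observation). Example code added to
# this article; the sample rows below are constructed, not a real audit.
from collections import defaultdict

VALID_RESPONSES = {"Y", "N", "NA"}


def validate(rows):
    """rows: iterable of (category, item, response, observation).
    Returns (errors, summary): errors is a list of human-readable problems;
    summary maps category -> {"Y": n, "N": n, "NA": n, "findings": [...]},
    where findings are the N items with their recorded observations."""
    errors = []
    summary = defaultdict(lambda: {"Y": 0, "N": 0, "NA": 0, "findings": []})
    for category, item, response, observation in rows:
        response = response.strip().upper()
        observation = observation.strip()
        if response not in VALID_RESPONSES:
            errors.append(f"{category}: '{item}' has invalid response {response!r}")
            continue
        # Checklist rule: a negative or not-applicable answer needs an observation.
        if response in ("N", "NA") and not observation:
            errors.append(f"{category}: '{item}' answered {response} without an observation")
        summary[category][response] += 1
        if response == "N":
            summary[category]["findings"].append((item, observation))
    return errors, dict(summary)


def coverage(summary, category):
    """Share of applicable items (Y or N, excluding NA) answered Y; None if none apply."""
    counts = summary[category]
    applicable = counts["Y"] + counts["N"]
    return counts["Y"] / applicable if applicable else None


# Constructed sample: a partially filled checklist for one office.
SAMPLE = [
    ("Perimeter", "Is the perimeter well lit?", "N", "Rear car park unlit after 22:00"),
    ("Perimeter", "Is the perimeter well monitored?", "Y", ""),
    ("Entrances and exits", "Are the entrances and exits alarmed?", "NA", ""),  # missing observation
    ("Entrances and exits", "Are the entrances and exits locked?", "Y", ""),
    ("Assets", "Are the assets well inventoried?", "N", "No inventory of laptops in room 3"),
    ("Protective measures", "Are protective measures tested periodically?", "maybe", ""),
]

if __name__ == "__main__":
    errs, summ = validate(SAMPLE)
    for err in errs:
        print("ERROR:", err)
    for cat in summ:
        print(f"{cat}: coverage={coverage(summ, cat)}, open findings={len(summ[cat]['findings'])}")
```
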
Next steps after using an office security checklist

After performing a physical security audit with an office security checklist, the next steps are:

  • Analyze the results of the audit, identifying strengths, weaknesses, opportunities and threats to the physical security of the site.
  • Develop an action plan to implement the improvements suggested by the audit, defining priorities, resources, those responsible and deadlines for each action.
  • Execute the action plan, monitoring the progress and effectiveness of the implemented actions.
  • Evaluate the impact of the implemented actions, measuring the level of security achieved after the audit.
  • Review the action plan, making the necessary adjustments to maintain or increase the site's security level.
