Physical Security Audit Checklist: 50+ Items to Assess

A physical security audit is a systematic evaluation that identifies vulnerabilities before criminals exploit them. Whether you're assessing your own client sites, offering security consulting services, or conducting due diligence for a new contract, a comprehensive methodology ensures nothing gets overlooked. The checklist format enables consistent evaluation across different facilities and provides documentation that supports recommendations and tracks remediation.

Perimeter Security Assessment

The perimeter represents the first line of defense—and often the most neglected. Walk the entire property boundary looking for vulnerabilities that would allow unauthorized access or concealment. What looks secure from the front entrance may have significant gaps in back corners or along adjacent properties.

Fencing and Barriers

Fencing effectiveness depends on height, condition, and features appropriate to the threat environment. An industrial facility needs different perimeter protection than a residential community.

• ☐ Fence height adequate for threat level (typically 6-8 feet minimum)
• ☐ No gaps, holes, or damage in fence line
• ☐ Bottom secured to prevent crawling under
• ☐ Anti-climb features where risk warrants (barbed wire, razor ribbon)
• ☐ Gates secure when closed, locks functioning
• ☐ Vehicle barriers appropriate to threat (bollards, planters, gates)

Perimeter Lighting

Lighting deters criminal activity and enables observation. Dark areas become hiding spots and approach routes. Evaluate lighting at night when vulnerabilities become visible.

• ☐ All perimeter areas adequately illuminated
• ☐ No dark spots, shadows, or blind areas
• ☐ Lights positioned to avoid blinding glare
• ☐ Backup power for critical perimeter lighting
• ☐ Routine maintenance performed, burned-out bulbs replaced

Landscaping Security

Beautiful landscaping can create security vulnerabilities. Shrubs provide concealment, trees enable climbing over fences or onto roofs, and decorative features may aid unauthorized access.

• ☐ No concealment opportunities near building entrances
• ☐ Trees trimmed away from fences and roof lines
• ☐ Clear sightlines maintained for surveillance
• ☐ No items that could aid climbing (benches, dumpsters near fence)

Access Control Evaluation

Access control determines who can enter where—and how effectively those determinations are enforced. Evaluate both physical barriers and the systems and procedures that control them.

Entry Points

Every door and window is a potential entry point. Assess each one for physical security and controlled access.

• ☐ All entry points identified and access controlled
• ☐ Doors and frames in good condition, no warping
• ☐ Hinges secured with non-removable pins on out-swing doors
• ☐ Strike plates properly installed with long screws
• ☐ Glass resistant to break-in (film, laminated, or tempered)
• ☐ Emergency exits alarmed and secure from outside entry

Electronic Access Control

Access control systems only work when properly maintained and managed. Credentials must be deactivated promptly, access levels reviewed regularly, and system integrity verified.

• ☐ All readers and controllers functioning properly
• ☐ Terminated employee credentials deactivated promptly
• ☐ Access levels appropriately assigned and reviewed
• ☐ Audit trails generated and reviewed regularly
• ☐ Backup power maintains system during outages
• ☐ Fail-safe or fail-secure configuration appropriate to area

Key Control

Physical keys remain common even with electronic access. Poor key control undermines all other access security.

• ☐ Key inventory accurate, all keys accounted for
• ☐ Keys secured when not in use (locked cabinet)
• ☐ Key issuance documented with signature
• ☐ Lost key triggers rekey procedure
• ☐ Master key access restricted to minimum necessary

Surveillance System Review

Camera systems provide deterrence, real-time monitoring, and forensic evidence. But systems installed years ago may have coverage gaps, failed cameras, or inadequate recording that nobody has noticed.

Coverage Assessment

Review camera placement against actual coverage. What the system was designed to cover and what it actually captures may differ significantly.

• ☐ All critical areas covered (entrances, high-value storage, sensitive areas)
• ☐ Every entry and exit point monitored
• ☐ Parking areas covered, including perimeter
• ☐ No blind spots in coverage due to obstructions or camera failure
• ☐ Image quality adequate to identify individuals and activities
• ☐ Night vision or low-light capability for 24-hour coverage

System Functionality

A camera that doesn't record or can't be reviewed provides no security value. Test actual functionality, not just power lights.

• ☐ All cameras operational with clear images
• ☐ Recording system capturing footage continuously
• ☐ Storage retention adequate for needs (typically 30-90 days)
• ☐ Playback capability verified—can footage be reviewed?
• ☐ Remote access functional for off-site monitoring
• ☐ Backup power maintains recording during outages

Alarm System Assessment

Alarm systems detect intrusion and alert responders—but only if properly designed, maintained, and monitored. Systems that generate frequent false alarms get ignored; systems that aren't tested may fail when needed.

Detection Coverage

• ☐ Intrusion detection covers all vulnerable entry points
• ☐ Motion detection provides interior coverage
• ☐ Glass break detection protects vulnerable windows
• ☐ Panic/duress alarms available and known to staff
• ☐ Coverage extends to roof access and utility areas

System Integrity

• ☐ Regular testing performed and documented
• ☐ All sensors functioning, no bypassed zones
• ☐ Communication to monitoring center verified
• ☐ Backup communication path available (cellular if primary is landline)
• ☐ Backup power maintains system during outages
• ☐ Access codes managed, changed after personnel changes

Interior Security Evaluation

Interior security protects high-value assets, sensitive information, and critical systems. Not all interior areas require the same level of protection—assess based on what each area contains.

High-Value and Sensitive Areas

• ☐ Server rooms, data centers secured with additional access control
• ☐ Cash handling areas protected appropriately
• ☐ Pharmaceutical, chemical, or controlled substance storage secure
• ☐ Inventory and warehouse controls adequate
• ☐ Safes and vaults properly rated for contents

General Interior

• ☐ Office areas secured after hours
• ☐ IT equipment protected from theft and unauthorized access
• ☐ Sensitive documents secured (locked when unattended)
• ☐ Visitor access controlled and monitored

Emergency Preparedness Review

Security and safety intersect in emergency preparedness. Fire systems, evacuation procedures, and emergency plans affect both life safety and security response.

Fire and Life Safety

• ☐ Fire alarm system tested and functional
• ☐ Sprinkler system operational and inspected
• ☐ Fire extinguishers inspected and accessible
• ☐ Exit routes clear and properly marked
• ☐ Emergency lighting functional throughout
• ☐ Evacuation plans posted and current

Emergency Planning

• ☐ Emergency procedures documented and distributed
• ☐ Evacuation routes and assembly points designated
• ☐ Emergency contact information current
• ☐ Drills conducted and documented regularly
• ☐ Special needs populations accommodated

Operational Security Assessment

Physical security measures fail without operational procedures to support them. Policies, training, and day-to-day practices determine whether security infrastructure actually provides protection.

Security Procedures

• ☐ Written security policies documented and accessible
• ☐ Visitor management procedures followed consistently
• ☐ Contractor access controlled and monitored
• ☐ Package and mail handling procedures address threats
• ☐ After-hours access procedures enforced

Personnel Security

• ☐ Background checks performed for appropriate positions
• ☐ Security awareness training provided
• ☐ Termination procedures include immediate access revocation
• ☐ Incident reporting procedures known and followed

Documenting and Prioritizing Findings

Audit findings only create value when documented clearly and prioritized for action. Generic observations like "improve perimeter security" don't drive remediation. Specific findings with clear recommendations and risk-based priority enable effective response.

Document each finding with specific location, observed condition, security implication, and recommended remediation. Photographs provide evidence and clarify issues. Prioritize by risk level so the most critical vulnerabilities get addressed first.

• Critical: Immediate action required—significant vulnerability actively exploitable
• High: Address within 30 days—serious vulnerability requiring prompt attention
• Medium: Address within 90 days—moderate vulnerability or enhancement opportunity
• Low: Address when convenient—minor issue or best practice improvement