
Facility security plan: template and examples on how to create one that works

This site security plan will act as a template that ideally should be customized to the specific site based on its security needs. It should summarize all personnel responsibilities and procedures involved, and be fully understandable by everyone in your organization.

Scope of the template:

The site security plan intends to provide direction for facility officers to make adjustments to improve the overall facility.

In addition to pre-existing security, this sample plan also outlines the mechanism for:

  • Applicability
  • Risk assessment
  • Defining threat levels
  • Authority and responsibility
  • Access control
  • Restrictions
  • Data management
  • Monitoring and updating
  • Security testing


The site security plan applies to every individual within the site, and each of them should receive the appropriate training or briefing before entering the building. This includes all staff, security personnel, faculty, and visitors.

Risk Assessment

The Information Technology Officer and the Security Officer are responsible for assessing the level of risk. Risk assessments are made in response to the potential or actual effects of an incident. From the facility's physical security perspective, this is completed by monitoring and testing the floor layout, the location and security of restricted and sensitive areas, emergency standby equipment, existing policies, procedures, guidelines, training, and finally the knowledge of individuals on site.

Looking at risk assessment from the perspective of data security, the site security plan should be stored in a central location for easy access to individuals within the site, but protected from any outside use. It should also be updated when necessary and examined by the designated officials (such as the Information Technology Officer and the Security Officer) daily.

By constantly monitoring for changes and testing present procedures, the level of risk to the facility can effectively be gauged and the security countermeasures can be put in place.

When responding to an occurrence, the response should follow a fixed sequence: report the event, notify the pertinent responders or officers, respond to the incident, recover, document, and brief individuals on site on the occurrence.

Determining Threat Level

Similar to risk assessment, both the Information Technology Officer and the Security Officer must look at the security levels of the facility and its contents. However, the officer should also focus on the internal software security as well as the geographical context of the facility. This includes but is not limited to the security level of the region and country, as well as the history of the security software being used in PDAs, laptops, web-based servers, and file transfer protocol servers.

Access Control

It should be noted that access control covers both access to data, servers, and networks and access to the physical site. The site security plan should include biometric or card-swipe security controls, isolation of restricted areas, password encryption, and similar measures.

When a facility has more than one level of security (for example, public areas alongside several security or clearance levels), separate procedures should be dedicated to each level. Restricted or higher-security areas should be more physically isolated, have more physical and network barriers, and have a noticeable increase in closed-circuit television coverage. These areas should also use systems with a higher probability of detecting infiltration, and should include software that assesses or prevents unauthorized access.


Roles and Responsibility

The designated officials, primarily the Information Technology Officer and the Security Officer, are responsible for the physical security and integrity of data on site. This also includes overseeing the procedures for data disposal, account access control, password and protection policies, backup, and system storage. In addition to establishing these procedures, officers are also responsible for the training, education, and awareness of the site security plan.

Though a site security plan and the authority involved should always include the Information Technology Officer and the Security Officer, or similar equivalents, it can include other positions of authority. These roles and responsibilities are dependent on how this site security plan template is adjusted to the site. Common examples include but are not limited to a facility security committee, additional designated officers, security organizations, financial authority, and so on.


Human Resource Officers are also responsible for site security through a due-diligence hiring process. When hiring candidates, the Human Resource Officer must apply an additional security vetting process and include non-disclosure and confidentiality agreements. This security vetting should include pre-employment background and criminal checks, as well as drug screenings administered by the appropriate agencies.

The Human Resource Officer is also responsible for communicating and handing over the employee handbook. The handbook should include the site security plan, the confidentiality agreement, national and state labor laws, equal employment and non-discrimination policies, and leave and compensation policies. Finally, after initial hiring, the new employee should attend any training conducted by the Information Technology Officer and the Security Officer.


Detection and the application of security measures should be continuous. Designated officers should push for up-to-date firewall protection, anti-virus management software, and intrusion detection devices. Any activity or behavior that leaves individuals or systems vulnerable should be immediately detected, reported, and remedied. A line of communication should also be established to ensure that all individuals on site have an equivalent understanding of the site security plan.

Updating and Testing

The site security plan should be updated and tested at least once a year. Beyond that, it is the responsibility of the Information Technology Officer and the Security Officer to critically evaluate and continuously improve the site security plan. Every change to the plan should then be communicated accordingly.
