Everything You Need to Know About Physical Security

Understanding Physical Security and Best Practices


Physical Security Best Practices

Security is crucial to any office or facility, but understanding how to get started in this field can be difficult, to say the least. Even in small spaces, there can be dozens, if not hundreds, of moving parts that can confuse even the most seasoned business professional. Deciding how to protect your business and its assets can be a process that seems nearly impossible at first. But with the right tips and tricks, anyone can become an expert on physical security, no matter how lost you might feel at first. You can make the most of your skills to implement an effective plan and better protect your assets and data. Use this list to better understand physical security and to implement its best practices into your space.

Physical Security

This part is simple, at least. Every building needs a way to keep unwanted guests outside, and most organizations also need to restrict access to certain areas within their premises, even to people who have already been invited inside. Because of this, you need to adopt a set of security measures with which to grant access to protected amenities to authorized personnel only, ones that have been handpicked for this privilege. These security measures should be introduced in accordance with a broader plan designed to protect your equipment, resources and any other assets within a production facility or office space. All these measures, working in tandem, make up your physical security strategy.

The best, most viable physical security strategies make use of both technology and specialized hardware to achieve its safety goals. You will need to protect your assets from intruders, internal threats, cyber attacks, accidents and natural disasters, which in turn requires a mix of technology and in-person monitoring that requires careful planning and placement of security staff and other tactics. For your preventive measures and countermeasures to be effective, you also need to introduce a security perimeter, the size and scope of which may vary depending on your specific needs and possible threats to your facility. Physical security bundles many needs together, so make sure you consider your space as a whole, not as separate parts.

Physical Security System Components

Physical security is always a component of a wider security strategy, but it makes up a sizeable piece of this larger plan. Security experts agree that the three most important components of a physical security plan are access control, surveillance, and security testing, which work together to make your space more secure.

Access control may start at the outer edge of your security perimeter, which you should establish early in this process. You can use fencing and video surveillance to monitor access to your facility and secure the outdoor area, especially if you have on-site parking or other outside resources. A comprehensive access control system and strategy would also include the use of advanced locks, access control badges, mobile phones, or biometric authentication and authorization. Most spaces start their access control at the front door, where cardholders swipe their unique identification badges, or mobile phone, to gain entry. From there, you can place card readers on almost anything else, including offices, conference rooms and even kitchen doors. At the end of the day, each employee swipes out using the same process, eliminating the need for clocking out or wondering if anyone is still inside the building after closing hours.

Surveillance is another important component to consider in your space. Modern security systems can take advantage of multiple types of sensors, including ones that detect motion, heat and smoke, for protection against intrusion and accidents alike. These sensors can hook up directly to your alarm system, allowing them to trigger alarms and alert you and other system administrators without any human intervention. Naturally, your security strategy should also include the adoption of surveillance cameras and notification systems, which can capture crimes on tape and allow you to find perpetrators much more easily. Cloud-based access control systems update over the air and provide real-time reports, allowing you to monitor the system from your mobile dashboard.

When disaster strikes, you need to act fast and in accordance with your adopted procedures. That is why you need to test your disaster recovery plan on a regular basis, both on a technological level and a human one. Drills should test your ability to react both to natural disasters and emergencies caused by internal or outside threats that can threaten data or personal safety. Thankfully, access control systems allow you to tell who is still in your building and who is outside in the case of an emergency that requires evacuation. You should also check for weak points concerning access to critical business resources, such as server rooms, data centers, production lines, power equipment and anything else that may impact your daily operations. If you’re outfitting a sensitive area, such as a school or a place of worship you may want to consider a system with a lockdown feature.

Examples of Best Practices

The specific security practices you should implement when creating a solid physical security strategy always depend on the specifics of your premises and the nature of your business, but many physical security plans share certain core elements. Working examples of security strategy and countermeasures in physical security have a number of best practices in common.

Your first line of defense may include fenced walls or razor wires that work at preventing the average by-passer from entering your security perimeter. Protective barriers are used for preventing the forced entry of people or vehicles and should always be complemented by gates, security guards and other points of security checks. Once you get to the main building, locks are a very effective method that enables only individuals with a key or a proper level of access control to open or unlock a door or gate. Locks may be connected to a more comprehensive security monitoring system, which is quite simple to do. You can place alarms at each of these points that are triggered if doors are held open for too long, if access cards have been swiped too many times or if a badge has been used to swipe into a space twice before being used to swipe out of a space. Even better, you can control access based on the time of day, keeping employees out before and after regular hours. Cloud-based access control systems can be programmed or integrated with a calendar so that the doors remain unlocked during certain times of day—for example, a yoga studio might find it useful to keep the door unlocked up to 5 minutes after the class begins and then the doors can automatically lock to prevent the teacher from pausing class or latecomers from interrupting.

Your physical security should incorporate surveillance cameras and sensors that track movements and changes in the environment, especially after hours. You also need to install proper security lighting to ensure all monitored areas are visible at any given moment. Security guards should cover all entry points to your facility during regular hours and even overnight, while also securing business-critical areas indoors, like labs or server rooms. Water, smoke and heat detectors, as well as a sprinkler system, are your protection against natural disasters like water leakages, smoke buildup and fire.

Your last point of defense against unauthorized access is the use of smart cards, biometric identification and real-time clearance aimed at allowing only authenticated, authorized personnel to get into a restricted area or gain access to a certain amenity. In any event, you need to assess all possible scenarios and study past examples of successful physical security procedures before implementing feasible countermeasures for your facilities. By adding multiple layers of authentication you make sure that only the people you have approved can access certain parts of your facility. Thanks to huge leaps in technology, this is all possible now.

Wrapping Up

While all spaces are different, certain best practices are shared between many different types of physical security plans. Access control, especially, is a great way to make sure that you know who is entering your space, plus when and how they are doing it. By protecting your important assets and sensitive data, you are saving yourself trouble down the line, especially for spaces that deal with important clients or secretive information. Physical security can be confusing, but it doesn’t have to be — with the right planning, any space can become more secure.

The Physical Security Guide for Workplaces

Practices to keep your colleagues safe & automate your office.


Visitor Management

At one point or another, every office will need to invite visitors inside. Whether you’re showing investors your facility, guiding tours through the office or hiring contractors to fix a piece of equipment, non-employees will have to come through your doors. Relying on classic versions of visitor management, however, is simply not enough in today’s competitive business world, where innovations improve workplace management on an almost daily basis. Companies that want to remain secure, prove their solid safety procedures and leave a positive impression with customers and investors should consider implementing an access control system with strong policies regarding visitors.

Visitors are largely a beneficial presence, but even the most humble offices still have private information and sensitive data that they would prefer to keep away from outsiders, especially ones who might use it for less than positive reasons. By improving your current visitor management system, you can impress visitors while demonstrating just how secure your facility is. Use this article to make sure your system is up to date and ready to guard your space.

Understanding Access Control

Unlike the old-fashioned method of logging visitors by hand, access control systems allow you to keep track of who is in your space and where they are at all times. Access control works by assigning badges to the people who use your space. Encoded in each of the badges, which can take the form of swipeable cards, RFID chips or even QR codes, is a unique, identifying number for that cardholder. Each ID number has a designated level of access, which allows cardholders to access certain amenities based on clearance level, the time of day and any other factor that you would like to monitor. Cloud-based access control systems integrate with visitor management software, like Envoy.

Visitor access control allows you to assign temporary badges to visitors. These badges are designed to expire after a certain amount of time and allow you to decide where, exactly, each visitor can go within your facility. Instead of turning visitors loose, you can control their movements and even revoke their access if they stay inside too long. A certain feeling of trust is inspired in visitors when they enter your building, where the staff at the front desk welcomes them with a warm smile and a personalized badge that is entered into a visitor pass management system. As a first impression, this action makes your organization appear careful, diligent and well-managed. On your end, this action ensures that everyone who enters your space has entered identifying information into your system, meaning that they are responsible for the actions they take once they’re inside. The value of electronic visitor access control is not only about giving that special client treatment. Among other perks, this step amplifies the worth of your current business, creating an extra real estate opportunity. Office buildings with proper visitor management systems often sell or rent for higher rates than comparable buildings without this resource.

Employee Benefits of Visitor Management

With today’s abundant, affordable technology, it is so easy to use a visitor badge system and let computers do the work for you that it can be hard to imagine why any office wouldn’t choose to put an electronic access control at the front door. Modern software can make the entryways and other access points into watchdogs, and adding further checkpoints within your facility allows you to continue implementing access control throughout multiple offices or areas inside your building. Installing a separate reader on each door, allows you to know exactly who tried to enter and when they did. Personalized badges enable this.

Data recorded from each access control reader, including data from visitor badges, is stored in your system, so managers or trained security staff can access the reports and read the events log as evidence for employee and client movement. A visitor badge system is like having a discreet, watchful eye that automates your security functions. You and your personnel can worry less, allowing you to spend more time on work without having to deal with complex security tasks. It’s simple, but powerful, and your entire office will be able to work more effectively knowing that they are safe.

Safety Benefits of Visitor Management

Knowing that you have an office visitor management system also scares off potential intruders and burglars who might want to target your facility. A common tactic used by these criminals is doing unannounced recon visits to offices that they might want to target. They take note of each office’s security measures, deciding if it’s worth the trouble to try to infiltrate the space. If they notice that their visit is only being recorded on paper, they might be more likely to attempt a burglary. Access control systems and proper visitor management, which are often combined with video surveillance, is more likely to keep them away and sends them out to search for more vulnerable offices as potential targets.

Business Benefits of Visitor Management

Don't underrate the impact of visitor management systems on productivity and resource control as well. Tracking and measuring data extracted from your visitor management system offers direct insight into the number of visitors you get on multiple time scales and can help you direct your focus toward your most active client base. Knowing the movements of visitors, too, can help you optimize your office for people who are coming inside. Sometimes, a proper visitor management system is not only a convenience, but also a necessary tool. You may just need to meet specific legal requirements and standards for safety, especially if you’re the owner of a company that handles sensitive data or client information. You have a very real need for safety, and a special license or certification for working in riskier industries, such as healthcare, finance, and approved vendors, is impossible without having a reliable office visitor management system. It’s an investment that will help you reap rewards in the long run.

Checking this data also helps you decide who should be invited back to your space. Time spent inside is a solid indicator of how effective a maintenance team has been, for example. If a certain low-stakes repair takes just half an hour for one contractor but two hours for another maintenance company, the visitor access control data can help you choose the more efficient one for a long-term contract. Similarly, if a visitor triggers an alarm within your space, you can revoke their access and refuse to give them the ability to enter again.

Managing Low- and Medium-Security Buildings

Employees spend a large part of their days in the office and, as an employer, you probably want this time to be spent productively. The entire facility should enable hard and thorough work and bring out the best in all of your staff, in addition to being accessible, safe and energy efficient. Visitor access control, then, is an incredibly important issue to consider, especially through this lens. Although the comfort may be a priority for an office building that only requires a low or intermediate level of scrutiny, an office visitor management system can help in both ease of use and physical security.

If your office building is classified as low- or medium-level risk, the data that allows you to do business is most likely easily shared or even publicly disclosed, at least to a certain limit. The loss of this confidential data, then, would not harm your reputation or finances critically, or at least enough to drive you out of business. However, you should not be lax about protecting this information. It is better, after all, to avoid breaches entirely than to react to them. As a general rule, office buildings of these security levels can avoid the hassle associated with creating an excessive visitor access control system, especially one that would require special licensing or multi-factor authentication of visitors. But even when you don’t need to meet the necessary criteria for legal security audits, your visitor management system should include the following minimum elements:

  • A front desk visitor pass management system
  • Dedicated visitor management system software
  • A visitor badge printer, which should be able to encode paper badges
  • Printable access cards that work with your existing card readers
  • A video surveillance system to monitor the building perimeter, access points and public areas
  • Parking lot or garage access control
  • A central visitor access control board or system
  • Motion detectors and other alarm inputs
  • Access readers at each critical access point
  • A method of contacting the proper authorities within your system in the event of a break-in or breach

Depending on the needs of your business, you can decide to upgrade or downsize these system requirements, but this is a good place to start. For example, small businesses that operate out of residential buildings and educational or institutional organizations will likely be at the bottom of the scale of security classifications, while corporate outposts and industrial, chemical or research-based businesses will be near the top of the scale. For very large commercial buildings, it is important to consider how an automated visitor management system can be integrated into the overall building automation system. You can also choose to include options for the monitoring and control of HVAC and lighting systems as a measure of energy efficiency.

High-security office buildings typically require the more advanced protection of data and other assets by law. Part of these requirements are met by employing trained staff and conducting regular reporting and audits with official authorities. In case you need a physical security audit example. A crucial part of this, too, is a rigorous visitor management system. The loss of data or an attack on the system would significantly endanger the future, safety and budget of a any high-risk organization, and such an event could also adversely impact the people and resources that are important to stakeholders, clients and investors. All of this means that the risk that arises from an inadequate visitor access control system is enough to potentially result in a major litigation or investigations, massive financial losses, and detrimental consequences to the health and safety of your employees.

Imagine, for a moment, the effects of an improper visitor management system in a building that houses a laboratory. If anyone can simply walk inside or access high-security areas because of a flawed access system, burglars or hackers could walk away with highly sensitive information or industry secrets, which could bring ruin to any business. Obviously, it’s better to avoid this type of situation entirely. When you are in charge of designing a visitor management system for a high-risk office, follow the lead of public buildings to create a security framework that fits your needs, adjusting the design to the most advantageous form for your own business. Use these important security requirements when you’re setting up the visitor management system in a high-security office:

  • Perimeter protection, including appropriate fencing, turnstiles, doors and locks
  • Security staff to support video surveillance and triggered alarms
  • Authority-based visitor access control, which is the most rigorous type of this kind of system
  • Comprehensive, clearly delineated levels of security clearance for staff
  • Emergency escapes and alarms at all access points
  • An incident response plan with regular testing
  • Frequent staff security training
  • Strong parking standards with personalized passes for visitors, clients and staff
  • Two-factor authentication for secure rooms and areas
  • Backups of the visitor management system log reports

Wrapping Up

A dedicated visitor management system is the secret weapon of any secure office. While much energy is spent trying to make the employee experience safer, paying attention to visitors helps to keep them from using your trust as a tool to gain access to your secure files and data. It’s worth the extra effort to spend time creating a comprehensive plan, complete with access control, dedicated security measures and plenty of backups for each component.

Download our visitor management guide

Streamline visitor access and workflows.


Access Control With CCTV Cameras

For cameras and video systems for the purpose of video surveillance and security, there are 4 main options:

- Standalone smart home camera for small business use

- Standalone DVR system

- Standalone IP video camera system

- Integrated IP video and access control system

In the end it helps to start with the purpose: Why do i need a video system? Legitimate reasons:

Documentation of ongoing events in the space

Basically you want to have proof of events or suspicious behavior to show to law enforcement or police if things get stolen. In startups laptops or other re-sellable items get stolen more often than people think. It's not a topic that appears in the media a lot, so it's not on everyone's radar. But basically if you think of ongoing documentation and no other needs, you could just buy a Deli-style DVR system which records a certain amount of video hours. If something happens, you could go back in time on the video and see what happens. Make sure to buy a system that has some sort of infrared / night vision capabilities.

Alerting of Suspicious Behavior - on-Demand Video Surveillance

If you'd like to have alerts set up for when a door unlocks and two people enter or something more specific, you'd need to either buy an integrated IP video and access control system, or if something more basic is enough, get a consumer grade wireless video camera which can send alerts during certain hours also.

Real Time Monitoring of Your Facility

Real time monitoring means you have to have some sort of remote video visualization and surveillance capabilities. Live streaming of video can cost a lot of bandwidth and it is highly recommended to have a sophisticated IT manager on board when planning this - otherwise your network goes down from the video stream volume alone. Again, standard consumer grade wireless cameras can be a great start before jumping into more precise video solutions.

Audit Compliant Security Tracking Including Image Verification

If you need to verify identities with video image recognition or behavior tracking, you need the highest end systems the market can provide. Milestone Systems or similar are great video technology companies who provide cutting edge systems for enterprise.

Smart Home

Smart home cameras are great, affordable and fast to deploy products. Perfect for small businesses with a minimum IT budget and they allow many advanced functions. Of course precision, image quality, transmission speed, security and many more features are somewhat basic, but you can get an ok security with a Ring Wireless Doorbell or Nest Camera.

Kisi's opinion: You are looking for a fast start or a quick fix - this is the way to go. Don't expect anything beyond though.

DVR Systems

If you've ever visited a Deli-Shop you know DVR systems. Typically those system have four to six hardwired cameras with a DVR recorder. You can also connect a TV screen to the DVR so you see events in real time. Sometimes these systems are called "security systems" - keep in mind that a security system typically has alarm, video but also access control.

Kisi's opinion: Just having something in hand in case a break-in happens makes sense and is the perfect use-case for DVR systems. No need for ADT or the likes.

Standalone IP Video

Typically it gets expensive here. For a standalone IP video system, you need a custom setup and companies like Milestone System will charge you a large price tag. Stores like Trendnet provide customizable solutions which you would most likely buy through a local integrator. The great thing is that you can call most manufacturers and they'll recommend you a local security company to work with.

Kisi's opinion: IP video surveillance means going "pro" - make sure you have the budget and the IT infrastructure to support those solutions.

Integrated IP video surveillance and access control

There are good reasons to have video surveillance and access events combined in one central dashboards. Most likely companies who operate SOC's (Security Operations Control rooms) have exactly that setup. A popular provider in the startup world is S2 Security who is actually an access control provider but has their own video solutions on top.

Kisi's opinion: Going this route means you are a fortune 500 company or need to behave like one.

Download the Basics of Office Security

Professional insights on how to secure your workplace.


Physical Penetration Testing

Ryan Manship, the president of RedTeam Security Consulting, explains his suggested approach to physical security when it comes to penetration testing. He also told us what to avoid during testing and gives tips on some of the best practices.

UPDATE: Anyone concerned about the security of their access card can send it to Kisi Labs to be tested for free. The original access card will be sent back to the user with a cloned or copied card and a report on how difficult it was for Kisi’s technicians to hack. Rather than hiring a security consultant or paying thousands of dollars for a penetration test, Kisi Labs aims to automate the process and offer this free service to as many people as possible.

About RedTeam Security Consulting

RedTeam Security Consulting is a specialized, boutique information security consulting firm led by a team of experts. The company, founded in 2008, is based in Saint Paul, Minnesota. Its areas of business include in-depth manual penetration testing, application penetration testing, network penetration testing and social engineering.

When Is Testing Needed?

When is a physical testing needed? There are certain situations when an IT director needs to start thinking about testing his company’s physical security. Ryan listed three of the most important situations where he thinks a testing is required.

When physical security becomes a realistic attack factor that cannot be ignored, it means that you truly want to understand what your attack surface looks like. That is when you need to consider having a physical penetration testing toolkit. Similarly, you need to prepare and test social engineering campaigns to reduce the likelihood of the success of these campaigns.

Sometimes there are people at your company who don’t exactly understand the security weakness. Or they understand them but need buy-in from their decision maker. In those cases, you might want to learn about the ‘unknown unknowns.’

Finally, compliance also drives suggestions for testing; but usually, the regulatory bodies only suggest testing, but do not require it specifically.

What Happens If You Never Do Security Testing?

The most important aspect of security testing is to validate the assumptions you have about the current security setup. If you are not testing it, two crucial problems might occur:

  • You don’t have the opportunity to confirm that your assumptions about the current security system are correct, or that the system is indeed working.
  • You can’t test your own response behaviors.

It is important to test your response capabilities and speed: What do you do if something like this happens and how will you react? How well can you handle the situation and how fast can you react? Those things have to be learned through testing.

What Can You Learn By Completing a Penetration Test?

In a physical security penetration test you can learn about it in a controlled set of circumstances. People used to say “if something happens.” Now, this is shifting to “when something happens.” That’s to say, in doing a penetration test you’re preparing for the event knowing the event will happen—just not when it happens. What does the communication plan look like, how are you dealing with it timewise and publicity-wise? The theme here is, “preparing to prevent and preparing to react.”

For testing physical security, specifically, you should focus on the different controls—are you able to breach the perimeter, are you able to get in the building? Once you’re inside, are you able to obtain the objectives?

Physical security testing is often not done in a vacuum. “Red Teaming” is the name for the approach to understand the entire attack surface across three different verticals:

  • Cyber Security
  • Human Social Engineering
  • Physical Security

Of those, often the physical vector is the most underrated, but humans are statistically still the weakest link. The application/cyber security is the second weakest link, right after human social engineering.

What Does The Testing Process Typically Look Like?

If you’re wondering how the testing process is done, or physical penetration tools, Ryan gave a real-life example of how Red Team Security conducts its testing:

First, they work with a small leadership group. The right people need to know, but they don’t want too many other people to know, otherwise it would spoil the value of the test.

They work with clients to understand the client’s assets—such as customer data. Then they come up with an attack plan on how to potentially obtain those assets. Only the minimum amount of information is collected during the discovery. Next they have an operational plan to get approval from the client and they execute the plan. During execution, they stay in touch with their point of contact in order to map their actions against the client’s reactions and evaluate their response capabilities. Lastly, they consider re-testing to confirm that this has been fixed and to also set up a schedule for re-testing.

Finally, it’s important to realize that these tests are not meant to be a punitive exercise to find out what your company and your people are doing wrong. Ideally, everyone at your company does their best, but there are new problems arising all the time—problems you just don’t have time to worry about, especially when your priority is uptime or the performance of the systems.

Download our guide to intrusion detection

Discover the best solutions to protect your business.


Facilities Security Plan

This site security plan will act as a template that ideally should be customized to the specific site based on its security needs. It should summarize all personnel responsibilities and procedures involved, and be fully understandable by everyone in your organization.

Scope of the template:

The site security plan intends to provide direction for facility officers to make adjustments to improve the overall facility.

In addition to pre-existing security, this sample plan also outlines the mechanism for:

  • Applicability
  • Risk assessment
  • Defining threats levels
  • Authority and responsibility
  • Access control
  • Restrictions
  • Data management
  • Monitoring and updating
  • Security testing


The site security plan is applicable to every individual within the site and should receive the appropriate training or briefing before entering the building. This includes all staff, security personnel, faculty, and visitors.

Risk Assessment

The Information Technology Officer and the Security Officer are responsible for assessing the level of risk. Risk assessments are made in response to a potential of actual effects of an incident. From the facility’s physical security level perspective, this is completed through monitoring and testing the floor layout, location and security of restricted as well as sensitive areas, emergency standby equipment, existing policies, procedures, guidelines, training, and finally the knowledge of individuals on site.

Looking at risk assessment from the perspective of data security, the site security plan should be stored in a central location for easy access to individuals within the site, but protected from any outside use. It should also be updated when necessary and examined by the designated officials (such as the Information Technology Officer and the Security Officer) daily.

By constantly monitoring for changes and testing present procedures, the level of risk to the facility can effectively be gauged and the security countermeasures can be put in place.

When responding to an occurrence the format the of the response should start by reporting the event, notifying the pertinent responders or officers, responding to the incident, recovering, documenting, and briefing individuals on site on the occurrence.

Determining Threat Level

Similar to risk assessment, both the Information Technology Officer and the Security Officer must look at the security levels of the facility and its contents. However, the officer should also focus on the internal software security as well as the geographical context of the facility. This includes but is not limited to the security level of the region and country, as well as the history of the security software being used in PDAs, laptops, web-based servers, and file transfer protocol servers.

Access Control

It should be noted that access control includes both access to data, servers, and networks, as well as access to the physical site. The site security plan should include biometric or card-swipe security controls, isolation of restricted areas, password encryption, etc.

When a facility has more than one level of security (for example has public areas or several levels of security or clearance levels) separate procedures should be dedicated to each level of security. With restricted or higher security concerned areas, they should be physically more isolated, have more physical and network barriers, as well as a noticeable increase in closed-circuit television. Additionally, these areas should also involve systems with a higher probability of infiltration detection. More secure or restricted areas should include software that will assess or prevent unauthorized access.

Are you looking to meet security compliance requirements and secure your facility with the most advanced technology? Discover how the Kisi platform is changing the physical security industry.

Roles and Responsibility

The designated officials, primarily the Information Technology Officer and the Security Officer, are responsible for the physical security and integrity of data on site. This also includes overseeing the procedures for data disposal, account access control, password and protection policies, backup, and system storage. In addition to establishing these procedures, officers are also responsible for the training, education, and awareness of the site security plan.

Though a site security plan and the authority involved should always include the Information Technology Officer and the Security Officer, or similar equivalents, it can include other positions of authority. These roles and responsibilities are dependent on how this site security plan template is adjusted to the site. Common examples include but are not limited to a facility security committee, additional designated officers, security organizations, financial authority, and so on.


Human Resource Officers are also responsible for site security through the due diligence hiring process. While hiring potential individuals the Human Resource Officer must exercise an additional security vetting process as well as include non-disclosure and confidentiality agreements. This security vetting should include pre-employment background, criminal checks, as well as drug screenings administered by the appropriate agencies.

The Human Resource Officer is also responsible for communicating and passing on the employee handbook. Within the handbook should include the site security plan, as well as the confidentiality agreement, national and state labor laws, equal employment and non-discrimination policies, and leave or compensation policies. Finally, after initial hiring, the new employee should also attend any training conducted by the Information Technology Officer and the Security Officer.


The use of detection and application for security measures should be constant. Designated officers should push for updated firewall protection, anti-virus management software, and intruder detection devices. Any activity or behavior that leaves individuals or systems vulnerable should be immediately detected, reported, and repaired. A line of communication should also be established to ensure that all individuals on site have an equivalent understanding of the site security plan.

Updating and Testing

The site security plan should be updated and tested at least once a year. However, it is the responsibility of the Information Technology Officer and the Security Officer to critically evaluate and continuously improve the site security plan. With every new change, the site security plan should then be communicated accordingly.

The Physical Security Guide for Workplaces

Practices to keep your colleagues safe & automate your office.


Hiring Office Security Experts

Office security is essential for peace of mind and proper business practices. But implementing safety procedures and equipment can be a confusing process to a security novice, especially in today’s digitally-driven world. Thankfully, you don’t need to be an expert on physical security to benefit from the knowledge of one. If you are just starting out with access control, you should consider hiring a physical security consultant to help with your access control project. Choosing the right one can be a difficult process in itself, so follow these rules to make sure that you make the best choice for your business.

Understanding Physical Security

Physical security is exactly what it sounds like: Protecting physical assets within your space. This includes expensive equipment, sensitive files and hardware like electronic locks and doors. It takes an expert to make sure that you’re optimizing your physical security system for the unique needs of your building or facility. If you find yourself in charge of a smaller company, the installer you choose can often act as a kind of security consultant as well, which will help you to get the basics covered while avoiding hiring another contractor. Spaces that do not have any sort of special restrictions or requirements around security can get the job done in this way—it’s up to your discretion.

However, if you are part of a larger company or have more demanding security needs, you might want to think about hiring a physical security consultant for your project. An important fact that most people don't know is that these consultants can also write your system specs and help you get bids from security companies for your new security system, which removes the stress of doing it all on your own. They probably have a deep bench of installation companies at hand with which to distribute your bid, which can be better than the ones that you might dig up on Yelp. In fact, some installers don't even consider working with people they don't know, meaning that if you don't come recommended, they won't work with you. While not every job might require a consultant, they could save you money or time during installation.

Understanding Security Consultants

There are many small reasons why people hire a physical security consultant, from being able to complete a project faster to added security assurance. One main reason is that they can simply devote more resources to security analysis and planning, which usually takes time during the day that a full-time worker might not have. This lets them avoid being bogged down by other work that could otherwise distract in-house security managers. They can also offer new insights for your business from a seasoned perspective. Within a company, you can often find yourself taking things for granted, not thinking about changing them until someone from outside comes in and disrupts tradition. Your consultant knows the tricks and best practices of other organizations of your size, which helps because most problems in security are shared across a great deal of companies, many of whom have already found an answer to the issue.

By being involved in the industry day in and day out, absorbing the latest trends and developments, consultants can also bring important know-how and authority when submitting a security request for proposal (RFP). Consultants can assume a neutral position, recommending equipment and practices objectively. They also know how to write and present security plans, plus how to spot issues that might be hidden at first. Due to the experience in writing and presenting, the security consultant can possibly communicate their findings and strategies better than an in-house security manager. The technical experience the security consultant brings to the table is unique when compared to the general security knowledge of regular employees. Standard situations can be handled easily and unique ones can find solutions much faster.

Security Consultants vs. Security Firms

If you’re considering hiring a security consultant, you get to decide whether you want to employ an independent consultant or a full-fledged security firm. Independent security consultants often boast years of training and experience offering their professional advice, and many offices prefer hiring them because they are not affiliated with larger firms or agencies that might have certain stiff operational procedures or preferred vendors. They also might be more cost-effective for smaller operations. If you choose this path, make sure that you find a consultant that is certified by at least one security organization. You can tell their qualifications based on their credentials, including Certified Protection Professional (CPP), Physical Security Professional (PSP) and Certified Security Professional (CSP). There are also industry-specific certifications, including Certified Healthcare Protection Administrator (CHPA). These, generally, are the hallmarks of a more trustworthy consultant. They can also belong to the International Association of Professional Security Consultants (IAPSC).

Security firms are often favored by larger businesses or offices that want the backing of a major organization. They tend to boast greater resources and can be easier to research based on their sheer size. If you would prefer to buy your equipment through your consultant, this is the route you can take. Firms have fewer certifying organizations, so the best way to choose one is to look at online reviews, research their clients, and find their annual revenue reports. When it comes to hiring a security consulting firm, bigger is often better, but don’t discount local options.

Hiring Security Consultants

If you’ve made it this far, you’re likely ready to take the next step and hire a physical security consultant. While this can be the most difficult part of the process, there are plenty of resources to make this decision a little easier. As mentioned above, the IAPSC is a great resource for finding independent consultants. Members come from all over the world and specialize in dozens of industries, so you should easily be able to find a consultant that fits your needs through their site. Finding the right security firm can be a little bit harder, but you’ll probably recognize the bigger names within the industry. Deloitte, PwC and Accenture are all popular firms in the security space, but many other firms might be best for your requirements and your budget.

Key Takeaways

Each business is different, so before you make the decision on whether or not to hire a security consultant, consider the needs of your space. You should have a security system, and if you lack the expertise to install an effective one, a consultant might be the perfect solution to your problem. Like any other contractor, make sure you do your due diligence and make sure that you can afford to pay for their insights and advice. The right consultant can make your business more efficient, more secure, and, of course, much safer.