Adversarial Risk Group

What is a physical security audit?

A physical security audit is a systematic assessment of facility-level controls, policies, and procedures against documented standards and real-world exploitability.

Key takeaways

  • A physical security audit measures three things: what the policies say, what the technology supports, and what the workforce actually does.
  • For manufacturers, the gap between policy and practice is usually wider on the physical side than on the IT side.
  • The audit produces a documented baseline that informs remediation, insurance renewal, and (in regulated environments) compliance attestation.
  • It is paired with physical penetration testing in mature programs: the audit measures the design, the pen test measures the design under contact.
  • ARG runs the audit and the pen test as one engagement: the auditor observes for one week, then exercises pretexts and entries the following week, with findings consolidated.

What does a physical security audit cover?

A physical security audit covers six surfaces, each in three dimensions (policy, technology, practice).

1. Perimeter and approach. Fence, gate, driveway, lighting, exterior cameras, parking, and the visible signaling to a passerby. Policy: what the documented perimeter posture requires. Technology: what fence, gates, lighting, and sensors are installed. Practice: how the perimeter is staffed and monitored in reality.

2. Lobby, reception, and visitor management. Sign-in process, badge issuance, escort policy, visitor expectations, lobby attendant coverage and breaks. Policy: documented visitor management standard. Technology: visitor management system, badge printer, sign-in kiosk, lobby cameras. Practice: how a visitor is actually onboarded.

3. Internal access control. Doors between zones, access control panels, badge readers, mantraps, turnstiles. Policy: which roles have which access. Technology: the access control system itself. Practice: which doors are propped open, which credentials are widely shared, which exceptions have become routine.

4. Sensitive area protection. Network closets, server rooms, engineering offices, control rooms, document storage. Policy: dual-control, escort, time-of-day, audit-log expectations. Technology: door locks, dedicated cameras, environmental monitoring. Practice: who actually accesses these rooms and how the access pattern looks in the access control logs.

5. CCTV, alarms, and detection. Camera coverage, recording retention, alarm panels, monitoring path. Policy: retention period, review cadence, response standard. Technology: NVR/VMS, alarm panels, monitoring vendor. Practice: who actually watches the cameras, who responds to alarms, how often the recording is reviewed.

6. Workforce, vendor, and procedure. Badging process, contractor management, delivery management, after-hours staff, key control, key audit. Policy: documented workflows. Technology: HRIS-tied badging, vendor management portal. Practice: how new hires actually get badged, how contractors actually move through the site, how lost badges are actually reported and revoked.

The audit measures each of the eighteen cells in this matrix (six surfaces times three dimensions) and produces findings against documented standards.

The difference between a physical security audit and a physical penetration test

The two are complementary but not the same.

A physical security audit measures the design of the facility's controls against documented standards and the gap between design and practice. The auditor observes, asks, reads logs, reviews policies, and inspects technology. The auditor does not attempt unauthorized entry. The output is a structured assessment with findings.

A physical penetration test measures the controls under contact. The tester attempts unauthorized entry using pretext, tailgating, badge work, and lock work. The test produces evidence of what actually fails when an attacker tries. See What is physical penetration testing?

A mature program runs both. The audit reveals which controls are designed correctly and which are not. The pen test reveals which controls work under pressure. The two together produce a complete picture that neither alone delivers.

A facility audited but never penetration-tested usually has a clean report and a long list of "we have a policy for that" answers. The first pen test produces a shock. A facility penetration-tested but never audited has dramatic finding stories but no systematic baseline for measuring progress over time.

Why manufacturers benefit from auditing physical, IT, and OT environments together

A manufacturer is not a single security surface. Physical, IT, and operational technology (OT) are entangled in ways that compliance frameworks rarely model.

  • Engineering workstations sit physically in IT space but provide programming access to OT systems. A physical breach of the engineering area is an OT breach by adjacency.
  • Network closets distribute both office and plant network traffic. Physical access to a closet often means logical access to OT segments.
  • Vendor remote access crosses both surfaces. A vendor with VPN access to an HMI has effectively the same access as a vendor standing in front of that HMI; both bypass perimeter controls.
  • Operational rhythm ties IT and OT together. Shift change, vendor visits, maintenance windows all involve both digital and physical access patterns.

A physical-only audit misses the IT/OT entanglement. An IT-only audit misses the physical access path to OT. The audit ARG runs at manufacturing clients explicitly covers all three together, with a single finding set that maps the cross-surface chains. See What is operational technology (OT) security? and What is the IT/OT convergence problem?

Examples of physical security audit findings

From recurring patterns across mid-market manufacturer engagements:

  • Documented visitor management policy that is not followed. Policy: all visitors are pre-registered, escorted, badged for one day. Practice: vendors recurring from week to week are waved through; reception attendant takes lunch without coverage. Finding: policy and practice diverge, with specific instances logged.
  • Network closets unlocked during business hours. Policy: all utility rooms locked, key checked out. Practice: closets unlocked between 7 a.m. and 6 p.m. for "convenience". Finding: rooms reachable from the unattended lobby within four minutes.
  • Badge access rights that have grown over time. Policy: roles have specific access. Practice: employees who moved between departments accumulated access; ex-employee badges still active months after departure. Finding: more than half of active badges hold access rights inconsistent with current role.
  • CCTV coverage with no live monitoring. Policy: 24/7 monitoring. Practice: cameras record to NVR, no one watches them, recordings are reviewed only after an incident. Finding: detection latency between event and discovery measured in days or weeks.
  • Key control without audit. Policy: master keys controlled. Practice: a "general manager's key" and a "maintenance master" exist; the people who hold them are unclear. Finding: number of effective master keys in circulation is unknown.
  • Vendor-managed remote access without physical-side coordination. OT vendor with VPN access to specific control systems; the physical access policy treats the vendor as visitor-only. The two policies do not reference each other.
  • Loss-prevention surface uncontrolled. Receiving and shipping zones have inbound access controls; outbound rarely has equivalent process. Items can leave without being checked.

Each finding is policy-versus-practice in a specific cell of the audit matrix. Remediation usually targets the practice, not the policy.
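The two badge findings above (ex-employee badges still active, access rights that outgrew the role) can be reproduced as a reconciliation check over an access-control export, the HR roster, and a role entitlement table. This is an added example, not ARG's tooling or the page's own code; every roster, badge and entitlement value in it is constructed.

```python
# Added reconciliation check (not ARG tooling); all roster, badge and entitlement data is constructed.
from datetime import date
AS_OF = date(2026, 5, 18)  # constructed audit date

# Constructed policy: the door groups each role is entitled to (matrix surface 3, policy column).
ROLE_ENTITLEMENTS = {
    "production": {"plant-floor", "break-room"},
    "engineering": {"plant-floor", "break-room", "eng-office"},
    "it": {"break-room", "eng-office", "network-closet", "server-room"},
}

# Constructed HRIS roster: employee -> (current role, termination date or None).
HR_ROSTER = {
    "e100": ("production", None),
    "e101": ("production", date(2026, 1, 15)),  # left in January
    "e102": ("engineering", None),              # moved here from IT
    "e103": ("it", None),
}

# Constructed access-control export: (badge, employee, active, door groups).
BADGE_EXPORT = [
    ("B-01", "e100", True, {"plant-floor", "break-room"}),
    ("B-02", "e101", True, {"plant-floor", "break-room"}),                   # leaver, still active
    ("B-03", "e102", True, {"plant-floor", "eng-office", "network-closet"}),  # kept closet rights
    ("B-04", "e103", True, {"break-room", "network-closet", "server-room"}),
    ("B-05", "e101", False, {"plant-floor"}),                                # correctly revoked
]


def audit_badges(badges, roster, entitlements, as_of):
    """Map badge id -> finding for every active badge that diverges from policy."""
    findings = {}
    for badge, emp, active, groups in badges:
        if not active:
            continue  # revoked badge: policy working as intended
        if emp not in roster:
            findings[badge] = {"unknown_holder": True}  # badge with no HR record at all
            continue
        role, terminated = roster[emp]
        if terminated is not None:
            findings[badge] = {"terminated": (as_of - terminated).days}  # days active after departure
        elif groups - entitlements[role]:
            findings[badge] = {"excess": sorted(groups - entitlements[role])}  # rights beyond role
    return findings


def inconsistent_share(badges, findings):
    """Fraction of active badges carrying a finding (the 'more than half' metric above)."""
    active = [badge for badge, _, is_active, _ in badges if is_active]
    return sum(1 for badge in active if badge in findings) / len(active)
```

Run against a real export, the roster field to reconcile is the HRIS termination date rather than the access-control system's own status flag, since the finding is precisely that the two disagree.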

What deliverables come out of a physical security audit

A serious audit produces five artifacts:

  1. Executive narrative. A short document, written for the owner or CTO, describing the facility's posture, the three to five most material findings, and the business impact framing.
  2. Detailed findings report. Each finding documented with location, observation, evidence, applicable policy or standard, business impact, and remediation recommendation. Mapped to NIST CSF, CIS Controls, ISO 27001 Annex A, or other relevant frameworks. See What is the NIST Cybersecurity Framework (CSF 2.0)? and What is CIS Controls v8?
  3. Photographic and observational evidence. Annotated photos, floor plans marked up with finding locations, observation logs with timestamps. The evidence supports the findings and survives hostile review.
  4. Prioritized remediation plan. Findings sequenced by exploitability, business impact, and cost. The plan distinguishes immediate fixes (cost-free policy or staffing changes) from project-scale fixes (badge technology migration, lobby renovation).
  5. Risk register entries. Findings formatted for direct entry into the organization's risk register, with severity, owner, target date, and treatment plan. See What is a risk register?

Where the audit is paired with a physical penetration test, the deliverables consolidate. The pen test evidence becomes part of the audit's documentation, and the audit's policy review provides the standard against which the pen test findings are scored.

Best practices for preparing for a physical security audit

For organizations expecting a physical security audit:

  1. Collect existing documentation. Visitor management policy, access control standard, key control procedure, vendor management policy, after-hours staffing, alarm response standard. Gathering before the audit accelerates the engagement and surfaces gaps in documentation that are themselves findings.
  2. Identify a facility lead. One person inside the organization owns the engagement. They are the auditor's primary contact, the operational interface, and the person who carries the remediation forward.
  3. Brief the trusted-agent group. Executive sponsor, head of security or facilities, head of IT, and the facility lead. The group holds the rules of engagement and the get-out-of-jail letter if pen testing is paired.
  4. Do not warn the floor. Front-line staff are the test population, not the test designers. Warning produces theater; the audit is meant to reflect normal operation.
  5. Block calendar time for the executive sponsor. Mid-engagement check-in, end-of-engagement debrief, and the formal report walkthrough. The audit produces decisions; the decisions need scheduled attention.
  6. Plan the remediation phase before the audit. Who owns implementation, who approves spend, how progress is tracked. Audits that finish without an execution path produce reports that sit.
  7. Use the audit to update the risk register. The findings flow directly into ongoing risk management. The audit is a feed into the risk program, not a one-off engagement.

Physical security audit FAQs

How long does a physical security audit take?

Typically one to three weeks on site for a single-facility audit, plus one to two weeks of pre-engagement document review and one week of reporting. Larger or multi-building facilities run longer. The on-site component is the irreducible part because the policies on paper rarely match the practice on the floor.

Does a physical security audit disrupt production?

A well-run audit does not. The auditor observes, documents, and asks questions; the only operational impact is occasional staff conversations during normal work. Disruptive elements like badge-system reviews and after-hours testing are scheduled with the facility lead. The audit should be invisible to production staff who are not directly interviewed.

How often should a physical security audit be done?

Once a year for facilities with material risk, every two years as a minimum cadence, and after any significant change (new building, M&A integration, major equipment install, ownership change, insurance policy change). Findings from continuous monitoring can trigger interim audits as needed.

What credentials should a physical security auditor have?

Industry credentials (ASIS PSP, Board-certified Physical Security Professional) signal training, but operational background in the relevant industry matters more. For a manufacturing audit, an auditor who has worked on a plant floor or in industrial operations picks up findings credentials-only auditors miss. The right credential mix depends on the facility type and the regulatory environment.

How ARG structures the founding-year physical audit

The physical security audit is the first deliverable of ARG's first-year engagement at a manufacturing client. It is conducted on site, in person, by David Ashby, and runs across two consecutive weeks.

Week one: observation and document review. The operator arrives at the facility. The first three days are observation: where shifts hand over, where badges accumulate, which doors get propped open, which gate the delivery drivers actually use, how reception handles unannounced visitors, how the maintenance shift moves through the building after hours. The remaining days cover document review (visitor management, access control, key control, vendor management, alarm response) and structured interviews with the facility lead, the head of IT, the head of operations, and key plant staff.

Week two: testing under contact. Where the engagement scope authorizes it, the same operator exercises the controls observed in week one: tailgating attempts at the entries observed to be busiest, pretexted entries using vendor and inspector identities credible to the specific facility, badge cloning at conversational distance where the technology permits (What is badge cloning?), and document recovery from unattended areas. The week-two activity tests what week one observed.

The deliverable consolidates audit findings (policy and practice gaps) with pen test findings (exploitability evidence). Findings map to NIST CSF and the client's compliance framework. Photographs, floor plans, and observation logs support the report. Prioritized remediation runs from no-cost policy changes through project-scale technology migrations.

The audit stands up the continuous simulation layer for the rest of the year and informs the next on-site engagement's scope. The cycle alternates: even years on site, odd years digital-only review.

For founding clients, the physical audit is part of the first-year fee; subsequent audits are scoped against the continuous layer's findings.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: David Ashby. Updated 2026-05-18. Adversarial Risk Group.