
8 physical security best practices that hold up

Physical security best practices are the proven habits that keep people, assets, and facilities protected: layered defense, strong access control and visitor management, CPTED, full surveillance coverage, regular risk assessments, incident response, drills, and consistency across every site.

The short version

Physical security best practices, in one paragraph

Physical security best practices are the proven habits that keep people, assets, and facilities protected over time: build defense in layers, control access with least privilege and manage every visitor, design the environment to deter crime (CPTED), cover the site with surveillance that is monitored, assess risk on a recurring schedule, maintain a tested incident response plan, run drills, and apply one consistent standard across every site. None is exotic. The discipline is doing all of them, everywhere, and keeping them current.

New to the topic? Start with what is physical security.

1. Build in layers, not single controls

The first best practice is the model itself: defense in depth. No single camera, lock, or guard is enough on its own. Arrange controls in layers so that if one fails, another still stands. The classic sequence is deter, detect, delay, respond, and communicate, working from the perimeter inward toward your most critical assets.

Map your controls against those layers and look for any layer that depends on a single point of failure. A gap in delay, for example, means a detected intruder can reach a target before a response arrives.

  • Concentric layers from perimeter to critical asset
  • No layer relying on a single control
  • Each layer mapped to deter, detect, delay, or respond

2. Control access and manage every visitor

Decide who is allowed where, enforce it, and keep a record. Use the principle of least privilege: each person gets access only to the areas their role requires, and access is revoked the day they leave or change roles. Treat tailgating and propped doors as policy violations, not minor annoyances.

Visitors are the most common gap. Every guest should be identified, logged, badged, and escorted in sensitive areas, with the visitor record retained. A visitor management process is where many otherwise strong programs leak.

  • Least-privilege access by role
  • Same-day deprovisioning for leavers and movers
  • Visitor sign-in, badging, and escort rules
  • Audit trail of who entered which space and when
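The four rules above (least privilege by role, same-day deprovisioning, visitor escort in sensitive areas, and an audit trail of every decision) are concrete enough to model. The script below is an added example written for this page, not code from RiskWatch or from any access-control product; the roles, areas, badge IDs, and the 2024 dates are constructed sample data. Every badge read, allowed or denied, is appended to the audit trail with the reason, so the same record that enforces the policy also answers "who entered which space and when".

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed policy: the areas each role may enter unescorted (least privilege).
ROLE_AREAS = {
    "engineer":   {"lobby", "office", "lab"},
    "facilities": {"lobby", "office", "lab", "server-room", "loading-dock"},
    "visitor":    {"lobby", "office"},
}
# Constructed list of areas where a visitor may enter only with a badged escort.
SENSITIVE_AREAS = {"lab", "server-room"}


@dataclass
class Person:
    badge_id: str
    role: str
    # Last valid day for the badge. None means the badge is active.
    # Set this on the day someone leaves or changes role (same-day deprovisioning).
    active_until: Optional[date] = None


@dataclass
class Decision:
    ts: datetime
    badge_id: str
    area: str
    allowed: bool
    reason: str


# The audit trail: one record per badge read, whether it was allowed or not.
AUDIT_TRAIL: List[Decision] = []


def _log(ts: datetime, badge_id: str, area: str, allowed: bool, reason: str) -> Decision:
    decision = Decision(ts, badge_id, area, allowed, reason)
    AUDIT_TRAIL.append(decision)
    return decision


def evaluate_badge(people: Dict[str, Person], badge_id: str, area: str,
                   ts: datetime, escort_present: bool = False) -> Decision:
    """Decide whether a badge read at a door should open it, and record why."""
    person = people.get(badge_id)
    if person is None:
        return _log(ts, badge_id, area, False, "unknown badge")
    # Deprovisioning check: a leaver's badge stops working the day after their last day.
    if person.active_until is not None and ts.date() > person.active_until:
        return _log(ts, badge_id, area, False, "badge deprovisioned")
    if area in ROLE_AREAS.get(person.role, set()):
        return _log(ts, badge_id, area, True, f"role {person.role} permits {area}")
    # Visitors reach sensitive areas only while escorted; the escort is logged too.
    if person.role == "visitor" and area in SENSITIVE_AREAS:
        if escort_present:
            return _log(ts, badge_id, area, True, "visitor escorted into sensitive area")
        return _log(ts, badge_id, area, False, "visitor unescorted in sensitive area")
    return _log(ts, badge_id, area, False, f"area {area} not permitted for role {person.role}")


def deprovision(person: Person, last_day: date) -> None:
    """Revoke access effective the end of the person's last day."""
    person.active_until = last_day


def audit_for_badge(badge_id: str) -> List[Decision]:
    """Audit trail query: every decision recorded for one badge."""
    return [d for d in AUDIT_TRAIL if d.badge_id == badge_id]


# Constructed directory: an engineer, a facilities tech who left on 1 March 2024, a visitor.
PEOPLE = {
    "E-100": Person("E-100", "engineer"),
    "F-200": Person("F-200", "facilities", active_until=date(2024, 3, 1)),
    "V-001": Person("V-001", "visitor"),
}

if __name__ == "__main__":
    evaluate_badge(PEOPLE, "F-200", "server-room", datetime(2024, 3, 2, 9, 0))
    evaluate_badge(PEOPLE, "V-001", "lab", datetime(2024, 3, 2, 9, 5), escort_present=True)
    for d in AUDIT_TRAIL:
        print(d.ts.isoformat(), d.badge_id, d.area, "ALLOW" if d.allowed else "DENY", d.reason)
```

The deprovisioning check compares the read's date against `active_until`, so a badge revoked today keeps working for the rest of the shift and fails from tomorrow; if your policy is immediate revocation, set `active_until` to the previous day instead.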

3. Design the environment to prevent crime (CPTED)

Crime Prevention Through Environmental Design, or CPTED, is the practice of shaping a site so it naturally discourages bad behavior. Its core principles are natural surveillance (open sightlines so people are easily seen), natural access control (using landscaping, paths, and entrances to guide movement), territorial reinforcement (clear ownership of space through markings and maintenance), and maintenance (a well-kept site signals that it is watched and cared for).

CPTED is often the cheapest layer to improve. Trimming overgrown shrubs near an entrance, fixing broken lighting, and clarifying where public space ends and private space begins can reduce risk before you spend on technology.

  • Open sightlines and natural surveillance
  • Landscaping and paths that channel movement
  • Clear public-versus-private boundaries
  • Prompt repair of damage, lighting, and signage

4. Cover the site with surveillance that gets reviewed

Cameras should cover every entry point, the perimeter, and high-value areas with no blind spots, and the footage should be retained long enough to support an investigation. Position and maintain cameras so the image is usable, lit, and aimed where it matters.

Coverage is only half the practice. Footage that no one watches and alarms that no one answers add little protection. Pair surveillance with monitoring, whether staffed or analytics-driven, so a detection turns into a response.

  • No blind spots at entries, perimeter, and critical areas
  • Adequate retention for investigations
  • Active monitoring or analytics, not just recording
  • Regular checks that cameras are working and aimed correctly

5. Assess risk regularly, not just once

A physical security program is only as current as its last assessment. Sites change, threats change, and controls drift out of date. Best practice is a recurring, documented assessment, sometimes called a site security survey, that walks every domain, scores the gaps, and produces a prioritized remediation plan.

Run assessments on a schedule and after any significant change: a renovation, a new tenant, an incident, or a shift in the threat environment. Keep the results in a system you can track over time rather than in a one-off spreadsheet that is stale the day after you finish it.

  • Scheduled, recurring assessments
  • Every domain scored and gaps prioritized
  • Reassessment after renovations, incidents, or new threats
  • Results tracked over time, not stranded in a spreadsheet


6. Have an incident response plan and use it

When something happens, the time to decide what to do is not during the event. Document clear procedures for the incidents you can foresee: intrusion, theft, an active threat, a medical emergency, severe weather. Define who does what, how to escalate, how to communicate, and how to recover.

An incident response plan that lives in a binder no one has opened is not a plan. Keep it current, make sure responders know their roles, and capture what you learn from every real incident and near miss to improve it.

  • Documented procedures per incident type
  • Clear roles, escalation, and communication paths
  • Mass-notification and recovery steps
  • After-action review feeding back into the plan

7. Test the program with drills

Controls and plans that are never tested fail when it counts. Best practice is to exercise them: test alarms and sensors, run lockdown and evacuation drills, attempt to tailgate your own doors, and review whether monitoring actually responded. Treat each test as a chance to find the gap before an adversary does.

Drills also keep people ready. A procedure staff have practiced is one they can execute under stress; one they have only read is not.

  • Scheduled alarm and sensor tests
  • Lockdown, evacuation, and shelter drills
  • Red-team checks such as tailgating attempts
  • Findings logged and remediated

8. Make it consistent across every site

If you protect more than one location, the biggest risk is inconsistency: strong controls at headquarters, weak ones at the satellite office no one has assessed in two years. Best practice is a common standard applied everywhere, so every site is measured against the same domains and scored the same way.

Consistency is what lets a security leader compare sites, find the weakest links in a portfolio, and direct budget where it reduces the most risk. It is hard to do by hand across many locations, which is exactly where a single assessment platform earns its place.

  • One assessment standard for every location
  • Comparable scoring across the portfolio
  • Visibility into the weakest sites
  • Central tracking of remediation across all sites
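Practices 5 and 8 both come down to the same mechanics: one weighted standard, each domain scored for gaps, failed controls ranked for remediation, sites compared on the same scale, and reassessment dates tracked so nothing goes stale. The code below is an added example written for this page, not RiskWatch's scoring model or any product's code; the nine-control standard, the weights, the three site names, and the assessment dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Item:
    domain: str
    control: str
    weight: int  # constructed scale: 1 (minor) to 5 (critical)


# Constructed assessment standard, applied identically to every site.
STANDARD: List[Item] = [
    Item("perimeter",    "Fence intact, no gaps",                4),
    Item("perimeter",    "Perimeter lighting functional",        3),
    Item("access",       "Least-privilege roles enforced",       5),
    Item("access",       "Leavers deprovisioned same day",       5),
    Item("access",       "Visitor log retained",                 2),
    Item("surveillance", "No blind spots at entries",            4),
    Item("surveillance", "Footage retention meets policy",       3),
    Item("response",     "IR plan reviewed in last 12 months",   3),
    Item("response",     "Drill run in last 6 months",           3),
]


@dataclass(frozen=True)
class Assessment:
    site: str
    assessed_on: date
    failed: FrozenSet[str]  # controls that did not pass the survey


def domain_scores(a: Assessment) -> Dict[str, int]:
    """Gap score per domain, 0..100, where 100 means every control in the domain failed."""
    totals: Dict[str, int] = {}
    failed: Dict[str, int] = {}
    for item in STANDARD:
        totals[item.domain] = totals.get(item.domain, 0) + item.weight
        if item.control in a.failed:
            failed[item.domain] = failed.get(item.domain, 0) + item.weight
    return {d: round(100 * failed.get(d, 0) / totals[d]) for d in totals}


def site_score(a: Assessment) -> int:
    """Whole-site gap score on the same 0..100 scale, comparable across sites."""
    total = sum(i.weight for i in STANDARD)
    gap = sum(i.weight for i in STANDARD if i.control in a.failed)
    return round(100 * gap / total)


def remediation_plan(a: Assessment) -> List[Item]:
    """Failed controls ordered for remediation: heaviest weight first."""
    return sorted((i for i in STANDARD if i.control in a.failed),
                  key=lambda i: (-i.weight, i.domain, i.control))


def rank_sites(assessments: List[Assessment]) -> List[str]:
    """Site names ordered weakest first, using the common scale."""
    return [a.site for a in sorted(assessments, key=lambda a: -site_score(a))]


def overdue(assessments: List[Assessment], today: date, interval_days: int = 365) -> List[str]:
    """Sites whose last assessment is older than the reassessment interval."""
    return [a.site for a in assessments
            if today - a.assessed_on > timedelta(days=interval_days)]


def trend(history: List[Assessment]) -> List[tuple]:
    """(date, score) pairs for one site, oldest first, so drift is visible over time."""
    return [(a.assessed_on, site_score(a)) for a in sorted(history, key=lambda a: a.assessed_on)]


# Constructed portfolio: three sites surveyed against the same standard.
PORTFOLIO = [
    Assessment("hq", date(2024, 5, 1), frozenset({"Drill run in last 6 months"})),
    Assessment("satellite", date(2022, 3, 15), frozenset({
        "Leavers deprovisioned same day", "No blind spots at entries",
        "Perimeter lighting functional", "Visitor log retained"})),
    Assessment("warehouse", date(2023, 11, 20), frozenset({
        "Fence intact, no gaps", "Footage retention meets policy"})),
]

if __name__ == "__main__":
    for site in rank_sites(PORTFOLIO):
        a = next(x for x in PORTFOLIO if x.site == site)
        print(site, site_score(a), domain_scores(a))
    print("overdue:", overdue(PORTFOLIO, date(2024, 6, 1)))
```

Because every site is scored against the same weighted list, the portfolio ranking is meaningful: the satellite office in the sample ranks worst, and its highest-weight failed control (same-day deprovisioning) tops its remediation list, which is the "weakest link, biggest fix first" view practice 8 describes.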

Best practices are only as good as your follow-through

Every practice here depends on doing it consistently and keeping the record current, which is the part that breaks down on a spreadsheet and across many sites. The RiskWatch physical security assessment platform operationalizes these practices: it runs standardized site security surveys, scores every domain, schedules reassessments, and rolls results up across your whole portfolio so nothing drifts out of date unnoticed. To put the practices to work on a single site by hand, start with the free physical security checklist.
