Physical Security 101

How to Start Building a World-Class Security Program

Down Arrow in White


Is the prospect of starting a new physical security program at your workplace intimidating? Are you concerned that good physical security relies on expensive secrets protected by industry experts?

Well, don’t worry. Every business is capable of developing a world-class physical security program. This guide presents everything you need to plan, design, implement, and test your physical security program.

Download a PDF version of this guide by filling out this form, or keep scrolling to read.


Chapter 1

What Is Physical Security?

Physical security consists of the tools, people, and practices that an organization uses to:

  • Control access to business resources
  • Deter potential threats
  • Detect active threats
  • Respond to threats
  • Ensure the day-to-day safety of employees and business resources

When a business organizes all of these security measures to work together, it creates a physical security program. A good program looks to balance the costs of the methods it implements against the actual risks faced by a particular organization. For example, the correct security at a federal prison is going to look different than security at a grocery store.

Why Physical Security Is Important

You will see many benefits to applying good physical security. Not only will you better manage the threats faced by your organization, but you’ll prevent unnecessary costs from eating into your bottom line. 

Good physical security will protect your business and employees from emergencies. It will also protect against day-to-day risks like theft and negligence while helping you control access to valuable assets and manage who is in your facility.

Scanning ID - Physical Security 101

Top Physical Security Problems that Businesses Face Today

The security risks a business will face change from year to year. Today, some o the main threats businesses face include:

  • Insider threats, like theft or fraud
  • Natural disasters
  • Insecure mobile technology
  • Business continuity disruptions
  • Workplace violence

Although these threats continuously change, the assets every business must protect remain the same: their people, facilities, and equipment. Companies also need to ensure that they meet regulatory compliance and protect the keys used to access those assets.

Be Aware of Security Convergence

Convergence is the unification of physical and IT security. It is important to consider how your own IT systems and security measures will need to overlap with physical security when designing your new physical security program.

The explosive growth in mobile and Internet of Things (IoT) technology has made everyday objects that people carry in their pockets threats to physical and network security. These physical devices move through your facility and the outside world, often either transmitting business data or linking to internal resources. Although 86 percent of CEOs prioritize cybersecurity over physical security, businesses need security tools that protect both their physical and digital assets.

Chapter 2

How to Plan a New Physical Security System Installation

Right now, you probably have just one particular physical security problem that you want to solve. Let’s go through the process you should follow to design and purchase the best system for your needs.

1. Plan

To get the most value from a physical security purchase, you need to define your desired outcomes. What is your organization looking to gain from this purchase:

  • Improved safety?
  • Better compliance?
  • Alignment of security operations with strategic goals?

You need to do a few things to answer that question accurately:

Identify Stakeholders

Stakeholders are the people inside and outside your organization who care about how your new physical security system will operate. Internal stakeholders could be from your security team, physical plant team, or IT department. External stakeholders could be local law enforcement or business partners.

Understand Their Expectations

Seek input from your stakeholders about what outcomes they want to see from this new system installation. Do they have any particular concerns about how it will be installed and used?

Determine How to Assess Performance

What key indicators will determine how effectively your new system does its job? For example, if you’re considering purchasing a key control system, you might want to track the number of lost keys reported in your business to see if that number goes down. Or you might decide to use the number of rekeyings your business has to do each quarter as a measure of security breaches.

Physcial Security Design

2. Design

Once you agree upon the outcomes you’re hoping to achieve and how you’re going to measure performance, you can get down to designing your new physical security system.

Identify Necessary Products

The design phase is the correct time to purchase any tools or integrated security systems that you will need. You already understand the outcomes you hope to achieve, so you can evaluate each product against those needs to see how well it might perform. 

If your goal is to protect and track physical keys, consider exploring a key management system. If you’d like to secure or track physical assets or people, consider secure storage and real time location and tracking products

Plan Installation Location

Now you need to decide how your new system will fit into the day-to-day workflows at your organization. Think about when and where staff will need to use it. Will your new system need to integrate with other existing security products or building infrastructure?

For example, if you’re deploying a new asset management system, you might be able to integrate with your IT department’s incident tracking system. The asset management system could automatically send incident information to your IT department if an employee logs a problem when they sign a device out or back in.

→ Want to learn more about best practices for tracking and storing valuable company assets? Download our free guide.

Determine System Configuration

If the physical security systems you’ve purchased can be customized, now is the time to do that. Also, determine what physical layout you want your system to have. Will any of the integrations you’ve identified require software updates?

If your new system uses access control, decide which access control methods you will deploy. This method could be one you already use at your organization or something separate.

If you want to choose a separate method, some options could include PIN codes, proximity (prox) cards, mobile phone apps, RFID tags, or biometrics like iris scans or fingerprints. We’ll go over access control in more detail in the next chapter.

3. Implement

Correctly implementing a new physical security system requires more work than just setting up some hardware and software. You need to define appropriate policies governing the system’s use. Who will use it? How will it be monitored?

You also need to train employees on how to use the system. You’ve invested a great deal of time and money to get this far in your implementation. If no one uses your security systems effectively, they will lose value.

Chapter 3

Essential Components of Physical Security

You can divide physical security into four distinct operations, with technical solutions available to support each:

  • Access control
  • Surveillance
  • Deterrence
  • Response

These operations need to work together as part of an overall program if they are going to thoroughly protect your organization.

Let’s go over some of the major technical solutions an organization should consider. Some are designed to support one specific operation. Others do a little bit of everything.

1. Access Control

Access control solutions manage the flow of traffic through entryways and access points in your facility. They can be used to restrict access for different types of employees and visitors.

Although security guards and other personnel can perform access control when needed, in most cases, it is more cost-effective to use a technical access control solution. Those technical solutions can include:

Electronic Access Control

These systems connect to a central database where employee access privileges are recorded. When an employee authenticates themselves at an access point, the system verifies whether they are allowed through and opens the access point accordingly.

Employees authenticate themselves using a token, such as:

  • Swipe cards: Identification data is stored on a magnetic strip, like on a credit card. The card is swiped at a reader to authenticate the holder.
  • RFID fobs: Radio frequency identification keychain tokens that communicate over short-range wireless. The fob is waved near a reader to authenticate.
  • Prox cards: Flat cards that are pressed against readers to authenticate the holder. Newer prox cards use embedded RFID antennas to transmit credentials.
  • Mobile phone apps: A secure app on a user’s phone identifies them when they approach access points. Phones authenticate the holder by transmitting their identity over Bluetooth or NFC, short-range wireless antennas common in mobile devices.

Electronic access controls are very secure, but they can be expensive. Most organizations only deploy electronic access control at their most sensitive access points.

Mechanical Access Control

Given the high cost of electronic access control, most doors and other access points continue to be secured by mechanical lock-and-key systems. Mechanical access control is cost-effective for managing access points with routine levels of security.

The major downside to using mechanical controls is that they lack built-in tracking and accountability. Because electronic systems communicate with a central computer system for every access request, they generate a complete access log in real time. Mechanical keys don’t have this capability by themselves.

Key Management Systems

Combining mechanical access controls with an electronic key management system is one model that many organizations employ as a cost-effective alternative to electronic access control. At their core, key management systems are secure cabinets with electronic access control terminals attached. 

Users authenticate themselves at the terminal and specify which key ring they want to sign out. The request is logged, and the key management system unlocks only the keyring selected.

Key management systems can also automate many useful but time-consuming administrative tasks. Managers can set curfews on key sign-outs or limit the number of keys a single employee can have in their possession. If an employee misses a curfew or does not return their keys at the end of their shift, the key management system can send alerts to the employee’s supervisor.

Asset Management Systems

As with keys, many businesses find it beneficial to control access to sensitive or expensive equipment. Like key management systems, asset management systems use a combination of secure cabinets, access control terminals, and smart sensor technology to control who uses assets, as well as when and how assets are used.

Content surveillance sensors inside locker compartments can identify assets when they’re signed out or returned for better accountability and inventory tracking. Curfews and alerts also help prevent unnecessary losses and ensure vital equipment is ready when employees need it.

2. Surveillance

Surveillance is the process of gathering information relevant to an organization’s physical security. That information commonly includes the locations of potential threats, personnel, and valuable equipment moving through your facility, as well as the activities of security personnel.

Video Surveillance

Traditionally, video surveillance systems had to be actively monitored by security personnel to identify threats on screen. Either that or they were just used to collect footage for review if a security incident occurred.

More modern security systems use video analytics software that is capable of detecting potential threats on its own. This software can recognize cars entering a secured lot after hours, or even the motion of an attacker swinging a punch. When a potential threat is identified, the analytics system automatically notifies human security personnel so they can respond.


Whereas video surveillance systems record what is happening inside a particular location, alarm systems monitor for attempts in access to unattended sites. Different kinds of sensors are employed for different alarm functions.

Motion sensors detect movement in low light or dark environments. Perimeter sensors detect when a door or other access point is breached. Glass break sensors detect the unique frequency of glass breaking.

These are some of the most common sensor types. All of them notify security personnel to respond when a breach is detected.

Women entering building scanning ID - Physical Security

3. Deterrence

The purpose of deterrents is to prevent threats from ever arising in the first place. They include:


Maintaining good visibility indoors and outdoors is an excellent way to deter potential threats. Lighting is particularly important around access points, like doors and windows. It is also vital in parking lots and other areas where people are likely to be alone.

Physical Barriers

Fences, vehicle gates, walls, even shrubbery can deter criminals looking for an easy target. A barrier that requires extra effort to cross can deter many threats from breaching your perimeter.

Environmental Design

Environmental design is most important for organizations with large, open campuses, like universities and medical centers. Open pathways, courtyards, and plazas increase visibility, leaving criminals with no hidden locations in which to operate. Consider reducing tall vegetation inside the perimeter of your campus to maintain sightlines in every possible direction.

4. Response

Lastly, physical security can use technical solutions to aid response efforts after a threat is identified.

Personnel Tracking 

Personnel tracking is most important in high-security environments, like corrections centers. Any facility at high risk of experiencing violence or of becoming the target of an attack must instantly identify the locations of security personnel for rapid response. A guard tour system is one kind of solution that monitors personnel movement in real time to ensure maximum readiness.

Evacuation Management

Fires, natural disasters, and other emergencies require an immediate response from all parts of your organization to ensure your personnel's safety. Managing evacuations is one of the most important parts of emergency management.

Automated emergency mustering and roll call systems verify whether personnel are safe at muster points or still at risk inside your facility. This information helps emergency managers and first responders act more effectively during chaotic and dangerous circumstances.

Chapter 4

Tips for Planning an Air-Tight Security Program

Better planning of individual security system installations will certainly help protect your business, but you can take a much more effective approach.

Develop a Full Physical Security Program

Tackling security challenges one issue at a time is not efficient in the long run. It's like closing the windows out back while waiting for a reason to lock your front door.

A full physical security program is a much more efficient approach. Physical security programs are made up of people, processes, technology, and documentation. They also include the performance data you collect on how those elements function.

In a good physical security program, all of these elements will be designed and measured against a recognized security framework. Doing so allows you to benchmark and evaluate your performance and apply changes to your program according to established best practices. Professional or industry-specific standards are available to guide these decisions, such as ISO 27001 and NIST PE-3.

Security - Identify Physical Security Gaps

How to Identify Your Physical Security Gaps

Your organization is only as safe as its least secure asset. The process of identifying where these shortcomings are in your security program is called an audit or gap analysis. You determine the gap between how effective you are now at a given practice and where you want to be.

To take key management as an example, are you handing out keys to third shift contract cleaners? Are those key transactions time-stamped and recorded? What security incidents could be avoided if you implement that kind of tracking?

Penetration testing is one method you can use as part of a gap analysis. It involves conducting mock attacks against your security measures to see how far an attacker might be able to penetrate your organization’s defenses. Conduct your penetration testing and gap analysis according to the best practices outlined in the security framework that makes sense for your business.

Employee Accountability

Physical security programs do more than manage significant risks associated with crime and natural disasters. They also protect your business against costly day-to-day accidents and errors. A physical security program can protect against regulatory violations that stem from lost or damaged equipment and productivity loss. 

Physical security programs can also prevent small operational inefficiencies from snowballing into full-blown safety and security problems. For example, poorly maintained equipment might cause a fire that requires emergency evacuation.

Chapter 5

Overlooked Physical Security Best Practices Checklist

Many physical security best practices are just common sense, but some aren’t apparent until you’ve already suffered the consequences. Here are some of the most essential best practices we see overlooked by businesses designing new physical security programs.

Designing a Secure Facility

  • Keep signage for high-security facilities to a minimum. Don’t help attackers by enhancing the facility’s visibility.
  • During design, invest in fireproofed doors, walls, and ceilings.
  • Remove all non-essential flammable materials from high-security spaces.
  • Have two entryways at most.
  • Reduce the size of windows so they can’t be used to gain access.
  • Train personnel authorized for these facilities in emergency evacuation and lockdown procedures.  

Protecting Business Equipment

  • Identify which equipment is general use and which is essential. Store and manage each type separately.
  • Store equipment away from doors, windows, and HVAC systems, like air conditioning vents and radiators.
  • Secure loose cabling away from high foot traffic areas.
  • Maintain records for all essential equipment, including model numbers, serial numbers, and warranty information.
  • Before maintenance is needed, identify internal or external technicians certified to repair essential equipment.
  • Create an equipment damage policy that outlines the behavior you expect employees to follow and explains how damages should be handled.

Preventing theft - physical security

Prevent Theft

  • Clearly and permanently label all expensive and essential equipment with your organization’s contact information.
  • Train staff to challenge all visitors who are not presenting access credentials.
  • Log all equipment transfers into and out of secured facilities. Log both essential and general-use equipment.
  • Train staff in secure transportation and storage procedures for mobile electronics.

Protect Business Data on Paper Too

  • Keep photocopiers, fax machines, and scanners away from high foot traffic areas and out of view.
  • Configure printers and copiers to label all confidential materials as “confidential” upon printing.
  • Provide secure shredding bins for staff to discard confidential paper records.

Chapter 6

Finding a Trusted Physical Security Partner

Physical security is not a one-off task; it is an ongoing practice. Threats are always evolving, and you need a business security partner who can adapt with you.

Evaluate each consultant and service provider you work with. Are they able to customize services to your particular business and facility needs? What kind of ongoing support do they offer? Will they be available when a critical system needs attention?



Chapter 7

Every Business Can Have Better Physical Security

There are no hidden secrets to running a good security program. There are, however, proven frameworks and best practices to build upon.

It takes hard work and focus, but the end result will be a customized physical security program that prevents unnecessary losses and improves efficiency at your organization.

Contact us for a free consultation



close chapters modal

Physical Security 101: How to Start Building a World-Class Security Program

Want your own copy of this guide? Simply fill out the form to get PDF version delivered straight to your inbox.