How to Assess Building Security: A Step-by-Step Guide for Australian Facilities


A building security assessment is a structured review of how well a facility protects its people, assets and operations against unauthorised access, theft, sabotage and harm. Done properly, it replaces assumptions with evidence, and gives the owner a prioritised, costed plan rather than a list of products to buy.

Key takeaways

  • A building security assessment examines the whole site (the outer perimeter, the inner perimeter and the interior), not just the alarm system.
  • It is driven by risk: the controls should match the threats and consequences a specific building actually faces.
  • Recognised principles, namely layered defence and crime prevention through environmental design (CPTED), guide good design.
  • For Australian Government facilities the assessment is aligned to the physical security requirements of the Protective Security Policy Framework.
  • The output is a prioritised program of works, not a single purchase.

What is a building security assessment?

A building security assessment identifies the assets within a facility, the threats to them, and the vulnerabilities that a threat could exploit, then evaluates how effectively existing measures reduce that risk. It covers physical barriers, access control, surveillance, lighting, intrusion detection, security personnel, and the procedures that tie them together. The assessment is grounded in a risk method consistent with AS ISO 31000:2018, so that effort and budget are directed at the risks that matter most. [1]

When should you assess building security?

Most organisations commission an assessment at a defined trigger point rather than on a fixed cycle alone. Common triggers include a new build or major refurbishment, a change of tenancy or building use, a lease or insurance requirement, a relocation or fit-out, a merger, or a rise in the assessed threat to staff and assets. A periodic review, at least annually for higher-risk sites, keeps the picture current as the threat environment and the building both change.

How to assess building security, step by step

The following method reflects how an experienced consultant approaches a building, and an in-house team can follow the same sequence.

1. Establish the context and risk appetite

Define what the building is for, who uses it, what it holds, and what a security failure would cost, in safety, financial, legal and reputational terms. This sets the level of protection the building should aim for.

2. Identify assets and threats

List the people, information, equipment and operations that need protecting, then identify the credible threats to them, from opportunistic theft and vandalism through to targeted intrusion, workplace violence and, for some sites, terrorism. Use current, Australia-specific threat information rather than assumptions.

3. Review the layers of defence

Assess protection as concentric layers: the outer perimeter (boundary, approach, vehicle access), the inner perimeter (building fabric, doors, windows, loading docks) and the interior (reception, internal access control, secure areas). Layered defence, or defence in depth, means that no single failure leaves an asset exposed.

4. Evaluate access control and electronic systems

Examine how entry is authorised and recorded, and how CCTV, intrusion detection and alarms work together. Technology is one layer within the system, not a substitute for sound design. A current electronic security review determines which measures are warranted and how they should integrate.

5. Test procedures and people

The best hardware fails if doors are propped, passes are shared or incidents are not reported. Review opening and closing routines, visitor and contractor management, key and pass control, and incident response, and confirm staff understand their role.

6. Analyse gaps and prioritise treatment

Compare the current state against the target level of protection, rank the gaps by risk, and set out treatments in priority order, separating quick, low-cost fixes from capital works. This is where a security risk assessment method keeps decisions defensible.

What standards and principles apply?

Two design principles underpin good building security. Layered defence ensures protection does not rely on any single control. Crime prevention through environmental design (CPTED) uses layout, sightlines, lighting and natural surveillance to reduce opportunity for crime, and is set out in ISO 22341:2021. [2] Risk is assessed in line with AS ISO 31000:2018. [1] For Australian Government entities, physical security is governed by the physical domain of the Protective Security Policy Framework, administered by the Department of Home Affairs under PSPF Release 2025. [3] For details of how these fit together, see Agilient’s physical and facility security overview.

How to turn findings into a program of works

An assessment is only useful if it drives action. Group the recommendations into a sequenced program: immediate procedural fixes, short-term improvements, and capital projects tied to budget cycles. Where assurance is needed that controls remain effective over time, a periodic security audit confirms they are working as intended.

How Agilient can assist

Agilient is an independent, vendor-neutral security consultancy. Because Agilient does not sell or install equipment, its building security assessments recommend what the risk justifies, not what a supplier wants to sell. Agilient works across government, healthcare, critical infrastructure and commercial property, and its consultants hold the relevant security licences in each state where it operates. Engagements range from a single site review to a portfolio program, each producing a clear, prioritised plan.

To discuss an assessment, request a building security assessment or book a short briefing.

Frequently asked questions

How long does a building security assessment take?

For a single, lower-risk site a review can take one to two weeks from inspection to report. Large or complex facilities, and portfolios, take longer because each site is inspected and analysed in turn.

What is the difference between a building security assessment and a security audit?

An assessment determines what protection a building needs and where the gaps are. A security audit checks whether agreed controls and standards are actually in place and working. Many organisations use the assessment to set the baseline and periodic audits to maintain it.

Does every building need CCTV?

No. CCTV is one control among many, and it is only worthwhile where it addresses an identified risk and is supported by monitoring and response. The assessment determines whether it is warranted and how it should be configured.

Who should commission a building security assessment?

Facility managers, security managers, property owners and risk managers typically commission assessments, often prompted by a new project, a lease or insurance condition, or a change in the threat picture.

How often should a building be reassessed?

At least annually for higher-risk sites, and whenever the building, its use or the threat environment changes materially.

References

  1. Standards Australia, AS ISO 31000:2018 Risk management — Guidelines, standards.org.au
  2. International Organization for Standardization, ISO 22341:2021 Security and resilience — Protective security — Guidelines for crime prevention through environmental design, iso.org
  3. Department of Home Affairs, Protective Security Policy Framework, protectivesecurity.gov.au