How to Run a Business Security Audit


Protecting staff, property, and assets is a priority for every business. However, many businesses are dangerously unaware of their own vulnerable points, leaving them exposed to a wide range of potential threats.

Taking stock of your organization’s current security strengths and weaknesses, both physical and digital, is the first step in preventing any intrusions. By performing regular security audits, you can identify (and eliminate) any vulnerabilities—before criminals find them.

Audits should be done regularly and consistently to assess physical and digital security alike…even if you are confident in the systems you’ve set up to protect both fronts. “The best planned security systems and security procedures lose their effectiveness if they are not continually monitored,” writes LockNet’s Katie Willie in “Physical Security Audit Checklist.”

Set a security audit schedule, and establish criteria (such as “a change in location, a new threat, suspicion of loss or actual loss”) for unscheduled audits. “Performing a security audit on a regular basis will help your organization minimize loss and increase the safety of employees and customers. With each audit, the facility will become increasingly less vulnerable.”

Physical Security Checklist

In her checklist, Willie advises doing a thorough assessment of your entire premises. This includes not only the physical security of your buildings and their access points, but also the technology used to monitor them and policies in place to restrict access.

Here are some questions to consider when performing a physical security audit of your property.

  • Physical Layout
    Do the topography and landscaping of your premises reduce the risk of intrusion, or heighten it? How secure are your points of entry? Are there security checkpoints—turnstiles, swipe-card locks, or the like—in place at crucial entryways?
  • Lighting
    Are your premises well-lit, or are there shadowy recesses which might provide concealment? Are doors and other access points well-lit? Do lights turn on automatically at nightfall?
  • Alarms
    Have you installed adequate smoke, fire, water, intrusion, tamper, and motion detectors? Are the sensors in good working order? Have you set up notifications to be sent to your mobile device?
  • Physical Barriers
    Are fences tall enough to prevent intrusion? Are they free of holes or other damage? Are driving entrances gated and staffed by an attendant?
  • Access Points
    Do all doors, gates, and windows latch and lock properly? Are windows protected with a security lamination to prevent breakage? Who monitors (in person or via camera) access points?
  • CCTV
    Do you have adequate camera coverage for your premises? Are cameras programmed to switch to night vision or low-light mode at dusk? How safe is your camera system from glitches, power shortages, and other recording disruptions? Is footage continuously monitored, or only infrequently reviewed?
  • Guards
    Do guards verify visitors’ identities, and if so, using what method or information? Do guards patrol the premises? How frequently, and how do they record their findings? Are guards able to clearly see key access points or assets from their station?
  • Access Methods
    Are access points secured with key locks, swipe cards, or codes? Who has access to keys, cards, or codes? How frequently are codes updated? Has the access of former employees been revoked?
  • Communication About Breaches
    How soon will you become aware of an intrusion or other emergency at your place of business? What is your company’s typical response time? How will you communicate with staff, shareholders, and the public afterward?

Surveying your current physical security status helps your company to shore up any vulnerable points to protect your staff and assets in the future. Perform checks regularly and thoroughly, and use what you learn from every incident to prevent future attempts.

Digital Security Checklist

Changing technologies present new, ever-evolving data security concerns. But just as with physical intrusions into your premises, digital intrusions can be prevented and mitigated with robust security measures, careful monitoring, and immediate response to any threats. A security audit of your computing equipment and business network should begin with the following checklist.

  • Digital Security Personnel and Software
    Do you have qualified digital security personnel to install, manage, and monitor your security tools? If not, do you have a comprehensive security system professionally managed by a trusted service provider? Do you have, at minimum, basic firewall protection plus virus and spyware detection in place?
  • Access to Data and Equipment
    Who has access to which data and equipment, and what are the limits of that access? Are laptops, tablets, and other portable devices properly secured when not in use?
  • Encryption
    Is all of your business data encrypted, on every device? What about customer data and your email communications? How frequently does re-encryption happen?
  • Mobile Device Usage
    Are all mobile devices (personal and company) locked with a PIN or fingerprint ID? Is company data accessed and transmitted via mobile devices encrypted?
  • Patching
    Do you regularly update your software to patch known security issues? Are updates installed immediately?
  • Cloud Usage
    When working remotely, how do employees access your network or data? Are staff members using unauthorized cloud storage or collaboration programs? Is data stored in or accessed from the cloud encrypted?
  • Passwords
    Does your company have policies regarding strong password creation, using separate passwords for different websites, and time between changing passwords? Do you have a password management system in place for automating password creation?
  • Policies and Employee Training
    Are employees thoroughly trained on your security policies and best practices—including recognizing suspicious emails and links, securing mobile devices, creating strong passwords, and safely using cloud programs?
  • Disposal of Old Computing Equipment
    How does your organization dispose of unwanted computing equipment—are hard drives wiped or destroyed prior to disposal?
  • Communication About Breaches
    What is your company’s average response time during a breach? How do you communicate with employees, stockholders, and the public in the aftermath of a breach?

Proper security of physical premises and information is an ever-present factor in a company’s ongoing success. By thoroughly and consistently assessing your physical and digital security systems, you can effectively protect your business from dangers of many kinds.

Scroll to Top