Physical Security Review Checklist: What Good Actually Looks Like

One of the most consistent findings from physical security assessments across Perth and regional WA is that most organisations don’t actually know whether their security is working.

They have cameras. They have access control. They have a guarding contract. But whether those things are doing what they’re supposed to do — whether the cameras cover the right areas, whether the access control permissions are current, whether the patrol routes still make sense — is rarely checked in any structured way.

Security drifts. Systems that were specified correctly at installation become misconfigured over time. Patrol routes designed around one threat environment stop being relevant when the site changes. Lighting that met the required standard when it was installed has degraded and no longer performs. Access cards that belonged to contractors who left two years ago are still active in the system.

This checklist won’t replace an independent security review — there are things a structured assessment captures that a self-check cannot. But it will help you understand where the obvious gaps are, and whether what you have is actually performing the way you think it is.

 

Lighting — Is It to the Right Standard and Is It Still Working?

Lighting is one of the most consistently underperforming elements in physical security — not because organisations don’t have it, but because it’s rarely tested against the standard it was specified to meet, and it degrades over time without anyone noticing.

What to check:

Lux levels against relevant standards. AS/NZS 1158 sets out the Australian standard for public lighting, including carparks, pedestrian paths, and road interfaces. AS 4282 covers obtrusive light. Most organisations have no idea whether their current lighting meets these standards — they just know the lights are on. Knowing the lights are on is not the same as knowing the lights are adequate. A lux measurement confirms whether the standard is being met.

Uniformity, not just average output. A site can have adequate average lux levels while having dark patches — areas where the light level drops significantly between fittings. Dark patches are where incidents happen and where CCTV footage becomes unusable. Uniformity ratios matter as much as average output.

Lamp degradation. LED and fluorescent fittings lose output over time even when they appear to be functioning. A fitting at 60% of its original output may still illuminate but may no longer meet the standard it was specified for. Periodic photometric testing identifies this before it becomes a problem.

Coverage of key areas. Building entries and exits, carparks and access ramps, pedestrian paths and laneways, after-hours entry points, and CCTV camera fields of view all require adequate lighting. Check whether the existing layout covers these areas or whether there are unlit zones that represent a gap.

After-hours performance. Many sites have lighting that is adequate during business hours because ambient light is supplementing the artificial sources. After-hours, when ambient light disappears, the same areas may become significantly darker than expected. After-hours lighting checks are often the most revealing.

 

CCTV — Are Cameras in the Right Places and Is the Footage Actually Usable?

The most common CCTV finding from independent reviews is not that organisations have too few cameras — it’s that the cameras they have aren’t positioned or configured to produce footage that can be used when an incident occurs.

What to check:

Coverage of key choke points and transition areas. Entry and exit points, lift lobbies, reception areas, loading docks, basement access, cash handling areas, and after-hours access points are the locations where coverage matters most. Check whether existing cameras cover these areas or whether they’re pointing at areas of lower risk because that’s where they were easiest to install.

Image quality and resolution. A camera that produces a usable image of a car park is not necessarily producing a usable image of a person’s face at a building entry. Different applications require different resolution and field of view specifications. AS/NZS 62676 sets out the requirements for different surveillance objectives — detection, observation, recognition, and identification each require different performance parameters. Check whether your cameras are specified and configured to meet the objective they’re actually serving.

Lighting and camera alignment. CCTV and lighting need to work together. A camera pointed into a backlit area, or covering a zone that isn’t adequately lit after hours, will produce unusable footage regardless of its specification. Check whether cameras are positioned to take advantage of existing lighting, or whether the lighting and camera layout are working against each other.

Recording and retention settings. Check that cameras are recording to the correct resolution, that retention periods meet your obligations (many WA councils and government bodies have specific requirements), that storage is not full or overwriting before the retention period expires, and that the system can actually be accessed and exported when footage is needed.

System health and maintenance. A camera that appears active may have a degraded lens, misaligned field of view, or corrupted recording stream. Periodic health checks — including confirming that every camera is producing a usable image — should be part of your regular maintenance schedule, not something you discover is broken when you need the footage.

 

Access Control — Are Permissions Current and Is the System Actually Working?

Access control drift is one of the most common and most underappreciated vulnerabilities in physical security. The system was configured correctly when it was installed. Then people left, contractors came and went, positions changed, and the access database was never updated to reflect any of it.

What to check:

Active credentials against current personnel. Compare your access control system’s active credential list against your current HR records. In most organisations, this exercise will reveal a significant number of active credentials belonging to people who have left — former employees, contractors, service providers, and temporary staff. Every active credential belonging to a non-current person is an uncontrolled access point.

Access permissions against current roles. Even where credentials belong to current staff, the permissions may no longer reflect the person’s role. Someone who moved from a back-office function to a customer-facing role two years ago may still have access to areas that are now irrelevant to their work — including areas like server rooms, plant rooms, cash storage, and management offices.

Door hardware and locking performance. Access control software is only as effective as the hardware it controls. Check that door closers are functioning, that doors are latching correctly, that electromagnetic locks are releasing and securing as intended, and that there are no doors being propped open or bypassed by users because the hardware is inconvenient or broken.

Alarm integration and response. Many access control systems are integrated with alarm panels and monitoring arrangements. Check that this integration is functioning — that forced-door alarms are generating a response, that after-hours access attempts are being captured and acted on, and that the escalation pathway from an alarm event to an appropriate response is current and tested.

Testing and audit logs. Access control systems generate logs of every access event. These logs are one of the most valuable tools available for understanding how your site is actually being used — and for identifying anomalies. Check whether logs are being reviewed, how long they’re retained, and whether your team knows how to access and interpret them when needed.

 

Patrols — Are They Still Relevant and Is Anyone Checking?

Security patrols are one of the most commonly over-specified and under-reviewed elements of a security program. Patrol routes and frequencies are often set at contract commencement and never reassessed — even when the site, the threat environment, and the operational context have changed significantly.

What to check:

Patrol routes against current risk. Are the areas being patrolled the areas where the risk actually is? A patrol route designed around a site as it was three years ago may not reflect where incidents are now occurring, where new vulnerabilities have emerged, or where the built environment has changed. Review patrol routes against your current incident data and site layout.

Frequency against operational need. Patrol frequency is a resource decision — but it should be an evidence-based one. High-frequency patrols of low-risk areas and low-frequency patrols of high-risk areas is a common and expensive misconfiguration. Check whether the frequency applied to each area is proportionate to the risk that area actually carries.

Proof of patrol — are guards actually attending? Guard welfare and proof-of-patrol systems — wand readers, NFC checkpoints, GPS tracking, or electronic patrol management systems — confirm that patrols are being conducted as contracted. Without a verification mechanism, the assumption that patrols are occurring is not supported by evidence. If you’re paying for a patrol, you should be able to demonstrate it was conducted.

Guard knowledge and response capability. Do the guards conducting patrols know what to do when they observe an incident, a safety concern, or a system fault? Are incident reporting procedures current? Is the escalation pathway — who to call, in what order, under what circumstances — clearly understood and documented? A patrol conducted by a guard who doesn’t know what to do when something happens is of limited value.

 

Procedures — Are They Written Down, Current, and Actually Used?

Physical security measures are only as effective as the procedures that govern how they’re used, maintained, and responded to. A well-specified CCTV system with no procedure for reviewing footage after an incident provides limited value. An access control system with no process for deactivating credentials when staff leave will drift into vulnerability regardless of how good the hardware is.

What to check:

Incident reporting and escalation. Is there a documented, current procedure for reporting security incidents? Does every relevant staff member know what constitutes a reportable incident, who to report it to, and what information to capture? Are incidents being recorded in a way that allows patterns to be identified over time?

After-hours response. What happens when an alarm activates after hours? Who receives the notification, what decisions do they make, who do they call, and under what circumstances is a physical response warranted? If you can’t answer these questions with reference to a current, documented procedure, the after-hours response is improvised — which means it’s inconsistent.

System maintenance and testing schedules. Are CCTV, access control, alarm, and duress systems being maintained under a scheduled program? Are testing dates and outcomes being recorded? Maintenance schedules and service records are often the first thing requested by insurers, auditors, and investigators after a significant incident. If they don’t exist, the organisation’s governance position is weak regardless of how good the systems are.

Key and credential management. Physical keys are one of the most consistently undermanaged elements of a security program. Is there a current key register? Are keys marked to prevent duplication? Is there a process for recovering keys when staff leave? Are master keys and restricted keys stored securely when not in use?

 

Natural Sightlines and User Experience — Does the Space Feel Safe to Use?

Security is not only about what systems you have. It’s about how the space feels to the people using it — and whether the design of the environment itself is working for or against safety outcomes.

This is where the most practical and often lowest-cost improvements are found. And it’s where a simple exercise most organisations never do produces the most useful insights: approach your own site as a first-time visitor and pay attention to what you actually notice.

Start in the carpark.

Carparks are where most incidents occur and where user experience is most often overlooked. Walk from the street entry to the lift or stairwell as if you’re visiting for the first time. Ask yourself:

  • Can you see where you’re going from the moment you enter, or do columns, walls, and level changes create blind corners before you reach the building?
  • Is the path to the lift or stairwell obvious and direct, or does it require navigating through areas that feel isolated?
  • Are the lifts and stairwells visible from the entry point, or are they tucked away in a corner with no passive surveillance?
  • Is the lighting adequate at ground level and in the stairwell approaches, or does the space feel darker than it should?
  • Are there concealment points — recessed areas, blind corners behind columns, spaces between parked vehicles and walls — where someone could wait without being visible?
  • Does the space feel occupied and active, or does it feel like somewhere you’d want to move through quickly?

The answers to these questions often identify improvements that have nothing to do with adding cameras or guards. Better wayfinding, improved lighting in specific spots, mirrors at blind corners, or simply removing overgrown planting that’s blocking sightlines can meaningfully change how a space feels — and how safe it actually is.

Natural surveillance — passive safety without the fortress feel.

Natural surveillance is the CPTED principle that spaces are safer when they can be seen by legitimate users going about their normal activity. It’s the opposite of relying on cameras and guards alone — it’s designing or managing a space so that people naturally overlook it.

The key is that natural surveillance should feel like good design, not like security theatre. Spaces that feel watched, exposed, or over-controlled create anxiety rather than safety. The goal is spaces that feel open, active, and well-managed — where legitimate users feel confident and comfortable, and where the opportunity for harmful behaviour is reduced because the space is naturally visible and well-used.

In practice this means:

Sightlines should be clear without being clinical. Landscaping, signage, fencing, and furniture should be positioned to maintain visibility across key areas — particularly movement paths, waiting areas, entry points, and transition zones — without creating an environment that feels sterile or institutional. Low-growing planting below 600mm and canopy trees above 2m maintain visibility while preserving amenity. Dense mid-height planting between 600mm and 2m creates concealment and should be avoided in areas where surveillance matters.

Active uses should face public areas. Ground-floor tenancies, reception desks, staff workstations, and café seating that face onto carparks, laneways, or public open space provide passive surveillance without any additional resource cost. A reception desk with a clear sightline to the carpark entry is a security measure. So is a ground-floor café that activates a previously quiet street edge.

Movement paths should be direct and visible. People naturally take the most direct route. If the most direct route goes through a well-lit, visible, activated area — that’s good design and good security. If the most direct route goes through a poorly lit, isolated corner because the formal path is inconvenient — people will use the shortcut and the formal path will remain underused and unobserved.

Transition points should be clear and legible. The moment a person moves from a public space to a semi-private or private one — from a carpark to a lobby, from a street to a communal courtyard, from a public corridor to a restricted area — that transition should be clearly signalled. Not through heavy-handed barriers or intimidating signage, but through changes in material, lighting, planting, and spatial character that communicate the shift in territory without making it feel hostile.

 

The balance between safety and welcome.

The most important principle in this section is also the simplest: security measures that make legitimate users feel unsafe have failed, regardless of their technical specification.

Excessive perimeter fencing, aggressive CCTV signage, heavy bollards at every entry, and over-specified access control create environments that feel controlled and unwelcoming. The people most affected by over-specified security are the legitimate users. The people least deterred by it are those with genuine intent to cause harm.

Good physical security makes legitimate users feel confident, welcome, and safe. It reduces opportunity for harmful behaviour through design and management rather than through restriction and surveillance. And it starts with the simplest possible exercise — walking through the space as a user, not as a security manager, and paying attention to what you actually experience.

 

What to Do With What You Find

A checklist like this will surface gaps — it’s designed to. The question is what to do with them.

Some gaps are straightforward to address without specialist input: updating the access control database, testing CCTV recording settings, reviewing patrol routes against current incident data, trimming planting that’s blocking sightlines, or implementing a key register. These are operational improvements that any facilities or security manager can action directly.

Others — particularly where the findings suggest systemic underperformance, where the gaps create genuine risk exposure, or where the organisation needs a defensible, documented basis for investment decisions — warrant an independent assessment. An independent security review applies structured risk methodology, produces a prioritised, evidence-based findings report, and gives the organisation a documented position that can be presented to boards, auditors, insurers, and elected members.

If this checklist has identified concerns that go beyond quick operational fixes, an independent physical security review is the right next step.

 

Engaging Smartsec for an Independent Physical Security Review in WA

Smartsec Security Solutions delivers independent physical security reviews for local government, commercial, healthcare, education, and community organisations across Perth and regional WA.

Our reviews are vendor-neutral — we don’t supply or install systems — and are aligned with ISO 31000:2018 and relevant Australian Standards including AS/NZS 1158, AS/NZS 62676, and AS 2201. Reports are structured to support governance, capital works planning, and procurement decisions.

Contact Smartsec Security Solutions to discuss what a review would involve for your site.

more insights

Call for a scope chat