It’s one of the first questions organisations ask when they’re considering a security risk assessment — and it’s a reasonable one. But it’s also one that’s rarely answered well online, because the honest answer requires context that a price list cannot provide.
This article explains what drives the cost of a security risk assessment in Australia, what a quality assessment should include for that fee, and why the organisations that treat an assessment as a long-term planning tool — rather than a one-off compliance exercise — consistently get far more value from the investment than those who don’t.
Why There’s No Standard Price
A security risk assessment is not a product. It’s a professional service, scoped to a specific site, a specific organisation, and a specific set of risks. The fee reflects the work involved — and that work varies considerably depending on what’s being assessed.
The most common factors that affect cost are:
Site size and complexity. A single-tenancy office building in Perth’s CBD is a different assessment to a multi-building university campus, a regional hospital with multiple clinical areas, or a council portfolio of 30 parks and community facilities. The larger and more complex the site, the more time the assessment requires — more areas to inspect, more data to gather, more findings to analyse and document.
Number of locations. Single-site assessments are simpler to scope and deliver. Multi-site assessments — where an organisation wants a consistent, comparable view of risk across several locations — require more time but often deliver better value per site, since methodology and context are established once and applied across the portfolio.
Scope of the assessment. A focused assessment of a specific high-risk area — a carpark, a reception zone, an after-hours access point — is narrower in scope than a comprehensive assessment covering the full threat profile, all physical controls, CCTV, access control, lighting, procedures, and patrol arrangements across an entire site. The scope should be driven by what the organisation actually needs, not by what’s easiest to deliver.
Report format and purpose. An assessment that produces a brief findings memo for internal use requires less documentation than one that produces a formal, structured report suitable for board presentation, council committee reporting, or regulatory compliance. For organisations with governance obligations — councils, government agencies, healthcare providers, listed companies — the report standard matters, and producing it properly takes time.
Site visit timing. Many assessments require both a daytime and after-hours inspection. After-hours conditions — lighting performance, access control behaviour, patrol coverage — often reveal vulnerabilities that are invisible during business hours. Assessing a site properly sometimes means visiting it at 10pm on a Tuesday, not just at 2pm on a Wednesday.
Independent vs vendor-provided. An assessment conducted by an independent consultant with no commercial relationship to security suppliers costs differently to a “free assessment” offered by a CCTV installer or guarding company. The latter isn’t really an assessment — it’s a site visit that ends in a quote for products and services. An independent assessment charges a professional fee precisely because it has no downstream revenue from what it recommends.
What a Quality Assessment Should Include
The cost question and the quality question are inseparable. A low-cost assessment that misses the significant risks or produces a generic report has a negative return — it costs money and creates false assurance. A well-scoped, properly conducted assessment has a positive return that can be measured in avoided incidents, avoided capital expenditure, and avoided liability.
Here is what a quality security risk assessment in Australia should include for the fee charged:
A scoping conversation before any work begins. A good consultant asks about the site, the organisation, the known concerns, the purpose of the assessment, and what the findings will be used for. This conversation shapes the scope, prevents duplication, and ensures the assessment addresses what actually matters rather than following a generic template.
A physical site inspection — including after-hours where relevant. There is no substitute for being on site. A desk-based assessment that relies on photographs and floor plans misses the things that photographs don’t capture: how the space actually feels to move through, where the blind corners are, how the lighting performs in rain, what the after-hours access behaviour looks like in practice. For most sites, a physical inspection is non-negotiable.
A structured threat identification process. Identifying the realistic threats relevant to your specific environment — not a generic list, but a considered assessment of what is actually credible given the site’s location, use, operating hours, occupant profile, and incident history. This is where the expertise of the assessor matters most. An assessor who knows the WA crime environment, the local council context, and the specific threat profiles of different facility types will produce a more accurate and more useful threat picture than one who applies a national template.
Vulnerability assessment against each threat. For each identified threat, what are the vulnerabilities — the gaps in current controls — that increase the likelihood or consequence of that threat materialising? This is the analytical core of the assessment. It evaluates physical controls (CCTV, access control, lighting, perimeter treatments), procedural controls (incident reporting, key management, after-hours response), and environmental factors (natural surveillance, sightlines, activation, maintenance).
A risk rating aligned with ISO 31000:2018. Likelihood and consequence rated against a consistent matrix, producing a risk register that tells the organisation not just what the risks are but how serious each one is. This prioritisation is what makes the assessment usable as a planning tool — it answers the question of where to focus first, which matters considerably when budgets are finite.
Practical, prioritised recommendations. Findings without recommendations are observations, not an assessment. A quality assessment produces specific, achievable recommendations that distinguish between immediate actions, medium-term improvements, and longer-term strategic investments. Recommendations should be vendor-neutral — specifying performance outcomes, not particular brands or suppliers — and should be realistic about cost and implementation complexity.
A written report that serves its purpose. The report is the deliverable. It should be structured clearly, written in plain language, supported by photographic evidence of key findings, and formatted to serve the governance or procurement purpose for which it was commissioned. A report that a facilities manager has to translate for their CEO, or that an auditor finds ambiguous, has not done its job.
The Planning Tool Question — Where Most Organisations Get It Wrong
The organisations that get the least value from a security risk assessment are the ones that treat it as a one-off compliance exercise. They commission it because an insurer asked, or because a council condition required it, or because something went wrong. The assessment happens, the report is filed, and three years later the same vulnerabilities exist — or new ones have emerged that nobody has assessed.
The organisations that get the most value treat the assessment as a planning document — something that informs decisions over a two to three year horizon, not just the week after it’s delivered.
This distinction matters considerably for cost-effectiveness. Here’s why.
Capital expenditure decisions. Security infrastructure is expensive. CCTV systems, access control upgrades, lighting replacements, perimeter treatments — these are capital investments that councils, property managers, and facility operators make on multi-year cycles. A security risk assessment that identifies which investments will meaningfully reduce risk — and which won’t — can prevent hundreds of thousands of dollars in wasted expenditure on technology that doesn’t address the actual threat.
The most common expensive mistake is investing in technology before defining the problem. A council that installs $200,000 of CCTV cameras across a park precinct because of recurring antisocial behaviour may find, post-installation, that the cameras haven’t changed the behaviour — because the behaviour was driven by design factors that CCTV doesn’t address. An assessment conducted before the capital decision would have identified this, redirected the investment, and produced better outcomes for less money.
Procurement decisions. Security service contracts — guarding, monitoring, response — are typically renewed annually. An assessment that evaluates whether the current contract is delivering value, whether patrol routes are still relevant, and whether the service specification still matches the risk profile gives the organisation a basis for procurement decisions that isn’t just “what we’ve always done.” Over a five-year contract cycle, a well-scoped assessment can identify significant savings or reallocation opportunities.
Grant and funding applications. For councils and community organisations, security upgrades are often funded through state or federal grants — community safety grants, crime prevention funding, infrastructure programs. These applications require evidence of the security need. A current, independent security risk assessment is the document that provides that evidence. Organisations without an assessment often miss funding rounds or submit weak applications. Organisations with one have a ready-made evidence base.
Insurance and liability management. Insurers are increasingly asking for evidence that security risk has been formally assessed and managed. An organisation that can produce a current, ISO 31000-aligned security risk assessment from an independent consultant is in a significantly stronger position at renewal, and in a significantly stronger position if a claim is made, than one that cannot. The cost of the assessment is a fraction of the potential cost of a contested claim or a premium increase.
Regulatory and governance compliance. Healthcare facilities under AS 4485:2021, councils under the Local Government Act, educational institutions under their duty of care obligations — all of these organisations have ongoing requirements to demonstrate that risk has been managed. A security risk assessment that is treated as a living document — reviewed and updated on a regular cycle — provides continuous governance evidence rather than a single point-in-time snapshot that becomes outdated.
So What Does It Actually Cost?
In Australia, a professionally conducted, independent security risk assessment for a single site typically ranges from approximately $1,500 to $6,000 or more, depending on the factors described above. Multi-site assessments and portfolio reviews are typically priced on a per-site basis, with the rate reflecting the efficiency gains from assessing multiple sites under a single methodology.
These figures reflect the work involved in a genuine assessment — site inspection, threat identification, vulnerability analysis, risk rating, and a properly structured written report. They do not reflect the “free assessment” model offered by security product vendors, which is a sales process, not a professional service.
For context: a $3,000 security risk assessment that prevents a single misguided CCTV investment of $50,000 has a return on investment of more than 1,500%. A $2,500 assessment that produces a grant application evidence base for a $200,000 community safety project has a similar profile. These are not hypothetical outcomes — they are the typical results of a well-used assessment for WA councils and facility managers.
The right question is not “how much does a security risk assessment cost?” It is “what will it cost if I make security decisions without one?”
Getting a Scoped Quote
Because every assessment is different, the right starting point is a brief conversation about your site, your known concerns, and what you need the assessment to achieve. From that conversation, a realistic scope and fee can be established quickly — usually within a day.
Smartsec Security Solutions provides independent security risk assessments for councils, commercial operators, healthcare facilities, developers, and government agencies across Perth and regional WA. Our assessments are aligned with ISO 31000:2018, vendor-neutral, and structured to serve as planning documents — not compliance paperwork.
Contact Smartsec Security Solutions to discuss your site and get a scoped quote.


