What factors affect the cost of a physical security assessment?

Cost depends on facility size (square footage and number of floors), the number of distinct zones or buildings, the sensitivity level of operations conducted on site, whether the assessment includes acoustic testing or TSCM elements, and the urgency of the engagement timeline.

How does a physical security assessment differ from a penetration test?

A penetration test attempts to actively breach specific controls to demonstrate exploitability. A physical security assessment is a systematic evaluation of the entire physical security posture, identifying vulnerabilities, gaps, and weaknesses across all physical layers without necessarily attempting active exploitation. The assessment provides a broader view of risk, while a penetration test validates specific attack paths.

Physical Security Assessments for Offices, Events and Corporate Facilities

Before you move into a new office, host a board meeting off-site, or open a facility to visitors, you need to understand the physical vulnerabilities in the space. SAPP Security conducts structured physical security assessments that identify weaknesses across access control, acoustic separation, surveillance coverage, and human behaviour, then classify every finding using our three-tier Proximity Threat Management model. The result is a clear, prioritised remediation plan grounded in operational reality rather than theoretical compliance checklists.

What We Assess

A SAPP Security physical security assessment is a systematic walkthrough of your facility examining every layer of your physical attack surface. We evaluate the elements that determine whether an adversary, whether an opportunistic thief, a corporate espionage operative, or an insider threat, could gain access, observe sensitive information, or plant a surveillance device without detection.

Our assessors examine access points (doors, windows, loading bays, emergency exits), sight lines into sensitive areas, acoustic leakage paths between meeting rooms and adjacent spaces, opportunities for covert device placement, tail-gating risk at controlled entry points, document exposure on desks and in print areas, screen visibility from corridors and public zones, visitor flow patterns, and the security of delivery and postal handling areas.

Three-Tier Proximity Threat Model

Every finding is classified against our three-tier proximity threat model, which separates physical security risks into behavioural vectors (social engineering, tail-gating, impersonation), technical vectors (device placement, signal interception, network access), and espionage vectors (targeted surveillance, acoustic collection, document exfiltration). This classification ensures that remediation priorities reflect the actual threat landscape your organisation faces, not a generic checklist. The model aligns directly with our broader Proximity Threat Management framework.

Pre-Occupancy and Relocation Assessments

Moving into a new office or building is one of the highest-risk moments in an organisation's physical security lifecycle. The space is unfamiliar, existing infrastructure may be inadequate or compromised, and security teams rarely get sufficient time to evaluate the environment before operations begin. SAPP Security conducts pre-occupancy assessments that identify vulnerabilities in a space before you bring sensitive operations into it.

We evaluate the existing infrastructure: locks and locking hardware, access control systems (or their absence), CCTV coverage and camera positioning, exposed network ports and cabling, acoustic separation between meeting rooms and adjacent tenant spaces, and the physical integrity of partition walls, ceiling voids, and raised floors. In multi-tenant buildings, we pay particular attention to shared risers, common areas, and the boundary between your demise and neighbouring occupants.

Landlord Infrastructure and Shared Services

Many vulnerabilities in leased offices originate from building infrastructure outside your direct control. Shared reception desks, communal lift lobbies, building-managed access control, and centralised HVAC systems all present potential exposure points. Our assessments document these shared-service risks and provide specific recommendations for mitigating them within the constraints of your lease agreement, whether through supplementary access control, acoustic treatment, or operational procedures.

Event and Conference Security Assessments

Board meetings held off-site, investor days at external venues, M&A negotiations in hotel conference suites, and industry conferences all create temporary environments where sensitive conversations happen in spaces you do not control. SAPP Security conducts pre-event site surveys that identify the specific physical security risks of a venue before your people arrive.

Our event assessments evaluate eavesdropping risks (acoustic leakage through partition walls, ceiling voids, and HVAC ducts), device placement opportunities in meeting rooms and breakout areas, crowd flow vulnerabilities that could enable unauthorised access, the adequacy of venue-provided access control and CCTV, line of sight from public areas into your event spaces, and the security of AV equipment, Wi-Fi networks, and power outlets that could be exploited for surveillance.

For high-sensitivity events, we coordinate with our TSCM counter-surveillance team to conduct electronic sweeps of meeting spaces, and with our executive event security team to implement physical protection measures during the event itself.

Assessment Deliverables

Every assessment produces a structured set of deliverables designed to give your security team, facilities management, and executive leadership a clear picture of your physical security posture and a practical path to improvement.

Photographic Evidence Portfolio

Every vulnerability identified during the assessment is documented with annotated photographs showing the exact location, nature of the risk, and the potential exploitation method. This visual evidence portfolio makes findings tangible for stakeholders who may not have a security background, and provides a baseline record for tracking remediation progress.

Three-Tier Threat Classification

Each finding is classified according to our proximity threat model: behavioural, technical, or espionage vector. This classification helps your team understand not just what the vulnerability is, but what type of adversary would exploit it and what the likely objective would be.

Remediation Priority Matrix

Findings are ranked in a priority matrix that balances risk severity against cost and complexity of remediation. Quick wins (low cost, high impact) are separated from strategic investments (higher cost, longer timeline), giving you a practical roadmap that respects budget and operational constraints.

Proximity Risk Maturity Score

Your facility receives a Proximity Risk Maturity Score that quantifies your current physical security posture across all three threat tiers. This score provides a measurable baseline that can be tracked over time as remediation measures are implemented, and benchmarked against similar facilities in your sector.

Frequently Asked Questions

What does a physical security assessment cover?

Our assessments examine access points, sight lines, acoustic leakage, device placement opportunities, tail-gating risk, document exposure, screen visibility, visitor flow, and delivery areas. Every finding is classified using our three-tier proximity threat model covering behavioural, technical, and espionage vectors.

How long does a typical assessment take?

A single-floor office assessment typically takes one to two days on site, with the full report delivered within five working days. Larger facilities or multi-building campuses may require three to five days. Event site surveys are usually completed in a single day, with findings delivered within 48 hours.

What deliverables do we receive after an assessment?

You receive a photographic evidence portfolio with risk annotations, a three-tier threat classification of every finding, a remediation priority matrix ranked by severity and remediation cost, and a Proximity Risk Maturity Score establishing your baseline security posture.

What factors affect the cost of an assessment?

Cost depends on facility size (square footage and number of floors), the number of distinct zones or buildings, the sensitivity level of on-site operations, whether acoustic testing or TSCM elements are included, and the urgency of the engagement timeline.

How does this differ from a penetration test?

A penetration test actively attempts to breach specific controls to demonstrate exploitability. A physical security assessment is a broader, systematic evaluation of the entire physical security posture, identifying vulnerabilities across all physical layers without necessarily attempting active exploitation. The assessment maps the full risk landscape, while a penetration test validates specific attack paths.

Is this the same as an ISO 27001 audit?

No. SAPP Security does not perform ISO 27001 certification audits. Our assessments address the physical security controls relevant to frameworks like ISO 27001 (particularly Annex A.7 and A.11), but the assessment is an independent, operationally focused evaluation of your facility rather than a certification compliance exercise.

GET STARTED

Ready to Assess Your Facility?

Contact SAPP Security to discuss your physical security assessment requirements. We will scope a tailored engagement based on your facility type, sensitivity level, and operational timeline.

Request an Assessment Learn About Proximity Threats