
Free Download · Physical Security Assessment

The complete physical security risk assessment checklist

Every domain a security assessor walks on a real site survey (perimeter, surveillance, access control, building, asset, personnel, IT, emergency, and compliance), aligned to ASIS POL.GUIDE-2008, ANSI/API 780-2013 SRA, and the TVRA (Threat, Vulnerability, Risk Assessment) methodology used by Corporate Security Directors, CSOs, and insurance underwriters running multi-site portfolio reviews.

No credit card · No call required · Instant link

What's inside

Nine site-survey domains, 29 line items, walked the way a real assessor walks them

The PDF follows the ASIS POL.GUIDE-2008 risk-assessment outline and the ANSI/API 780-2013 Security Risk Assessment workflow exactly the way a credentialed assessor walks a site: perimeter inward, with TVRA scoring at every layer. Every line is what a corporate security director, an insurance underwriter, or an OSHA workplace-violence reviewer asks to see during an in-person walk-through.

Perimeter Security (3 items)

Domain 1 · Site approach + boundary

  • 1.1 · Fencing + barriers (height, gauge, anti-climb topping, clear-zone, set-back, CPTED sightlines)
  • 1.2 · Gates + entry control (vehicle gate hardening, pedestrian portals, guard posts, intercom + camera coverage)
  • 1.3 · Vehicle barriers (bollards, wedges, K-rated barriers per DoS SD-STD-02.01, stand-off distance per FEMA 426)

Surveillance (3 items)

Domain 2 · CCTV + lighting + monitoring

  • 2.1 · CCTV coverage + retention (camera fields-of-view, blind-spot mapping, resolution, 30/60/90-day retention policy)
  • 2.2 · Monitoring + analytics (SOC staffing, video-analytics rule sets, line-cross + loiter alarms, response SLA)
  • 2.3 · Lighting (lux levels per IESNA G-1, perimeter, parking lot, dock + entry illumination, photometric uniformity)

Access Control (4 items)

Domain 3 · Credentialing + entry

  • 3.1 · Credentialing (badge issuance, photo, expiry, lost-card protocol, terminated-employee revocation SLA)
  • 3.2 · Visitor management (pre-registration, ID capture, escort policy, badge color-coding, visitor log retention)
  • 3.3 · Multi-factor doors (badge + PIN, badge + biometric on sensitive zones, anti-passback, anti-tailgate sensors)
  • 3.4 · Mantrap + turnstile zones (sally-port at lobby + cash room, optical turnstiles, side-gate + ADA paths)

Building Security (3 items)

Domain 4 · Envelope + hardware

  • 4.1 · Door hardware (ANSI/BHMA grade, frame anchorage, hinge pinning, exit-device reverse-lever, door-prop alarms)
  • 4.2 · Glazing + frangibility (UL 752 ballistic where required, security film on ground floor, blast-resistant per FEMA 426)
  • 4.3 · Key control (master-key system audit, restricted keyway, lost-key reset trigger, key-issue + return logs)

Asset Protection (3 items)

Domain 5 · High-value zones

  • 5.1 · High-value asset zones (IP, R&D, prototype, narcotics, currency, controlled substances, segmentation + dual-control)
  • 5.2 · Secure rooms + safes (UL 687 TL/TR rated safes, vault construction, time-delay locks, dual-custody opening)
  • 5.3 · Evidence rooms (chain-of-custody, tamper-evident packaging, biometric entry, 24/7 video, audit log retention)

Personnel + Operational Security (3 items)

Domain 6 · Officers + posts + response

  • 6.1 · Security officer staffing (post coverage, rover routes, response time, contract vs. proprietary, license verification)
  • 6.2 · Training + post orders (initial + annual, use-of-force, de-escalation, OSHA workplace violence, post-order currency)
  • 6.3 · Incident response (escalation tree, dispatch SOP, after-action review, ASIS WVPI-2020 alignment, OSHA 1910.5(a)(1) coverage)

Information + IT Asset Security (3 items)

Domain 7 · Server room + closets

  • 7.1 · Server room (TIA-942 access tier, biometric entry, environmental sensors, fire suppression, UPS + generator)
  • 7.2 · Network closet (locked, alarmed, badge-logged, no tailgate, no co-tenant access, cable-tray protection)
  • 7.3 · Communications closets (MDF/IDF, telecom demarc, fiber vault, anti-tap conduit, cross-connect audit)

Emergency Preparedness (4 items)

Domain 8 · Life safety + BCP + active threat

  • 8.1 · Fire + life safety (NFPA 101 egress, NFPA 72 alarm, sprinkler test logs, AED + first-aid kit count + inspection)
  • 8.2 · Emergency egress (illuminated signage, panic hardware, free egress under power loss, occupant load calc, drill cadence)
  • 8.3 · BCP / DRP (NFPA 1600 + ISO 22301, RTO/RPO per site, alternate-site contracts, tabletop + functional exercise log)
  • 8.4 · Active threat (DHS run-hide-fight, ALICE training, rally-point map, lockdown PA + auto-lockdown integration)

Compliance + Documentation (3 items)

Domain 9 · Policies + audit + SLA

  • 9.1 · Policies (security plan currency, board approval date, version control, distribution list, annual review evidence)
  • 9.2 · Audit (internal walk cadence, third-party assessor cadence, finding-to-task workflow, closure SLA, repeat-finding tracking)
  • 9.3 · Regulatory + SLA documentation (OSHA log, insurance loss-prevention rider, contract SLA, NDA register, BAA register)

Plus a TVRA scoring worksheet + multi-site rollup template

The PDF appendix includes the Threat × Vulnerability × Consequence scoring worksheet (ASIS POL.GUIDE + ANSI/API 780 aligned) and a portfolio rollup template so a CSO or insurance underwriter can compare HQ, plants, DCs, and retail or branch sites on one sheet. 28 pages total.

Why use this checklist

Built to ASIS + API + TVRA: what corporate security and underwriters actually score against

Aligned to ASIS POL.GUIDE-2008 + ANSI/API 780-2013. The checklist follows the structure of the ASIS International General Security Risk Assessment Guideline (POL.GUIDE-2008), the de facto standard the Corporate Security profession has used since 2003. It also maps to ANSI/API Standard 780-2013, the Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, which has spread well beyond oil and gas as a pragmatic critical-infrastructure SRA framework. Both standards drive the asset-pairing, threat-ranking, vulnerability-scoring, and countermeasure-selection logic that an external assessor or insurance underwriter applies during a walk-through.

TVRA methodology, not just a vulnerability sweep. A pure vulnerability checklist undercounts risk because it ignores threat likelihood and asset criticality. The TVRA (Threat, Vulnerability, Risk Assessment) workflow embedded in the PDF scores each finding on three axes (credible threat, exploitable vulnerability, and consequence to the asset), so what surfaces at the top of the report is risk-ranked, not finding-counted. That is the methodology Corporate Security Directors present to executive risk committees, the methodology insurance carriers expect to see in a loss-control file, and the methodology multi-national CSOs use for portfolio-level rollup across hundreds of sites. The line items reference DHS, FEMA 426, NFPA 730/1600, IESNA G-1, ANSI/BHMA, UL 687/752, and TIA-942 where the underlying engineering standard belongs.
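As an added example (not the PDF's worksheet and not RiskWatch code), the three-axis scoring and the multi-site rollup described above, in Python. Each axis is assumed to be scored 1 to 5 and risk is taken as Threat × Vulnerability × Consequence; the constructed sample shows why a site with one critical gap outranks a site with four minor ones once findings are risk-ranked rather than counted.

```python
"""TVRA (Threat x Vulnerability x Consequence) scoring with a per-site rollup.
Added example; the 1-5 scale per axis and the product formula are assumptions,
not taken from the PDF or the RiskWatch platform."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    site: str
    item: str           # checklist line item the gap was recorded against
    threat: int         # credible threat likelihood, 1-5 (assumed scale)
    vulnerability: int  # how exploitable the gap is, 1-5
    consequence: int    # impact on the paired asset, 1-5

    def risk(self) -> int:
        """T x V x C, range 1-125; rejects axes outside the assumed scale."""
        for axis in (self.threat, self.vulnerability, self.consequence):
            if not 1 <= axis <= 5:
                raise ValueError("TVRA axes must be scored 1-5")
        return self.threat * self.vulnerability * self.consequence


def rank_findings(findings):
    """Risk-ranked report: highest T x V x C first, not finding order."""
    return sorted(findings, key=lambda f: f.risk(), reverse=True)


def portfolio_rollup(findings):
    """Per-site finding count, worst single risk, and summed risk."""
    rollup = {}
    for f in findings:
        s = rollup.setdefault(f.site, {"findings": 0, "max_risk": 0, "total_risk": 0})
        s["findings"] += 1
        s["max_risk"] = max(s["max_risk"], f.risk())
        s["total_risk"] += f.risk()
    return rollup


def rank_sites(findings, by="max_risk"):
    """Order sites by a rollup column; by='findings' reproduces a pure count."""
    rollup = portfolio_rollup(findings)
    return sorted(rollup, key=lambda site: rollup[site][by], reverse=True)


# Constructed sample survey results (fictional sites, not real data).
SAMPLE = [
    Finding("Branch-A", "2.3 Lighting", 2, 3, 1),
    Finding("Branch-A", "4.3 Key control", 2, 2, 2),
    Finding("Branch-A", "9.1 Policies", 1, 3, 1),
    Finding("Branch-A", "3.2 Visitor management", 2, 2, 1),
    Finding("Plant-B", "1.3 Vehicle barriers", 4, 4, 5),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE):
        print(f"{f.risk():4d}  {f.site:9s} {f.item}")
    print("by finding count:", rank_sites(SAMPLE, by="findings"))
    print("by TVRA risk:    ", rank_sites(SAMPLE))
```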

Tuned to ORC, active-threat, and workplace violence, not just terrorism. The vast majority of physical-security incidents in retail, corporate, and healthcare environments are organized retail crime (ORC), workplace violence, and active-shooter events, not state-sponsored attacks. The checklist incorporates DHS active-shooter readiness guidance, ASIS WVPI-2020 (Workplace Violence Prevention and Intervention), OSHA's General Duty Clause expectations for workplace violence, and the ORC scoring inputs (Cap Index, Security Gauge, FBI NIBRS) that loss-prevention teams pair with site walks. Use it as the readiness diagnostic that gates a full TVRA engagement, an insurance renewal, or a CSO portfolio rollup; the same control library powers the RiskWatch physical-security platform if you graduate from the PDF.

Who is it for

Three roles, one checklist

Enterprise security

Corporate Security Director / CSO

Owns the physical-security program across HQ, regional offices, plants, distribution centers, and retail or branch footprints. Reports to the executive risk committee, runs the assessor schedule, and rolls findings up to the board.

Outcome · Walk into a portfolio review with one survey instrument applied identically across every site, ranked by TVRA score, and traced to ASIS POL.GUIDE control families.

Site operations

Facilities + Site Security Manager

Responsible for the day-to-day security posture of one or a handful of facilities. Owns guard contracts, badge admin, CCTV health, door hardware, life-safety drills, and incident-response coordination with local law enforcement.

Outcome · Run a defensible self-assessment in a single shift and hand a finding-to-task remediation list, with vendor, owner, and due date, to the GM the next morning.

Risk + insurance

Risk Manager / Insurance Underwriter

Sets coverage, premiums, and loss-control terms for property + casualty + crime + workplace violence. Needs a consistent, evidence-backed survey across the schedule of locations to price risk and write loss-prevention riders.

Outcome · Receive a portfolio-grade physical-security file the underwriter can drop straight into the renewal binder, with TVRA scoring, ASIS + API + NFPA citations, and photos.

FAQ

Common questions, answered

ASIS POL.GUIDE alignment, ANSI/API 780 SRA coverage, multi-site portfolio rollup, ORC + active-threat scenarios, and what insurance underwriters expect to see in a renewal file.

Beyond the checklist

Run physical + cyber + compliance on one platform?

The PDF is the readiness diagnostic. The platform runs continuous physical-security TVRA scoring across every site, plus 39 other framework libraries (ISO 27001, SOC 2, NIST 800-53, HIPAA, PCI DSS, NFPA 1600, ASIS PSC.1, FEMA 426 and the rest) on the same evidence trail, so portfolio rollup, underwriter-ready exports, and finding-to-task remediation all live in one place.

Or call US: +1 941-500-4525

Request a Demo