Physical security assessments,
without the spreadsheets
Run ASIS-aligned TVRAs across every site, validate evidence with AI, and generate audit-ready reports in minutes instead of weeks. RiskWatch is the physical security assessment software trusted by multi-site enterprise security teams.
- G2
- 4.8 / 5
- Capterra
- 4.7 / 5
- Gartner Peer Insights
- 4.6 / 5
- Site 51 (Sub 14): perimeter breach attempts +24% week over weekNERC CIP-014 R5
- AI matched 6 sites to ASIS Facility level 3 profile, scoring readySaved 8 hours of setup
- Board pack regenerated for the 6-site east region, 0 open critical1 click export
Trusted by Fortune 100 security leaders
One platform, four measurable wins.
Less audit prep time
Findings closed on time (vs 41% manual)
More sites assessed per quarter
Average time to ROI
If this is how your security program runs today, you have company.
Most multi-site security teams are still running quarterly assessments out of spreadsheets, chasing evidence over email, and assembling board reports by hand the week before they are due. The work gets done, but it gets done at the cost of half the team's calendar and most of their goodwill.
Assessments live in spreadsheets that never quite agree with each other.
Evidence sits in shared drives, photos rarely tagged, often unverified.
Reminders go out by email. Some get answered. Most do not.
Audit logs are incomplete, and traceability falls apart under questioning.
Reporting takes days of manual work before every audit and board meeting.
The same control gets re-documented for SOC 2, then ISO 27001, then HIPAA.
One platform for every assessment, every site, every framework.
RiskWatch replaces the spreadsheet and email workflow with a single system of record for physical security assessments. AI validates evidence as it comes in, drafts remediation tasks for every gap, and summarises organisational risk into reports your CSO and board can actually read.
Clipboards and spreadsheets vs RiskWatch.
Same six tasks, two operating models. The right column is what your CSO is asked for at every board meeting.
Built end-to-end for physical security teams.
Every section below replaces a piece of the spreadsheet-and-email workflow. AI validates evidence as your team uploads it, the multi-site heatmap rolls up across every facility you operate, audit-ready reports export in two clicks, and remediation tasks push to Jira or ServiceNow the moment a gap surfaces.
Every module in the physical security program, one platform.
16 modules covering site dashboards, mobile assessments, the question library, crime-data overlay, control domains, threats catalog, mitigation tasks, recurring TVRAs, and custom reports. Buy once, retire half your toolchain.
Portfolio risk on one screen
Heat maps, top-N sites by score, control-domain scores, mitigation status, in widgets that read in 10 seconds.
TVRA on any device
Walk the site, capture findings, attach photos and signatures. Sync when you reconnect, no data lost in the field.
ASIS, FEMA, NIST PE built in
ASIS Facility Physical Security Control Standards, FEMA 426/452, NIST 800-53 Physical & Environmental, ship-ready.
1,000+ pre-built questions
Curated by physical-security practitioners. Every question maps to a control standard so reports trace to a framework.
Likelihood backed by data
Cap Index CRIMECAST, Security Gauge, and Crisis24 feeds populate per-site likelihood objectively.
Doors, locks, keys, audit
Track door schedules, lock types, master-key control, badge systems, visitor logs, and access reviews.
CCTV coverage and gaps
Camera placement, retention, monitored vs recorded, blind-spot tracking, integration with incident response.
Fence-to-foyer assessment
Fencing, lighting, vehicle barriers, gate guards, vegetation control, signage, every layer scored and tracked.
Intrusion · theft · sabotage · WPV
Pre-loaded catalog covering intrusion, theft, sabotage, workplace violence, vehicle ramming, and social engineering.
Site risks, rolled up
Each site has its own register; portfolio rollup gives you the enterprise view auditors and boards expect.
Findings that route themselves
Convert findings into tracked tasks for facilities, security ops, or IT, with owner, due date, and proof of close.
Best-practice fixes inline
Every non-compliant question carries pre-mapped remediation guidance from the ASIS standard.
Who changed this, answered instantly
Timestamped log of every score change, finding, attachment, and reassignment, admissible in a regulator review.
Set the cadence, stop reminding
Schedule recurring assessments per site type. Alerts when a site is due, overdue, or off the standard.
Onboard 200 sites in an Excel paste
Bulk import sites, contacts, regions, and prior findings. Customize fields without IT involvement.
Board-ready exports
Heat maps, executive summaries, control-by-control compliance, KRI breach trends. PDF, Word, or Excel.
From first walk to board-ready in five stages.
Most teams complete stages 1–3 within their first week. Stage 4 runs continuously. Stage 5 is on-demand the moment your CSO or auditor asks.
Pick the standard
ASIS Facility Physical Security Control Standards by default. Or FEMA 426/452, NIST 800-53 PE, NERC CIP-014, Martyn's Law, or your custom library.
Walk the site
Mobile TVRA on any browser-enabled device. Photos, signatures, comments, even offline. Auto-sync when reconnected.
Score with crime data
Likelihood populates from Cap Index, Security Gauge, and Crisis24. You score impact. The platform calculates risk.
Mitigate and monitor
Findings convert to tasks. Reassessments trigger on schedule. Site Risk Index trends across the portfolio.
Report and brief
Heat maps, executive summaries, control-by-control compliance, KRI breach trends, in two clicks.
The 47-site walk that stopped requiring a war room.
Real corporate security teams. Real before-and-after numbers. Real ASIS-aligned walks.
We did 47 sites in eight weeks. Our previous vendor took 14 weeks for 28. The mobile app and ASIS template alone paid for the year-one license.
“We did 47 sites in eight weeks. Our previous vendor took 14 weeks for 28. The mobile app and ASIS template alone paid for the year-one license.”
“Cap Index integration ended the how-do-you-know debate. Likelihood scoring stopped being subjective the day we turned the feed on.”
“Dashboards give us assessment status across every park and ride in real time. The same scoring model now pulls in incidents and ride downtime data, so risk lives in one place across physical security, EH&S, rides maintenance, and aquatics.”
One platform, four wins, one per stakeholder.
CSO walks into the board meeting with numbers. CFO sees payback inside two quarters. GRC ships an audit binder in hours. Operations runs site walks on a phone, offline. Pick a role to see the specific outcomes.
Why teams pick RiskWatch over generic GRC tools.
Generic GRC platforms wrap controls libraries around document management. They were not designed for site walks, offline evidence capture, or real-time threat-data overlays. RiskWatch was purpose-built for physical security workflows, with AI evidence validation, mobile offline mode, and native Cap Index plus Crisis24 integration shipped on day one.
AI across the workflow, not on top of it
Evidence validation, policy summarisation, remediation tasks, and report drafting are all AI-driven. The platform reduces manual work at every step, not just one.
Built for the field, not the conference room
Offline assessments, mobile-first evidence capture, and automatic sync keep field teams productive at sites where connectivity cannot be assumed.
External risk data, natively integrated
Cap Index crime data, Crisis24 geopolitical intelligence, and Security Gauge benchmarking feed directly into your risk picture. Generic GRC tools leave this work to you.
Cross-mapped to every framework, by default
One assessment supports ISO 27001 A.7, NIST 800-53 PE, ASIS, NERC CIP-014, CTPAT, TAPA, Martyn's Law, and HIPAA physical safeguards.
Lives where your team already works.
Push findings to your ticketing system, post updates to your team chat, feed risk data into your BI stack, or build your own integration with the open API.
Need something custom? Open API endpoints let you pipe assessment and risk data into any downstream system.
Built for industries where the door matters as much as the firewall.
Retail loss prevention, branch banking, hospital physical safeguards, multi-plant manufacturing, distribution-centre TAPA reviews, data-centre evidencing, and corporate-campus assessments all run on the same platform.
Retail and multi-store
200+ store chains use RiskWatch for store-level TVRA, crime-data scoring, and loss-prevention reporting.
Learn moreLogistics and supply chain
TAPA FSR, CTPAT, and AEO programmes across 40+ facility multi-site operators.
Learn moreManufacturing
Plant-level physical security plus OSHA plus EHS in one workflow.
Learn moreHealthcare and hospitals
Facility risk, HIPAA physical safeguards, and workplace-violence prevention.
Learn moreEnergy and utilities
NERC CIP-014 R1 to R6 with threat-data overlay and surveillance-audit prep.
Learn moreTake RiskWatch home before you sign anything.
Three downloads. Use them to evaluate, share with your team, or build the business case for replacing clipboard-and-spreadsheet TVRAs.
Physical Security Assessment Checklist
Forty pages built on ASIS Facility Physical Security Control Standards. Print, walk a site, tally compliance percentage and risk score, and assemble an executive summary using the included template.
- ASIS-aligned 4-domain structure
- Compliance % + risk-score tallies
- Executive summary template
TVRA Site Risk Register Template
Pre-built site register with threat catalog, vulnerability tracker, asset inventory, scoring formulas, and a 5×5 heat-map. Use standalone or as your migration source.
- Threat × vulnerability × asset linking
- Likelihood × impact heat-map
- Per-domain scoring tabs
Physical Security Platform Buyer's Guide
Vendor scorecard, mobile-app comparison, crime-data feed coverage, pricing benchmarks, and implementation timelines by site count. The shortlist tool for corporate-security RFPs.
- Feature matrix · 6 vendors
- Mobile-app side-by-side
- Pricing benchmarks
Frequently asked questions.
Physical security assessment software is a platform that helps security teams plan, conduct, score, and report on physical security risk assessments (TVRAs). It centralises question libraries (ASIS, FEMA, NIST 800-53 PE), captures findings via mobile, blends in third-party crime data, computes per-site risk scores, and generates board-ready reports. RiskWatch ships with the ASIS Facility Physical Security Control Standards library, mobile-first walks, and Cap Index plus Security Gauge plus Crisis24 feeds for objective likelihood scoring.
A physical security risk assessment follows five steps: (1) define scope, which sites, asset types, and threat categories are in-scope; (2) walk the site against a control library (ASIS, FEMA 426/452, or NIST 800-53 PE) capturing findings, photos, and gaps; (3) score likelihood (often from crime data) and impact; (4) prioritise mitigations using a heat map; (5) reassess on a defined cadence. RiskWatch automates steps 2 to 5 so the security team focuses on judgement calls, not data entry.
The most widely used standards are the ASIS Facility Physical Security Control Standards, FEMA 426/452, NIST SP 800-53 Physical and Environmental Protection (PE) controls, ISO 27001 Annex A.7 (Physical Controls), and ISO 28000 for supply-chain security. Industry-specific standards include NERC CIP-014 (bulk power), TSA SD-1580 (transportation), CFATS RBPS (chemical), HIPAA §164.310 (healthcare physical safeguards), and Martyn's Law (UK publicly accessible venues). RiskWatch ships with all of these as built-in libraries plus the ability to upload your own.
RiskWatch integrates with three third-party geospatial-risk feeds: Cap Index CRIMECAST (7-year crime trend per address, by crime category), Security Gauge (localised US threat-environment score with confidence intervals), and Crisis24 (global incident intelligence covering civil unrest, geopolitics, and travel risk). When you create a site, the platform pulls relevant data points and uses them to populate the likelihood half of the risk score automatically. Every score traces back to its source and last-updated timestamp.
Yes. The mobile assessment runs in any browser-enabled device, no app install needed. Surveyors capture findings, photos, signatures, and comments while offline (for example inside a server room or perimeter areas with poor cellular). The data queues locally and syncs automatically the moment a connection is detected. No findings are lost in the field, and surveyors don't double-enter data when they get back to a desk.
Most teams complete their first ASIS-based assessment within a week. Pre-built libraries, mobile-first walks, bulk site import, and configurable templates remove the typical 2 to 3 month setup. Enterprise multi-region deployments with custom mappings to additional frameworks (NERC CIP-014, CFATS, TSA SD-1580) and SSO typically complete in 60 days with white-glove implementation.
Generic GRC platforms are built around controls libraries and document management. RiskWatch is purpose-built for physical security assessment workflows, including field-friendly offline mode, AI evidence validation, multi-site heatmaps, and native integration with external risk data sources like Cap Index and Crisis24. Out of the box, RiskWatch ships with ASIS, FEMA, NIST PE, and NERC CIP-014 libraries that generic GRC tools expect you to build yourself.
Yes. The 30-day free trial requires no credit card and includes full access, every assessment template, the question library, mobile walks, suggested remediation, and analytics dashboards. You can run a real TVRA against your own sites and decide before purchasing. A free 40-page Physical Security Assessment Checklist (built on ASIS Facility Physical Security Control Standards) is also available as a download.
Run your first TVRA this week
Start a 30-day free trial, every standards library, mobile-first walks, crime-data overlay, suggested remediation, full Audit Trail. No credit card required.
No credit card required · 30-day free trial · Cancel anytime