Physical Security Assessment Report Template

📋 Template Usage Instructions

  • Replace all [PLACEHOLDER TEXT] placeholders with actual assessment data
  • Remove placeholder text sections and replace with your findings
  • Delete this instructions box before finalizing the report
  • Customize compliance framework references as needed for your engagement
  • Ensure all dates, locations, and client information are accurate
  • Review all boilerplate language to ensure it applies to your specific engagement

Placeholder Explanations

  • [Control/Requirement 1], [Control/Requirement 2], etc.: List the specific controls or requirements being assessed. Examples: "FedRAMP PE-2: Physical Access Authorizations", "HIPAA 164.310(a)(1): Facility Access Controls", "NIST SP 800-53 PE-3: Physical Access Control". Use the format: "[Framework] [Control ID]: [Control Name]".
  • [Control Number and Name]: The complete identifier and title of a specific control or requirement. Examples: "FedRAMP PE-2: Physical Access Authorizations", "HIPAA 164.310(a)(1): Facility Access Controls", "PCI DSS Requirement 9.2: Restrict Physical Access to Cardholder Data". Always include both the control number/ID and its full name.
  • [Control Number]: The control identifier only (without the name). Examples: "PE-2", "164.310(a)(1)", "9.2". Use this when the control name is already mentioned in context.

This template provides a standardized structure for physical security assessment reports based on the FORTRESS Framework methodology. The template is designed to be flexible and applicable to various compliance frameworks including FedRAMP, HIPAA, NIST SP 800-53, PCI DSS, ISO 27001, and others.

[CLASSIFICATION LEVEL] - FOR AUTHORIZED PERSONNEL ONLY

Physical Security Assessment Report

Client Organization: [Client Name]
Assessment Date: [Start Date] - [End Date], [Year]
Assessment Type: [Compliance Framework] [Control/Requirement] Assessment
Assessor: [Assessor Name/Organization]
Report ID: [Report Identifier]
Report Version: [Version Number]
Classification: [Confidential/Internal/Public]
Prepared By: [Author Name]
Reviewed By: [Reviewer Name]
Approved By: [Approver Name]
⚠️ Important Notice - Snapshot in Time Assessment

This assessment represents a point-in-time evaluation of physical security controls as they existed during the assessment period from [Start Date] through [End Date], [Year]. Security postures are dynamic and may change over time. The findings, recommendations, and compliance status reflected in this report are based solely on conditions observed and tested during the specified assessment window. The organization's security posture may have changed since the completion of this assessment, and this report should not be considered a guarantee of current security status.

1. Executive Summary

Who: This physical security assessment was conducted for [Client Organization Name] by [Assessor Organization]. The assessment team consisted of [Number] qualified security professionals with expertise in physical penetration testing, access control systems, and compliance frameworks.

What: This assessment evaluated the effectiveness of physical security controls implemented at [Client Organization] facilities in accordance with [Compliance Framework Name] requirements, specifically addressing [Control/Requirement Number and Name] (e.g., "FedRAMP PE-2: Physical Access Authorizations" or "HIPAA 164.310(a)(1): Facility Access Controls"). The assessment scope included evaluation of:

  • [Control/Requirement 1] (e.g., "FedRAMP PE-2: Physical Access Authorizations")
  • [Control/Requirement 2] (e.g., "FedRAMP PE-3: Physical Access Control")
  • [Control/Requirement 3] (e.g., "HIPAA 164.310(a)(2): Access Control and Validation Procedures")
  • [Additional controls as applicable]

Why: This assessment was conducted to:

  • Evaluate compliance with [Compliance Framework] physical security requirements
  • Identify gaps and vulnerabilities in physical access controls
  • Provide actionable recommendations for remediation
  • [Additional assessment objectives]
  • [Regulatory/contractual requirements if applicable]

The assessment was performed over a [Number] day period from [Start Date] through [End Date], [Year]. Testing activities included physical walkthroughs, access control system reviews, documentation analysis, and controlled access attempts at [Number] facilities located in [Location(s)].

2. Scope and Methodology

2.1 Assessment Scope

The assessment scope included the following facilities and systems:

  • Primary Facilities: [List primary facilities]
  • Secondary Facilities: [List secondary facilities if applicable]
  • Remote Locations: [List remote locations if applicable]
  • Systems Evaluated: [List systems, e.g., PACS, CCTV, alarm systems]
  • Out of Scope: [List items explicitly excluded from assessment]

2.2 Compliance Framework Requirements

The assessment followed the FORTRESS Framework methodology, specifically addressing [Compliance Framework] control requirements:

  • [Control Number].1: [Control Description] (e.g., "PE-2.1: Authorize physical access to the facility" or "164.310(a)(1).1: Implement procedures to allow facility access")
  • [Control Number].2: [Control Description] (e.g., "PE-2.2: Maintain access authorization records")
  • [Control Number].3: [Control Description] (e.g., "PE-2.3: Review and update access authorizations")
  • [Additional controls as applicable]

Note: [Control Number] refers to the base control identifier (e.g., "PE-2", "164.310(a)(1)", "9.2"). The ".1", ".2", ".3" represent sub-controls or specific requirements within that control. Include the full control name in the description portion.

2.3 Testing Methodologies

The following testing methodologies were employed during this assessment:

  • Review of physical access authorization policies and procedures
  • Examination of access control system configurations and user databases
  • Verification of authorization issuance and revocation processes
  • Physical penetration testing of access control systems
  • Testing of visitor management procedures
  • Review of access logs and audit trails
  • Evaluation of physical barriers and environmental controls
  • Testing of emergency access procedures
  • [Additional methodologies as applicable]

2.4 Limitations and Constraints

The following limitations and constraints applied to this assessment:

  • [Time constraints, if applicable]
  • [Access limitations, if applicable]
  • [Technical constraints, if applicable]
  • [Environmental factors, if applicable]
  • [Other constraints as applicable]

3. Key Findings

The following table summarizes the key findings identified during this assessment. Each finding includes a unique identifier, description, severity rating, and mapping to applicable compliance requirements.

Finding ID | Description | Severity | Compliance Control
[FINDING-ID-001] | [Detailed description of finding, including what was observed, where it was observed, and why it represents a security concern] | HIGH | [Control Number]
[FINDING-ID-002] | [Detailed description of finding] | MEDIUM | [Control Number]
[FINDING-ID-003] | [Detailed description of finding] | LOW | [Control Number]

[Add additional findings as rows in this table. Use severity classifications: HIGH, MEDIUM, LOW, or INFO]

3.1 Severity Classifications

Findings are classified according to the following severity levels:

  • HIGH: Critical security gaps that directly violate compliance requirements or pose immediate risk of unauthorized access. Requires immediate remediation.
  • MEDIUM: Significant security weaknesses that may lead to compliance violations or security incidents. Should be addressed within a reasonable timeframe.
  • LOW: Minor security gaps or best practice deviations that do not directly violate requirements but should be addressed to improve overall security posture.
  • INFO: Informational observations or recommendations for security enhancements that do not represent current compliance gaps.

4. Detailed Findings

This section provides detailed information for each finding identified during the assessment.

4.1 Finding: [FINDING-ID-001]

Title: [Brief descriptive title of the finding]

Severity: HIGH

Compliance Control: [Control Number and Name] (e.g., "FedRAMP PE-2: Physical Access Authorizations" or "HIPAA 164.310(a)(1): Facility Access Controls")

Location: [Where the finding was observed]

Description:

[Provide detailed description of the finding, including what was observed, how it was discovered, and why it represents a security concern. Include specific details such as system names, locations, dates/times of observation, and any relevant technical details.]

Impact:

[Describe the potential impact of this finding, including security risks, compliance implications, and business impact if applicable.]

Recommendation:

[Provide specific, actionable recommendations for remediating this finding. Include technical guidance, implementation steps, and any relevant best practices.]

Remediation Priority: [Immediate/High/Medium/Low]

Estimated Remediation Effort: [Time/cost estimate if applicable]

[Repeat section 4.1 for each finding, incrementing the finding number. Ensure all findings from the findings table are detailed in this section.]

5. Recommendations

Based on the assessment findings, the following recommendations are provided to achieve full compliance with [Compliance Framework] requirements and improve overall physical security posture:

5.1 Immediate Actions (High Priority)

  • [Specific recommendation addressing high-severity findings]
  • [Specific recommendation addressing high-severity findings]
  • [Additional immediate actions as applicable]

5.2 Short-Term Actions (30-90 Days)

  • [Specific recommendation for medium-severity findings]
  • [Specific recommendation for medium-severity findings]
  • [Additional short-term actions as applicable]

5.3 Long-Term Actions (90+ Days)

  • [Specific recommendation for strategic improvements]
  • [Specific recommendation for strategic improvements]
  • [Additional long-term actions as applicable]

5.4 Ongoing Maintenance and Monitoring

  • [Recommendations for ongoing security practices]
  • [Recommendations for monitoring and review processes]
  • [Recommendations for training and awareness]

6. Compliance Status Summary

The following table provides a summary of compliance status for each assessed control:

Control/Requirement | Status | Findings | Notes
[Control Number and Name] (e.g., "FedRAMP PE-2: Physical Access Authorizations") | [Compliant/Non-Compliant/Partially Compliant] | [Number of findings] | [Brief notes on compliance status]

[Add rows for each control/requirement assessed. Use format: "[Framework] [Control ID]: [Control Name]"]

7. Conclusion

This assessment evaluated the physical security controls implemented at [Client Organization] in accordance with [Compliance Framework] requirements. [Summary statement about overall compliance status and security posture].

[Number] findings were identified during this assessment, including [Number] high-severity, [Number] medium-severity, and [Number] low-severity findings. The organization should prioritize remediation of high-severity findings to maintain compliance and reduce security risk.

With implementation of the recommended controls, [Client Organization] should achieve full compliance with [Compliance Framework] requirements within [Estimated timeframe]. It is recommended that a follow-up assessment be conducted [Timeframe, e.g., "within 90 days" or "annually"] to verify remediation efforts and ensure ongoing compliance.

📋 Standard Boilerplate Language

Assessment Limitations: This assessment was conducted in accordance with the FORTRESS Framework methodology and represents a point-in-time evaluation of physical security controls. Security postures are dynamic and may change over time. The findings and recommendations in this report are based on conditions observed during the assessment period and may not reflect the current state of security controls.

Scope Limitations: This assessment was limited to the facilities, systems, and controls specified in the assessment scope. Areas, systems, or controls explicitly excluded from scope were not evaluated and are not addressed in this report.

Confidentiality: This report contains confidential and proprietary information. Distribution is restricted to authorized personnel only. Unauthorized disclosure may result in legal action.

Methodology: This assessment was conducted in accordance with FORTRESS Framework v9.0 and industry best practices for physical security testing. Testing methodologies were designed to identify security gaps while minimizing disruption to normal business operations.

Assessor Qualifications: This assessment was conducted by qualified security professionals with relevant certifications and experience in physical security testing, penetration testing, and compliance assessments. Assessors maintain appropriate security clearances and adhere to professional codes of conduct.

Client Responsibilities: The client organization is responsible for implementing recommended remediation activities and maintaining security controls on an ongoing basis. The assessor is not responsible for implementing remediation or maintaining security controls after the completion of this assessment.

No Warranty: This report is provided "as is" without warranty of any kind. The assessor makes no representations or warranties regarding the completeness, accuracy, or applicability of the findings and recommendations contained herein.

This report contains confidential and proprietary information. Distribution is restricted to authorized personnel only. Unauthorized disclosure may result in legal action. Report prepared in accordance with FORTRESS Framework v9.0.

Report Prepared By: [Author Name]
Date: [Report Date]
Report Reviewed By: [Reviewer Name]
Review Date: [Review Date]
Report Approved By: [Approver Name]
Approval Date: [Approval Date]

About This Template

This template is designed for offensive security professionals conducting physical security assessments across various compliance frameworks. The template provides a standardized structure that ensures comprehensive coverage of assessment requirements while maintaining flexibility for different compliance contexts.

Key Features:

  • Structured sections covering who, what, and why of the assessment
  • Standardized findings format with severity classifications
  • Comprehensive recommendations section with prioritization
  • Compliance status summary for easy reference
  • Standard boilerplate language for legal and professional protection
  • Snapshot-in-time assessment language to manage expectations

For more information about the FORTRESS Framework methodology, visit the Framework Navigator or review sample use cases.