RiskWatch
Physical security · facility risk · multi-site

The facility audit your insurance carrier just scheduled.

Most physical security programs aren’t owned by Security — they’re owned by an over-stretched facilities team running multi-site assessments by spreadsheet. RiskWatch ships the facility hierarchy, the assessment library, and the multi-site rollup auditors and insurance carriers actually ask for.

  • ASIS PS · FEMA 426 · NFPA 1600 · Workplace Violence libraries
  • Region / facility hierarchy with multi-site rollups
  • Mobile TVRA · offline-capable · crime-data overlay built in
  • For ops directors: facility-level dashboards + finding-to-task workflow
Start 30-day free trialWatch 4-min platform tour
No credit card · Mobile-ready · ASIS template ships day 1
app.riskwatch.com / physical-security
Live · 47 sites
Site Risk Index · Portfolio
0/100
0 vs Q3
Inherent87
Residual68
Target50
Sites OK38/47
Access Control
0/100
Surveillance
0/100
Perimeter
0/100
Crime Index
0 CAP
Top 5 sites · by risk score
Distribution center · Newark
0
Data center · Ashburn DC2
0
HQ · 22nd-floor exec wing
0
Branch · Phoenix West
0
Cold storage · Memphis
0
Trusted by corporate security teams across regulated industries
FirstEnergy
Hawaiian Electric
Consumers Energy
Port of Montreal
TVA
Avery Dennison
Mosaic
Bose
FirstEnergy
Hawaiian Electric
Consumers Energy
Port of Montreal
TVA
Avery Dennison
Mosaic
Bose
FirstEnergy
Hawaiian Electric
Consumers Energy
Port of Montreal
TVA
Avery Dennison
Mosaic
Bose
What it is

What is physical security assessment software?

Surveyors capture findings on mobile at the site. The board report rolls up the same evening — no PDF reformatting at midnight. One question library — usually the ASIS Facility Physical Security Control Standards — drives every site walk, with findings mapped to NIST 800-53 PE controls and blended with third-party crime data for per-site risk scores. Also called physical security risk assessment software, facility security assessment software, or TVRA software.

Why teams move to RiskWatch

Clipboards don't scale. And the board still asks “how risky is each site?”

CSOs we talk to manage 20 to 500 sites. Most are still running TVRAs with paper checklists and email-attached spreadsheets. Here's what that actually costs.

Pain #1

Site walks live in PDFs and clipboards.

Surveyors collect findings on paper, then re-enter them at a desktop. Photos sit in phone galleries. Mobile assessments capture findings, photos, and signatures on-site — even offline.

Pain #2

Likelihood is a guess until you add crime data.

Most physical security programs score likelihood from gut feel. That doesn't survive a board challenge. We blend Cap Index, Security Gauge, and World Aware data into every site's risk score.

Pain #3

47 sites. 47 spreadsheets. One board update.

Ranking sites by risk requires a rollup nobody has time to produce. Auto-prioritized site risk index — top-N, trended, exportable to PDF or Word in two clicks.

80%
Time saved per assessment
vs paper-based ASIS walks
3
Crime-data feeds, one score
Cap Index · Security Gauge · World Aware
16h
Saved per board report
Templated heat-maps · one-click export
The platform

Every module a corporate security team needs — in one platform.

Sixteen flagship modules sharing data, permissions, and audit trail. Built around the per-site Risk Register so your portfolio rolls up cleanly across regions, facility types, and business units.

Site Dashboard

Portfolio risk on one screen

Heat maps, top-N sites by score, control-domain scores, mitigation status — in widgets that read in 10 seconds.

Mobile Assessment

TVRA on any device

Walk the site, capture findings, attach photos and signatures. Sync when you reconnect — no data lost in the field.

Assessment Templates

ASIS, FEMA, NIST PE built in

ASIS Facility Physical Security Control Standards, FEMA 426/452, NIST 800-53 Physical & Environmental — ship-ready.

Question Library

1,000+ pre-built questions

Curated by physical-security practitioners. Map every question to a control standard so reports trace to a framework.

Crime-Data Overlay

Likelihood backed by data

Cap Index CRIMECAST, Security Gauge, and World Aware feeds populate per-site likelihood objectively.

Access Control Domain

Doors, locks, keys, audit

Track door schedules, lock types, master-key control, badge systems, visitor logs, and access reviews.

Surveillance Domain

CCTV coverage and gaps

Camera placement, retention, monitored vs recorded, blind-spot tracking, and integration with incident response.

Perimeter Domain

Fence-to-foyer assessment

Fencing, lighting, vehicle barriers, gate guards, vegetation control, signage — every layer scored and tracked.

Threats Catalog

Intrusion · theft · sabotage · WPV

Pre-loaded threat catalog covering intrusion, theft, sabotage, workplace violence, vehicle ramming, and social engineering.

Risk Register

Site risks, rolled up

Each site has its own register; portfolio rollup gives you the enterprise view auditors and boards expect.

Mitigation Tasks

Findings that route themselves

Convert findings into tracked tasks for facilities, security ops, or IT — with owner, due date, and proof of close.

Suggested Remediation

Best-practice fixes inline

Every non-compliant question carries pre-mapped remediation guidance from the ASIS standard.

Audit Trail

"Who changed this?" answered instantly

Timestamped log of every score change, finding, attachment, and reassignment — admissible in a regulator review.

Recurring TVRAs

Set the cadence, stop reminding

Schedule recurring assessments per site type. Alerts when a site is due, overdue, or off the standard.

Bulk Tools

Onboard 200 sites in an Excel paste

Bulk import sites, contacts, regions, and prior findings. Customize fields without IT involvement.

Custom Reports

Board-ready exports

Heat maps, executive summaries, control-by-control compliance, KRI breach trends. PDF, Word, or Excel.

The TVRA model

Threats × Vulnerabilities × Assets = Site Risk Score.

Each site risk in the register links to the threats that could trigger it, the vulnerabilities that make it possible, and the assets it would harm. Three connected modules — Threats, Vulnerabilities, Assets — feed into the Site Risk Score so you can trace any number on the heat-map back to the door, lock, or perimeter gap that drove it.

  • Threats catalog intrusion, theft, sabotage, workplace violence, vehicle ramming, social engineering
  • Vulnerability tracking unmonitored doors, blind spots, perimeter gaps, key turnover, weak processes
  • Asset register people, facilities, server rooms, inventory, cash, equipment, sensitive documents
  • Per-site risk score objective, defensible, trended — not vibes-based
See TVRA scoring in action
TVRA · Threat-Vulnerability-Risk Assessment
Threats

Intrusion · theft · sabotage · workplace violence · vehicle ramming · social engineering at reception.

Vulnerabilities

Unmonitored doors · weak access control · CCTV blind spots · perimeter gaps · keyholder turnover.

Assets

People · facilities · server rooms · inventory · cash · proprietary equipment · sensitive documents.

Site Risk
SCORE
TVRA Lifecycle
Stage 1
Walk
Mobile assessment, photos, offline-capable
Stage 2
Score
Likelihood × impact + crime-data overlay
Stage 3
Mitigate
Tasks routed to facilities, security ops, IT
Stage 4
Reassess
Schedule recurring TVRAs · trend the score
The TVRA lifecycle

Walk · Score · Mitigate · Reassess.

Aligned to ASIS Facility Physical Security Control Standards and ISO 31000. Walk the site on a phone or tablet, score with crime-data overlay, route findings to facilities or security ops as tracked tasks, and schedule the next assessment per site type. Every step lives in the audit trail.

  • Walk mobile, offline-capable, photos and signatures captured on-site
  • Score crime-data overlay populates likelihood; you score impact
  • Mitigate findings convert to assigned tasks with due dates and proof
  • Reassess schedule recurring TVRAs per site type; trend the score
Crime-data overlay

Likelihood, finally defensible.

RiskWatch ingests three commercial geospatial-risk feeds — Cap Index CRIMECAST, Security Gauge, and World Aware — and blends them into the likelihood half of every site's risk score. When the board asks “why does Phoenix West rank ahead of Newark?” you answer with a 7-year crime trend, a localized threat-environment score, and a confidence interval. Not a guess.

  • Cap Index CRIMECAST 7-year crime trend per address, per crime category
  • Security Gauge U.S. localized threat-environment score with confidence interval
  • World Aware Global incident intelligence — civil unrest, geopolitics, travel risk
  • Auto-populated likelihood no more guesswork; auditors and boards see the source
  • Confidence-flagged scoring every score traces to its data source and last-updated date
Third-party data → Per-site risk score
Geospatial-Risk Sources
CAP INDEX
CRIMECAST · 7-year crime trend
Crimes per 1,000 residents
SECURITY GAUGE
Threat-environment score
Localized U.S. threat data
WORLD AWARE
Global incident intelligence
Civil unrest, geopolitics, travel
RiskWatch outputs
Output
Site Risk Score
Likelihood × Impact
Output
Auto-prioritized mitigation
Top-N sites by score
Output
Board-ready exports
Heat map · trend · cost
Objective likelihood →Crime data + your assessment = defensible scoring
Four control domains

Every TVRA covers four domains. We score each one separately.

Domain 1
Access Control

Doors, locks, keys, badge systems, visitor logs, exit devices, master-key control

Domain 2
Surveillance

CCTV placement, retention, monitored vs recorded, blind-spot tracking, integration

Domain 3
Perimeter

Fencing, lighting, vehicle barriers, gate guards, signage, vegetation control

Domain 4
Operations

Guard force, post orders, response procedures, incident reporting, after-action review

How it works

From first walk to board-ready in five stages.

Most teams complete stages 1–3 within their first week. Stage 4 runs continuously. Stage 5 is on-demand the moment your CSO or auditor asks.

1
Stage 01·Day 1

Pick the standard

ASIS Facility Physical Security Control Standards by default. Or FEMA 426/452, NIST 800-53 PE, or your custom library.

2
Stage 02·Day 2–5

Walk the site

Mobile TVRA on any browser-enabled device. Photos, signatures, comments — even offline. Auto-sync when reconnected.

3
Stage 03·Week 1

Score with crime data

Likelihood populates from Cap Index/Security Gauge/World Aware. You score impact. The platform calculates risk.

4
Stage 04·Continuous

Mitigate and monitor

Findings convert to tasks. Reassessments trigger on schedule. Site Risk Index trends across the portfolio.

Stage 05·On-demand

Report and brief

Heat maps, executive summaries, control-by-control compliance, KRI breach trends — in two clicks.

Customer stories

The 47-site walk that stopped requiring a war room.

Real corporate security teams. Real before-and-after numbers. Real ASIS-aligned walks.

We did 47 sites in eight weeks. Our previous vendor took 14 weeks for 28. The mobile app and ASIS template alone paid for the year-one license.
DC
Daniel C.
Director of Corporate Security · Logistics · 12,000 employees
Sites assessed
47
↑ from 28 in prior cycle
Time per site
↓ 80%
vs paper-based walks
Time-to-deploy
1 week
first ASIS walk live

We did 47 sites in eight weeks. Our previous vendor took 14 weeks for 28. The mobile app and ASIS template alone paid for the year-one license.

DC
Daniel C.
Director of Corporate Security · Logistics · 12,000 employees

Cap Index integration ended the 'how do you know?' debate. Likelihood scoring stopped being subjective the day we turned the feed on.

RK
Rita K.
VP Physical Security · Banking · 4,200 employees

The board update used to take three weeks of spreadsheet work. Now it's a saved report. Quarterly review went from 'fire drill' to 'thirty-minute walkthrough.'

MH
Marcus H.
Head of Global Security · SaaS · 9,500 employees
Standards supported

If your physical-security program references it, we ship the library.

ASIS Facility Physical Security Control Standards as the default. FEMA 426/452, NIST 800-53 PE, ISO 27001 A.7, plus industry-specific standards for power, transportation, chemical, healthcare, and finance.

ASIS FPSCS
Facility Physical Security
FEMA 426
Buildings against terrorism
FEMA 452
Risk assessment how-to
NIST 800-53 PE
Physical & Environmental
ISO 27001 A.7
Physical security controls
ISO 28000
Supply-chain security
RIMS-CRO
Risk officer guidance
DHS RAM-D
Dam Risk Assessment
NERC CIP-006
Bulk power physical
TSA SD-1580
Surface transportation
CFATS RBPS
Chemical facility
HIPAA Phys.
§164.310 safeguards
PCI DSS Req. 9
Physical access
SOC 2 CC6.4
Physical access trust
+20 more
Custom on request
Free resources

Take RiskWatch home before you sign anything.

Three downloads. Use them to evaluate, share with your team, or build the business case for replacing clipboard-and-spreadsheet TVRAs.

Most popular
ASIS Checklist · 40 pages
Physical Security
ASIS Facility Physical Security Checklist
ACC
SUR
PER
OPS
VIS
PDF · 40 pages · Print-ready

Physical Security Assessment Checklist

Forty pages built on ASIS Facility Physical Security Control Standards. Print, walk a site, tally compliance percentage and risk score, and assemble an executive summary using the included template.

  • ASIS-aligned 4-domain structure
  • Compliance % + risk-score tallies
  • Executive summary template
Get the checklist
Free Template · 2026
TVRA Template
Site Risk Register
RISKWATCH 2026
Excel · 8-tab template

TVRA Site Risk Register Template

Pre-built site register with threat catalog, vulnerability tracker, asset inventory, scoring formulas, and a 5×5 heat-map. Use standalone or as your migration source.

  • Threat × vulnerability × asset linking
  • Likelihood × impact heat-map
  • Per-domain scoring tabs
Get the template
Buyer's Guide
Buyer's Guide
Physical Security Platform
2026 Vendor Comparison
Vendor matrix
Crime-data feed comparison
Implementation timelines
22-page PDF

Physical Security Platform Buyer's Guide

Vendor scorecard, mobile-app comparison, crime-data feed coverage, pricing benchmarks, and implementation timelines by site count. The shortlist tool for corporate-security RFPs.

  • Feature matrix · 6 vendors
  • Mobile-app side-by-side
  • Pricing benchmarks
Get the guide
FAQ

Common questions, answered up front.

About TVRAs, ASIS, FEMA, NIST 800-53 PE, crime-data feeds, and how RiskWatch handles all of them.

What is physical security assessment software?
Physical security assessment software is a platform that helps security teams plan, conduct, score, and report on physical security risk assessments (sometimes called TVRAs — Threat, Vulnerability, and Risk Assessments). It centralizes question libraries (ASIS, FEMA, NIST 800-53 PE), captures findings via mobile, blends in third-party crime data, computes per-site risk scores, and generates board-ready reports. RiskWatch ships with the ASIS Facility Physical Security Control Standards library, mobile-first walks, and Cap Index / Security Gauge / World Aware feeds for objective likelihood scoring.
How do you conduct a physical security assessment?
A physical security risk assessment follows five steps: (1) define scope — which sites, asset types, and threat categories are in-scope; (2) walk the site against a control library (ASIS, FEMA 426/452, or NIST 800-53 PE) capturing findings, photos, and gaps; (3) score likelihood (often from crime data) and impact; (4) prioritize mitigations using a heat map; (5) reassess on a defined cadence. RiskWatch automates steps 2–5 so the security team focuses on judgement calls, not data entry.
What standards do physical security assessments use?
The most widely used standards are the ASIS Facility Physical Security Control Standards, FEMA 426/452, NIST SP 800-53 Physical and Environmental Protection (PE) controls, ISO 27001 Annex A.7 (Physical Controls), and ISO 28000 for supply-chain security. Industry-specific standards include NERC CIP-006 (bulk power), TSA SD-1580 (transportation), CFATS RBPS (chemical), and HIPAA §164.310 (healthcare physical safeguards). RiskWatch ships with all of these as built-in libraries plus the ability to upload your own.
How does crime-data integration work?
RiskWatch integrates with three third-party geospatial-risk feeds: Cap Index CRIMECAST (7-year crime trend per address, by crime category), Security Gauge (localized U.S. threat-environment score with confidence intervals), and World Aware (global incident intelligence covering civil unrest, geopolitics, and travel risk). When you create a site, the platform pulls relevant data points and uses them to populate the likelihood half of the risk score automatically. Every score traces back to its source and last-updated timestamp so an auditor or board member can see exactly where it came from.
What's the difference between physical security and cyber security assessments?
Cyber security assessments evaluate digital controls — access management, encryption, vulnerability management, secure configuration. Physical security assessments evaluate physical controls — door hardware, lock-and-key control, CCTV coverage, perimeter integrity, guard force, visitor management. Both are required by frameworks like ISO 27001 (where Annex A.5 covers organizational, A.6 people, A.7 physical, A.8 technological). RiskWatch supports both — the same platform runs your cyber assessment and your physical assessment, with shared site, asset, and findings tables so cross-domain risks roll up correctly.
Does the mobile app work offline?
Yes. The mobile assessment runs in any browser-enabled device — no app install needed. Surveyors capture findings, photos, signatures, and comments while offline (e.g., inside a server room or perimeter areas with poor cellular). The data queues locally and syncs automatically the moment a connection is detected. No findings are lost in the field, and surveyors don't double-enter data when they get back to a desk.
How long does implementation take?
Most teams complete their first ASIS-based assessment within a week. Pre-built libraries, mobile-first walks, bulk site import, and configurable templates remove the typical 2–3 month setup. Enterprise multi-region deployments with custom mappings to additional frameworks (NERC CIP, CFATS, TSA SD-1580) and SSO typically complete in 60 days with white-glove implementation.
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access — every assessment template, the question library, mobile walks, suggested remediation, and analytics dashboards. You can run a real TVRA against your own sites and decide before purchasing. A free 40-page Physical Security Assessment Checklist (built on ASIS Facility Physical Security Control Standards) is also available as a download — useful as a paper backup or as a way to evaluate the methodology before signing up.
Ready to retire the clipboard?

Walk your first site this week.

Start a 30-day free trial — every assessment template, mobile walks, crime-data overlay, and four-domain scoring. No credit card required.

Start free trialBook a demo

No credit card required · 30-day free trial · Cancel anytime