Physical security usually sits with facilities, runs on a different budget, and rarely lands in the enterprise risk register. That split is an artifact of org charts, not of risk. Someone who can tailgate into a data center has walked past every firewall, EDR agent, and access policy you have ever paid for. A badge that still opens the door three weeks after a termination is standing access for someone you no longer trust.
The indicators below are the ones an auditor, a regulator, an insurer, and, yes, the board will ask about, because they map directly to SOC 2 physical access controls, ISO 27001 Annex A requirements, and PCI DSS Requirement 9. Each one covers what to measure, why it matters, where the data lives, how to calculate it, and the green, amber, and red thresholds. If you are standing up measurement from scratch, start with the guide to building a KRI program and the consolidated KRI reference library, which maps thresholds to CIS Controls.
Why physical security belongs in the risk register
Physical security KRIs measure whether your physical controls are keeping unauthorized people away from the facilities and equipment that underpin your digital operations, and whether the processes wrapped around those controls actually run. A single physical access event in the right location can do more damage than a sophisticated remote intrusion, because it bypasses the logical stack entirely: hardware implants, direct console access, drives walked out the door.
That is why these signals belong next to your identity and endpoint indicators, not in a separate facilities spreadsheet. The deprovisioning gap below is the physical twin of the dormant-account problem covered in the identity and access management KRIs, and the screen lock signal lives in the same endpoint tooling behind the enterprise security KRIs. Reception staff, contractors, and visitors are the human surface tracked in the human security KRIs. Read together, they describe one attack surface, not three.
KRI inventory
1. Physical access control failure rate
What to measure. The rate of detected unauthorized physical access attempts to sensitive areas (data centers, server rooms, network closets, executive areas). This includes tailgating events, badge cloning attempts, forced-entry attempts, and access granted to badges that should already be revoked.
Why it matters. Unauthorized physical access to a server room or network closet enables hardware implants, direct data access, and a route around every logical control you run. A rising failure rate is the leading signal that the barriers you built are no longer holding in daily practice, even when the policy on paper looks fine.
Where the data lives.
- Physical access control system (Lenel, Software House, Honeywell ProWatch, Genetec, Brivo): access event logs for denied attempts, DOOR_FORCED alarms, door-held-open events, and access outside authorized hours.
- Tailgating detection (tailgating cameras, people counters, mantrap sensors): tailgating events per entry point per period.
- Badge system: active badges held by terminated employees, which is a direct control failure.
- Security operations center or guard tour system: reported incidents and alarm events.
How to calculate. Unauthorized access attempt rate = (access events flagged unauthorized or suspicious) ÷ (total access events) × 100, expressed as a percentage of events; 0.01% is one flagged event per 10,000, so the same figure can be reported per 10K events at high-traffic sites. Track deprovisioned-badge access as a separate count that should always be zero, and count forced-door and door-held events per month by facility zone.
| Status | Criteria |
|---|---|
| Green | Unauthorized attempt rate < 0.01% of events; zero deprovisioned-badge events; forced-door events < 2 per month per facility with same-day investigation. |
| Amber | Unauthorized attempt rate 0.01–0.1%; or deprovisioned-badge events under investigation; or forced-door events trending upward. |
| Red | Any confirmed unauthorized access to a sensitive area; a deprovisioned badge used; or zero physical access monitoring in sensitive areas. |
2. Badge provisioning and deprovisioning latency
What to measure. Average hours from the HR hire date to badge provisioning, and average hours from the HR termination event to badge revocation, measured across the whole population.
Why it matters. A terminated employee whose badge still works is a direct insider threat, and in high-trust environments where that person knows the layout and knows what to target, it can be more dangerous than a remote attacker. Deprovisioning latency is the risk that hurts you; provisioning latency is a lesser concern but still a read on process discipline.
Where the data lives.
- HR system (Workday, ADP, BambooHR): hire dates and termination dates.
- Physical access control system: badge creation timestamps and badge revocation or disable timestamps.
- Integration log: where HR and physical access are integrated, the event stream shows the latency directly.
- Manual process records: security operations logs for badge provisioning requests, where the process is manual.
How to calculate. Provisioning latency = badge_created_date − hr_hire_date, averaged across new hires in the trailing 90 days. Revocation latency = badge_disabled_date − hr_termination_date, averaged across terminations. Track the count of active badges for employees with a termination date in HR as a critical gap that should be zero.
| Status | Criteria |
|---|---|
| Green | Provisioning within 1 business day; revocation within 2 hours of the HR termination trigger; zero active badges for terminated employees; automated HR-to-physical integration. |
| Amber | Revocation within 2–24 hours; or a manual process without HR system integration. |
| Red | Any active badge for a terminated employee; or revocation taking > 24 hours; or no HR-to-physical integration. |
3. Visitor management and escort compliance
What to measure. The percentage of visitors to sensitive areas who were properly pre-registered, checked in with identity verification, issued a visitor badge distinct from employee badges, and escorted throughout the visit. Measure it through audit of visitor logs and camera review.
Why it matters. Unescorted visitors in sensitive areas are a physical penetration risk and a recurring assessment finding, because visitor processes break down under operational pressure. A vendor who “knows where they are going” and walks unescorted to a server room is a threat actor who can do the same.
Where the data lives.
- Visitor management system (Envoy, Traction Guest, Proxyclick, Honeywell Forge Visitor Management): the visitor log with pre-registration, check-in, badge issuance, and escort assignment fields.
- Access control logs: visitor-badge access events, cross-referenced against escort records to catch unescorted sensitive-area access.
- Security camera review: periodic audit of footage in sensitive areas for unescorted visitor presence.
- Guard tour records: escort compliance observations.
How to calculate. Escort compliance % = (visitors to sensitive areas with a complete record: pre-registration, check-in, distinct badge, and escort throughout) ÷ (total visitors to sensitive areas) × 100.
| Status | Criteria |
|---|---|
| Green | > 99% compliance; visitor-badge access to sensitive areas without an escort generates an immediate alert; audit review quarterly. |
| Amber | 95–99% compliance; or escort tracking that is manual and imperfect. |
| Red | < 95%; or visitors reaching server rooms or data centers without an escort; or no visitor management system. |
4. CCTV coverage completeness and health
What to measure. The percentage of critical physical locations (data center entries, server room entries, perimeter entry points, badge access control points) with functioning CCTV coverage, and the percentage of cameras confirmed operational: online, not obstructed, and recording to a healthy recorder.
Why it matters. A camera that you believe is recording but is not gives false assurance and no footage when you need it. Physical incidents are investigated through camera footage, so discovering the camera was dark at the time of an incident is the physical equivalent of finding your SIEM logging was down during a breach.
Where the data lives.
- Video management system (Milestone XProtect, Genetec Security Center, Avigilon): camera health status, offline-camera alerts, recording health.
- Physical security audit records: periodic camera coverage review against the critical-location inventory.
- Facility management: camera installation records compared with the current critical-location inventory.
- Recorder health monitoring: NVR, DVR, or cloud storage health and recording retention status.
How to calculate. Coverage = (critical locations with functioning CCTV) ÷ (total critical locations) × 100. Camera health = (cameras confirmed operational and recording) ÷ (total cameras deployed) × 100. Retention compliance = (camera systems retaining footage for the defined period) ÷ (total camera systems) × 100.
| Status | Criteria |
|---|---|
| Green | 100% critical-location coverage; > 98% of cameras operational; health monitored with same-day alerting on failures; retention policy met. |
| Amber | 95–99% critical-location coverage or 95–98% camera health; or camera failures detected within 24–48 hours. |
| Red | < 95% critical coverage; or a camera failure discovered only during incident investigation; or retention periods not met. |
5. Physical security incident rate and response time
What to measure. The monthly rate of physical security incidents (confirmed tailgating, confirmed unauthorized access, equipment theft, suspicious package, threat report) relative to employee or facility size, paired with the mean time from incident detection to security response.
Why it matters. Incident rate is the lagging read on physical control effectiveness; response time is the operational read on whether detection actually triggers action. A team that takes 45 minutes to respond to a confirmed unauthorized access event in a data center is not providing meaningful protection regardless of how many cameras are deployed. A low incident count with slow response is usually a sign that incidents are going unrecorded, not that they are not happening.
Where the data lives.
- Incident management system: the physical security incident log with detection and response timestamps.
- Guard dispatch records: response time per incident type.
- Access control system: alarm event to guard response correlation.
- After-action reports: confirmed incidents with root cause analysis.
How to calculate. Incident rate = (physical security incidents per month) ÷ (employee headcount) × 1,000. Mean time to respond = (response arrival time) − (incident alert time), averaged by severity. Track confirmed unauthorized-access count per quarter, which should be near zero for sensitive areas.
| Status | Criteria |
|---|---|
| Green | Incident rate stable or declining; critical-incident response < 5 minutes (staffed security) or < 15 minutes (remote response); zero confirmed unauthorized sensitive-area access. |
| Amber | Incident rate trending up; or critical-incident response slower than the green target but under 30 minutes (5–30 minutes with staffed security, 15–30 minutes for remote response). |
| Red | Confirmed unauthorized access to a sensitive area; or response time > 30 minutes for critical incidents; or no defined response SLA. |
6. Clean desk and screen lock compliance rate
What to measure. The percentage of unattended workstations observed with the screen locked, and the percentage of workspaces compliant with the clean desk policy (no sensitive documents or credentials visible). Measure clean desk through periodic spot audits and screen lock through automated policy-enforcement reports.
Why it matters. Clean desk and screen lock violations are the most common physical security policy finding and among the easiest to exploit. A visitor, contractor, or colleague who passes an unlocked screen showing sensitive data, or finds credentials written on a notepad, has physical access to information that logical controls were supposed to protect. Screen lock is the half you can automate; clean desk still needs a human walk-through.
Where the data lives.
- Endpoint management (Intune, Jamf, Group Policy): screen lock timeout policy enforcement, as the percentage of endpoints with a policy-compliant lock setting.
- IT helpdesk: screen-locked laptop unlock requests, a byproduct of enforcement that signals the policy is active.
- Physical security audit: periodic walk-through counts of unlocked screens and exposed sensitive documents.
- Clean desk audit records: scheduled audit results by department.
How to calculate. Screen lock compliance % = (endpoints enforcing screen lock at the defined timeout) ÷ (total managed endpoints) × 100, from management tooling. Clean desk compliance % = (workstations passing the spot audit) ÷ (total workstations audited) × 100, from the physical audit. Report the two together so a strong screen lock number does not hide a recurring clean desk problem.
| Status | Criteria |
|---|---|
| Green | > 99% screen lock policy enforced via endpoint management; at least 90% clean desk audit compliance; audits quarterly. |
| Amber | 95–99% screen lock; or clean desk compliance 75–89%; or audits less than twice per year. |
| Red | < 95% screen lock; or clean desk compliance < 75%; or no clean desk audit program. |
7. Physical security assessment recency
What to measure. The number of days since the last formal physical penetration test or physical security assessment by a qualified third party, covering all critical facilities, alongside the share of findings from that assessment that have been remediated.
Why it matters. Physical controls are easy to assume are working without testing them. Physical penetration tests routinely show that tailgating, social engineering of reception staff, and access to server rooms through unlocked auxiliary doors are achievable at organizations confident in their controls. Annual physical pen testing is the validation that assumptions match reality, and pairing recency with remediation status stops a site from passing an assessment and then ignoring what it found.
Where the data lives.
- Physical security assessment reports: the most recent report date and scope.
- Red team exercise records: the physical component of red team engagements.
- Penetration test vendor records: the last engagement date and facilities in scope.
- Insurance broker: cyber and property insurers increasingly ask about physical security assessments.
How to calculate. Assessment recency = today − last_assessment_date per site. Remediation % = closed findings ÷ total findings. Treat the recency clock and the remediation rate as a pair when scoring a site.
| Status | Criteria |
|---|---|
| Green | Physical penetration test within 18 months; all critical facilities in scope; findings tracked and remediated. |
| Amber | 18–36 months; or partial scope with some facilities excluded. |
| Red | > 36 months; or no physical pen testing; or findings from the last assessment unresolved. |
The failure mode that catches everyone: the green light with no footage
The most common physical security miss is treating “the camera has power” or “the badge was revoked in the UI” as the end of the check. A camera can be online and silently fail to record for days. A badge can be marked revoked in the access control console and still open a door in the gap before the change reaches the door controllers: most controllers cache the credential database so they keep working when the head end is unreachable, and a controller that was offline when the revocation was pushed keeps granting access until it resyncs. Verify recording state and retention, not just power, and confirm a terminated badge recorded no entries after its owner’s termination time. The status only goes green when the evidence does.
Deriving these KRIs by source type
From physical access control systems (Lenel, Software House, Genetec, Honeywell)
Export events flagged ACCESS_DENIED, DOOR_FORCED, and DOOR_HELD_OPEN per zone per time period for the failure-rate signal. Cross-reference the active badge list against HR termination records: any badge active post-termination is a critical gap. Filter access events by zone and time to surface after-hours access to sensitive areas by non-approved personnel. Where integrated tailgating detection exists, export tailgating alerts by entry point. Trends on these signals are early warning, so watch them with the velocity lens from reading the signal in drifting KRIs.
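As an added example (not code from the page or from Draxis), the following Python computes signal 1 from an access-control export in the shape just described: it flags the alarm and denial events, adds after-hours grants in sensitive zones by badges that are not on an approval list, reports the rate as a percentage and per 10K events, and breaks out the monthly per-zone forced-door and door-held counts. The column names, zone labels, business-hours window and after-hours approval list are assumptions, and the events are constructed; swap in the fields your own PACS exports.

```python
"""Signal 1 (physical access control failure rate) from a PACS event export.

Added example with constructed data; column names, zone labels and the
after-hours approval list are assumptions, not any vendor's schema.
"""
import csv
from collections import Counter
from datetime import datetime, time
from io import StringIO

# Constructed export in a generic "one row per event" shape.
PACS_EXPORT = """\
timestamp,zone,door,badge_id,event
2024-05-02T08:01:10,office,front-lobby,B1001,ACCESS_GRANTED
2024-05-02T08:03:44,office,front-lobby,B1002,ACCESS_GRANTED
2024-05-02T09:15:02,datacenter,dc-north,B1003,ACCESS_GRANTED
2024-05-02T09:15:30,datacenter,dc-north,B1003,DOOR_HELD_OPEN
2024-05-02T22:40:12,datacenter,dc-north,B1004,ACCESS_GRANTED
2024-05-03T03:12:55,datacenter,dc-south,,DOOR_FORCED
2024-05-03T10:22:09,datacenter,dc-south,B1002,ACCESS_DENIED
2024-05-03T10:22:40,office,front-lobby,B1005,ACCESS_GRANTED
2024-05-04T11:00:00,netcloset,nc-3f,B1001,ACCESS_GRANTED
2024-05-04T11:00:20,netcloset,nc-3f,,TAILGATE_DETECTED
"""

SENSITIVE_ZONES = {"datacenter", "netcloset"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))      # assumed approved window
AFTER_HOURS_APPROVED = {"B1003"}                 # assumed on-call list
FLAGGED_EVENTS = {"ACCESS_DENIED", "DOOR_FORCED", "DOOR_HELD_OPEN", "TAILGATE_DETECTED"}


def parse_events(text):
    """Parse the CSV export and attach a datetime to each row."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def is_suspicious(ev):
    """Alarm and denial events count, as does an after-hours grant in a
    sensitive zone to a badge that is not on the approved list."""
    if ev["event"] in FLAGGED_EVENTS:
        return True
    if ev["event"] == "ACCESS_GRANTED" and ev["zone"] in SENSITIVE_ZONES:
        t = ev["ts"].time()
        in_hours = BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]
        return not in_hours and ev["badge_id"] not in AFTER_HOURS_APPROVED
    return False


def failure_rate(events):
    """Return (flagged, total, percent, per_10k). 0.01 % equals 1 per 10K."""
    total = len(events)
    flagged = sum(1 for e in events if is_suspicious(e))
    pct = 100.0 * flagged / total if total else 0.0
    return flagged, total, pct, pct * 100


def alarms_by_zone_month(events):
    """Monthly DOOR_FORCED / DOOR_HELD_OPEN counts keyed (zone, YYYY-MM, event)."""
    counts = Counter()
    for e in events:
        if e["event"] in ("DOOR_FORCED", "DOOR_HELD_OPEN"):
            counts[(e["zone"], e["ts"].strftime("%Y-%m"), e["event"])] += 1
    return dict(counts)


def status(pct, forced_per_month, confirmed_unauthorized=0):
    """Map the numbers onto the page's thresholds for signal 1: a rate under
    0.01 % with fewer than two forced doors is green; a rate up to 0.1 % (or
    a low rate with forced doors climbing) is amber; anything else is red."""
    if confirmed_unauthorized:
        return "red"
    if pct < 0.01 and forced_per_month < 2:
        return "green"
    if pct <= 0.1:
        return "amber"
    return "red"


if __name__ == "__main__":
    evs = parse_events(PACS_EXPORT)
    flagged, total, pct, per_10k = failure_rate(evs)
    print(f"{flagged}/{total} flagged = {pct:.2f}% ({per_10k:.0f} per 10K)")
    print(alarms_by_zone_month(evs))
```

The after-hours rule is the part worth tuning per site: it is what turns a plain ACCESS_GRANTED row into a flagged event, so keep the approval list in version control and review it with the same cadence as the badge list.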
From HR systems
Join HR hire_date to the physical access badge_created_date on employee ID and calculate the days delta for provisioning latency. Join HR termination_date to badge_disabled_date and calculate the hours delta, flagging any gap over 24 hours. Export the HR active roster and cross-reference it against the active badge list to find orphaned badges. This is the same termination-feed reconciliation that drives the dormant-account signals in the identity and access management KRIs.
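An added example (not the page's or Draxis's code) of the HR-to-badge join for signal 2, together with the post-termination entry check from the failure-mode section above: it derives provisioning and revocation latency in hours, lists badges still active for terminated people and badges whose owner is not on the active roster at all, and finds any entry logged after the owner's termination, including entries in the gap before the badge was disabled. The roster, badge table and event list are constructed and the field names are assumptions.

```python
"""Signal 2 (badge provisioning/deprovisioning latency) plus the post-termination
entry check. Added example with constructed data; field names are assumptions."""
from datetime import datetime
from statistics import mean

HR = [  # constructed HR export: employee id, hire and termination timestamps
    {"emp": "E1", "hire": "2024-04-01T09:00", "term": None},
    {"emp": "E2", "hire": "2024-04-03T09:00", "term": "2024-05-01T17:00"},
    {"emp": "E3", "hire": "2024-04-08T09:00", "term": "2024-05-02T12:00"},
    {"emp": "E4", "hire": "2024-04-10T09:00", "term": "2024-05-03T09:00"},
]
BADGES = [  # constructed badge table from the access control system
    {"badge": "B1001", "emp": "E1", "created": "2024-04-01T14:00", "disabled": None},
    {"badge": "B1002", "emp": "E2", "created": "2024-04-04T10:00", "disabled": "2024-05-01T18:30"},
    {"badge": "B1003", "emp": "E3", "created": "2024-04-08T11:00", "disabled": None},  # never revoked
    {"badge": "B1004", "emp": "E4", "created": "2024-04-11T09:00", "disabled": "2024-05-05T09:00"},
    {"badge": "B1099", "emp": "E9", "created": "2023-01-01T09:00", "disabled": None},  # owner unknown to HR
]
EVENTS = [  # constructed PACS entry events: (badge, timestamp)
    ("B1002", "2024-05-01T18:05"),  # used in the 90-minute gap before revocation
    ("B1003", "2024-05-06T08:12"),  # terminated employee still walking in
    ("B1001", "2024-05-06T08:30"),
]


def _dt(s):
    return datetime.fromisoformat(s) if s else None


def _hours(a, b):
    return (b - a).total_seconds() / 3600


def reconcile(hr, badges, events, now):
    """Join HR to the badge table on employee ID and derive the latencies,
    orphaned badges, and any entry logged after the owner's termination."""
    now = _dt(now)
    hr_by_emp = {h["emp"]: h for h in hr}
    active_roster = {e for e, h in hr_by_emp.items() if h["term"] is None}
    term_by_badge, prov_hours, revoke_hours = {}, [], {}
    for b in badges:
        h = hr_by_emp.get(b["emp"])
        if h is None:
            continue  # no HR record at all; surfaces below as an orphaned badge
        prov_hours.append(_hours(_dt(h["hire"]), _dt(b["created"])))
        if h["term"]:
            term_by_badge[b["badge"]] = _dt(h["term"])
            # A badge that was never disabled is still accruing latency.
            revoke_hours[b["badge"]] = _hours(_dt(h["term"]), _dt(b["disabled"]) or now)
    active = [b for b in badges if b["disabled"] is None]
    return {
        "provisioning_hours_avg": mean(prov_hours) if prov_hours else 0.0,
        "revocation_hours_avg": mean(revoke_hours.values()) if revoke_hours else 0.0,
        "revocation_hours_max": max(revoke_hours.values(), default=0.0),
        "late_revocations": sorted(b for b, h in revoke_hours.items() if h > 24),
        "orphaned_active_badges": sorted(b["badge"] for b in active if b["emp"] not in active_roster),
        "terminated_still_active": sorted(b["badge"] for b in active if b["badge"] in term_by_badge),
        "post_termination_entries": sorted(
            (badge, ts) for badge, ts in events
            if badge in term_by_badge and _dt(ts) > term_by_badge[badge]
        ),
    }


def status(result, hr_integrated=True):
    """Signal 2 thresholds from the page, scored on the worst revocation."""
    if result["terminated_still_active"] or result["revocation_hours_max"] > 24 or not hr_integrated:
        return "red"
    if result["revocation_hours_max"] > 2:
        return "amber"
    return "green"


if __name__ == "__main__":
    r = reconcile(HR, BADGES, EVENTS, "2024-05-07T00:00")
    for k, v in r.items():
        print(f"{k}: {v}")
    print("status:", status(r))
```

Two design points: a badge that was never disabled is scored against the current time rather than dropped from the average, so the gap keeps growing in the metric until someone closes it, and the post-termination check uses the termination timestamp rather than the disable timestamp, which is what catches the B1002-style entry in the window between the HR event and the revocation.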
From video management systems (Milestone, Genetec, Avigilon)
The VMS exposes a camera offline or online status dashboard: export the offline-camera count and duration. Pull recording status per camera and run gap detection against recorded footage so a camera that lost recording is flagged separately from one that lost power. Export camera installation locations and map them to the critical-location inventory to identify uncovered points.
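Added example, not from the page or Draxis: gap detection over recorded-footage segments that flags a powered camera with a hole in its footage separately from one the VMS reported offline, then scores signal 4 coverage and health against a critical-location inventory. The inventory, segments and offline periods are constructed, and the five-minute minimum gap is an assumption; real VMS exports expose the segments and offline intervals under their own field names.

```python
"""Signal 4 (CCTV coverage and health) with recording gap detection.
Added example with constructed data; the inventory, segments, offline
periods and the 5-minute minimum gap are assumptions."""
from datetime import datetime, timedelta

CRITICAL_LOCATIONS = ["dc-north-door", "dc-south-door", "nc-3f-door", "perimeter-gate"]

CAMERAS = {  # constructed camera inventory from the VMS
    "cam-01": {"location": "dc-north-door"},
    "cam-02": {"location": "dc-south-door"},  # online, but footage has a hole
    "cam-03": {"location": "nc-3f-door"},     # lost power mid-window
    "cam-04": {"location": "lobby"},          # not a critical location
}
RECORDINGS = {  # constructed recorded-footage segments per camera
    "cam-01": [("2024-05-06T00:00", "2024-05-07T00:00")],
    "cam-02": [("2024-05-06T00:00", "2024-05-06T13:10"), ("2024-05-06T16:45", "2024-05-07T00:00")],
    "cam-03": [("2024-05-06T00:00", "2024-05-06T04:00")],
    "cam-04": [("2024-05-06T00:00", "2024-05-07T00:00")],
}
OFFLINE = {"cam-03": [("2024-05-06T04:00", "2024-05-07T00:00")]}  # VMS offline periods
WINDOW = ("2024-05-06T00:00", "2024-05-07T00:00")
MIN_GAP = timedelta(minutes=5)


def _dt(s):
    return datetime.fromisoformat(s)


def recording_gaps(segments, window, min_gap):
    """Gaps of at least min_gap in recorded footage across the window,
    including a gap at the start or end of the window."""
    w0, w1 = map(_dt, window)
    cursor, gaps = w0, []
    for s, e in sorted((_dt(a), _dt(b)) for a, b in segments):
        if s - cursor >= min_gap:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if w1 - cursor >= min_gap:
        gaps.append((cursor, w1))
    return gaps


def classify_gap(gap, offline_periods):
    """'offline' if the VMS reported the camera down during the gap,
    'recording_loss' if it was up and still produced no footage."""
    g0, g1 = gap
    for a, b in offline_periods:
        if _dt(a) < g1 and g0 < _dt(b):
            return "offline"
    return "recording_loss"


def camera_report(cameras, recordings, offline, window, min_gap):
    """Per camera: list of (gap_start, gap_end, kind); an empty list means healthy."""
    report = {}
    for cam in cameras:
        gaps = recording_gaps(recordings.get(cam, []), window, min_gap)
        report[cam] = [(g0.isoformat(), g1.isoformat(), classify_gap((g0, g1), offline.get(cam, [])))
                       for g0, g1 in gaps]
    return report


def coverage_and_health(cameras, report, critical):
    """Coverage %, camera health %, and why each uncovered critical location failed."""
    healthy = {c for c, gaps in report.items() if not gaps}
    uncovered = {}
    for loc in critical:
        cams = [c for c, meta in cameras.items() if meta["location"] == loc]
        if not cams:
            uncovered[loc] = "no camera"
        elif not any(c in healthy for c in cams):
            kinds = {kind for c in cams for _, _, kind in report[c]}
            uncovered[loc] = "offline" if "offline" in kinds else "recording_loss"
    coverage_pct = 100.0 * (len(critical) - len(uncovered)) / len(critical)
    health_pct = 100.0 * len(healthy) / len(cameras)
    return coverage_pct, health_pct, uncovered


def status(coverage_pct, health_pct, found_during_incident=False, retention_met=True):
    """Signal 4 thresholds from the page."""
    if coverage_pct < 95 or found_during_incident or not retention_met:
        return "red"
    if coverage_pct == 100 and health_pct > 98:
        return "green"
    return "amber"


if __name__ == "__main__":
    rep = camera_report(CAMERAS, RECORDINGS, OFFLINE, WINDOW, MIN_GAP)
    cov, health, gaps = coverage_and_health(CAMERAS, rep, CRITICAL_LOCATIONS)
    print(rep)
    print(f"coverage {cov:.0f}%, health {health:.0f}%, uncovered {gaps}, status {status(cov, health)}")
```

The point of the classification is triage: an "offline" gap is a power or network ticket, while a "recording_loss" gap on a camera the VMS shows as healthy is the silent failure the previous section warns about, and it should page someone rather than wait for the next audit.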
From endpoint management (Intune, Jamf, SCCM)
For the screen lock half of signal 6, use the Intune device compliance report filtered on the lock-timeout setting, or the Jamf compliance report for screen saver and lock policy. In Microsoft Graph, GET /deviceManagement/managedDevices returns each device's overall complianceState (compliant, noncompliant, inGracePeriod, and so on), which you can filter on; the lock timeout itself is not a property of the device object, so read the per-setting result from the device's deviceCompliancePolicyStates, or from the tenant-wide deviceCompliancePolicySettingStateSummaries, to see which devices fail on that setting specifically. For laptops with location services in the MDM, verify that sensitive endpoints report from their expected locations. This is the same endpoint surface behind the enterprise security KRIs.
From visitor management platforms (Envoy, Proxyclick, Traction Guest)
Export visitor records with the pre-registration, check-in, badge issuance, and escort assignment fields and calculate the compliance rate. Identify visitor-badge access events in the physical access control system that occurred without a matching escort record in the VMS. Trend visitor traffic to sensitive zones, since unusual spikes warrant investigation.
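An added example (not code from the page or from Draxis) of the VMS-to-PACS cross-reference for signal 3: it scores each visitor who entered a sensitive zone against the four record fields and raises an alert for every visitor-badge event with no escort, outside the escort window, or from a badge the VMS has no record of (that last case goes slightly beyond the text but is the same gap). The records are constructed, the field names are assumptions, and the convention that visitor badge IDs start with V is assumed too.

```python
"""Signal 3 (visitor escort compliance): VMS records cross-referenced with
PACS visitor-badge events. Added example with constructed data; field names
and the 'visitor badges start with V' convention are assumptions."""
from datetime import datetime

SENSITIVE_ZONES = {"datacenter", "netcloset"}

VISITORS = [  # constructed visitor management export
    {"id": "v1", "preregistered": True, "id_verified": True, "badge": "V501",
     "escort": "E1", "escort_from": "2024-05-06T09:00", "escort_to": "2024-05-06T12:00"},
    {"id": "v2", "preregistered": True, "id_verified": True, "badge": "V502",
     "escort": "E2", "escort_from": "2024-05-06T10:00", "escort_to": "2024-05-06T11:00"},
    {"id": "v3", "preregistered": True, "id_verified": True, "badge": "V503",
     "escort": None, "escort_from": None, "escort_to": None},          # no escort assigned
    {"id": "v4", "preregistered": True, "id_verified": False, "badge": "V504",
     "escort": "E3", "escort_from": "2024-05-06T13:00", "escort_to": "2024-05-06T14:00"},
]
PACS_EVENTS = [  # constructed access events for visitor badges: (badge, zone, timestamp)
    ("V501", "datacenter", "2024-05-06T09:30"),
    ("V502", "datacenter", "2024-05-06T10:20"),
    ("V503", "netcloset", "2024-05-06T15:00"),   # sensitive zone, no escort on record
    ("V501", "datacenter", "2024-05-06T12:30"),  # escort ended at 12:00
    ("V504", "office", "2024-05-06T13:10"),      # never reaches a sensitive zone
    ("V999", "datacenter", "2024-05-06T16:00"),  # badge unknown to the VMS
]


def _dt(s):
    return datetime.fromisoformat(s)


def escort_compliance(visitors, events, sensitive=SENSITIVE_ZONES):
    """Score every visitor who entered a sensitive zone against the four record
    fields (pre-registration, ID check, distinct badge, escort throughout) and
    return the alerts that should fire immediately."""
    by_badge = {v["badge"]: v for v in visitors}
    alerts, reasons, order = [], {}, []
    for badge, zone, ts in events:
        if zone not in sensitive:
            continue
        t = _dt(ts)
        v = by_badge.get(badge)
        if v is None:
            alerts.append((badge, zone, ts, "unknown_visitor_badge"))
            continue
        if v["id"] not in reasons:
            reasons[v["id"]] = set()
            order.append(v["id"])
        if not v["escort"]:
            reasons[v["id"]].add("no_escort")
            alerts.append((badge, zone, ts, "no_escort"))
        elif not (_dt(v["escort_from"]) <= t <= _dt(v["escort_to"])):
            reasons[v["id"]].add("outside_escort_window")
            alerts.append((badge, zone, ts, "outside_escort_window"))
    # Record-level checks apply once per visitor, not once per door event.
    for v in visitors:
        if v["id"] in reasons:
            if not v["preregistered"]:
                reasons[v["id"]].add("not_preregistered")
            if not v["id_verified"]:
                reasons[v["id"]].add("id_not_verified")
            if not v["badge"].startswith("V"):
                reasons[v["id"]].add("employee_style_badge")
    compliant = [vid for vid in order if not reasons[vid]]
    pct = 100.0 * len(compliant) / len(order) if order else 100.0
    return {
        "visitors_to_sensitive": len(order),
        "compliant": compliant,
        "failures": {vid: sorted(r) for vid, r in reasons.items() if r},
        "alerts": alerts,
        "compliance_pct": pct,
    }


def status(result):
    """Signal 3 thresholds from the page; any unescorted sensitive-zone entry is red."""
    if result["alerts"] or result["compliance_pct"] < 95:
        return "red"
    if result["compliance_pct"] <= 99:
        return "amber"
    return "green"


if __name__ == "__main__":
    r = escort_compliance(VISITORS, PACS_EVENTS)
    print(r)
    print("status:", status(r))
```

The denominator is visitors who actually reached a sensitive zone according to the access control system, not visitors the VMS says were headed there, so a visitor whose escort record looks perfect but who never badged into a server room does not inflate the compliance figure.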
See physical risk in the same view as the rest of your stack
Draxis reads your access control, visitor management, video, and endpoint systems and turns them into live key risk indicators, with thresholds, trends, and the evidence behind every number. Physical access failures land next to your identity and endpoint gaps, mapped to SOC 2, ISO 27001, and the questions your insurer asks.
Request access →