S.G. Technologies
Assessment · 6 min read

How a baseline security assessment changes the decisions that follow

Most security spending goes wrong before a single camera is bought — at the point a decision is made without evidence. A baseline assessment is what turns guesswork into a defensible plan.

Ask most organisations why they bought the security systems they have, and the honest answer is rarely “because the evidence pointed there.” It’s more often a reaction — to an incident, to an auditor’s comment, to a competitor’s new gate, or to a persuasive vendor. The equipment may be good. The decision behind it usually isn’t.

A baseline security assessment exists to fix the decision, not the equipment. It establishes, in evidence, where you actually stand today — so that everything you spend afterwards is justified rather than guessed.

What a baseline actually is

A baseline is a structured snapshot of your current security and safety posture: your assets and what they’re worth to you, the threats that realistically apply, the vulnerabilities that connect the two, and the controls you already have in place. Done properly, it produces three things you didn’t have before:

  • A prioritised vulnerability register — not a list of everything wrong, but the gaps ranked by likelihood and impact.
  • A gap analysis against the standards that apply to you — for us, that usually means ISO 31000 for risk and relevant ASIS International guidance.
  • A compliance status — where you sit against regulatory and insurer expectations, and what closing each gap requires.

None of this is about buying anything yet. That’s the point.

Why the order matters

When you skip the baseline, three predictable things happen.

You over-invest in the visible and under-invest in the likely. Cameras are easy to point at. The real exposure is often a procedural one — keys that are never returned, access rights that are never revoked, an alarm no one is actually monitoring. A baseline surfaces the unglamorous risks that incidents are actually made of.

You can’t defend the spend. Boards, regulators and insurers increasingly ask “why this, and why now?” A recommendation tied to a specific, documented finding answers that question. A recommendation tied to a brochure does not.

You can’t measure improvement. Without a baseline, you have nothing to measure against. With one, every later re-assessment shows movement — which gaps closed, which remain, where new risk has appeared.

A worked example

Consider a branch network — a bank, an insurer, a retailer with sites across several regions. The instinct is to standardise: same cameras, same access control, everywhere. A baseline almost always complicates that instinct in a useful way. One site sits next to a high-risk neighbour and carries cash; another is low-footfall and low-value but stores sensitive records. Identical kit serves neither well. The assessment lets you spend where the risk is, not where the map is symmetrical.

That’s not a theoretical point. Across more than 200 assessments, the pattern repeats: the most expensive mistakes are uniform responses to non-uniform risk.

What good looks like

A baseline you can act on has a few hallmarks:

  1. It’s evidence-led. Every finding traces back to something observed, measured or verified — not asserted.
  2. It’s prioritised. It tells you what to do first, not just what’s wrong.
  3. It’s standards-anchored. It benchmarks you against a recognised framework, so the conclusions hold up to outside scrutiny.
  4. It’s independent of what’s being sold. If the people assessing you only ever recommend the systems they resell, the baseline isn’t really a baseline.

Where to start

You don’t need a consultant to begin thinking this way. A structured self-check will surface the obvious gaps in an afternoon — our self-assessment checklist is built for exactly that first pass. What a self-check can’t do is weigh the gaps against each other for your specific operations, or produce something a board or insurer will accept as evidence. That’s the line between a head start and a defensible plan.

If you’re at the point of making real decisions about your security and safety, start with the baseline. Everything downstream (the design, the budget, the systems, the training) gets better when you do.

Want a baseline for your sites? Request a risk assessment and we’ll scope it within one business day.