A complete walkthrough of the SSAE 18 Physical Security Assessment Tool — from first login through to an auditor-ready CSV report, aligned to the 2026 AICPA Trust Services Criteria.
Start on the Organization Info tab. Enter your organization name, facility location, assessor name, assessment date, and scope. This metadata appears in every CSV export and helps identify assessments in your history.
Navigate the 7 categories in the left sidebar. For each control, set a maturity rating (0–5) across 5 criteria: Implementation, Effectiveness, Documentation, Testing, and Maturity. Add notes for context and paste or type evidence references in the Evidence field.
The Dashboard tab shows live KPIs — overall completion %, controls assessed, critical findings, and high-priority items. Category compliance bars let you spot weak domains instantly.
The Remediation Plan tab auto-generates a prioritized list from your ratings. Critical items (avg < 2.0) need 30-day fixes. High priority (2.0–3.4) should be addressed within 60 days. Medium priority (3.5–4.4) within 90 days.
Click "Save Assessment" to commit the current state to history. Each save records completion %, critical count, and the full data payload. The Dashboard's trend charts are built from these real snapshots — save after each significant work session to build a meaningful trend.
Click "Export CSV" to download a spreadsheet containing every control, all 5 criteria ratings, averages, your notes, and evidence references — one row per control, labelled with org name and date. Share this with your auditor or use it to build your evidence package.
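The arithmetic behind the three tabs above (per-control average from the five criteria, the remediation bands, the snapshot fields recorded on save, and the CSV row), as an added example that is not the tool's own code; the export column order, the handling of averages of 4.5 and above, and the completion-percentage definition are assumptions, and the sample control is constructed.

```javascript
// Added example (not the tool's own code): a control's five criteria ratings
// become an average, a remediation band, a CSV export row and a snapshot summary.
const CRITERIA = ["Implementation", "Effectiveness", "Documentation", "Testing", "Maturity"];

// Mean of the five 0-5 ratings; rejects bad input so a stray value cannot
// quietly move a control across a remediation boundary.
function controlAverage(ratings) {
  if (!Array.isArray(ratings) || ratings.length !== CRITERIA.length) throw new Error("need 5 ratings");
  for (const r of ratings) {
    if (!Number.isInteger(r) || r < 0 || r > 5) throw new Error("rating out of range: " + r);
  }
  return ratings.reduce((a, b) => a + b, 0) / CRITERIA.length;
}

// Bands from the Remediation Plan tab: <2.0 critical/30 days, 2.0-3.4 high/60 days,
// 3.5-4.4 medium/90 days. Assumption: 4.5 and above needs no remediation item.
function remediationPriority(avg) {
  if (avg < 2.0) return { priority: "Critical", dueDays: 30 };
  if (avg < 3.5) return { priority: "High", dueDays: 60 };
  if (avg < 4.5) return { priority: "Medium", dueDays: 90 };
  return { priority: "None", dueDays: null };
}

// RFC 4180 quoting: notes and evidence often contain commas or quotes, and an
// unquoted field would shift every later column in the auditor's spreadsheet.
function csvField(v) {
  const s = v == null ? "" : String(v);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// One export row per control: org, date, domain, control, the 5 ratings,
// average, priority, notes, evidence (column order is an assumption).
function csvRow(org, date, domain, control) {
  const avg = controlAverage(control.ratings);
  return [org, date, domain, control.name, ...control.ratings, avg.toFixed(1),
    remediationPriority(avg).priority, control.notes, control.evidence].map(csvField).join(",");
}

// What "Save Assessment" records per snapshot. Assumption: completion % is the
// share of controls that have ratings; unassessed controls carry ratings === null.
function snapshotSummary(controls) {
  const assessed = controls.filter((c) => c.ratings !== null);
  const critical = assessed.filter(
    (c) => remediationPriority(controlAverage(c.ratings)).priority === "Critical").length;
  return { completionPct: Math.round((100 * assessed.length) / controls.length), critical };
}

// Constructed sample control (not from the page).
const SAMPLE = { name: "Mantrap at loading dock", ratings: [3, 2, 1, 2, 2],
  notes: 'Badge reader works, alarm "untested"', evidence: "EV-001" };
console.log(csvRow("Acme Corp", "2026-01-15", "Sample Domain", SAMPLE));
```

Because each average is the mean of five integers, it is always a multiple of 0.2, so the 3.4/3.5 and 4.4/4.5 boundaries never fall on an actual score.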
Each domain maps to one or more AICPA Trust Services Criteria controls.
Covers all entry and exit points: perimeter barriers, badge/biometric systems, mantrap controls, visitor management, and emergency exit alarm monitoring.
Data centers, server rooms, and media storage areas — multi-factor authentication at entry, access log review, rack locking, authorized-personnel list certification, and equipment removal procedures.
Hardware asset tracking from arrival to disposal: RFID/barcode tagging, off-site equipment controls, third-party maintenance authorization, cabling protection and port blocking.
Power resilience, fire protection, and climate control: UPS and generator testing, clean-agent suppression, continuous temperature/humidity monitoring, water leak detection.
CCTV coverage, intrusion detection, and 24/7 monitoring: minimum 90-day retention, blind-spot elimination, alarm escalation SLAs, and false-alarm management.
Policy framework and control documentation: annual policy review, access authorization procedures, auditor-ready evidence packages, and change management records.
New in 2026 — GPU/TPU clusters, colocation/PoP security, and physical supply chain controls: hardware provenance verification, SBOM alignment, and third-party colo attestation review.
Every control is rated 0–5 across five evaluation criteria. The tool calculates an average score per control and per domain to determine compliance status.
Level 0: The control does not exist or has never been defined.
Level 1: Ad-hoc, reactive controls with no formal process.
Level 2: Control exists but is inconsistently applied and lacks full documentation.
Level 3: Formally documented, consistently applied, and understood by responsible staff.
Level 4: Actively monitored, measured, and improved with regular testing cycles.
Level 5: Continuously improved, fully automated where possible, and aligned to best-practice benchmarks.
Compliance thresholds (based on domain average)
Everything stays in your browser's localStorage. Nothing is sent to a server. Your data persists across sessions on the same device and browser, but will not transfer to a different device or private/incognito window.
Export CSV to share. The file contains your full assessment including all ratings, notes, and evidence. For ongoing collaboration on one assessment, both users would need to import/merge manually — a shared backend is not part of this tool.
No. This tool helps you self-assess and identify gaps, but compliance is determined by a qualified CPA firm performing an SSAE 18 attest engagement. Always work with your auditor to confirm your control environment meets their testing standards.
The most material additions are: (1) AI & Cloud Infrastructure as an explicit physical security domain, (2) hardware supply chain controls aligned to NIST 800-161r1, (3) colocation/third-party attestation now explicitly required, and (4) 90-day minimum CCTV retention.
Work through all 7 domains and rate every control. Address all critical and high-priority items in your remediation plan. Use the CSV export to build an evidence package aligned to auditor requests. Keep at least 3 saved snapshots to demonstrate trend improvement over time.
If you exported a CSV before clearing, you can reference those ratings to manually restore. Going forward, save assessments regularly — the saved snapshots are also stored in localStorage, so export CSV often as an off-device backup.
Your progress auto-saves as you work. No account required — just open the tool and begin.