Question 1

What qualifies as a physical security incident that requires a report?

Accepted Answer

A physical security incident is any event that compromises, threatens, or has the potential to compromise the physical safety of people, property, or assets within a facility or on premises under the organization's control. Reportable events include: unauthorized access or entry (tailgating through secured doors, badge cloning, lock picking, forced entry); theft of equipment, inventory, intellectual property, or personal belongings; trespassing by individuals who have no legitimate reason to be on the property; vandalism and intentional property damage; workplace violence including threats, intimidation, and physical assaults; suspicious activity or surveillance by unknown individuals (potential pre-operational reconnaissance); lost or stolen access credentials (badges, keys, key cards, security codes); alarm system activations (intrusion, duress, panic buttons); fire or environmental hazards that could affect facility security; and vehicle incidents in parking structures or secured areas. The reporting threshold should be low — if a security officer or employee observes something that does not look right, it should be documented even if the threat does not materialize, because these observations form the intelligence base for identifying patterns and preventing future incidents.

Question 2

How should surveillance footage be documented in a security incident report?

Accepted Answer

Surveillance footage is often the most critical evidence in a security incident, and the report must document it with enough precision to support retrieval, preservation, and potential use in legal proceedings. The report should record: which cameras captured relevant footage (by camera number, location, and view angle); the date and time range of relevant footage (noting whether the system uses local time or UTC); a description of what the footage shows (the actions captured, individuals visible, vehicles observed); the resolution and quality of the footage; whether the footage was exported and in what format (AVI, MP4, proprietary codec); who exported the footage and when (establishing the chain of custody); where the exported footage is stored (evidence locker, secure server, cloud storage); and the retention status — confirming that the relevant footage has been flagged for preservation beyond the normal automatic overwrite cycle. Many surveillance systems overwrite footage on a rolling basis (30-90 days is common), so the report must trigger immediate preservation of relevant segments. If the footage will be shared with law enforcement, the report should note when it was provided and to whom.

Question 3

What is the role of access control logs in security incident reporting?

Accepted Answer

Access control logs provide an objective, timestamped record of who entered and exited secured areas, making them invaluable for security incident investigations. Modern electronic access control systems (EACS) record each badge swipe, biometric scan, or PIN entry — including the credential holder's identity, the door or reader used, the date and time, and whether access was granted or denied. In a security incident report, access control data should be used to: establish who was present in the area at the time of the incident; identify unauthorized access attempts (denied entries, attempts outside normal working hours, attempts at doors the credential holder is not authorized to use); detect anomalies such as tailgating (a door held open for an extended period), anti-passback violations (someone entering without having exited), or credential sharing; correlate badge activity with surveillance footage to identify individuals; and establish a timeline of events leading up to and following the incident. The report should reference specific access control log entries by timestamp and reader location, and the raw log data should be preserved as part of the incident file. For incidents involving access control system failures (readers malfunctioning, doors not latching, software glitches), the logs may reveal the technical root cause.

Question 4

When should a security incident be escalated to law enforcement?

Accepted Answer

Security incidents should be escalated to law enforcement whenever criminal activity is suspected or confirmed, when there is an imminent threat to life or safety, or when the organization's policies or legal obligations require it. Specific triggers include: theft or burglary (particularly of high-value items, controlled substances, or sensitive data); assault, battery, or workplace violence; trespassing after a verbal or written trespass warning has been issued; vandalism or property damage above a threshold value; weapons on the premises; threats of violence (including bomb threats, active shooter threats, and terroristic threats); discovery of illegal substances; arson or suspected arson; and any incident where evidence preservation requires forensic expertise the security team does not possess. The decision to escalate should not be delayed by internal investigation — if the incident appears criminal, contact law enforcement immediately and continue the internal investigation in parallel. The security incident report should document the time law enforcement was contacted, the agency and officer responding, what information was shared, and the police case number assigned. Some jurisdictions require businesses to report certain types of incidents (e.g., drug offenses, environmental hazards) regardless of the organization's preference.

Question 5

How do security incident reports support loss prevention programs?

Accepted Answer

Security incident reports are the primary data source for loss prevention analysis and strategy. Every reported incident — theft, shrinkage, fraud, damage, access violation — contributes to a dataset that reveals patterns, vulnerabilities, and trends. Loss prevention teams use this data to: calculate loss rates by department, location, time period, and category; identify high-risk areas that need additional physical security measures (cameras, access control, lighting, staffing); detect internal theft patterns (unusual access patterns, inventory discrepancies correlated with specific employees or shifts); evaluate the effectiveness of existing security measures (if theft continues despite cameras, the camera placement or coverage may be inadequate); justify capital expenditures for security upgrades by documenting the cost of losses prevented versus security investment; and benchmark performance against industry standards (the National Retail Federation's annual survey, for example, reports average shrinkage rates by retail sector). Without consistent, detailed incident reporting, loss prevention operates on intuition rather than data. Organizations that implement rigorous reporting programs and analyze the data systematically show measurably lower loss rates than those that rely on ad hoc reporting.

Question 6

What privacy considerations apply to security surveillance and incident documentation?

Accepted Answer

Security surveillance and incident documentation intersect with multiple privacy frameworks that vary by jurisdiction. At the federal level, there is no comprehensive surveillance privacy law, but sector-specific rules apply: HIPAA restricts surveillance in healthcare settings where patient information could be captured; the Electronic Communications Privacy Act (ECPA) restricts interception of electronic communications; and the Fourth Amendment applies to government-operated facilities. State laws create a patchwork of requirements: most states allow video surveillance in public areas and workplaces with notice but prohibit audio recording without consent (varying between one-party and all-party consent states); some states require posted signage notifying individuals of surveillance; several states (including Illinois with BIPA, Texas, and Washington) have biometric privacy laws restricting the use of facial recognition and biometric access control data; and state wiretapping laws may apply to audio-enabled surveillance cameras. The security incident report should note what surveillance evidence was reviewed and preserved, but should not include gratuitous personal information about uninvolved individuals captured on camera. Organizations should have a written surveillance policy that addresses retention periods, access controls, and data subject rights — the incident report should be consistent with that policy.

Question 7

How long should security incident reports be retained?

Accepted Answer

Retention periods for security incident reports depend on the type of incident, applicable regulations, insurance requirements, and the organization's risk tolerance. There is no single federal retention standard, but practical guidelines include: incidents involving personal injury (assault, slip-and-fall) should be retained for at least the duration of the applicable statute of limitations for personal injury claims, which ranges from 1 to 6 years depending on the state, plus additional time for claims involving minors (which may not begin running until the minor reaches age 18); theft and property crime reports should be retained for at least 7 years to align with tax and insurance record retention; incidents involving hazardous materials or environmental exposure may require retention for 30+ years under OSHA regulations (29 CFR 1910.1020); incidents involving litigation holds must be retained indefinitely until the hold is released; and routine incidents with no injury, loss, or legal exposure can generally be retained for 3-5 years. Many organizations default to a 7-year retention period for all security incident reports as a practical compromise. Surveillance footage associated with incidents should be preserved for the same period as the report — standard footage not associated with incidents can follow the system's normal overwrite cycle (typically 30-90 days).

Question 8

What training should security personnel receive on incident report writing?

Accepted Answer

Security officers are frequently the first responders to physical security incidents, and their ability to write clear, accurate, detailed reports directly affects the organization's ability to investigate, prosecute, and prevent future incidents. Training should cover: factual versus opinion-based writing (teach officers to describe what they observed — 'the individual was unsteady on their feet and had an odor of alcohol' — rather than drawing conclusions — 'the individual was drunk'); chronological narrative structure (events in time-order sequence); specificity (exact times, measurements, descriptions, and locations rather than vague terms); proper use of force documentation (for armed or unarmed security with authority to detain); evidence preservation and chain of custody procedures; witness interview techniques; report form completion (every field filled, N/A where not applicable); digital evidence handling (surveillance exports, access log extraction, photograph metadata); legal awareness (what to include and what to avoid to protect the report from being used against the organization); and proofreading and quality review. Many security industry certifications (CPP, PSP, PCI from ASIS International) include report writing components. Organizations should conduct periodic quality audits of completed reports and provide feedback to officers to maintain reporting standards.

Free Security Incident Report Forms

What Is a Security Incident Report?

Surveillance Evidence

Access Control Analysis

Loss Prevention

Security Incident Report Form Preview

SECURITY INCIDENT REPORT

Key Components of a Security Incident Report

Incident Classification & Severity

Security Officer Narrative

Surveillance & Electronic Evidence

Property & Loss Documentation

Security Control Assessment

Corrective Actions & Recommendations

How to Write a Security Incident Report

Secure the scene and ensure safety

Preserve all electronic evidence immediately

Document the scene with photographs and notes

Collect witness statements

Write the report narrative and complete all sections

Notify management and coordinate with law enforcement

Frequently Asked Questions

Official Resources

Create your Security Incident Report in under 10 minutes.