Page 1 of 14
Crowded Places Security Audit
Crowded places are sites and events open to use by large numbers of people on a predictable basis. They
can be buildings or open spaces. A crowded place will not necessarily be crowded at all times as crowd
densities may vary between day and night and may be temporary. Crowded places are potentially
attractive to terrorists for reasons of location, symbolism, iconic stature, usage, crowd capacity or density
of people.
Crowded places encompass a significant range of different locations, venues and businesses. They differ
substantially in size and have different levels of risk to confront. For example, a large and complex shopping
centre will have different security requirements than an occasional small street market or a large music
concert. For this reason, the Crowded Places Security Audit does not attempt to provide a definitive list of
all security matters that you must address for your location. It is important to remember that protective
security measures should be proportionate to the level and type of threat.
This Audit document primarily aims to:
Present a menu of security issues, some of which may be relevant to the type, size and risk profile
of your crowded place; and
Provide an impetus for you to address any security gaps in a proportionate manner.
It is important to remember that just because a security question has been asked in the Audit, and you
have answered in the negative, this does not necessarily mean that your present security arrangements
around that particular issue are defective.
Ideally, this Audit should be undertaken by those that have already completed the Crowded Place Self-
Assessment. Owners and operators of crowded places with substantial protective security measures
already in place will probably find that they have already considered the issues outlined in this Audit, along
with additional issues specific to their location.
When selecting mitigations for security vulnerabilities, consider the results of the Crowded Place Self-
Assessment you completed for your location. The self-assessment forms part of Australia’s Strategy to
Protect Crowded Places from Terrorism, located at www.nationalsecurity.gov.au
/CrowdedPlaces. It is
important the selection of mitigations is informed by the degree of attractiveness as a terrorist target that
attaches to your crowded place. You should avoid investing in unnecessary protective security measures
and ensure the functionality of your location are preserved as far as reasonably possible, while reducing
vulnerability and increasing safety.
Professional security consultants are able to provide useful advice about protective security measures that
you may require for your specific location. Selecting the right security consultant is very important and the
things you need to consider before engaging a consultant are outlined on page 16 of Australia’s Strategy for
Protecting Crowded Places from Terrorism.
The Audit is not designed to fully address cybersecurity issues. If you have concerns with the security of
your information and communication technology then the Commonwealth Government’s CERT Australia
(www.cert.gov.au) and the Australian Cyber Security Centre (www.acsc.gov.au
) are best able to assist.
Page 2 of 14
Similarly, the Audit does not fully address issues and mitigation strategies in regards to improvised
explosive devices, active armed offenders and hostile vehicle attacks. Further information on these issues
can be found in the Crowded Places section at www.nationalsecurity.gov.au
/CrowdedPlaces.
Disclaimer:
The information provided in this Guide is intended to be used as general guidance material only and is not
provided for any other purpose. In particular, it is not intended to provide comprehensive advice.
Organisations or individuals using or relying upon the information contained in this document are deemed
to do so in conjunction with their own judgement and assessment of the information in light of their
particular needs and circumstances.
PLEASE NOTETHIS DOCUMENT IS UNCLASSIFIED WHEN BLANK. HOWEVER, IT
MUST BE TREATED AS SENSITIVE ONCE COMPLETED AS THE RESULTS OF THE AUDIT
COULD REVEAL SIGNIFICANT SECURITY VULNERABILITIES FOR A PARTICULAR SITE.
Page 3 of 14
Security Governance
Plans, Policies and Procedures
Do you have a Risk Management Plan for your site or event? Yes No N/A
If you hold several events, is your Risk Management Plan reviewed for each
event?
Yes No N/A
Do you have a specific site or event Emergency Response Plan?
Do you practice or exercise your Plan?
Yes
Yes
No
No
N/A
N/A
Do you have a person responsible for security at your site or event?
Are they aware of the current security environment?
Yes
Yes
No
No
N/A
N/A
Do you have nominated evacuation and lockdown officials? Yes No N/A
Do you have a Security Policy for your site or event that covers physical,
information and personnel security?
Yes No N/A
Does your Security Policy include screening of bags, mail and vehicles? Yes No N/A
Do you have Evacuation and Lockdown procedures, including a protected
space/s, factored into your planning?
If so, are they practiced or exercised?
Yes
Yes
No
No
N/A
N/A
Are crowd control arrangements factored into relevant plans for your site or
event?
Yes No N/A
If your site or event is located within a precinct of similar businesses, are there
precinct-wide plans?
Yes No N/A
If you have a moving event (e.g. a Fun Run, March or Parade), do your plans
cover the entire route?
Yes No N/A
Have you created secure incident assembly areas distinct from fire assembly
areas in your planning?
Yes No N/A
Do you regularly review and update your plans? Yes No N/A
Are plans reviewed when National Terrorism Threat Levels change and when
the security threat changes?
Yes No N/A
Are you registered with ASIO’s Business and Government Liaison Unit to
receive security information and advice?
Yes No N/A
Are staff, including casuals and volunteers, trained in activation and operation
of relevant plans?
Yes No N/A
Do you have a Business Continuity plan in the event of disruption to power,
telecommunications, water or key equipment?
Yes No N/A
Page 4 of 14
Plans, Policies and Procedures
Do you regularly meet with staff, including casuals and volunteers, and discuss
security issues?
Yes No N/A
Do you maintain regular liaison with local police, emergency services and
neighbouring businesses as part of the planning process?
Yes No N/A
Do your plans address active armed offender, hostile vehicles, trusted insider
and improvised explosive device threats?
Yes No N/A
Do you encourage all staff to raise their concerns about security and incidents?
If so, do you have a formal mechanism to support these concerns and report
incidents?
Yes
Yes
No
No
N/A
N/A
Do staff and tenant security-awareness training include the risk of terrorism-
related and other security-related threats and hoaxes?
Are staff and tenants aware of what to do should a threat be received?
Yes
Yes
No
No
N/A
N/A
Do you consider security penetration testing at your site or event? (e.g. how
long can someone stay on your site undetected? How far can they penetrate?)
Yes No N/A
Do your staff, particularly in the education and health sectors, understand
coded messaging to alert them of serious incidents and response
requirements?
Yes No N/A
Are your reception staff and supervisors trained and competent in managing
telephone bomb threats?
Do you have a bomb threat checklist?
Yes
Yes
No
No
N/A
N/A
Actions Arising from this Section
Page 5 of 14
Physical Security
General
Do you regularly keep external areas, entrances, exits, stairs, reception areas
and toilets clean and tidy?
Yes No N/A
Do you keep furniture to a minimum to provide little opportunity to hide
devices?
Yes No N/A
Can items/equipment at your site or event be used as weapons? Yes No N/A
Are unused offices, rooms and function suites locked? Yes No N/A
Do you have reliable, tested communications in the event of an incident at
your site or event?
Yes No N/A
Does your public communication messaging for evacuations in response to a
serious incident include a direction to disperse rather than congregate?
Yes No N/A
Do you have pre-existing communication arrangements in place with
neighbouring businesses or crowded places in the event of a serious
incident?
Yes No N/A
If you have a police, or other emergency response presence, are they familiar
with the site’s or event’s emergency response plans?
Do they have direct communications with your security guards?
Yes
Yes
No
No
N/A
N/A
In any advertising of your site or event, do you include security messaging
and prohibited items?
Yes No N/A
If you use social media, do you provide security messaging and emergency
advice?
Yes No N/A
Do you monitor social media in advance of an event for possible threats? Yes No N/A
Do you provide advice to patrons about the safest or preferred transport
route to attend and leave the event?
Yes No N/A
Is your site or event located near similar sites or events with identical closing
times?
Are the security arrangements comparable at these sites/events?
Yes
Yes
No
No
N/A
N/A
Do you have easily identifiable security officers? Yes No N/A
Are staff (including casual staff and volunteers) and tenants aware of the
National Terrorism Threat Level and the importance of vigilance for
suspicious activity?
Yes No N/A
Do you have a procedure in place to handle and store unattended baggage at
your site or event?
Yes No N/A
Does your site or event provide opportunity for food or waterways to be
contaminated?
Yes No N/A
Page 6 of 14
General
Are air conditioning inlet ducts and other access points to your building
appropriately secure from both persons and foreign objects/substances?
Yes No N/A
If your site or event relies on localised or temporary mobile phone towers
and/or generators, do they have the appropriate security?
Yes No N/A
Do you carry out a systematic and thorough search of your site or location as
a part of routine housekeeping and in response to a specific incident?
Yes No N/A
When you conduct your search does it include toilets, lifts, restricted areas,
car parks, service areas and performance areas?
Yes No N/A
Do you have sufficient staff, including casuals and volunteers, to perform
search functions effectively?
Yes No N/A
Do you have first aid trained staff and equipment readily available at your
site or event?
Yes No N/A
Are your fire detection and suppression systems properly maintained and
tested?
Yes No N/A
If a large temporary event, have you made arrangements for the on-site
provision of fire services personnel and equipment?
Yes No N/A
Access Control
Do you have visible (and advertised) signs of bag searching and person
screening?
Yes No N/A
Do you have expedited entry processes to avoid choke points and
congestion?
Yes No N/A
At a major event, do you commence initial security screening of patrons at a
distance from the actual access points?
Yes No N/A
Can you identify people through any online ticketing process? Yes No N/A
Is there clear demarcation identifying the public and private areas of your site
or event?
Yes No N/A
Do you keep the same level of security for immediately after the event? Yes No N/A
Can members of the public get access to your site or event when it is closing
and large numbers of people are leaving?
Yes No N/A
Does the direct route to the main reception provide access to large groups of
people?
Yes No N/A
Do you discourage congregation of large groups near entrances and/or roads
in high volume times?
Yes No N/A
Page 7 of 14
Access Control
Do you ensure that all vehicles kept at your site or event are secure and keys
not readily accessible?
Yes No N/A
Are visitors’ badges designed to look different from staff badges? Yes No N/A
Are all visitors’ badges collected from visitors when they leave your site or
event?
Yes No N/A
Does a member of staff accompany visitors at all times while in the private or
restricted area?
Yes No N/A
Are all electronic security passes and keys accounted for and current? Yes No N/A
Do you adopt a ‘challenge culture’ to anybody not wearing a pass in your
restricted areas?
Yes No N/A
Do you require driver and vehicle details of waste collection services in
advance?
Yes No N/A
How many access and egress points does your site or event have?
Are all of these points controlled and/or have CCTV coverage?
Yes
Yes
No
No
N/A
N/A
Do you screen people for metal objects at access control points? Yes No N/A
Is screening equipment calibrated and set to the required sensitivity settings? Yes No N/A
Have you considered a visitor search regime that is flexible and can be
tailored to a change in threat or response level?
Yes No N/A
Are your staff trained and properly briefed on their powers and what they are
searching for? (for example knives, firearms and components of homemade
explosives)
Yes No N/A
Do you screen all your mail and do you cancel all normal mail and parcel
deliveries on high profile days at your site or event?
Yes No N/A
On high profile days, is there a capability for the assessment of suspicious
items at a separate location?
Yes No N/A
Page 8 of 14
Perimeter Security
Do you have appropriate external lighting? Yes No N/A
Is security and trespass warning signage visible and suitably placed around
your site or event?
Yes No N/A
Are incoming goods routinely checked?
Could an explosive device or weapon be easily smuggled into the location via
a delivery?
Yes
Yes
No
No
N/A
N/A
For a moving event (e.g. Fun Run), is there protection for the whole route?
Do roads remain closed for a safe period after the moving event has passed?
Yes
Yes
No
No
N/A
N/A
Are alterations to traffic flow monitored during a moving event?
Is this creating an unexpected hazard?
Yes
Yes
No
No
N/A
N/A
Do you have a procedure in place to identify and investigate suspicious
vehicles?
Yes No N/A
Are security patrols conducted prior to opening, during and after the site or
event in order to detect suspicious items or activity?
Yes No N/A
If your location can be secured, is perimeter security adequate?
Could the security perimeter be extended if required?
Yes
Yes
No
No
N/A
N/A
Do you operate Automatic Number Plate Recognition Cameras at your
location and relevant information shared with police?
Yes No N/A
Are there any climbing point vulnerabilities that offer access over the security
fence?
Yes No N/A
Is visibility from your site or event enhanced by removing or trimming excess
vegetation and relocating non-essential items (waste bins, furniture)?
Yes No N/A
Hostile Vehicle Mitigation
Do you have in place vehicle safety barriers to keep all but authorised
vehicles at a safe distance and to mitigate against a hostile vehicle attack?
Yes No N/A
Have you prioritised the placement of your vehicle safety barriers (permanent
and temporary) based on risk?
Yes No N/A
Have barriers been appropriately spaced, crash tested and rated against a
recognised standard?
Yes No N/A
Do you prevent all vehicles entering goods or services areas without
authorisation where they are above, next to or below areas where there will
be large groups of people?
Yes No N/A
Page 9 of 14
Hostile Vehicle Mitigation
With moving events, do you conduct last minute checks to ensure safety
barriers are in the correct place and have not been tampered with?
Yes No N/A
Are stall holders, patron seating and entertainment a safe distance behind
vehicle safety barriers?
Yes No N/A
If barriers are not available, are you utilising trucks or large vehicles to assist
with defending against a vehicle attack?
Yes No N/A
Are there any alternative paths of travel that will bypass barriers to your site
or event?
Yes No N/A
Are unauthorised vehicles allowed access past the vehicle security barriers? Yes No N/A
Are parked patron vehicles at festivals and open-air events capable of being
used in a hostile vehicle attack?
Yes No N/A
Do you have a policy to refuse entry to any vehicle whose driver refuses a
search request?
Yes No N/A
CCTV
Do you constantly monitor your CCTV images or playback overnight
recordings for evidence of suspicious activity?
Do you have procedures in place to report suspicious activity to police?
Yes
Yes
No
No
N/A
N/A
Are your CCTV cameras regularly maintained? Yes No N/A
Do the CCTV cameras cover the entrances and exits to your location? Yes No N/A
Do you have CCTV cameras covering critical areas, such as IT equipment, back-
up generators, cash offices and restricted areas?
Yes No N/A
Do you store the CCTV images in accordance with the evidential needs of the
police?
If required, can police access CCTV coverage? (Both stored and in real time)
Yes
Yes
No
No
N/A
N/A
Could you reasonably identify an individual from your CCTV and monitor the
system in real-time?
Could they be recognised even in a very congested area? (e.g. a mosh pit at a
festival)
Yes
Yes
No
No
N/A
N/A
Are the date and time stamps of the system accurate and updated? Yes No N/A
Does the lighting system complement the CCTV system during daytime and
darkness hours?
Yes No N/A
Have you implemented operating procedures, codes of practice and audit
trails for your CCTV?
Yes No N/A
Page 10 of 14
CCTV
Is each CCTV camera doing what it was installed to do? Yes No N/A
Can surveillance of your site or event be conducted from points outside your
location?
Are these points monitored by your CCTV?
Yes
Yes
No
No
N/A
N/A
Could an offender get to access points before being noticed by your CCTV? Yes No N/A
Are car park or drop-off points (including loading docks) controlled or
monitored?
Yes No N/A
If your CCTV system is web-based, are usernames and passwords ‘secure’?
Are usernames and passwords regularly changed?
Yes
Yes
No
No
N/A
N/A
Do you provide regular training for staff in the use of your CCTV systems? Yes No N/A
Do you have staff that can competently track a person on CCTV through your
location?
Yes No N/A
Improvised Explosive Devices Blast Mitigation
Does the design and layout of your site or event (including surrounds) enable
easy concealment of explosive devices?
Yes No N/A
Have you reviewed the use and location of all waste receptacles in and
around your location?
Yes No N/A
Could an explosive device be easily smuggled onto your site or event? Yes No N/A
Do you screen people for traces of explosive materials at access control
points?
Yes No N/A
Do you house flammable materials and are they appropriately secured? Yes No N/A
Does your location have fixtures or fittings that could become shrapnel? Yes No N/A
Have structural engineering assessments of the site’s expected response to a
blast event been obtained?
Yes No N/A
Have fragment mitigation measures been installed on windows and other
glass?
Yes No N/A
Have ballistic/blast treatments been installed at visitor and reception points? Yes No N/A
Hostile Reconnaissance Detection (Detecting Suspicious Behaviour)
Have you identified locations where an offender may surveil your site or
event to assist in planning an attack?
Yes No N/A
Page 11 of 14
Hostile Reconnaissance Detection (Detecting Suspicious Behaviour)
Do you place signs that alert patrons to the existence of hostile surveillance or
encourages the reporting of suspicious behaviour?
Yes No N/A
Are your security personnel and other staff trained in detecting suspicious
behaviour?
Yes No N/A
Is your staff aware of the potential use of drones for hostile reconnaissance? Yes No N/A
Could a person conceal themselves in your site or event to observe how you
operate?
Can surveillance be conducted of your site or event from a point outside the
area monitored by your security arrangements?
Yes
Yes
No
No
N/A
N/A
Could someone get to access points before being noticed by your security
arrangements?
Yes No N/A
Do you conduct random and overt searches of vehicles and people as a visual
deterrent?
Yes No N/A
Do you make use of your website/publications to inform contractors, and
patrons, of your inspection policies as well as crime prevention and counter-
terrorism messages?
Yes No N/A
Is there any information in the public domain that could assist in hostile
surveillance? (e.g. plans, policies, CCTV details)
Yes No N/A
Actions Arising from this Section
Page 12 of 14
Information Security
Do you have Information Security plans and procedures?
If yes, do they cover such things as:
Security classification?
Copying, storage, transfer, handling and disposal of information?
Yes
Yes
Yes
No
No
No
N/A
N/A
N/A
Does your site or event have a website or otherwise release information,
which might assist terrorists or other offenders in planning an attack?
Yes No N/A
Do you lock away all business documents at the close of the business day? Yes No N/A
Do you have a clear-desk policy out of business or operational hours? Yes No N/A
Do you log off and close down all computers at the close of the business day? Yes No N/A
Are all your computers password protected? Yes No N/A
Do you have computer firewall and antivirus software on your computer
systems?
Do you regularly update this protection?
Yes
Yes
No
No
N/A
N/A
Do you identify and put in place strategies for mitigating cyber intrusions? Yes No N/A
Have you considered an encryption package for sensitive information you wish
to protect?
Yes No N/A
Is information discussed and distributed on a need-to-know’ basis? Yes No N/A
Do monitors, screens, whiteboards face away from windows in order to
prevent oversight?
Yes No N/A
Do you destroy sensitive data properly when no longer required? Yes No N/A
Do you have a back-up of critical information contained securely at a different
location from where you operate your business?
Yes No N/A
Actions Arising from this Section
Page 13 of 14
Personnel Security
Do you have Personnel Security policies and procedures?
If yes, do they cover such things as:
Code of Conduct
Information and personal privacy
Notification of personal overseas travel
Workplace prohibited items
Security awareness and training
Yes
Yes
Yes
Yes
Yes
Yes
No
No
No
No
No
No
N/A
N/A
N/A
N/A
N/A
N/A
Are staff, including casuals and volunteers, pre-employment checks
conducted?
If you have tenants or contractors, do they conduct such checks of their own
staff?
Yes
Yes
No
No
N/A
N/A
If you have external security and/or screening staff, have they had similar pre-
employment checks?
Yes No N/A
Do staff pre-employment checks include (where lawful):
identity checks?
qualification checks?
employment checks?
criminal history checks?
financial background checks?
Yes
Yes
Yes
Yes
Yes
No
No
No
No
No
N/A
N/A
N/A
N/A
N/A
Is ongoing suitability for employment managed, e.g. staff to report changes in
personal circumstances?
Yes No N/A
Are security breaches reported by staff and investigated by appropriately
trained personnel?
Yes No N/A
Are exit interviews conducted? Yes No N/A
Is there a checklist for staff leaving that includes:
return of all keys?
return of uniforms and official identification?
return of official information (for example documents and files)?
return and deactivate access passes and all systems access?
Yes
Yes
Yes
Yes
No
No
No
No
N/A
N/A
N/A
N/A
Actions Arising from this Section
Page 14 of 14
PLEASE NOTETHIS DOCUMENT IS UNCLASSIFIED WHEN LEFT BLANK. HOWEVER, IT
MUST BE TREATED AS SENSITIVE ONCE COMPLETED AS IT COULD REVEAL
SIGNIFICANT SECURITY VULNERABILITIES FOR A PARTICULAR SITE.