Conducting a security assessment or risk assessment is very important for any organization that plans to protect its assets and personnel. If the company is just starting out, an assessment should be done prior to opening the doors for business; it should actually be ongoing during pre-building plans and post-building completion, as well as reviewed regularly. If I were a new manager coming into an organization, I would certainly be looking at all aspects of security, ranging from information security through the various forms of physical security; this would hopefully allow any flaws to be presented and corrected. I think implementation and follow-ups are the most important aspects of an assessment. Anyone can point out things that need to be put into place, but everything needs to be followed up on to make sure it is an effective solution for protecting the organization's assets.
How is this best accomplished in your opinion? Should this be an internal or external assessment; who should perform, etc.?