You have actually halfway answered your own question here. The rule of thumb when reviewing risk assessment recommendations is to compare what is being recommended with the likelihood of the event occurring.
This is called Risk Frequency or the likelihood of the identified risk or vulnerability occurring. A consultant performing a risk assessment is retained to identify ALL potential risks and then measure the likelihood of the risk occurring, how much damage will be incurred, what that damage will do to your company, will you be able to recover, what will happen to your company's reputation after the event and how much will the damage cost you both at onset and after repairs are made. This is called Risk Cost. This is what you pay the consultant to identify.
The trick is to balance the likelihood of an event happening with the cost of the recommended solution. If the frequency of occurrence is low or non-existent, then you may elect to eliminate the recommendation. If the likelihood that the identified risk will occur is high, then you need to either spend the budget dollars on the recommended solution or avoid the cost in lieu of accepting the risk by increasing your insurance coverage/premium for the identified risk. If the consultant you have hired is not providing you with this type of risk versus likelihood comparison and is expecting you to decide merely on his/her expertise, then I would say it is time to reconsider your business relationship with your consultant.
Regarding my recommendations as to what you should use or be looking at surrounding data center security design, I would say that it is hard for me to say. Without knowing the answers to the below questions, among others, I really would not be in a position to make any recommendations on what you should or should not have. But answering the following questions should help in determining your data center security needs.
- The organization or company (who you are and what role your company plays in global markets).
- What your risk or vulnerability factor is.
- What the makeup of your corporate culture is.
- What the criticality of the information being stored/housed in the data center is.
- Where your particular data center is located.
- Who your company does business with, etc.
Without knowing the answers to the above questions, among others, I really would not be in a position to make any recommendations on what you should or should not have.