ISO 27001 A.7.4: Physical security monitoring
What This Control Requires
Premises shall be continuously monitored for unauthorized physical access.
In Plain Language
Locks and badge readers are only half the picture. You also need eyes on the premises - cameras, sensors, alarms - so that if someone gets in who should not be there, you actually know about it and can respond.
This is a new control added in ISO 27001:2022, making explicit what was previously just implied. Continuous monitoring means CCTV, intrusion detection systems, guard patrols, and automated alerts working together to cover the building around the clock, including outside business hours when the building is empty and most vulnerable.
The critical part that auditors focus on is not just detection but response. A camera recording footage that nobody watches and an alarm that nobody responds to are almost useless. You need a clear chain from detection to alert to human response, with defined timescales and escalation paths.
How to Implement
Start with a risk assessment of your premises. Identify the most valuable assets, the highest-threat areas, and any regulatory requirements. Design your monitoring system to provide complete coverage of all critical areas.
Place CCTV cameras at every entry and exit point, along building perimeters, in corridors leading to restricted areas, inside restricted areas like server rooms, in parking areas, and at loading docks. Choose cameras with the right specs for each location - decent resolution, night vision for exterior or low-light areas, weather resistance for outdoor positions.
Deploy intrusion detection for areas that need protection outside business hours. Use a mix of door contacts, passive infrared motion detectors, glass break sensors, and vibration sensors as appropriate. Tune the system carefully - too sensitive and you drown in false alarms, too lax and you miss real events.
Set up a monitoring and response capability. If you run 24/7 operations, have a security operations centre or monitoring station watching feeds and responding to alarms in real time. If you do not have round-the-clock staff, outsource to a professional security monitoring company with agreed response times and escalation procedures.
Write clear response procedures for different alert types. An intrusion alarm at the server room is a very different situation from a motion alert in a general office at 3am. Document who gets called, how quickly, and what happens if the first responder does not pick up. Test these procedures regularly with drills.
Retain CCTV recordings for an appropriate period - typically 30 to 90 days depending on legal requirements and storage capacity. Store recordings securely with access limited to authorised personnel. Comply with data protection requirements: put up signage, run a data protection impact assessment (DPIA) if you have not already, and be ready to handle subject access requests for footage.
Test and maintain everything on a schedule. Check that cameras are working and coverage has no gaps. Test sensors. Verify that alarms actually reach the monitoring station and trigger a response. Replace broken components immediately. Update the system whenever the premises change.
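The detection-to-alert-to-response chain the steps above describe, as an added illustration that is not part of the original page: a small alert-routing model in Python that escalates along a call chain when nobody acknowledges in time, and treats out-of-hours events more seriously. The zones, contact names, acknowledgement windows and business hours are constructed placeholders, not values the control prescribes.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed policy: the call chain per zone and the minutes each contact has
# to acknowledge before the alert escalates to the next one in the chain.
POLICY = {
    "server_room":    {"chain": ["duty_officer", "it_manager", "ciso"], "ack_minutes": 5},
    "general_office": {"chain": ["reception", "facilities_manager"], "ack_minutes": 30},
}
OUT_OF_HOURS_FIRST = "monitoring_company"  # constructed: contracted monitoring station

@dataclass
class Alert:
    zone: str
    kind: str                 # e.g. "intrusion" or "motion"
    raised_at: str            # ISO 8601 timestamp from the alarm panel, e.g. "2024-03-05T03:00"
    acks: set = field(default_factory=set)   # contacts who have acknowledged

def is_out_of_hours(alert):
    # Business hours assumed Mon-Fri 08:00-18:00 (constructed assumption).
    ts = datetime.fromisoformat(alert.raised_at)
    return ts.weekday() >= 5 or not time(8) <= ts.time() < time(18)

def severity(alert):
    # Server-room events are always critical; office motion is low priority in
    # hours but treated as a probable intrusion when the building is empty.
    if alert.zone == "server_room":
        return "critical"
    return "high" if is_out_of_hours(alert) else "low"

def escalation_chain(alert):
    chain = list(POLICY[alert.zone]["chain"])
    if is_out_of_hours(alert):
        chain.insert(0, OUT_OF_HOURS_FIRST)  # nobody in-house is on site
    return chain

def who_to_page(alert, minutes_elapsed):
    # Walk the chain forward each time an acknowledgement deadline passes without
    # a response. Returns None once someone has acknowledged, and keeps paging the
    # top of the chain if every contact has missed their deadline.
    if alert.acks:
        return None
    chain, window = escalation_chain(alert), POLICY[alert.zone]["ack_minutes"]
    for position, contact in enumerate(chain):
        if minutes_elapsed < (position + 1) * window:
            return contact
    return chain[-1]
```

Feeding real alarm-panel events through a model like this, and recording every page and acknowledgement, produces the timestamped response trail an auditor asks for.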
Evidence Your Auditor Will Request
- Physical security monitoring system design and coverage documentation
- CCTV camera locations, specifications, and coverage maps
- Intrusion detection system configuration and zone documentation
- Monitoring response procedures and escalation contacts
- System testing and maintenance records
Common Mistakes
- CCTV system has blind spots in critical areas or cameras are non-functional
- Intrusion alarms are triggered but no timely response is initiated
- Monitoring is not conducted outside business hours when premises are most vulnerable
- CCTV recordings are not retained for a sufficient period
- No regular testing or maintenance of monitoring systems
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.4 | Related |
| NIS2 | Art.21(2)(a) | Partial overlap |
Frequently Asked Questions
Is this a new control in ISO 27001:2022?
What are the privacy implications of CCTV monitoring?