ISO 27001 Annex A 7.4 Audit Checklist


Auditing ISO 27001 Annex A 7.4 Physical Security Monitoring is the systematic verification that surveillance is continuous and that alerting is responsive. The primary implementation requirement is 24/7 monitoring with real-time linkage to incident handling; the business benefit is rapid detection of, and deterrence against, unauthorised physical access to critical organisational assets.

ISO 27001 Annex A 7.4 Physical Security Monitoring Audit Checklist

This technical verification tool is designed for lead auditors to establish the continuous integrity of an organisation’s physical perimeters and secure zones. Use this checklist to validate compliance with ISO 27001 Annex A 7.4.

1. Physical Surveillance Coverage Alignment Verified

Verification Criteria: Surveillance systems (CCTV, PIR sensors) are positioned to monitor all identified entry and exit points, as well as high-risk internal areas identified in the risk assessment.

Required Evidence: Camera placement map and live feed verification confirming no significant “blind spots” at primary perimeters.

Pass/Fail Test: If a primary entry point or a high-risk server room entrance is not covered by active surveillance, mark as Non-Compliant.

2. Continuous Monitoring and Alerting Functionality Confirmed

Verification Criteria: Physical security monitoring systems are active 24/7 and integrated with a real-time alerting mechanism for unauthorised access attempts.

Required Evidence: Alarm system configuration reports and notification logs showing alerts sent to security personnel or a Monitoring Centre.

Pass/Fail Test: If the surveillance system records locally but lacks a real-time alerting mechanism for out-of-hours breaches, mark as Non-Compliant.

3. Video Footage Retention and Integrity Validated

Verification Criteria: Surveillance recordings are retained for a period defined by the organisation’s legal and business requirements and are protected from unauthorised deletion.

Required Evidence: Storage server settings showing retention period (e.g., 30, 60, or 90 days) and restricted Access Control Lists (ACLs) for the footage repository.

Pass/Fail Test: If footage can be accessed or deleted by general staff or if the retention period is less than the organisation’s stated policy, mark as Non-Compliant.

4. Intruder Detection System (IDS) Integration Verified

Verification Criteria: Motion sensors, glass-break detectors, and door contacts are operational and integrated into a central security dashboard or panel.

Required Evidence: IDS maintenance certificates and recent alarm test logs showing successful “Trip” events.

Pass/Fail Test: If sensors in secure zones (e.g., archive rooms) are found to be bypassed or disconnected during the physical walkthrough, mark as Non-Compliant.

5. Night-Vision and Low-Light Capability Confirmed

Verification Criteria: External surveillance cameras possess Infrared (IR) or low-light technical capabilities to ensure visible monitoring during hours of darkness.

Required Evidence: Sighting of IR LEDs on hardware and review of “Night Mode” footage from the previous 24-hour cycle.

Pass/Fail Test: If night-time footage is too grainy or dark to identify a human face or vehicle license plate, mark as Non-Compliant.

6. Monitoring System Power Redundancy Verified

Verification Criteria: Security monitoring systems are supported by Uninterruptible Power Supplies (UPS) or backup generators to maintain surveillance during power outages.

Required Evidence: Physical sighting of UPS connected to the DVR/NVR and security switch; load test logs for the backup power source.

Pass/Fail Test: If the security monitoring system shuts down immediately upon a simulated or recorded mains power failure, mark as Non-Compliant.

7. Secure Storage of Monitoring Hardware Confirmed

Verification Criteria: The physical recording devices (DVRs, NVRs) and security network switches are housed within a locked, secure enclosure or room.

Required Evidence: Sighting of locked server racks or a dedicated security comms room with restricted badge access.

Pass/Fail Test: If a DVR or security switch is found in an open-access area (e.g., under a reception desk), mark as Non-Compliant.

8. Periodic Monitoring System Maintenance Records Present

Verification Criteria: Technical maintenance is performed regularly to ensure camera lenses are clean, sensors are calibrated, and firmware is updated.

Required Evidence: Preventive Maintenance (PM) logs or service reports from the security contractor for the current audit year.

Pass/Fail Test: If there is no evidence of a technical health check or lens cleaning in the last 12 months, mark as Non-Compliant.

9. Incident Response Linkage Validated

Verification Criteria: Physical security events detected by the monitoring system are formally logged as incidents within the organisation’s incident management framework.

Required Evidence: Cross-reference of a “Door Forced” alarm in the security log with a corresponding entry in the Information Security Incident Log.

Pass/Fail Test: If physical security alarms are cleared locally by guards without being recorded in the central ISMS incident tracker, mark as Non-Compliant.
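An auditor working through items 2 and 9 above typically samples exported alarm, notification and incident records rather than trusting a dashboard status. The following script is an added example that is not part of the original checklist: it cross-references a constructed alarm panel export against a constructed notification log and a constructed ISMS incident tracker export, flagging out-of-hours alarms that never reached an acknowledged responder channel and alarms with no corresponding ISMS incident. The CSV layouts, field names, business hours and channel names are assumptions for illustration; real exports will differ.

```python
"""Cross-check physical security alarms against notification and ISMS incident logs.

Added example, not from the original checklist. The log formats, field names,
business hours and channel names below are assumptions; adapt them to the
actual exports from the alarm panel, paging system and incident tracker.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample: alarm panel export (alarm id, timestamp, zone, event)
ALARM_LOG = """\
A-1001,2024-03-04T09:12:00,Main Entrance,Door Forced
A-1002,2024-03-04T23:40:00,Server Room,Door Held Open
A-1003,2024-03-05T02:05:00,Archive Room,Motion
A-1004,2024-03-05T14:30:00,Loading Bay,Glass Break
"""

# Constructed sample: notification log (alarm id, channel, recipient, acknowledged)
NOTIFICATION_LOG = """\
A-1001,email,soc@example.invalid,yes
A-1002,email,soc@example.invalid,no
A-1003,sms,duty-guard,yes
A-1004,phone,duty-guard,yes
"""

# Constructed sample: ISMS incident tracker export (incident id, linked alarm id)
INCIDENT_LOG = """\
INC-42,A-1001
INC-43,A-1003
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed Monday-Friday office hours
RESPONDER_CHANNELS = {"sms", "phone"}        # channels assumed to wake a human responder


@dataclass
class Finding:
    alarm_id: str
    check: str       # "alerting" (item 2) or "incident-linkage" (item 9)
    detail: str


def parse_csv(text: str) -> list[list[str]]:
    """Split a simple comma-separated export into rows, skipping blank lines."""
    return [line.split(",") for line in text.strip().splitlines() if line.strip()]


def is_out_of_hours(ts: datetime) -> bool:
    """True for weekends or any time outside the assumed business hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def audit_alarm_linkage(alarm_text: str, notification_text: str, incident_text: str) -> list[Finding]:
    """Return one Finding per failed check; an empty list means every alarm passed both checks."""
    notifications: dict[str, list[tuple[str, str, bool]]] = {}
    for alarm_id, channel, recipient, acked in parse_csv(notification_text):
        notifications.setdefault(alarm_id, []).append((channel, recipient, acked == "yes"))
    incident_by_alarm = {alarm_id: inc for inc, alarm_id in parse_csv(incident_text)}

    findings: list[Finding] = []
    for alarm_id, ts_text, zone, event in parse_csv(alarm_text):
        ts = datetime.fromisoformat(ts_text)
        sent = notifications.get(alarm_id, [])

        # Item 2: a real-time alert must reach a responder; out of hours an
        # unread email is not enough, so require an acknowledged responder channel.
        if not sent:
            findings.append(Finding(alarm_id, "alerting",
                                    f"{event} in {zone}: no notification recorded"))
        elif is_out_of_hours(ts) and not any(
                ch in RESPONDER_CHANNELS and acked for ch, _, acked in sent):
            findings.append(Finding(alarm_id, "alerting",
                                    f"{event} in {zone} at {ts_text}: out-of-hours alarm "
                                    f"has no acknowledged responder-channel notification"))

        # Item 9: every alarm must surface in the ISMS incident log, not be cleared locally.
        if alarm_id not in incident_by_alarm:
            findings.append(Finding(alarm_id, "incident-linkage",
                                    f"{event} in {zone}: no ISMS incident references this alarm"))
    return findings


if __name__ == "__main__":
    results = audit_alarm_linkage(ALARM_LOG, NOTIFICATION_LOG, INCIDENT_LOG)
    for f in results:
        print(f"{f.alarm_id} [{f.check}] {f.detail}")
    print(f"{len(results)} finding(s)")
```

On the constructed sample the script reports three findings: the 23:40 Server Room alarm was only emailed and never acknowledged, and neither that alarm nor the Loading Bay glass-break event appears in the ISMS incident log. The auditor still samples the underlying records by hand; the script only makes the gaps in the evidence trail visible across a full export rather than the handful of entries a walkthrough can cover.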

10. Monitoring Staff Competency and Vetting Verified

Verification Criteria: Personnel responsible for monitoring surveillance feeds are appropriately trained and have undergone background checks.

Required Evidence: Training records for the security team and evidence of valid security industry licenses (e.g., SIA in the UK).

Pass/Fail Test: If monitoring is performed by unvetted or untrained third-party staff without a formal contract mandating screening, mark as Non-Compliant.

ISO 27001 Annex A 7.4 SaaS / GRC Platform Failure Checklist

Surveillance Coverage

The ‘Checkbox Compliance’ Trap: Tool records “CCTV Policy.pdf” as uploaded.

The Reality Check: Policy is not coverage. Auditor must verify live feeds for blind spots that allow undetected entry.

24/7 Alerting

The ‘Checkbox Compliance’ Trap: GRC dashboard shows “System Active” status.

The Reality Check: Verify the destination. Does an alarm at 2 AM trigger a phone call to a responder or just an unread email?

Footage Integrity

The ‘Checkbox Compliance’ Trap: Platform assumes cloud-synced footage is secure.

The Reality Check: Check local access. Can a local administrator delete footage from the NVR before it syncs to the GRC-linked cloud?

Technical Hygiene

The ‘Checkbox Compliance’ Trap: Tool sets a task for “Annual Maintenance Check.”

The Reality Check: Verify action. Review repair logs for broken cameras. A “Task” marked done in a GRC tool doesn’t fix a blurry lens.

Environmental Resilience

The ‘Checkbox Compliance’ Trap: Tool marks “Power Redundancy” as a ‘Yes/No’ field.

The Reality Check: Verify runtime. GRC tools don’t calculate whether the UPS can actually hold the load for the required duration.

Physical Protection

The ‘Checkbox Compliance’ Trap: GRC tool identifies the “Server Room” as the storage location.

The Reality Check: Check the rack. If the security NVR is in an unlocked cabinet, an intruder can simply take the evidence with them.

Integration

The ‘Checkbox Compliance’ Trap: SaaS tool lists “Physical Monitoring” as a standalone control.

The Reality Check: Verify the ISMS loop. If physical breaches aren’t reviewed in the same pipeline as cyber events, the ISMS is siloed.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
