4. Intruder Detection System (IDS) Integration Verified

Verification Criteria: Motion sensors, glass-break detectors, and door contacts are operational and integrated into a central security dashboard or panel. Required Evidence: IDS maintenance certificates and recent alarm test logs showing successful "Trip" events.

5. Night-Vision and Low-Light Capability Confirmed

Verification Criteria: External surveillance cameras possess Infrared (IR) or low-light technical capabilities to ensure visible monitoring during hours of darkness. Required Evidence: Sighting of IR LEDs on hardware and review of "Night Mode" footage from the previous 24-hour cycle.

6. Monitoring System Power Redundancy Verified

Verification Criteria: Security monitoring systems are supported by Uninterruptible Power Supplies (UPS) or backup generators to maintain surveillance during power outages. Required Evidence: Physical sighting of UPS connected to the DVR/NVR and security switch; load test logs for the backup power source.

7. Secure Storage of Monitoring Hardware Confirmed

Verification Criteria: The physical recording devices (DVRs, NVRs) and security network switches are housed within a locked, secure enclosure or room. Required Evidence: Sighting of locked server racks or a dedicated security comms room with restricted badge access.

8. Periodic Monitoring System Maintenance Records Present

Verification Criteria: Technical maintenance is performed regularly to ensure camera lenses are clean, sensors are calibrated, and firmware is updated. Required Evidence: Preventive Maintenance (PM) logs or service reports from the security contractor for the current audit year.

9. Incident Response Linkage Validated

Verification Criteria: Physical security events detected by the monitoring system are formally logged as incidents within the organisation's incident management framework. Required Evidence: Cross-reference of a "Door Forced" alarm in the security log with a corresponding entry in the Information Security Incident Log.

10. Monitoring Staff Competency and Vetting Verified

Verification Criteria: Personnel responsible for monitoring surveillance feeds are appropriately trained and have undergone background checks. Required Evidence: Training records for the security team and evidence of valid security industry licenses (e.g., SIA in the UK).

ISO 27001 Annex A 7.4 Audit Checklist [+ Templates]

Q: 1. Physical Surveillance Coverage Alignment Verified

Verification Criteria: Surveillance systems (CCTV, PIR sensors) are positioned to monitor all identified entry and exit points, as well as high-risk internal areas identified in the risk assessment. Required Evidence: Camera placement map and live feed verification confirming no significant "blind spots" at primary perimeters.

Q: 2. Continuous Monitoring and Alerting Functionality Confirmed

Verification Criteria: Physical security monitoring systems are active 24/7 and integrated with a real-time alerting mechanism for unauthorised access attempts. Required Evidence: Alarm system configuration reports and notification logs showing alerts sent to security personnel or a Monitoring Centre.

Q: 3. Video Footage Retention and Integrity Validated

Verification Criteria: Surveillance recordings are retained for a period defined by the organisation's legal and business requirements and are protected from unauthorised deletion. Required Evidence: Storage server settings showing retention period (e.g., 30, 60, or 90 days) and restricted Access Control Lists (ACLs) for the footage repository.

In this ultimate how to audit guide to ISO 27001 Annex A 7.4 Physical Security Monitoring, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.4 Physical Security Monitoring Audit Checklist

ISO 27001 Annex A 7.4 Physical Security Monitoring Audit Checklist

Auditing ISO 27001 Annex A 7.4 Physical Security Monitoring is the systematic verification of continuous surveillance integrity and alerting responsiveness. The Primary Implementation Requirement demands 24/7 monitoring and real-time incident linkage, providing the Business Benefit of rapid detection and deterrence against unauthorized physical access to critical organisational assets.

This technical verification tool is designed for lead auditors to establish the continuous integrity of an organisation’s physical perimeters and secure zones. Use this checklist to validate compliance with ISO 27001 Annex A 7.4.

1. Physical Surveillance Coverage Alignment Verified

Verification Criteria: Surveillance systems (CCTV, PIR sensors) are positioned to monitor all identified entry and exit points, as well as high-risk internal areas identified in the risk assessment.

Required Evidence: Camera placement map and live feed verification confirming no significant “blind spots” at primary perimeters.

Pass/Fail Test: If a primary entry point or a high-risk server room entrance is not covered by active surveillance, mark as Non-Compliant.

2. Continuous Monitoring and Alerting Functionality Confirmed

Verification Criteria: Physical security monitoring systems are active 24/7 and integrated with a real-time alerting mechanism for unauthorised access attempts.

Required Evidence: Alarm system configuration reports and notification logs showing alerts sent to security personnel or a Monitoring Centre.

Pass/Fail Test: If the surveillance system records locally but lacks a real-time alerting mechanism for out-of-hours breaches, mark as Non-Compliant.

3. Video Footage Retention and Integrity Validated

Verification Criteria: Surveillance recordings are retained for a period defined by the organisation’s legal and business requirements and are protected from unauthorised deletion.

Required Evidence: Storage server settings showing retention period (e.g., 30, 60, or 90 days) and restricted Access Control Lists (ACLs) for the footage repository.

Pass/Fail Test: If footage can be accessed or deleted by general staff or if the retention period is less than the organisation’s stated policy, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

ISO 27001 Annex A 7.4 Physical Security Monitoring Audit Checklist

1. Physical Surveillance Coverage Alignment Verified

2. Continuous Monitoring and Alerting Functionality Confirmed

3. Video Footage Retention and Integrity Validated