In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.4 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 7.4 Physical Security Monitoring
ISO 27001 Annex A 7.4 requires organizations to continuously monitor their premises for unauthorized physical access. While other controls focus on preventing entry, this control focuses on detecting it. Whether through human guards, CCTV, or automated alarm systems, the goal is to ensure that if a physical breach occurs, the organization is alerted immediately and can respond effectively. This is a critical “detective” control that protects your high-value assets (like server rooms) and processing facilities.
Core requirements for compliance include:
- Continuous Surveillance: Monitoring must be continuous (24/7), not just during business hours. This can be achieved through automated systems like motion sensors or active CCTV monitoring.
- Intruder Response Process: It is not enough to have an alarm; you must have a documented process for what happens when it goes off. Who is called at 2 AM? What is their authorized response?
- Maintenance & Testing: You must be able to prove that your monitoring systems actually work. This requires periodic testing (e.g., monthly alarm tests) and documented maintenance records.
- Legal Compliance (GDPR/Privacy): If using CCTV, you must comply with local privacy laws. This includes displaying signage, restricting who can view footage, and having a clear data retention policy for recordings.
- Integrated Perimeters: Monitoring should be layered. It should cover the building exterior, the internal office space, and specialized “sub-zones” like comms rooms or archive stores.
Audit Focus: Auditors will look for “The Active Detective”:
- System Verification: They may ask to see your CCTV dashboard to verify that all cameras are “live” and that the date/time stamps are accurate.
- The “Live” Test: An auditor might try to open a locked door or enter a restricted area to see if your monitoring system triggers an alert.
- Record Keeping: “Show me the log of your last alarm system test. Did all the sensors fire correctly?”
Monitoring Strategy Matrix (Audit Prep):
| Monitoring Method | Technical Definition | Primary Use Case | ISO 27001 Audit Evidence | 2022 Control |
|---|---|---|---|---|
| Active Monitoring | Human guards watching live feeds in real-time. | High-risk sites / Data Centres. | Guard logs & shift patterns. | 7.4 |
| Passive Monitoring | Recording footage for later review or forensic analysis. | Standard Office environments. | Recorded footage samples. | 7.4 |
| Automated Alerting | Motion/Contact sensors triggering SMS or Email alerts. | Weekend & Night-time security. | System alert logs. | 7.4 |
| Periodic Review | Manually testing alarms, sensors, and camera feeds. | Mandatory for all sites. | Test records & maintenance certificates. | 7.4 |
Table of contents
- What is ISO 27001 Annex A 7.4?
- ISO 27001 Annex A 7.4 Free Training Video
- ISO 27001 Annex A 7.4 Explainer Video
- ISO 27001 Annex A 7.4 Podcast
- ISO 27001 Annex A 7.4 Implementation Guidance
- How to implement ISO 27001 Annex A 7.4
- Monitoring Strategy Matrix
- How to pass the audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 7.4 mistakes and how to avoid them
- Applicability of ISO 27001 Annex A 7.4 across different business models.
- Fast Track ISO 27001 Annex A 7.4 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 7.4 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Annex A 7.4 Attribute Table
What is ISO 27001 Annex A 7.4?
The focus for this ISO 27001 control is monitoring for unauthorised physical access. Where other controls aim to keep people out, this one is about detecting people you do not want on the premises when and if they do gain entry.
ISO 27001 Annex A 7.4 Physical Security Monitoring is an ISO 27001 control that requires an organisation to have a physical security perimeter to protect offices and processing facilities.
ISO 27001 Annex A 7.4 Purpose
ISO 27001 Annex A 7.4 is a preventive control and a detective control that ensures you detect and deter unauthorised physical access.
ISO 27001 Annex A 7.4 Definition
ISO 27001 defines ISO 27001 Annex A 7.4 as:
Premises should be continuously monitored for unauthorised physical access.
ISO27001:2022 Annex A 7.4 Physical Security Monitoring
ISO 27001 Annex A 7.4 Free Training Video
In the video ISO 27001 Physical Security Monitoring Explained – ISO27001:2022 Annex A 7.4 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 7.4 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 7.4 Physical Security Monitoring, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 7.4 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.4 Physical Security Monitoring. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 7.4 Implementation Guidance
You are going to have to
- define your physical security requirements based on business need and risk
- implement a topic specific Physical and Environmental Security Policy
- have a physical security perimeter for any physical location that processes information
- have alarms and monitors
- have an intruder response process
- meet all laws and regulations including those for fire and health and safety
ISO 27001 Physical Security Policy
To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.
Health and Safety
Your number one priority is to meet the requirements of law and regulation. Be sure to engage with a legal professional to understand what you can and cannot do and to check that you are not breaking any laws. The most significant laws are those around health and safety, as the protection of human life and wellbeing is always our number one priority. There are common things that should be considered, such as fire suppression, fire doors, fire alarms and doors that fail open. Whilst we want to protect buildings and information, our absolute priority is to protect people.
Alarms and Monitors
When looking at alarms and monitors you are looking at a preventive control to alert you when something has occurred. We all know what alarms are, and getting alarms fitted is a very good idea. You want to define your response process and make sure that the contact list of who is informed is up to date. Who is getting that call at 2am and what are they going to do when they get it?
CCTV
You can consider the use of CCTV, but be aware that it comes with some additional overheads from data protection laws and the likes of GDPR. You should seek some legal advice before installing CCTV and be sure to do it in a way that is compliant if it is something that you do want to do. There are considerations such as how, for how long, where and in what format you store the recordings. Then how do you get access to it, who can get access to it and how do you destroy it. It is not as simple as just banging up a Ring camera.
How to implement ISO 27001 Annex A 7.4
Implementing ISO 27001 Annex A 7.4 (updated to 7.14 in the 2022 revision) requires a proactive surveillance strategy to detect and respond to physical security breaches. This technical guide outlines the action-result workflow for deploying continuous monitoring systems that provide verifiable evidence of the integrity of your secure areas.
1. Define Secure Area Monitoring Requirements
Perform a site-specific risk assessment to identify the zones requiring continuous surveillance and the technical specifications needed for detection.
- Identify high-value assets and information processing facilities that necessitate 24/7 monitoring.
- Specify the required field of view and resolution for cameras to ensure forensic clarity for every entry point.
- Determine the sensitivity levels for motion, vibration, and infrared sensors to minimise false positive alerts.
- Document these requirements in a formal Physical Security Monitoring Policy.
2. Provision Technical Surveillance Systems
Deploy a combination of detective and deterrent hardware to ensure that any unauthorised physical access is immediately captured and logged.
- Install a Video Surveillance System (VSS/CCTV) with motion-triggered recording and encrypted storage.
- Provision an Intrusion Detection System (IDS) that is linked to a central alarm receiving centre.
- Ensure all surveillance hardware is protected from physical tampering and environmental interference.
- Configure automated health checks to alert the IT Operations team if a camera or sensor goes offline.
3. Formalise Monitoring Logs and Retention Protocols
Establish a rigorous data management process for surveillance footage and access logs to maintain an audit trail that complies with legal and regulatory standards.
- Set a mandatory retention period for CCTV footage, typically between 30 and 90 days, in accordance with local data protection laws such as GDPR.
- Implement Write-Once-Read-Many (WORM) storage for logs to prevent unauthorised deletion or modification.
- Encrypt all monitoring data at rest to prevent the exfiltration of sensitive site information.
- Revoke logical access to monitoring dashboards for any personnel who no longer require it for their role.
4. Execute Regular Monitoring Log Reviews
Conduct periodic audits of surveillance data to identify anomalous patterns and verify that the monitoring systems are functioning as intended.
- Perform a weekly review of physical access logs against CCTV footage on a sample basis.
- Document the findings of every review in a formal report signed by the CISO or Facilities Manager.
- Investigate any discrepancies between badge-in events and visual confirmations immediately.
- Maintain these review records as primary evidence for external ISO 27001 certification audits.
5. Integrate Monitoring with Incident Response Protocols
Link physical monitoring alerts to your organisation’s broader incident management framework to ensure a rapid and co-ordinated response to breaches.
- Define automated escalation paths for different alarm types, such as forced entry versus door-held-open alerts.
- Provision Multi-Factor Authentication (MFA) for remote access to security dashboards by response teams.
- Establish a Register of Entrants (ROE) for any emergency maintenance personnel attending a physical breach.
- Perform quarterly drills to test the speed and effectiveness of the response to a physical monitoring alert.
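As an added example (not from the original guide or the High Table toolkit), the script below automates two of the checks from steps 2 and 4 above: it flags cameras whose heartbeat has stopped, and it cross-checks badge-in events against camera motion on the same door so that badge-ins with no visual confirmation and motion with no badge-in are surfaced for investigation. The device names, log formats and events are constructed for this example; a real PACS or VSS export will look different.

```python
"""Annex A 7.4 log-review helper (constructed example, not a product's API)."""
from datetime import datetime, timedelta

# Constructed sample badge-in events: (ISO timestamp, door, badge holder)
BADGE_EVENTS = [
    ("2024-03-04T08:01:10", "server-room", "jdoe"),
    ("2024-03-04T08:15:42", "server-room", "asmith"),
    ("2024-03-04T23:40:05", "archive", "jdoe"),
]
# Constructed sample camera motion triggers: (ISO timestamp, door)
MOTION_EVENTS = [
    ("2024-03-04T08:01:14", "server-room"),
    ("2024-03-04T08:15:40", "server-room"),
    ("2024-03-04T12:30:00", "server-room"),  # motion with no badge-in nearby
]
# Constructed sample heartbeats: last "I am alive" message per camera
HEARTBEATS = {
    "cam-server-room": "2024-03-04T23:59:00",
    "cam-archive": "2024-03-04T18:00:00",
}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def review_access_logs(badge_events, motion_events, window_seconds=30):
    """Return (unconfirmed_badge_ins, unbadged_motion).

    A badge-in is confirmed when the camera on the same door saw motion
    within the window; each motion event confirms at most one badge-in.
    Motion that confirms nothing is a possible tailgate or forced entry."""
    window = timedelta(seconds=window_seconds)
    used_motion = set()
    unconfirmed = []
    for stamp, door, user in badge_events:
        badge_time = _t(stamp)
        match = None
        for i, (m_stamp, m_door) in enumerate(motion_events):
            if i in used_motion or m_door != door:
                continue
            if abs(_t(m_stamp) - badge_time) <= window:
                match = i
                break
        if match is None:
            unconfirmed.append((stamp, door, user))
        else:
            used_motion.add(match)
    unbadged = [m for i, m in enumerate(motion_events) if i not in used_motion]
    return unconfirmed, unbadged


def offline_cameras(heartbeats, now, max_silence_minutes=15):
    """Cameras whose last heartbeat is older than the allowed silence."""
    limit = timedelta(minutes=max_silence_minutes)
    now_time = _t(now)
    return sorted(cam for cam, stamp in heartbeats.items()
                  if now_time - _t(stamp) > limit)


if __name__ == "__main__":
    unconfirmed, unbadged = review_access_logs(BADGE_EVENTS, MOTION_EVENTS)
    print("Badge-ins with no camera confirmation:", unconfirmed)
    print("Camera motion with no badge-in:", unbadged)
    print("Cameras offline:", offline_cameras(HEARTBEATS, "2024-03-05T00:00:00"))
```

In the sample data the archive badge-in at 23:40 has no visual confirmation because the archive camera has been silent since 18:00, which is exactly the kind of discrepancy the weekly review in step 4 should record and investigate.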
Monitoring Strategy Matrix
| Method | Definition | ISO Requirement? | Use Case |
|---|---|---|---|
| Active Monitoring | A guard watches screens 24/7. | No (Usually) | High-Risk Sites (Data Centers). |
| Passive Monitoring | Recording to disk for later review. | Yes | Standard Offices (for incident investigation). |
| Automated Alerting | Motion detection sends an email. | Recommended | Weekend/Night-time security. |
| Periodic Review | Testing alarms once a month. | Mandatory | Ensuring the system actually works. |
How to pass the audit
To implement ISO 27001 Annex A 7.4 you are going to:
- Define your external physical perimeter requirements
- Define your monitoring requirements
- Define your internal sub-zone physical perimeter requirements
- Consult with a legal professional to ensure you are meeting legal and regulatory requirements
- Implement your physical security perimeters
- Implement your monitors
- Write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy
- Write, sign off, implement and communicate your perimeter incident response procedures
- Implement a process of internal audit that checks that the appropriate controls are in place and effective and, where they are not, follow the continual improvement process to address the risks
What the auditor will check
The audit is going to check a number of areas. Let's go through them.
1. That you have a physical security perimeter
One of the easier things for an auditor to check is the physical security perimeter as it is usually the first thing they will encounter when they come to audit you if you have a physical location. For all the physical locations in scope they are going to visit and check.
2. The physical security monitors that you have in place
They have been doing this a long time and done many audits so they know what to look for. They will test the controls and see what happens. They will try to open doors, open cupboards, gain access to areas they should not. Your monitors should be such that they can respond to this. They will also look to see that you have tested the monitors in the last 12 months.
3. Documentation
They are going to look at audit trails and all your documentation. They will look at appropriate access reviews, logs of monitors and reports, incidents and how you managed them.
Top 3 ISO 27001 Annex A 7.4 mistakes and how to avoid them
The top 3 mistakes people make for ISO 27001 Annex A 7.4 are
1. Your physical security monitoring is turned off
What do I mean by turned off? In simple terms it means that you have a camera that works on a battery and the battery is dead. Or you have just turned the camera off. Perhaps someone has disconnected an alarm because it goes off all the time and annoys them.
2. One or more members of your team haven’t done what they should have done
Prior to the audit check that all members of the team have done what they should have. Have you tested the security monitoring? Who gets informed about the alarm and do they still work here?
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months and having documents with no outstanding comments in them are all good practices.
Applicability of ISO 27001 Annex A 7.4 across different business models.
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Applies to ensuring basic office security, focusing on deterrents and simple detection. The goal is to ensure that unauthorized physical access is noticed quickly without the need for expensive 24/7 security staff. | |
| Tech Startups | Critical for startups with physical server rooms or development labs. For remote-first startups, it applies to the security of home offices or co-working spaces where high-value equipment is stored. | |
| AI Companies | Vital for protecting specialized GPU clusters and high-value research hardware. Focus is on high-security zones that require real-time monitoring and rapid incident response. | |
Fast Track ISO 27001 Annex A 7.4 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 7.4 (Physical security monitoring), the requirement is to continuously monitor premises for unauthorised physical access. This is a mix of preventive (deterring) and detective (catching) controls that focus on the real world rather than the digital one.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Strategy Ownership | Rents access to your monitoring rules; if you cancel the subscription, your documented alarm testing cycles and history vanish. | Permanent Assets: Fully editable Word/Excel Physical and Environmental Security Policies that you own forever. | A localized “Physical Monitoring Strategy” defining CCTV retention periods and alarm response protocols. |
| Hardware Governance | Attempts to “automate” site security via dashboards that cannot check for dead camera batteries or employ alarm responders. | Governance-First: Formalizes facility management and real-world surveillance into an auditor-ready framework. | A completed “Monitoring Strategy Matrix” proving that cameras and motion sensors are tested and functional. |
| Cost Efficiency | Charges a “Physical Facility Tax” based on the number of locations, cameras, or sensors tracked. | One-Off Fee: A single payment covers your governance documentation for one office or a global network. | Allocating budget to actual security hardware (e.g., motion detectors or contact sensors) rather than monthly software fees. |
| Operational Freedom | Mandates rigid reporting structures that may not align with unique office setups or specialized industrial environments. | 100% Agnostic: Procedures adapt to any environment—high-tech biometrics or simple passive recording—without limits. | The ability to evolve your surveillance tech stack without reconfiguring a rigid SaaS compliance module. |
Summary: For Annex A 7.4, the auditor wants to see that you have a formal policy for physical monitoring and proof that you follow it (e.g., alarm test logs and site walkthroughs). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 7.4 FAQ
What is ISO 27001 Annex A 7.4?
ISO 27001 Annex A 7.14 (formerly 7.4) is a physical security control that requires organisations to monitor secure areas for unauthorised access or security breaches.
- Detects physical intrusions or anomalous activities in real-time.
- Provides a verifiable audit trail for physical security incidents.
- Encompasses technical controls like CCTV, alarms, and motion sensors.
- Requires periodic review of monitoring logs to ensure system effectiveness.
Is CCTV mandatory for ISO 27001 compliance?
No, CCTV is not strictly mandatory under ISO 27001, but it is the industry-standard technical control for satisfying the requirement for continuous physical monitoring.
- Organisations must use a risk assessment to justify the choice of monitoring tools.
- Alternative controls include physical security guards, vibration sensors, or infrared beams.
- If implemented, CCTV systems must be protected from tampering and unauthorised viewing.
- Privacy regulations like GDPR must be documented within the monitoring policy.
How long should physical security monitoring logs be retained?
Retention periods for physical security logs and CCTV footage should be defined by your organisation’s risk assessment while remaining compliant with local data protection laws.
- A common industry standard for retention is between 30 and 90 days.
- Logs must be stored securely to prevent unauthorised deletion or modification.
- Footage used as evidence in an incident must be preserved until the investigation closes.
- Retention policies must include a formal process for the secure disposal of old data.
What systems are used for physical security monitoring?
Organisations typically deploy a combination of detective and deterrent systems to maintain the integrity of their physical perimeters.
- Video surveillance systems (CCTV) with motion-triggered recording.
- Intrusion Detection Systems (IDS) linked to an alarm receiving centre.
- Physical Access Control Systems (PACS) that log every badge-in/badge-out event.
- Environmental sensors for detecting fire, heat, or water leaks in server rooms.
Who is responsible for physical security monitoring?
Responsibility usually resides with the Facilities Management or IT Operations team, with overall oversight provided by the Chief Information Security Officer (CISO).
- Internal staff or third-party security contractors may perform live monitoring.
- Roles and responsibilities must be clearly defined in the Physical Security Policy.
- Monitoring personnel must receive specific training on incident escalation procedures.
- Regular audits verify that the assigned personnel are performing required log reviews.
Does Annex A 7.4 apply to remote and home offices?
Yes, if a risk assessment determines that sensitive assets are processed in remote locations, appropriate physical monitoring or procedural controls must be implemented.
- Focuses on the “secure zone” within the home where work is performed.
- Controls usually favour procedural habits over invasive technical monitoring.
- May include use of lockable cabinets or basic home alarm systems.
- Remote monitoring is often supplemented by logical access logs on company devices.
What does an auditor look for regarding physical monitoring?
Auditors seek verifiable evidence that monitoring systems are operational, tested, and that alerts are being investigated according to a formal process.
- Proof of live camera feeds and functional alarm panels during a site walk-through.
- Records of periodic monitoring log reviews signed by authorised personnel.
- Maintenance logs showing that sensors and cameras are serviced regularly.
- Incident reports that show a direct link between a monitoring alert and a response action.
Related ISO 27001 Controls
ISO 27001 Annex A 7.1 Physical Security Perimeters
ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats
Further Reading
ISO 27001 Physical Asset Register Beginner’s Guide
ISO 27001 Physical and Virtual Asset Register Template
ISO 27001 Annex A 7.4 Attribute Table
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Protect | Physical_security | Protection |
| Detective | Integrity | Detect | Defence | |
| | Availability | | | |