
ISO 27001:2022 A.7.4 Physical security monitoring

This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.7.4 Physical security monitoring.

ISO 27001:2022 Control Description

Premises shall be continuously monitored for unauthorized physical access.

Purpose

To detect and deter unauthorised physical access.

Guidance on implementation

Physical premises should be monitored by surveillance systems, which can include guards, intruder alarms, video monitoring systems such as closed-circuit television (CCTV), and physical security information management software, either managed internally or by a monitoring service provider.

Access to buildings housing critical systems should be continuously monitored to detect unauthorised access or suspicious behaviour by:

a) Installing video monitoring systems such as CCTV to view and record access to sensitive areas within and outside an organisation’s premises;

b) Installing, according to relevant applicable standards, and periodically testing contact, sound, or motion detectors to trigger an intruder alarm, such as:

  1. Installing contact detectors that trigger an alarm when a contact is made or broken in any place where a contact can be made or broken (e.g. windows, doors, and underneath objects) to be used as a panic alarm;
  2. Installing motion detectors based on infra-red technology, which trigger an alarm when an object passes through their field of view;
  3. Installing sensors sensitive to the sound of breaking glass, which can be used to trigger an alarm to alert security personnel;

c) Using those alarms to cover all external doors and accessible windows. Unoccupied areas should be alarmed at all times; cover should also be provided for other areas (e.g. computer or communications rooms).

The design of monitoring systems should be kept confidential, as disclosure can facilitate undetected break-ins.

Monitoring systems should themselves be protected from unauthorised access, both so that surveillance information such as video feeds cannot be viewed by unauthorised persons and so that the systems cannot be disabled remotely. For networked cameras, recorders and alarm panels this means treating their management interfaces like any other administrative interface: segregate them from general-purpose networks, require strong authentication, keep firmware patched, and log configuration changes and arming/disarming events.

The alarm system control panel should be placed in an alarmed zone and, for safety alarms, in a location that allows an easy exit route for the person setting the alarm. The control panel and the detectors should have tamper-proof mechanisms. The system should be regularly tested to ensure it is working as intended, particularly if its components are battery-powered.

Any monitoring and recording mechanism should be used considering local laws and regulations, including data protection and PII protection legislation, especially regarding the monitoring of personnel and recorded video retention periods.