Physical Security Monitoring
Plain English Translation
ISO 27001 Annex A.7.4 requires that WatchDog Security continuously monitors its physical premises to detect and prevent unauthorized access. This ongoing surveillance involves using mechanisms such as CCTV cameras, intruder alarms, security guards, and electronic access logs to ensure that restricted areas remain secure around the clock.
Technical Implementation
Required Actions (startup)
- Install basic physical intruder alarms and maintain an office visitor log tracking entry and exit times.
- Confirm that cloud infrastructure providers hold a current ISO 27001 certificate or SOC 2 Type II report whose scope covers data center physical monitoring, so that part of the requirement is inherited from the provider rather than duplicated.
Required Actions (scaleup)
- Deploy CCTV cameras covering all primary entrances, exits, and restricted server rooms with appropriate video retention limits.
- Integrate physical badge access logs into centralized monitoring tools to detect off-hours access attempts.
Required Actions (enterprise)
- Route all physical security alarms to a 24/7 Security Operations Center (SOC) that owns alarm monitoring and incident response.
- Regularly test the effectiveness of continuous monitoring controls using physical penetration testing and red team exercises.
ISO 27001:2022 Annex A control A.7.4 (Physical security monitoring) is a physical control requiring that an organization's premises be continuously monitored to detect and deter unauthorized physical access to facilities and information assets.
It means there must be 24/7 oversight of physical boundaries and secure areas, either through automated technology like alarms and cameras or via personnel like security guards, ensuring that unauthorized entry is detected at all hours.
You implement it by conducting a risk assessment of the facility, installing appropriate monitoring tools like CCTV and motion sensors, maintaining visitor logs, and establishing clear procedures for investigating physical security alerts. WatchDog Security Risk Register can help document physical threats and link them to mitigation actions, while WatchDog Security Compliance Center can track owners, evidence collection, and review cadences tied to A.7.4.
Acceptable methods include continuous CCTV recording, physical intruder alarms, 24/7 security guard patrols, and the automated review of electronic badge reader access logs.
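The "automated review of electronic badge reader access logs" above, and the scaleup action of feeding badge logs into centralized monitoring to catch off-hours access, come down to a small review pass over the access-control export. The following is an added example, not code from the page or from WatchDog Security. It assumes a badge-system export with one event per line in the form `timestamp,door,badge_id,result` (ISO 8601 timestamp; result `GRANTED` or `DENIED`); the door names, badge IDs, business-hours window, and the repeated-denial threshold are assumptions, and the sample log is constructed.

```python
"""Review badge-reader access logs for off-hours and anomalous access.

Added example, not code from the page or from WatchDog Security. It assumes a
badge system export with one event per line in the form
    timestamp,door,badge_id,result
(ISO 8601 timestamp, result GRANTED or DENIED). The door names, badge IDs,
business-hours window and thresholds below are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

BUSINESS_START = time(8, 0)        # assumed business hours: 08:00-19:00, Mon-Fri
BUSINESS_END = time(19, 0)
RESTRICTED_DOORS = {"SERVER-ROOM-A", "COMMS-CLOSET-2"}   # assumed secure areas
DENIED_BURST_THRESHOLD = 3         # repeated denials at one door by one badge

# Constructed sample export (not real data). 2026-02-15 is a Sunday.
SAMPLE_LOG = """\
2026-02-16T08:12:03,LOBBY-MAIN,B1001,GRANTED
2026-02-16T22:41:10,SERVER-ROOM-A,B2045,GRANTED
2026-02-16T22:42:30,SERVER-ROOM-A,B2045,GRANTED
2026-02-16T23:05:00,SERVER-ROOM-A,B3090,DENIED
2026-02-16T23:05:20,SERVER-ROOM-A,B3090,DENIED
2026-02-16T23:05:45,SERVER-ROOM-A,B3090,DENIED
2026-02-17T03:14:00,LOBBY-MAIN,B1001,GRANTED
2026-02-17T09:30:00,COMMS-CLOSET-2,B2045,GRANTED
2026-02-15T10:00:00,LOBBY-MAIN,B1001,GRANTED
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    door: str
    badge: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Parse the export; malformed lines are skipped rather than aborting the review."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
        except ValueError:
            continue
    return sorted(events, key=lambda e: e.ts)


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the business-hours window on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_off_hours_access(events: list[Event]) -> list[Event]:
    """Successful entries outside business hours; each needs a documented reason."""
    return [e for e in events if e.result == "GRANTED" and is_off_hours(e.ts)]


def find_denied_bursts(events: list[Event],
                       threshold: int = DENIED_BURST_THRESHOLD) -> list[tuple[str, str, int]]:
    """(badge, door, count) for a badge repeatedly denied at one door: lost badge or forced-entry attempt."""
    counts = Counter((e.badge, e.door) for e in events if e.result == "DENIED")
    return [(b, d, n) for (b, d), n in sorted(counts.items()) if n >= threshold]


def build_alerts(text: str) -> list[dict]:
    """Alert records ready to forward to a SIEM; severity reflects the area involved."""
    events = parse_log(text)
    alerts = []
    for e in find_off_hours_access(events):
        alerts.append({
            "severity": "high" if e.door in RESTRICTED_DOORS else "medium",
            "rule": "off_hours_access",
            "badge": e.badge, "door": e.door, "time": e.ts.isoformat(),
        })
    for badge, door, n in find_denied_bursts(events):
        alerts.append({"severity": "high", "rule": "repeated_denial",
                       "badge": badge, "door": door, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the review flags the two late-night server-room entries as high, the Sunday and 03:14 lobby entries as medium, and the three denials of one badge at the server-room door as a repeated-denial alert; the in-hours events produce nothing. In practice the business-hours window should come from the same source as the badge system's schedule, and the alerts should land in the same queue the SOC already works, so that off-hours physical access is triaged alongside logical access alerts rather than in a separate report nobody reads.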
ISO 27001 audit evidence for physical security monitoring includes a documented Physical Security Policy, office visitor logs from the last 30 days, alarm maintenance records, and current ISO 27001 certificates or SOC 2 Type II reports from third-party data centers. WatchDog Security Compliance Center can help organize these evidence items against A.7.4 and maintain an audit trail showing when reviews and tests occurred and who performed them.
24/7 recording is strongly recommended for high-risk areas, but continuous human monitoring of live CCTV feeds is not strictly mandated, provided automated intruder alarms and a documented incident response procedure alert on-call personnel and the response is tested.
ISO 27001 does not prescribe a specific retention period for security camera footage. Recordings should be stored securely, protected from tampering, retained for a period aligned with legal and contractual requirements (commonly 30-90 days), and accessible only to authorized security personnel. WatchDog Security Policy Management can help define and govern retention and access rules, including approvals and periodic reviews, so teams can show the policy is controlled and consistently applied.
Response procedures should be outlined in the Incident Response Plan or Physical Security Policy, and tested regularly through tabletop exercises or simulated alarm triggers to ensure monitoring services and staff respond effectively.
Common findings include blind spots in CCTV coverage, broken or untested door alarms, failing to review physical access logs for anomalies, and lacking physical monitoring evidence for outsourced cloud data centers.
A CCTV monitoring policy must account for local privacy laws: post clear signage indicating that surveillance is active, do not record in private areas (e.g., restrooms), and restrict internal access to the footage to prevent misuse.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |