Requirement
Requirement lens
This control requires continuous monitoring for unauthorized physical access to premises.
“Premises shall be continuously monitored for unauthorized physical access.”
Plain-language meaning
The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of both.
The organization should know what is monitored, how alerts are generated, who is notified, what response is expected, how false alarms are handled, and when information security roles become involved.
Why this matters
Physical intrusion can lead to theft, tampering, damage, unauthorized disclosure, service disruption, evidence loss, or safety issues. If physical monitoring is disconnected from incident management, information theft or damage may not be handled as an information security incident.
False alarms also matter. Too many false alarms can cause slow response, ignored alerts, or monitoring-service penalties.
Implementation guidance
Implementer focus
Treat physical monitoring alerts as part of the incident ecosystem, not only facilities operations.
1. Define what is monitored
Monitoring may cover:
- building entrances;
- secure rooms;
- server/network rooms;
- records archives;
- loading/delivery areas;
- out-of-hours movement;
- intrusion alarms;
- CCTV or video analytics;
- door forced-open alerts;
- access control exceptions;
- security guard patrols;
- monitoring service alerts.
Monitoring should be risk-based and proportionate to the premises and assets.
2. Define how monitoring operates
Procedures should state:
- what is monitored;
- monitoring method;
- monitoring hours;
- alert thresholds;
- who receives alerts;
- response times;
- escalation chain;
- false alarm verification;
- evidence retention;
- when security, facilities, IT, legal, privacy, or management are notified.
3. Connect alarms to information security response
If an alarm indicates possible theft, tampering, unauthorized access, or damage to information/assets, it may need to trigger information security event/incident handling.
This links to:
- A.6.8 Information Security Event Reporting;
- A.5.25 Assessment and Decision on Information Security Events;
- A.5.26 Response to Information Security Incidents;
- A.5.28 Collection of Evidence.
4. Test monitoring effectiveness
Monitoring systems and services should be tested periodically, like other safety/security systems.
Tests should check:
- alert generation;
- notification chain;
- response time;
- responder knowledge;
- escalation to information security where needed;
- false alarm handling;
- record completeness.
5. Manage false alarms
Repeated false alarms reduce response quality. The process should track root causes and corrective actions for false alarms.
Examples:
- faulty sensor;
- poor door closure;
- cleaning staff process gap;
- incorrect alarm schedule;
- poor user training;
- environmental trigger.
Audit guidance
Auditor focus
Check not only that alarms exist, but that people know what to do and information security gets involved when information or assets may be affected.
Auditors should verify that monitoring systems, personnel, or services are documented, tested, and linked to response procedures.
Audit testing should include:
- physical monitoring procedures;
- alarm/CCTV/access monitoring scope;
- monitoring service contracts or responsibilities;
- test records;
- alarm logs and response records;
- false alarm records and corrective actions;
- notification and escalation chain;
- interviews with monitoring staff, facilities, security, and information security roles;
- linkage to incident management procedures.
The auditor should ask responders how they verify a false positive, how quickly they escalate, who is notified, and what happens if information assets may be affected.
Evidence examples
Evidence quality
Strong evidence shows monitoring scope, alert handling, test results, escalation, false-alarm management, and incident linkage.
| Evidence | What it proves |
|---|---|
| Physical monitoring procedure | Monitoring process is defined |
| Monitoring scope/register | What is monitored is documented |
| Alarm response procedure | Response and escalation are defined |
| Monitoring service agreement | External service responsibilities are documented |
| Alarm test records | Monitoring is periodically tested |
| Alarm logs | Alerts and responses are recorded |
| False alarm register | False positives are tracked and reduced |
| Incident linkage record | Security events are escalated correctly |
| Interview evidence | Responders know what to do |
Strong evidence
- Monitoring scope is documented and risk-based.
- Alerts have defined owners, response times, and escalation paths.
- Physical alarm tests are performed and recorded.
- Monitoring staff know how to respond and escalate.
- Information security is involved when information/assets may be affected.
- False alarms are tracked, analyzed, and reduced.
- Alarm records link to incident or corrective-action records where applicable.
Weak evidence
- Alarm system exists but no documented response process.
- Monitoring service is contracted but responsibilities are unclear.
- Tests are not performed or recorded.
- Staff do not know who to notify.
- Information security is not included in physical breach response.
- False alarms are frequent and not analyzed.
- Alarm logs are reviewed only after major issues.
Common failures
Implementation watchouts
Monitoring fails when it produces signals that no one owns, tests, escalates, or learns from.
| Failure | Why it matters |
|---|---|
| Alarm-only thinking | Alerts do not protect anything unless response works |
| No escalation chain | Physical breaches may not reach incident responders |
| No testing | Monitoring failure is discovered during a real incident |
| False alarms ignored | Real alarms receive slow or weak response |
| Facilities-only response | Information theft or damage may not be managed as security incident |
| No evidence retention | Investigation and audit evidence are weak |
| Monitoring scope undocumented | Critical areas may be omitted |
Exam traps
Exam focus
A.7.4 is continuous monitoring for unauthorized physical access. It is not just installing CCTV.
| Trap | Correct interpretation |
|---|---|
| CCTV alone satisfies the control | Monitoring needs procedures, response, escalation, testing, and records |
| Physical alarms are facilities-only | Information security may need involvement when information/assets are affected |
| False alarms are just nuisance | They can weaken response and should be managed |
| Monitoring need not be tested | Effectiveness should be checked with periodic tests |
| Alarm response is separate from incident management | Physical breaches can become information security events or incidents |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.1 Physical Security Perimeters
- A.7.2 Physical Entry
- A.7.3 Securing Offices Rooms and Facilities
- A.6.8 Information Security Event Reporting
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- A.5.28 Collection of Evidence
- Physical Security Monitoring Procedure
- Physical Security Alarm Test Record
- Physical Security False Alarm Register
- A.7.4 Audit Evidence Pack
- A.7.4 Audit Checklist
KB-ready summary
- A.7.4 requires continuous monitoring for unauthorized physical access.
- Monitoring can be manual, automated, or hybrid.
- Procedures should define scope, alerting, response, escalation, evidence, and false-alarm handling.
- Monitoring should be tested periodically.
- Physical breach response should connect to information security event/incident management where information or assets may be affected.
- False alarms should be tracked and reduced.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Monitoring
- Alarms
- Audit
Note Metadata
Aliases: A.7.4, Physical Security Monitoring
Source: 04 Annex A Physical Controls/A.7.4 Physical Security Monitoring.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- ISO 27001 A.6.8 - Information Security Event Reporting
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- A.7 Physical Controls MOC
- A.7.4 Audit Evidence Pack
- AQ-ISO27001-A.7.4 Physical Security Monitoring
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.4 Physical Security Monitoring
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-021 - Room Security and Physical Monitoring
- ISO 27002 Annex A Control Interpretation Map
- A.7.4 Audit Checklist
- Physical Security Alarm Test Record
- Physical Security False Alarm Register
- Physical Security Monitoring Procedure
- Annex A Controls MOC