Annex A 7.4: Physical Security Monitoring

The Annex A 7.4 Physical Security Monitoring requirement expects you to monitor physical security events (for example, unauthorized entry attempts, alarms, and CCTV coverage where appropriate), respond to them, and keep evidence that monitoring and response actually happened. To operationalize it fast, define monitored areas, assign monitoring ownership, set event handling rules, test detection and response, and retain logs, reviews, and incident records. 1

Key takeaways:

  • Treat physical monitoring as a control with defined scope, alerting, response, and review, not just “cameras exist.”
  • Your audit win condition is repeatable evidence: monitoring coverage, event logs, reviews, and corrective actions.
  • Align monitoring depth to risk: data center and network rooms get tighter monitoring than general office areas.

Physical security monitoring is the difference between “we have doors and cameras” and “we detect and respond when physical controls fail.” Annex A 7.4 sits in the physical control family in ISO/IEC 27001:2022 and is assessed the same way as any other control: scope, design, operation, and evidence. 1

For most service organizations, the operational challenge is not buying equipment; it’s making monitoring reliable and provable. Auditors typically look for clear boundaries (which sites and rooms are monitored), defined triggers (what constitutes a security event), response procedures (who acts, how fast, how you escalate), and records (logs, reviews, investigations, and follow-up actions). If you cannot show that alerts are reviewed and acted on, you will struggle to demonstrate effective operation even if the technology is present.

This page translates the Annex A 7.4 Physical Security Monitoring requirement into a practical implementation playbook: who it applies to, what to implement, what to retain, how audits test it, and how to execute in phased steps without stalling on perfect tooling.

Regulatory text

Control reference: ISO/IEC 27001:2022 Annex A 7.4 (Physical Security Monitoring). 1

Provided excerpt (summary-level): “ISO/IEC 27001:2022 Annex A control 7.4 implementation expectation (Physical Security Monitoring).” 1

Operator interpretation (what you must do): You must implement monitoring for physical security-relevant events in the environments that matter to your ISMS (sites, rooms, and areas that store or process information assets), and you must be able to show that monitoring outputs are reviewed and that events are handled. Evidence matters as much as the mechanism. 1

Plain-English interpretation

Physical controls fail in predictable ways: a door is propped open, a visitor slips in behind an employee, a badge reader is bypassed, a server room is entered outside approved hours, or a camera is offline. Annex A 7.4 expects you to detect those failures, investigate them, and correct the cause. If you only rely on “trust” and after-the-fact discovery, you are not monitoring.

Who it applies to

Entity scope: Service organizations implementing or certifying an ISO/IEC 27001:2022 ISMS. 2

Operational context where it becomes material:

  • Corporate offices where sensitive data is handled (HR, finance, executive areas).
  • Server rooms, network closets, labs, records rooms, and storage for assets with sensitive data.
  • Third-party colocation/data center footprints you access (monitoring may be shared, but accountability remains with you).
  • Sites with high visitor throughput (reception, shared coworking floors).
  • Any location storing backup media, laptops, or prototypes.

Key scoping decision you must document: which facilities/areas are “in scope” for the ISMS and what monitoring is required in each area. This scoping should tie back to your asset inventory and risk assessment approach under ISO 27001. 2

What you actually need to do (step-by-step)

1) Define monitoring scope and objectives

  • Create a list of physical locations and security zones (public, office, restricted, high-restriction).
  • For each zone, define the monitoring objective: deter, detect, investigate, or all three.
  • Record zone-to-control mapping: “This zone is monitored by X; events are reviewed by Y; records retained in Z.”

Deliverable: Physical Security Monitoring Standard (or procedure) with a zone table.

2) Establish what counts as a “physical security event”

Write explicit event definitions so staff do not improvise:

  • Unauthorized access attempt (failed badge events at restricted doors).
  • Door forced open or held open beyond policy.
  • Access outside approved hours.
  • Tailgating reported by staff or detected by guard/CCTV review.
  • Alarm events (intrusion, motion, panic, glass break, if present).
  • Monitoring outage (camera offline, recorder storage full, access control system down).

Deliverable: Event taxonomy with severity levels and response expectations.

3) Implement monitoring mechanisms (people + process + technology)

Select mechanisms that match your environment:

  • Access control monitoring: badge logs, denied entry alerts, door-held-open alerts.
  • CCTV (where appropriate): coverage of entrances, restricted area doors, and critical interior corridors; health monitoring for camera uptime.
  • On-site security/guards (if applicable): patrol logs, incident reports, visitor screening.
  • Environmental awareness: tamper alarms for cabinets/rooms, where relevant to your risk.

Avoid over-rotating on tech. A small office can meet intent with controlled entry plus routine review of access logs and visitor records; a data hall likely needs stronger continuous monitoring and faster response paths.
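The event taxonomy in step 2 and the access-control monitoring in step 3 only become a control once some logic turns raw badge and device logs into a reviewable queue. The script below is an added illustration, not code from the page or from any access-control product: it assumes a constructed log format, an assumed zone table (DOOR-SRV01 restricted, 07:00 to 19:00), an assumed 30-second held-open threshold, and illustrative severity levels.

```python
from datetime import datetime, time

# Constructed zone table (assumed, not from the page): door id -> (zone, approved hours).
ZONES = {
    "DOOR-LOBBY": ("public", (time.min, time.max)),
    "DOOR-SRV01": ("restricted", (time(7, 0), time(19, 0))),
}
HELD_OPEN_LIMIT_S = 30  # assumed policy threshold for "held open beyond policy"
# Event taxonomy from the page; the severity levels are illustrative assumptions.
SEVERITY = {"unauthorized_attempt": "high", "door_held_open": "medium",
            "after_hours_access": "high", "monitoring_outage": "high"}


def classify(line):
    """Map one log line to (event_type, severity), or None if routine.
    Constructed format: <iso timestamp>,<door or device>,<kind>,<detail>
    kind: granted | denied | held_open (detail = seconds open) | device_offline"""
    ts_s, dev, kind, detail = line.strip().split(",", 3)
    ts = datetime.fromisoformat(ts_s)
    zone, (start, end) = ZONES.get(dev, ("unknown", (time.min, time.max)))
    if kind == "device_offline":
        event = "monitoring_outage"  # an outage is itself a reportable event
    elif kind == "denied" and zone == "restricted":
        event = "unauthorized_attempt"  # failed badge at a restricted door
    elif kind == "held_open" and int(detail) > HELD_OPEN_LIMIT_S:
        event = "door_held_open"
    elif kind == "granted" and zone == "restricted" and not start <= ts.time() <= end:
        event = "after_hours_access"
    else:
        return None  # routine: in-hours entry, or a denial at a public door
    return event, SEVERITY[event]


def triage(log_text):
    """Return the review queue: one entry per line that matches the taxonomy."""
    queue = []
    for line in filter(str.strip, log_text.splitlines()):
        hit = classify(line)
        if hit:
            ts_s, dev = line.split(",")[:2]
            queue.append({"ts": ts_s, "device": dev, "event": hit[0], "severity": hit[1]})
    return queue


# Constructed sample log (not real data): routine entry, four events, one benign denial.
SAMPLE_LOG = """\
2024-03-04T08:15:02,DOOR-SRV01,granted,badge=1042
2024-03-04T08:16:40,DOOR-SRV01,denied,badge=2210
2024-03-04T08:20:00,DOOR-SRV01,held_open,45
2024-03-04T22:41:09,DOOR-SRV01,granted,badge=1042
2024-03-04T23:05:00,CAM-SRV01,device_offline,
2024-03-04T09:00:00,DOOR-LOBBY,denied,badge=3300
"""
```

Each entry `triage(SAMPLE_LOG)` returns is one item for the reviewer to disposition (dismiss, investigate, escalate), which is the record step 5 asks you to retain.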

4) Define alert handling, escalation, and investigation

Write a runbook that answers:

  • Who receives alerts (named role or on-call rotation), and who is the backup?
  • What is the triage flow (dismiss, investigate, escalate)?
  • When do you open a security incident, and how does it connect to your ISMS incident process?
  • What evidence is captured during investigation (video clips, door logs, visitor logs, statements)?
  • What corrective actions are required (badge deactivation, door repair, policy reminder, vendor ticket)?

Deliverable: Physical Security Event Response Runbook + escalation matrix.

5) Put review and oversight on a calendar (and prove it happened)

Auditors commonly find that alerts exist but no one reviews them consistently. Build a lightweight governance loop:

  • Operational review: confirm monitoring systems are functioning, confirm any events were handled, and document outcomes.
  • Exception tracking: recurring false alarms, camera blind spots, doors that routinely fail, contractors bypassing procedures.
  • Corrective actions: track to closure with an owner and due date.

Deliverable: Review checklist + completed review records + corrective action log.

6) Test the control (detection + response)

Run controlled tests to prove operation:

  • Attempt an after-hours access request with an expired badge (authorized test).
  • Simulate a door-held-open condition (with facilities support).
  • Simulate a monitoring outage and verify ticketing/notification.

Deliverable: Test plan, test results, and remediation items.

Required evidence and artifacts to retain

Keep evidence in an auditor-ready folder by site and period. Recommended artifacts:

  • Physical security monitoring policy/standard (scope, zones, monitoring methods).
  • Site/zone map (diagram or written description of restricted areas and monitored points).
  • System configuration evidence (screenshots/exported settings for alerts, camera health, access control rules).
  • Monitoring logs (access logs, alarm logs, CCTV system health logs, guard logs if used).
  • Review records (completed checklists, sign-offs, meeting notes).
  • Incident records (tickets, investigations, evidence collected, outcomes).
  • Corrective action records (repairs, badge changes, retraining, vendor follow-up).
  • Third-party assurance for shared facilities (for example, colocation SOC reports or contractual commitments) where monitoring is performed by a third party.

Practical tip: store “representative samples” for routine logs and “complete records” for actual incidents, but define your retention approach internally and apply it consistently.

Common exam/audit questions and hangups

Auditors tend to probe these areas:

  1. Scope clarity: “Which sites are in scope, and which doors/areas are monitored?”
  2. Operational ownership: “Who reviews alerts and logs? Show me evidence.”
  3. Effectiveness: “Show an event and walk me through response and closure.”
  4. System health: “How do you know cameras/logging were working during the period?”
  5. Third-party reliance: “If the building or data center monitors, how do you validate it and get records?”

Hangup to plan for: “We have CCTV, but we don’t review footage unless something happens.” If you only use CCTV for after-the-fact investigation, you still need some form of monitoring, such as alarm-based review, health checks, or periodic checks tied to risk.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: No written scope. Fix: a zone table per site with monitored points and responsible roles.
  • Mistake: Monitoring without response. Fix: a runbook with triage steps and escalation paths; link to incident management.
  • Mistake: Relying on a landlord/colocation provider without evidence. Fix: contract language, assurance reports, and an internal review record that confirms you received and reviewed what you need.
  • Mistake: Camera “coverage” that misses critical doors. Fix: validate camera placement against your restricted-area definition and access paths.
  • Mistake: No monitoring for outages. Fix: alerts/tickets for camera offline, storage full, access control downtime; document follow-up.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page focuses on audit and risk outcomes rather than regulator actions.

Risk-wise, physical monitoring failures often show up as: undetected unauthorized access, inability to reconstruct events during an incident, stolen assets, or loss of confidence in chain-of-custody for sensitive systems. The ISO 27001 assessment impact is usually a control operating effectiveness gap: “implemented but not operating” or “not evidenced.”

Practical 30/60/90-day execution plan

First 30 days (stabilize scope + ownership)

  • Confirm in-scope sites and restricted areas with Facilities, IT, and Security.
  • Assign an owner for physical monitoring per site (role-based).
  • Draft the monitoring standard and event taxonomy.
  • Inventory existing systems (access control, CCTV, alarms) and identify evidence export paths.

By 60 days (runbook + evidence loop)

  • Publish the response runbook and escalation matrix.
  • Turn on or tune key alerts (forced door, held open, denied access patterns, system health where available).
  • Start the recurring review process and capture the first completed review records.
  • Establish how you will obtain monitoring assurances from third parties (colocation, managed offices).

By 90 days (prove operation + close gaps)

  • Run at least one controlled test per in-scope site and document results.
  • Close the highest-risk gaps (unmonitored restricted doors, chronic outages, missing logs).
  • Produce an audit packet per site: scope, configs, sample logs, review records, and any incidents with corrective actions.
  • If you use Daydream for compliance operations, map the Annex A 7.4 Physical Security Monitoring requirement to a control owner, a recurring evidence request, and a standard review checklist so evidence collection becomes routine rather than a scramble at audit time.

Frequently Asked Questions

Do we need CCTV to meet the Annex A 7.4 Physical Security Monitoring requirement?

ISO 27001 Annex A 7.4 is outcome-focused: monitoring and response. CCTV can support that, but access control monitoring, alarms, guard procedures, and documented reviews can also satisfy the intent if they fit your risk and scope. 1

How do we handle monitoring when we’re in a shared office or coworking space?

Treat the coworking operator as a third party supporting your physical controls. Define what monitoring you require (entry logs, reception controls, incident notifications) and retain whatever assurance and records you can obtain, plus your internal review of that assurance.

What evidence do auditors actually ask for most often?

They usually ask for (1) the documented procedure, (2) proof of monitoring configuration, and (3) proof of operation, such as alert/log reviews and at least one example event or test with follow-up. 2

If we only have one small office, what’s a reasonable monitoring approach?

Start with controlled entry, a visitor process, and periodic review of access records or receptionist logs. Add monitoring for failures that matter in your space, such as door-held-open conditions to restricted areas.

Can we outsource monitoring to a third-party security company?

Yes, but you still need governance: define responsibilities, confirm they monitor as agreed, and retain records (incident reports, patrol logs, or alert summaries) plus your internal review and follow-up actions.

How should we connect physical monitoring to our incident management process?

Define clear triggers for when a physical event becomes an information security incident (for example, unauthorized access to a restricted area). Ensure the runbook instructs staff to open an incident ticket and preserve evidence (logs, video clips, witness notes) in a consistent way.

Footnotes

  1. ISO/IEC 27001 overview; ISMS.online Annex A control index

  2. ISO/IEC 27001 overview
