ISO 27001 Annex A Control 7.4

ISO 27001 control 7.4 Physical security monitoring

The basics

ISO 27001 control A.7.4 Physical security monitoring requires organizations to continuously monitor their premises and secure areas for unauthorized physical access, so that intrusions are detected and deterred rather than discovered after the fact. This is a completely new control in the 2022 revision of the standard; it has no counterpart in the 2013 version.

Documentation

ISO 27001 control A.7.4 Physical security monitoring can be documented:

  • for smaller and mid-sized companies – by defining monitoring as part of the Procedure for Working in Secure Areas
  • for larger companies by writing a Policy for Managing Physical Security

These documents are not mandatory but are recommended.

Implementation

In order to comply with control A.7.4 Physical security monitoring, you might implement the following:

  • Technology — the monitoring technology can range from intrusion alarms and video surveillance (CCTV) to contact sensors on doors and windows, or simply a person stationed to watch a sensitive area. Choose the measures based on the risk assessment and on the sensitivity of the information stored and/or processed in each area, and remember that the monitoring systems themselves (recordings, alarm logs, guard logs) are sensitive: protect them from tampering and unauthorized viewing, test alarms and detectors regularly, and check local privacy and data-protection law before recording people.
  • Organization/processes — define who is responsible for monitoring each secure area, how alarms and recordings are reviewed, and which communication channels are used to report a suspected intrusion as an incident. You can document these processes in a Procedure for Working in Secure Areas or a Policy for Managing Physical Security.
  • People — make employees aware of the risks of unauthorized physical entry into sensitive areas (tailgating, propped doors, unescorted visitors), and train the staff who operate or review the monitoring technology on how to use it and how to respond to an alert.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.7.4 Physical security monitoring: whether secure areas are actually monitored (e.g., via CCTV, alarm systems, or guard rounds), who reviews the monitoring output, and records showing that alerts are followed up.