ISO 27001 7.4: Physical Security Monitoring Requirements, Implementation, and Audit Guide

When physical security monitoring fails, unauthorized access goes undetected for days or weeks — enabling data theft, hardware tampering, and regulatory violations that compound long before anyone notices. Surveillance gaps remain among the most common physical security audit findings, and addressing them starts with understanding what ISO 27001 control 7.4 actually requires.

What 7.4 Requires

ISO 27001 Annex A 7.4 requires organizations to continuously monitor physical premises using surveillance systems and alarm mechanisms. The objective is to detect, deter, and record unauthorized physical access or suspicious behavior in real time.

In practice, this means deploying a combination of monitoring technologies — CCTV cameras, intruder alarms, motion sensors, electronic access logs, and where appropriate, security guards — across all areas where sensitive assets are stored or processed. Monitoring must cover perimeter boundaries, entry and exit points, and high-value areas such as server rooms, communications rooms, and archive storage.

The control goes beyond simply installing equipment. Organizations must protect their monitoring infrastructure against tampering or disabling, and they must comply with applicable privacy and data protection laws when recording individuals. This includes requirements around signage, data retention, and restricting access to footage.

The 2022 revision of ISO/IEC 27001 made 7.4 a standalone control, separating it from the broader physical security requirements that previously combined monitoring with access control. This means auditors now evaluate monitoring as a distinct capability with its own evidence expectations.

Why 7.4 Matters

Consider a scenario: an unauthorized individual enters an unmonitored server room during off-hours through a propped-open fire exit. They connect a rogue device to the network, access an unlocked terminal, and leave undetected. Without functioning surveillance or alarm systems, the breach goes unnoticed for days. By the time IT discovers anomalous network activity, the attacker has exfiltrated sensitive data, and forensic investigators have no footage or access logs to reconstruct the incident timeline.

Physical breaches frequently enable digital attacks. A rogue USB device planted in a server room, a keylogger attached to a workstation, or a stolen backup drive can all bypass network-level defenses entirely. Without monitoring evidence, incident response teams have no way to determine who accessed which areas or when — crippling both containment and forensic investigation.

The damage extends beyond the immediate incident. Organizations without monitoring evidence face longer containment timelines because investigators must reconstruct events from indirect signals — network logs, endpoint telemetry, and user reports — rather than definitive surveillance records. This ambiguity delays root cause analysis, extends exposure windows, and increases the total cost of remediation.

IBM’s Cost of a Data Breach Report found that physical security incidents — including theft and loss of devices — cost organizations an average of $3.6 million per breach, with detection often taking months rather than days.

What attackers exploit

  • Blind spots in CCTV coverage: stairwells, loading docks, emergency exits, and parking structures
  • Alarm systems installed but never tested or maintained
  • No after-hours monitoring — alarms trigger but nobody responds
  • Monitoring systems running on the same network as general IT infrastructure, making them easy to disable
  • No tamper detection on cameras or alarm control panels
  • Visitor logs that are never cross-referenced with monitoring footage
  • Over-reliance on badge access without visual verification of identity

How to Implement 7.4

Once you understand why physical security monitoring matters, the next step is building a monitoring program that satisfies the control’s requirements and holds up under audit.

For your organization (first-party)

1. Conduct a risk assessment. Identify which premises, buildings, and zones require monitoring based on the criticality of assets housed there. A co-located data center has different monitoring needs than a satellite office with no server infrastructure. Factor in threat likelihood — a ground-floor office in a high-traffic urban area warrants different coverage than a controlled-access campus. Your risk assessment should produce a prioritized list of zones ranked by asset value and exposure.

2. Define your monitoring scope. Map the perimeter, all entry and exit points, and restricted areas — server rooms, communications rooms, archive stores, and any area housing sensitive equipment. Document this scope in a monitoring coverage diagram.

3. Deploy layered monitoring. Use multiple, complementary technologies:

  • CCTV cameras at all entrances, exits, and high-value areas
  • Intruder alarms on external doors, windows, and emergency exits
  • Motion sensors in corridors adjacent to secure rooms
  • Electronic access logs at every controlled entry point

4. Establish response procedures. Define who gets notified when an alarm triggers, what the escalation path looks like, and what authorized responses are available. A monitoring system without a response procedure is just an expensive recording device. Include specific response timeframes — for example, security personnel must acknowledge an intrusion alarm within five minutes during business hours and fifteen minutes after hours.

5. Protect monitoring infrastructure. Lock DVR/NVR units in secured cabinets, run monitoring systems on a separate network segment from general IT, and enable tamper alerts on all cameras and alarm panels. Attackers who gain physical access often target the monitoring systems first — disabling a DVR or disconnecting a camera feed eliminates the evidence trail before the actual breach begins. Treat monitoring infrastructure as a high-value asset in its own right.

6. Implement a maintenance schedule. Test alarm systems monthly. Inspect cameras quarterly — check lens clarity, recording capability, night vision function, and firmware versions. Document every test with dates, results, and sign-off from responsible personnel. Maintenance gaps are one of the most common audit findings; a camera that recorded perfectly six months ago may now have a fogged lens or failed hard drive that nobody noticed.

7. Ensure legal compliance. Post clear CCTV signage, establish a data retention policy for recordings, and restrict access to footage to authorized personnel only. If operating across jurisdictions, verify compliance with local privacy regulations including GDPR.

8. Document everything. Maintain a physical security monitoring policy, scope diagrams, test logs, maintenance records, and response procedures. Auditors will ask for all of them.
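As an added example (not code from the article or from UpGuard), the following Python script turns step 4 and the visitor-log cross-referencing mentioned elsewhere on this page into a repeatable check: it reads constructed alarm and badge-access logs, flags alarms acknowledged later than the five-minute (business hours) or fifteen-minute (after hours) target, and flags alarms that no badge event in the same zone explains. The business-hours window (Mon–Fri 09:00–17:00), the ±5 minute correlation window, and the log formats are assumptions, not requirements of the control.

```python
from datetime import datetime, timedelta

# Assumptions not stated in the article: business hours are Mon-Fri 09:00-17:00, and a
# badge event in the same zone within 5 minutes of an alarm counts as explaining it.
BUSINESS_HOURS = range(9, 17)
SLA_BUSINESS, SLA_AFTER_HOURS = timedelta(minutes=5), timedelta(minutes=15)  # step 4 targets
CORRELATION_WINDOW = timedelta(minutes=5)

def is_business_hours(t: datetime) -> bool:
    return t.weekday() < 5 and t.hour in BUSINESS_HOURS

def parse_alarm_log(text):
    """Constructed format: <zone>,<trigger ISO time>,<ack ISO time or '-' if never acked>."""
    alarms = []
    for line in text.strip().splitlines():
        zone, trig, ack = (f.strip() for f in line.split(","))
        alarms.append((zone, datetime.fromisoformat(trig),
                       None if ack == "-" else datetime.fromisoformat(ack)))
    return alarms

def parse_access_log(text):
    """Constructed format: <zone>,<badge ISO time>,<badge id>."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [(z.strip(), datetime.fromisoformat(t.strip())) for z, t, _ in rows]

def review_alarms(alarms, access):
    """Return (zone, trigger time, finding) for SLA breaches and alarms with no badge event."""
    findings = []
    for zone, trig, ack in alarms:
        target = SLA_BUSINESS if is_business_hours(trig) else SLA_AFTER_HOURS
        if ack is None:
            findings.append((zone, trig, "never acknowledged"))
        elif ack - trig > target:
            mins, limit = (ack - trig) // timedelta(minutes=1), target // timedelta(minutes=1)
            findings.append((zone, trig, f"acknowledged after {mins} min, target {limit} min"))
        if not any(z == zone and abs(t - trig) <= CORRELATION_WINDOW for z, t in access):
            findings.append((zone, trig, "no badge event in zone within window: unexplained entry"))
    return findings

# Constructed sample logs: 2024-03-04 is a Monday, 2024-03-09 a Saturday.
ALARM_LOG = """\
server-room,2024-03-04T10:00:00,2024-03-04T10:03:00
server-room,2024-03-04T22:10:00,2024-03-04T22:40:00
archive,2024-03-06T14:00:00,2024-03-06T14:12:00
loading-dock,2024-03-09T03:15:00,-
"""
ACCESS_LOG = """\
server-room,2024-03-04T09:58:00,B1042
archive,2024-03-06T13:59:00,B2210
"""

def run_review():
    """Each finding is the kind of response or coverage gap an auditor would ask about."""
    return review_alarms(parse_alarm_log(ALARM_LOG), parse_access_log(ACCESS_LOG))
```

Running the sample yields five findings: the 10:00 server-room alarm passes (acknowledged in three minutes, badge swipe two minutes earlier), while the late after-hours acknowledgement, the slow business-hours response, the unacknowledged weekend alarm, and the two alarms with no matching badge event are all reported.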

Common mistakes to avoid:

  • Installing cameras but never reviewing footage or testing that recording actually works
  • No documented response procedure — alarms fire but nobody knows what action to take
  • Failing to update monitoring scope after office layout changes, relocations, or new facility additions
  • Ignoring privacy requirements for CCTV (no signage, no retention policy, unrestricted access to footage)
  • Treating monitoring as a one-time installation project rather than an ongoing operational process

For your vendors (third-party assessment)

When assessing whether vendors comply with 7.4, go beyond self-attestation. According to IBM’s 2025 Cost of a Data Breach Report, 30% of breaches now involve third parties — double the rate from the previous year — making third-party risk assessment critical.

Questions to ask:

  • “Describe your physical security monitoring controls for facilities housing our data.”
  • “What is your alarm response time and escalation process?”
  • “How frequently are monitoring systems tested, and can you provide recent vendor risk questionnaire responses or test logs?”

Evidence to request:

  • Physical security policy with monitoring scope defined
  • CCTV coverage map for relevant facilities
  • Alarm and sensor test logs from the past 12 months
  • SOC 2 Type II report or ISO 27001 certificate covering physical security controls

Red flags:

  • Vendor cannot produce test or maintenance records
  • Monitoring described only as “CCTV installed” with no mention of response processes
  • No after-hours monitoring capability
  • Physical security delegated entirely to building management with no vendor oversight or audit

Verification beyond self-attestation: include a right-to-audit clause in contracts with vendors that fall under your third-party risk requirements. Review the SOC 2 report sections covering physical security. Ask for evidence of the most recent alarm test, not just a statement that tests occur.

Audit Evidence for 7.4

When preparing for an ISO 27001 audit of control 7.4, auditors will request specific evidence that monitoring is implemented, operational, and maintained. They are looking for proof that systems work as designed — not just that equipment exists. An auditor who finds cameras installed but no test logs or response records will flag a nonconformity. Prepare the following:

| Evidence type | Example artifact |
|---|---|
| Policy | Physical Security Monitoring Policy defining monitoring scope, technology standards, and response procedures |
| Diagram | Monitoring coverage map showing camera positions, alarm zones, and sensor placements relative to secure areas |
| Log | Alarm system test log with dates, test results, and sign-off from responsible personnel |
| Record | CCTV maintenance records including camera health checks, firmware updates, and lens cleaning schedule |
| Procedure | Alarm response procedure documenting notification chains, escalation paths, and authorized actions |
| Log | Visitor access log cross-referenced with monitoring system timestamps |
| Policy | CCTV data retention and access policy compliant with applicable privacy legislation |
| Report | Periodic review report of monitoring effectiveness including coverage gaps identified and remediation actions |

Cross-Framework Mapping

If your organization must comply with multiple standards simultaneously, use this table to identify where 7.4 requirements overlap with equivalent controls across frameworks. Mapping these relationships reduces duplicated audit effort and helps you demonstrate compliance across programs with a single set of monitoring evidence.

| Framework | Equivalent control(s) | Coverage |
|---|---|---|
| NIST 800-53 | AU-06(06) Audit Record Review, Analysis, and Reporting — Correlation with Physical Monitoring | Full |
| NIST 800-53 | PE-03 Physical Access Control | Partial |
| NIST 800-53 | PE-03(03) Physical Access Control — Continuous Guards | Partial |
| NIST 800-53 | PE-06 Monitoring Physical Access | Full |
| NIST 800-53 | PE-06(01) Monitoring Physical Access — Intrusion Alarms and Surveillance | Full |
| NIST 800-53 | PE-06(04) Monitoring Physical Access — Monitoring Physical Access to Information Systems | Full |
| NIST 800-53 | PM-01 Information Security Program Plan | Partial |
| NIST 800-53 | PM-15 Security and Privacy Groups and Associations | Partial |
| NIST 800-53 | PM-28 Risk Framing | Partial |
| NIST 800-53 | PM-31 Continuous Monitoring Strategy | Full |
| SOC 2 | CC6.4 Physical Access Restrictions | Partial |
| NIST CSF 2.0 | PR.AC-2 Physical Access; DE.CM-2 Physical Environment Monitoring | Full |
| DORA (EU) | Article 11 ICT-Related Incident Management (Physical Security Aspects) | Partial |

Physical security monitoring does not operate in isolation. These controls work alongside 7.4 to form a comprehensive physical security program. Understanding these relationships helps you identify dependencies during implementation and ensures that gaps in one control do not undermine others:

| Control ID | Control name | Relationship to 7.4 |
|---|---|---|
| 7.1 | Physical security perimeters | Defines the boundaries that 7.4 monitors |
| 7.2 | Physical entry | Controls who enters; 7.4 verifies compliance |
| 7.3 | Securing offices, rooms, and facilities | Protects the spaces; 7.4 detects breaches of those protections |
| 7.5 | Protecting against physical and environmental threats | Complementary threat protection (fire, flood, power) |
| 7.6 | Working in secure areas | Personnel rules for the areas that 7.4 monitors |
| 7.7 | Clear desk and clear screen | Reduces exposure if monitoring detects unauthorized access |
| 5.23 | Information security for use of cloud services | Extends physical monitoring obligations to cloud provider premises |
| 5.19 | Information security in supplier relationships | Third-party physical security obligations |
| 6.7 | Remote working | Monitoring scope changes when workforce is distributed |
| 8.12 | Data leakage prevention | Physical monitoring supports DLP by detecting unauthorized media removal |

Frequently Asked Questions

What is ISO 27001 7.4?

ISO 27001 7.4 is a physical security control requiring organizations to continuously monitor their premises for unauthorized physical access using surveillance systems, alarms, and detection mechanisms. Introduced as a standalone control in the 2022 revision, it covers deployment, maintenance, and legal compliance of monitoring technologies at any facility housing information assets.

What happens if 7.4 is not implemented?

Without physical security monitoring, unauthorized access can go undetected — enabling data theft, hardware tampering, or rogue devices that bypass network defenses entirely. Failure to implement 7.4 is a nonconformity that can prevent or jeopardize ISO 27001 certification.

How do you audit 7.4?

Auditors verify 7.4 by reviewing the monitoring policy, inspecting surveillance coverage against a documented scope diagram, testing alarm systems, and examining maintenance and test logs. Common audit findings include untested alarms, gaps in camera coverage, and missing maintenance records.

How UpGuard Helps

Physical security monitoring protects your own premises, but what about the facilities where your vendors store and process your data? UpGuard’s User Risk product and risk assessment capabilities provide continuous visibility into whether your third-party vendors maintain adequate physical security controls, helping you monitor compliance with standards like ISO 27001 across your entire vendor portfolio.
