
ISO 27001 Control 7.4: Physical Security Monitoring

How to Spot – and Stop – Physical Threats in Time

ISO 27001 Control 7.4, Physical security monitoring, is about having eyes and ears on the parts of your environment that matter – not just after an incident, but all the time.

You can have strong doors, locks and access controls, but if nobody notices when someone bypasses them, your physical security is half-finished. Control 7.4 expects you to detect, deter, and support response to physical threats through sensible monitoring: cameras, alarms, sensors and the processes that sit around them.

This guide explains what ISO 27001 Control 7.4 is really asking for, and how to design physical security monitoring that’s practical, proportionate, and compliant with privacy laws.


What ISO 27001 Control 7.4 Actually Requires

In plain English, ISO 27001 Control 7.4 – Physical security monitoring expects you to:

  • Monitor your offices, rooms and facilities so you can detect unauthorised physical access or attempts.
  • Use appropriate measures – CCTV, alarms, detectors – in a layered way.
  • Make sure monitoring systems themselves are protected against tampering and misuse.
  • Keep monitoring effective over time through maintenance, testing, and configuration reviews.
  • Comply with legal and privacy requirements for surveillance and recording.

It’s a preventive and detective control that supports confidentiality, integrity and availability by:

  • Deterring would-be intruders
  • Helping you respond quickly to real incidents
  • Providing evidence when something goes wrong

Step 1 – Decide What You Need to Monitor (and Why)

Start by identifying where physical security monitoring really matters:

  • Entrance points (front doors, staff entrances, loading bays)
  • Perimeter areas (car parks, access roads, external doors and windows)
  • Secure areas (server rooms, comms rooms, records rooms, labs, cash-handling, HR/finance offices)
  • Shared spaces that lead to critical areas (lift lobbies, stairwells, corridors near secure rooms)

For ISO 27001 Control 7.4, ask yourself:

  • Where would unauthorised physical access cause serious harm (data breach, outage, fraud)?
  • Where would early detection change your response (e.g. stopping someone before they reach a secure room)?
  • Where do you already have physical security measures that monitoring should support (locks, access control, guards)?

Document your monitoring scope in simple terms – for example:

“CCTV covers all external entrances and the server room corridor; alarms protect all ground-floor external doors and the comms room.”

That’s usually enough to show you’ve thought deliberately about physical security monitoring under ISO 27001 Control 7.4.


Step 2 – Deploy CCTV Where It Adds Real Value

CCTV (or other video monitoring) is often the most visible part of physical security monitoring.

To align with ISO 27001 Control 7.4:

  • Select coverage deliberately
    – Focus on entrances, exits, high-value areas, and routes to critical spaces.
    – Avoid blanket coverage “just in case”, especially where privacy concerns are high.
  • Ensure recording capability
    – Record video, not just live view.
    – Keep recordings for a retention period that matches your risk, legal requirements, and storage capacity.
  • Make it usable for investigations
    – Ensure timestamps are accurate.
    – Keep enough resolution and lighting to actually identify people or events.
    – Make sure authorised staff know how to retrieve and export footage when needed.
  • Consider integration platforms
    – Physical Security Information Management (PSIM) or similar can help unify CCTV, alarms and access control into a single view in larger environments.

Remember: CCTV under ISO 27001 Control 7.4 is there to support detection, deterrence and investigation, not to watch every square metre of your premises.


Step 3 – Use Alarms and Detectors as Early Warning Systems

Alarms and detectors are critical to detecting unauthorised access quickly, especially out of hours.

For ISO 27001 Control 7.4, think about:

  • Intruder alarms on external doors and accessible windows
    – Contact sensors on doors and windows that trigger when opened unexpectedly.
    – Focus on ground-floor or easily reachable areas, and routes into secure rooms.
  • Motion detectors in key zones
    – PIR (passive infrared) motion sensors in corridors, stairwells, plant rooms and secure areas.
    – Coverage that balances sensitivity with avoiding constant false alarms.
  • Specialised detectors where needed
    – Glass-break sensors near vulnerable windows.
    – Panic buttons or hidden alarms in reception or high-risk areas.
  • Out-of-hours coverage
    – Make sure monitoring covers periods when staff are not present or are minimal.
    – Define clearly when alarms should be armed and disarmed.
  • Clear response procedures
    – Who gets notified when an alarm triggers (security, on-call, monitoring centre)?
    – What they should do (check cameras, call police, attend site, escalate).

ISO 27001 Control 7.4 is just as interested in the response to alarms as in the technology itself.


Step 4 – Protect the Monitoring Systems Themselves

Physical security monitoring is only useful if attackers can’t easily disable or manipulate it.

To support ISO 27001 Control 7.4:

  • Control access to monitoring systems
    – Limit who can view live feeds, access recordings, acknowledge alarms, or change settings.
    – Use named accounts with appropriate roles and strong authentication, and replace vendor default credentials on cameras, recorders and alarm panels before they go live.
  • Secure the hardware
    – Place DVR/NVR units, alarm panels, and control consoles in locked rooms or cabinets.
    – Protect cabling routes where reasonable, especially from cameras in sensitive areas.
  • Use tamper detection
    – Configure alarms on power loss, panel tampering, or camera disconnection where supported.
    – Log and review such events.
  • Segment the network
    – Put CCTV and alarm systems on their own network segment, not wide-open on the main user LAN, and never expose camera or recorder web interfaces directly to the internet.
    – Secure remote access (if any) via VPN or tightly controlled management channels.

These controls show that ISO 27001 Control 7.4 has been applied to monitoring as an asset, not just to the spaces it watches.


Step 5 – Maintain, Test and Review Monitoring Regularly

A camera with a dusty lens or an alarm with a dead battery won’t help you. ISO 27001 Control 7.4 expects ongoing assurance that physical security monitoring actually works.

Build in:

  • Regular testing
    – Periodic tests of alarm triggers and notification paths.
    – Spot checks on camera feeds and recordings (image quality, coverage, playback).
  • Preventive maintenance
    – Cleaning and repositioning cameras as needed.
    – Battery checks and replacement for wireless sensors or backup supplies.
    – Firmware updates in line with your change management process.
  • Configuration reviews
    – Are new areas still unmonitored after a layout change?
    – Are camera views still aligned with current risk?
    – Are alarm zones and schedules still correct?
  • Fault handling
    – Log and track any monitoring failures (cameras offline, sensors faulty).
    – Fix issues as a priority when they impact critical coverage.
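The tamper-event review in Step 4 and the fault tracking in Step 5 both come down to reading the recorder and alarm-panel event log and deciding which entries need a person to act on them. The script below is an added example, not code from the original page or from any vendor; its log format, device and camera names, the critical-camera list and the review time are all assumptions. It pairs each loss event with its restore, rates the outage by duration and by whether the camera covers a critical area, treats any tamper signal as high priority, and reports anything still down at the end of the log:

```python
"""Review NVR and alarm-panel event logs for tamper signals and coverage loss.

Added example for step 4 (tamper detection) and step 5 (fault handling).
The log format, device and camera names, and the critical-camera list are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<UTC timestamp> <device> <component> <event>").
SAMPLE_LOG = """\
2024-03-04T01:12:03Z nvr01 cam03 VIDEO_LOSS
2024-03-04T01:12:10Z panel01 enclosure TAMPER
2024-03-04T01:14:40Z nvr01 cam03 VIDEO_RESTORED
2024-03-04T02:00:00Z nvr01 cam07 VIDEO_LOSS
2024-03-04T02:10:00Z nvr02 cam09 VIDEO_LOSS
2024-03-04T02:20:00Z nvr02 cam09 VIDEO_RESTORED
2024-03-04T02:30:00Z panel01 mains AC_LOSS
2024-03-04T02:31:00Z panel01 mains AC_RESTORED
2024-03-04T03:05:00Z nvr01 cam07 VIDEO_RESTORED
2024-03-04T03:40:00Z nvr02 cam12 VIDEO_LOSS
"""
LOG_END = datetime(2024, 3, 4, 4, 0, 0)  # when this review was run (assumption)

# Cameras covering areas whose loss is always a priority fault (assumption).
CRITICAL_CAMERAS = {"cam03", "cam07"}
# Loss event -> the restore event that closes it; keys are therefore the loss events.
RESTORE_OF = {"VIDEO_LOSS": "VIDEO_RESTORED", "AC_LOSS": "AC_RESTORED"}
LOSS_OF = {restore: loss for loss, restore in RESTORE_OF.items()}


@dataclass
class Finding:
    severity: str   # high / medium / info
    device: str
    component: str
    detail: str


def parse_line(line):
    stamp, device, component, event = line.split()
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), device, component, event


def outage_finding(device, component, duration, max_outage, restored):
    minutes = int(duration.total_seconds() // 60)
    if not restored:
        return Finding("high", device, component, f"still down after {minutes} min, no restore seen")
    if component in CRITICAL_CAMERAS:
        return Finding("high", device, component, f"critical coverage lost for {minutes} min")
    if duration > max_outage:
        return Finding("medium", device, component, f"outage of {minutes} min")
    return Finding("info", device, component, f"brief outage of {minutes} min")


def review_events(log_text, log_end, max_outage=timedelta(minutes=5)):
    """Return one Finding per tamper signal and per loss/restore pair (or unmatched loss)."""
    findings, open_loss = [], {}   # open_loss: (device, component, loss_event) -> start time
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, device, component, event = parse_line(line)
        if event == "TAMPER":
            findings.append(Finding("high", device, component, f"tamper signalled at {when.isoformat()}"))
        elif event in RESTORE_OF:          # a loss event: remember when it started
            open_loss[(device, component, event)] = when
        elif event in LOSS_OF:             # a restore event: close the matching loss
            start = open_loss.pop((device, component, LOSS_OF[event]), None)
            if start is None:
                findings.append(Finding("info", device, component, f"{event} with no preceding {LOSS_OF[event]}"))
            else:
                findings.append(outage_finding(device, component, when - start, max_outage, restored=True))
    # Anything still open at the end of the log is an unresolved fault.
    for (device, component, _loss), start in open_loss.items():
        findings.append(outage_finding(device, component, log_end - start, max_outage, restored=False))
    return findings


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_events(SAMPLE_LOG, LOG_END):
        print(f"[{f.severity:>6}] {f.device} {f.component}: {f.detail}")
```

The "still down, no restore seen" case is the one that matters most for Step 5: a camera that dropped off at 03:40 and was never restored is exactly the silent coverage gap that a once-a-week glance at the live wall will miss, so it is rated high regardless of whether the camera is on the critical list.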

Being able to show maintenance records and test logs is strong evidence that ISO 27001 Control 7.4 is operational, not aspirational.


Step 6 – Respect Legal and Privacy Requirements

Any physical security monitoring that records people will intersect with data protection and privacy law.

To keep ISO 27001 Control 7.4 compliant and ethical:

  • Define clear purposes
    – Document why you are using CCTV and alarms (e.g. crime prevention, safety, asset protection).
    – Ensure usage doesn’t drift into unjustified surveillance.
  • Set and respect retention periods
    – Keep recorded footage only as long as needed for those purposes.
    – Configure automatic deletion where possible.
  • Inform people appropriately
    – Use signage to make staff and visitors aware of CCTV and its purpose.
    – Reflect monitoring in your privacy notices if required by local law.
  • Control access to recordings
    – Only allow authorised personnel to view or export footage.
    – Log access to recordings where feasible.
  • Handle subject access or law enforcement requests properly
    – Have a procedure for responding to requests for footage.
    – Ensure redaction or limitation where necessary.

ISO 27001 Control 7.4 doesn’t override privacy – it expects you to balance security and individual rights in a structured way.


Step 7 – Integrate Physical Security Monitoring with Your ISMS

To get the best out of ISO 27001 Control 7.4, treat physical security monitoring as part of your wider security and incident management processes, not a standalone silo.

You should:

  • Link to incident management
    – Use alarms and CCTV as triggers for incident logging and investigation.
    – Reference monitoring in your incident response playbooks.
  • Use monitoring data in investigations
    – Review logs and footage when something goes wrong (e.g. suspected data breach, theft, system tampering).
    – Feed lessons learned into improvements in layout, access control, or monitoring coverage.
  • Correlate with other systems where appropriate
    – Access control logs + CCTV + alarm data can provide a richer picture of events.
    – For larger organisations, PSIM or SIEM integration can help correlate physical and logical security events.

This is where ISO 27001 Control 7.4 really earns its keep – by supporting fast detection and evidence-backed response to physical incidents.
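The correlation described above is concrete enough to show in code. The script below is an added example, not code from the original page or from any PSIM or SIEM product; the event formats, door names, user names and the office country are all assumptions, and the sample events are constructed. It applies two rules a practitioner would typically start with: a secure door that opens without a preceding badge grant at that reader (forced, propped, or bypassed), and a user who badged in on site while also logged on to the VPN from another country (a shared or cloned badge, or stolen credentials). Findings are emitted as JSON lines, which is the form most SIEM collectors ingest:

```python
"""Correlate badge-reader, door-contact and VPN events to spot physical-access anomalies.

Added example for the correlation described in step 7. Event formats, door names,
users and the office country are assumptions; the sample events are constructed.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real system).
BADGE_EVENTS = [  # (timestamp, door, user, result) from the access-control system
    ("2024-03-04T08:01:10Z", "server-room", "alice", "GRANTED"),
    ("2024-03-04T08:40:02Z", "server-room", "bob", "DENIED"),
    ("2024-03-04T22:15:30Z", "comms-room", "carol", "GRANTED"),
]
DOOR_EVENTS = [  # (timestamp, door, event) from door contact sensors
    ("2024-03-04T08:01:12Z", "server-room", "OPEN"),
    ("2024-03-04T08:40:20Z", "server-room", "OPEN"),  # no grant precedes this one
    ("2024-03-04T22:15:33Z", "comms-room", "OPEN"),
]
VPN_EVENTS = [  # (timestamp, user, source country) from the VPN gateway
    ("2024-03-04T08:30:00Z", "alice", "GB"),
    ("2024-03-04T22:05:00Z", "carol", "US"),
]
OFFICE_COUNTRY = "GB"  # assumption: the country the badge readers are physically in


@dataclass
class Finding:
    rule: str
    time: str
    subject: str
    detail: str


def ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def doors_opened_without_grant(badge_events, door_events, grace=timedelta(seconds=10)):
    """Door contact reports OPEN but no GRANTED read at that door in the preceding
    `grace` seconds: a forced or propped door, or a bypassed reader."""
    findings = []
    for t_open, door, event in door_events:
        if event != "OPEN":
            continue
        opened = ts(t_open)
        covered = any(
            b_door == door and result == "GRANTED" and timedelta(0) <= opened - ts(b_ts) <= grace
            for b_ts, b_door, _user, result in badge_events
        )
        if covered:
            continue
        prior = [b for b in badge_events if b[1] == door and ts(b[0]) <= opened]
        if prior:  # give the responder the last read at that door as context
            b_ts, _door, user, result = max(prior, key=lambda b: ts(b[0]))
            gap = int((opened - ts(b_ts)).total_seconds())
            context = f"last read at this door: {user} {result} {gap}s earlier"
        else:
            context = "no badge reads at this door in the log"
        findings.append(Finding("door_open_without_grant", t_open, door, context))
    return findings


def badge_vs_remote_vpn(badge_events, vpn_events, window=timedelta(minutes=30)):
    """A user badged in at the office and logged on to the VPN from another country
    within `window`: shared or cloned badge, or stolen credentials."""
    findings = []
    for b_ts, door, user, result in badge_events:
        if result != "GRANTED":
            continue
        for v_ts, v_user, country in vpn_events:
            if v_user == user and country != OFFICE_COUNTRY and abs(ts(b_ts) - ts(v_ts)) <= window:
                findings.append(Finding("badge_and_remote_vpn", b_ts, user,
                                        f"badged at {door}, VPN logon from {country} at {v_ts}"))
    return findings


def to_siem_json(findings):
    """One JSON object per line, the shape most SIEM collectors accept."""
    return [json.dumps(asdict(f), sort_keys=True) for f in findings]


if __name__ == "__main__":
    found = doors_opened_without_grant(BADGE_EVENTS, DOOR_EVENTS) + badge_vs_remote_vpn(BADGE_EVENTS, VPN_EVENTS)
    print("\n".join(to_siem_json(found)))
```

The grace window is the one parameter worth tuning against your own doors: too short and every slow-closing door becomes a false positive, too long and a tailgater walking in 20 seconds behind a legitimate badge holder is never flagged. Whatever value you pick, the rule only works if the badge system, door contacts and VPN gateway share a trustworthy time source, which is the same timestamp accuracy point made under Step 2.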


Quick Implementation Checklist for ISO 27001 Control 7.4

Use this checklist to review your physical security monitoring against ISO 27001 Control 7.4:

  • ISO 27001 Control 7.4 (Physical security monitoring) is documented in your physical security procedures.
  • You’ve identified which areas need monitoring (entrances, secure rooms, critical routes).
  • CCTV (or equivalent) is deployed in appropriate locations with recording enabled.
  • Intruder alarms and detectors protect external doors, accessible windows and key internal areas.
  • There are clear response procedures for alarm activations and suspicious events.
  • Access to monitoring systems (live feeds, recordings, alarm panels) is restricted and logged.
  • Monitoring hardware and infrastructure are physically protected and, where relevant, network-segmented.
  • Monitoring systems are maintained and tested regularly; faults are tracked and resolved.
  • CCTV and other monitoring comply with legal and privacy requirements, including signage and retention limits.
  • Monitoring is integrated with incident management, and evidence is used in investigations and improvements.

Bringing It All Together

ISO 27001 Control 7.4 – Physical security monitoring – is about making sure you don’t just hope your physical security is working; you watch it working.

If you:

  • Monitor the right places,
  • Use CCTV, alarms and detectors in a layered, controlled way,
  • Maintain and protect your monitoring systems, and
  • Respect privacy while integrating monitoring into your ISMS,

you’ll be in a strong position to detect and deter physical threats – and to demonstrate to an auditor that physical security monitoring is a deliberate, well-managed part of your overall security posture.