Physical Security Monitoring - ISO 27001 Annex A Control

Detection sits alongside prevention - know when something has gone wrong.

ISO 27001 Annex A 7.4 - Physical Security Monitoring

Prevention controls keep most attempts at unauthorised access out, but no prevention is perfect. This control adds detection - the ability to see when something has gone wrong, ideally as it happens, so that a response can start while it still matters. CCTV, intruder alarms, access control logs, security patrols and staff awareness all contribute to the monitoring picture, each with strengths in different scenarios.

The monitoring needs to be active rather than passive. CCTV that records but is never reviewed only helps after the fact. Alarms that sound when no one is listening protect nothing. Access logs that nobody reviews tell only a historical story. Effective monitoring includes someone or something actually watching, and a process for responding to what is seen.

The mix of monitoring needs to fit the operation. A facility staffed around the clock may rely heavily on patrols and live CCTV review. An office that closes at 6pm may rely on intruder alarms with a monitored response and recorded CCTV that is reviewed the next morning. The principle is that the monitoring, and the response behind it, covers the times when the risk actually exists, not just the times when someone happens to be on site.
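The "something actually watching" can be a script as easily as a person, at least for the access control log part of the picture. The example below is added here and is not part of the alphaZ toolkit or of this page: it applies an office's operating pattern (the 6pm close described above) to badge reader log lines and flags the events a reviewer should look at. The log line format, the reader names, the 07:00 to 18:00 hours, the set of sensitive doors and the denial threshold are all assumptions, and the sample log is constructed, not real site data.

```python
"""Review badge access-control log lines against a site's operating pattern.

Added example: the log format, reader names, hours and thresholds below are
assumptions, not a real product's format or a real site's configuration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample of badge reader events (one event per line).
SAMPLE_LOG = """\
2024-03-04T08:55:12 reader=front-door badge=1042 result=granted
2024-03-04T12:10:03 reader=server-room badge=1042 result=denied
2024-03-04T12:10:09 reader=server-room badge=1042 result=denied
2024-03-04T12:10:15 reader=server-room badge=1042 result=denied
2024-03-04T17:58:40 reader=front-door badge=2077 result=granted
2024-03-04T22:41:07 reader=rear-door badge=2077 result=granted
2024-03-05T03:15:22 reader=front-door badge=0000 result=denied
"""

OPENING, CLOSING = time(7, 0), time(18, 0)  # assumed office hours, 07:00-18:00
SENSITIVE_READERS = {"server-room"}         # assumed list of sensitive doors
DENIAL_THRESHOLD = 3                        # repeated denials that merit a human look


@dataclass(frozen=True)
class Event:
    ts: datetime
    reader: str
    badge: str
    result: str


def parse_line(line: str) -> Event:
    """Parse '<iso-timestamp> key=value key=value ...' into an Event."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_str), fields["reader"],
                 fields["badge"], fields["result"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def in_hours(ev: Event, opening: time = OPENING, closing: time = CLOSING) -> bool:
    return opening <= ev.ts.time() < closing


def review(events, opening=OPENING, closing=CLOSING,
           sensitive=SENSITIVE_READERS, threshold=DENIAL_THRESHOLD):
    """Return a list of (rule, event) findings for a reviewer to act on.

    Rules applied, in log order:
      after-hours-access            - a badge was granted entry outside opening hours
      after-hours-denied            - an attempt was refused outside opening hours
      repeated-denial-sensitive-door - the same badge was refused `threshold` times
                                       at a sensitive door on one day (reported once)
    """
    findings = []
    denials: dict[tuple, int] = {}
    for ev in events:
        outside = not in_hours(ev, opening, closing)
        if ev.result == "granted" and outside:
            findings.append(("after-hours-access", ev))
        if ev.result == "denied":
            if ev.reader in sensitive:
                key = (ev.badge, ev.reader, ev.ts.date())
                denials[key] = denials.get(key, 0) + 1
                if denials[key] == threshold:
                    findings.append(("repeated-denial-sensitive-door", ev))
            if outside:
                findings.append(("after-hours-denied", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in review(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} {rule}: badge {ev.badge} at {ev.reader} ({ev.result})")
```

Run against the constructed log, this reports the third refused attempt at the server room door, the 22:41 entry through the rear door, and the 03:15 refused attempt at the front door; the in-hours events are left alone. The point is not the specific rules but that the output lands in front of someone with a process for acting on it, which is what separates monitoring from mere recording.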

Monitoring is one of the areas where compliance and useful security can drift apart. A box-ticked CCTV system that records but is never reviewed costs money and provides limited security. The monitoring that actually works is monitoring that people pay attention to - an alarm that someone responds to, footage that gets reviewed after an incident, or simply staff who notice when something looks wrong. The audit will look at how the monitoring actually operates - who reviews what, how often, and what happened the last time an alarm fired - not just whether the equipment exists.

Practical Compliance Guidance

Physical monitoring arrangements are described in the IMS1 Manual in Section 8.3 IT Equipment and Physical Security, alongside the Physical Security Policy. CCTV and alarm systems are listed in the asset inventory and supported by their own operational records.

alphaZ document - how to use it

ISO 27001 Toolkit - the full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
PP-8-100 Information Security Policy Procedure - contains the Physical Security Policy setting out the monitoring arrangements expected for the premises.
F-Q26 Premises Monthly Checklist - can be used to facilitate the monthly premises security checks.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Is CCTV mandatory for this control?
No. CCTV is one option among several. Many sites use a combination of CCTV at entry points and externally, intruder alarms inside, access control logs at sensitive doors, and staff awareness for general office areas. The mix should be proportionate to the risk and tailored to the operating pattern of the premises.

Does CCTV raise data protection obligations?
CCTV that captures identifiable individuals is processing personal data and falls within UK data protection law. The ICO publishes specific guidance on CCTV use, including signage, retention periods, access controls and the lawful basis for monitoring. The CCTV arrangements should be aligned with that guidance and reflected in the privacy notices.

How long should monitoring records be kept?
Long enough to be useful for incident investigation but no longer than necessary. CCTV footage is typically held for 30 days and then overwritten unless preserved for an incident. Access control logs are typically kept longer because they support the wider security audit trail. The retention periods should be set in the policy and documented in the personal data register where relevant.
