ISO 27001:2022 Annex A 7.4 – Physical Security Monitoring Explained

Physical security controls only work if breaches are detected, not just prevented.

Annex A 7.4 exists to ensure organisations monitor physical security effectively, so unauthorised access, intrusion, or suspicious activity is detected early and responded to before information or assets are compromised.

This control is about visibility and deterrence, not constant surveillance.


Quick Guide: Annex A 7.4 at a Glance

Annex A 7.4 of ISO 27001:2022 focuses on physical security monitoring.

At a practical level, this means:

  • Monitoring access to security-sensitive physical areas
  • Detecting unauthorised entry or suspicious activity
  • Using appropriate monitoring mechanisms such as alarms or surveillance
  • Supporting timely response to physical security events
  • Operating monitoring in a lawful and proportionate manner

The control does not mandate specific technologies or continuous monitoring everywhere. It expects risk-based monitoring aligned to physical security needs.

In-Depth Guide to Annex A 7.4

What Is Annex A 7.4 and Why Does It Matter?

Even well-designed physical security perimeters and entry controls can fail.

Without monitoring:

  • Intrusions may go unnoticed
  • Delayed response increases impact
  • Theft or tampering may only be discovered later
  • Accountability becomes difficult

Annex A 7.4 ensures organisations do not rely solely on barriers and locks, but actively monitor physical security to detect and deter unauthorised activity.

This control supports:

  • Early detection of physical security incidents
  • Deterrence through visible monitoring
  • Evidence gathering for investigation
  • Reinforcement of other physical controls

How to Implement Annex A 7.4 Effectively

A pragmatic approach to Annex A 7.4 typically includes the following elements.

1. Identify Areas That Require Physical Security Monitoring

Monitoring should be focused where risk justifies it.

This commonly includes:

  • Server rooms and communications facilities
  • Areas housing critical systems or information
  • Secure storage for records or media
  • Entry and exit points to restricted areas

Not all spaces require the same level of monitoring.

2. Select Appropriate Monitoring Measures

Monitoring measures may include:

  • CCTV or video surveillance
  • Intruder detection or alarm systems
  • Motion, contact, or break-glass detectors
  • Physical security patrols or guards

Controls should be appropriate to the environment and threat, not deployed by default.

3. Ensure Monitoring Supports Detection and Deterrence

Effective monitoring:

  • Detects unauthorised access or abnormal activity
  • Acts as a deterrent to opportunistic intrusion
  • Provides alerts that enable timely response

Monitoring that is not observed or acted upon adds limited value.

4. Integrate Monitoring With Response Processes

Monitoring should feed into:

  • Physical security response procedures
  • Incident reporting and management
  • Escalation and investigation processes

Detection without response does not reduce risk.

5. Protect Monitoring Systems Themselves

Monitoring systems are security assets.

Organisations should ensure:

  • Monitoring systems are protected from tampering
  • Access to feeds, recordings, and controls is restricted
  • Monitoring infrastructure is resilient and maintained

If monitoring systems fail silently, risk increases.

6. Operate Monitoring Lawfully and Transparently

Physical security monitoring often involves people.

Organisations should ensure:

  • Monitoring complies with applicable privacy and data protection law
  • Monitoring is used only for legitimate security purposes
  • Retention of recordings is defined and proportionate
  • Individuals are informed where required

Compliance failures can create legal risk greater than the security risk being addressed.

7. Review Monitoring Coverage and Effectiveness

Physical environments change.

Organisations should periodically review:

  • Whether monitored areas remain appropriate
  • Whether blind spots or new access points exist
  • Whether alerts and response remain effective

Monitoring that is not reviewed gradually loses relevance.

In-Depth Guide to Annex A 5.1

What is Annex A 5.1 and Why Does It Matter?

  • What the organisation values
  • How security decisions are approached
  • Where accountability sits
  • Aligns security with business objectives
  • Supports proportionate, risk-based decisions
  • Provides a reference point during incidents and disputes
  • Creates consistency without bureaucracy

How to Implement Annex A 5.1 Effectively

1. Define a Comprehensive Information Security Policy

  • Scope: What the policy applies to (systems, data, people).
  • Objectives: Why security is important for the business.
  • Roles & Responsibilities: Who is accountable for security.
  • Key Principles: Risk management, access control, and data protection.

2. Secure Senior Management Approval

  • Review and approve policies.
  • Ensure resources are allocated for implementation.
  • Lead by example in enforcing security policies.

3. Communicate and Train Employees

  • Include security policies in onboarding and ongoing training.
  • Ensure policies are easily accessible to all employees.
  • Encourage acknowledgment and acceptance of security responsibilities.

4. Regular Review & Continuous Improvement

  • Set a schedule for periodic policy reviews (at least annually).
  • Update policies based on business changes, new threats, or regulatory updates.
  • Conduct audits to ensure compliance and effectiveness.

5. Integrate Policies into the ISMS

  • Use the policy to develop more detailed security procedures.
  • Ensure policies align with other Annex A controls and broader risk management practices.

Key Differences: ISO 27001:2013 vs ISO 27001:2022

Aspect                  | ISO 27001:2013                          | ISO 27001:2022
Control Structure       | Two separate controls: 5.1.1 & 5.1.2    | Merged into one control (5.1)
Implementation Guidance | Less prescriptive                       | More detailed guidance for policy creation and alignment
Awareness & Training    | Not explicitly mentioned                | Explicitly requires policies to be part of training programmes
Attributes Table        | Not included                            | New attributes table for mapping policies to industry terms

Common Challenges & How to Overcome Them

  • Challenge: Employees don’t follow security policies.
  • Solution: Make policies practical and relevant to daily work. Use real-world examples in training.
  • Challenge: Policies are outdated or too generic.
  • Solution: Schedule annual reviews and update policies based on real threats and business changes.
  • Challenge: Policies are written in technical jargon.
  • Solution: Use plain language that all employees can understand.
  • Challenge: Lack of leadership buy-in.
  • Solution: Show how weak security affects business objectives—costs of breaches, loss of client trust, and legal penalties.

Final Recommendations

  • Make security policies living documents—review, refine, and update regularly.
  • Use policy training and awareness to create a security-conscious workforce.
  • Ensure policies are accessible, relevant, and easy to understand.
  • Keep policies aligned with business strategy and regulatory requirements.
  • Engage leadership in driving security culture from the top down.

Practical Considerations

Annex A 7.4 does not require:

  • Surveillance of all areas
  • Constant real-time monitoring
  • Highly intrusive or disproportionate controls

It does require organisations to:

  • Understand where physical intrusion creates information risk
  • Apply monitoring deliberately
  • Balance security, privacy, and practicality

Physical monitoring should be targeted, justified, and maintained.

Common Challenges and How to Overcome Them

  • Challenge: Installing monitoring but not reviewing alerts
  • Solution: Ensure alerts trigger defined response actions
  • Challenge: Monitoring deployed without privacy consideration
  • Solution: Align monitoring with legal and regulatory obligations
  • Challenge: Blind spots caused by layout or change
  • Solution: Review coverage when facilities change
  • Challenge: Over-reliance on deterrence alone
  • Solution: Combine monitoring with response capability

Monitoring fails most often through neglect, not absence.


Final Recommendations

Annex A 7.4 is about knowing when physical security fails.

When physical security monitoring is implemented effectively:

  • Intrusions are detected earlier
  • Impact is reduced through faster response
  • Deterrence is strengthened
  • Other physical controls are reinforced

Barriers slow attackers.
Monitoring tells you when they succeed.

That is exactly what Annex A 7.4 is designed to ensure.

