ISO 27001 Annex A 7.4 is a control about physical security. You need a security border for your offices and work areas. The main goal is to watch for people trying to get in without permission. This control helps you catch people who should not enter if they manage to do so.
What is ISO 27001 Annex A 7.4?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 standard the control is titled “Physical Security Monitoring”.
What is the ISO 27001 Annex A 7.4 control objective?
The formal definition and control objective in the standard is: “Premises should be continuously monitored for unauthorised physical access.”
What is the purpose of ISO 27001 Annex A 7.4?
The purpose of ISO 27001 Annex A 7.4 is “to ensure you detect and deter unauthorised physical access.”
Is ISO 27001 Annex A 7.4 Mandatory?
ISO 27001 Annex A control 7.4 (Physical Security Monitoring in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.4 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context. Any exclusion must be justified in your Statement of Applicability.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
Health and Safety
Your main goal is to follow all laws. Make sure to talk to a lawyer to learn exactly what you can and cannot do. This helps you avoid breaking rules. The most important laws concern health and safety because protecting people is always the top concern. You should think about common items like fire alarms, fire doors, fire suppression systems, and doors that open automatically during failures. While protecting buildings and data is important, protecting people is your first duty.
Alarms and Monitors
When you look at alarms and monitors, you are choosing a control to warn you when something has happened. You know what alarms are, and having them installed is wise. You will want to plan your response process. Make sure the list of contacts who are told about an alarm is current. Who will get the call at two in the morning, and what action will they take?
CCTV
You might think about using CCTV, but be aware this choice creates extra work with laws like GDPR. You should get legal advice before you put in CCTV. If you decide to install cameras, ensure you do it in a way that obeys the rules. You need to think about how, how long, where, and in what format you keep the recordings. Then, consider who can see the footage, how they get it, and how you delete it later. It is not as simple as just putting up a Ring camera.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
- Your physical security boundary: Checking your physical security boundary is often one of the first and easiest things an auditor does if you have a physical office. They will visit and check all physical places included in your scope.
- Your physical security checks: Auditors have done this job for a long time, so they know what to look for. They will test your controls to see how they react. They will try opening doors, opening storage areas, and gaining access to places you should not allow them to enter. Your security checks must allow you to properly respond to these actions. They will also confirm that you have tested these security checks within the last twelve months.
- Your written records: The auditor will review your audit trails and all of your documents. They will look at proper access reviews, logs from your security checks and reports, and records of security incidents and how you managed them.