If you have been working with information security for a while, you know that the ISO 27001 standard is the “gold standard” for keeping data safe. However, the world has changed quite a bit since 2013. We have more cloud services, more remote work, and more sophisticated physical threats. That is why the update to ISO 27001:2022 was so necessary.
One of the most specific shifts occurred in what we now call Annex A 7.11. If you are looking at your old 2013 documentation and trying to map it to the new 2022 requirements, you might notice things look a little different. Let’s break down exactly what changed and what you need to do about it.
The Shift from 2013 to 2022: A New Structure
In the 2013 version of the standard, physical security controls were scattered across Domain 11. Specifically, the old version focused heavily on “Delivery and Loading Areas” and general physical entry. In the ISO 27001:2022 update, the entire Annex A was restructured into four themes: People, Organisational, Technological, and Physical.
Annex A 7.11 now falls under the “Physical” theme. But it isn’t just a change of address; it is a change of focus. While the 2013 version felt a bit more like a checklist of “do you have a door lock?”, the 2022 version, specifically A 7.11, is focused on Physical Security Monitoring.
What is Annex A 7.11 Physical Security Monitoring?
The core change here is the emphasis on active oversight. In the previous iteration, you might have been compliant just by having a CCTV camera or a guard. Under the 2022 standard, Annex A 7.11 requires that premises are continuously monitored for unauthorised physical access.
This means your organisation must not only have the security tools in place but also a system to monitor them, alert the right people when a breach occurs, and review the footage or logs regularly. It turns a “passive” control into an “active” one. According to the experts at Hightable.io, this transition is one of the most common stumbling blocks for companies undergoing their transition audit, as it requires proof of ongoing monitoring rather than just proof of installation.
Key Differences You Need to Know
To make it easy, here are the primary differences between the old approach and the new A 7.11 requirements:
- From Static to Dynamic: The 2013 version focused on the physical perimeter itself. The 2022 version focuses on the act of monitoring that perimeter.
- Integrated Technology: The new standard acknowledges that we use much more than just “keys.” It expects a combination of alarms, intrusion detection systems, and video monitoring to be working in tandem.
- Detection vs. Prevention: While the old standard was heavy on preventing access, A 7.11 is heavily weighted toward the detection of access. If someone gets in, how quickly do you know about it?
The Role of Attributes in ISO 27001:2022
One of the coolest additions to the 2022 version is the use of “attributes.” These are essentially tags that help you categorise your controls. For Annex A 7.11, the attributes include “Preventive,” “Detective,” and “Corrective.” This helps security managers understand that monitoring isn’t just about watching a screen; it’s about having a plan to correct the issue once the alarm goes off.

How to Comply with the New Annex A 7.11
If you are migrating from the 2013 version, you don’t necessarily need to rip out your old cameras. However, you do need to update your Physical Security Policy. You should ensure that your risk assessment reflects the need for “Monitoring.”
You should consider the following steps:
- Review your current surveillance: Does it cover all sensitive areas, not just the front door?
- Check your notification settings: Does your alarm system actually notify someone who can respond 24/7?
- Document your reviews: Keep logs that prove you are checking your security footage or access logs.
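To make the “passive to active” point concrete, here is an added example (not code from the article or from Hightable.io) of the minimal pipeline the three steps above describe: parse badge-reader log lines, flag the events a detective control should surface (a denied badge, or a granted entry to a sensitive zone outside business hours), route each alert to whoever is on duty at that hour, and write a review record that an auditor can use as evidence of ongoing monitoring. The log format, the zone names, the business hours and the responder names are all assumptions, and the log lines are constructed.

```python
"""Added example: physical-access monitoring over constructed badge-reader logs.

Not the article's or Hightable.io's code. The log line format, zone names,
business hours and responder names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Assumptions: which zones count as sensitive, and what "business hours" means.
SENSITIVE_ZONES = {"server-room", "comms-closet"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # [07:00, 19:00)

# Constructed sample log: one access event per line, key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:12:31 reader=lobby badge=1042 zone=lobby result=granted
2024-03-04T12:40:05 reader=srv1 badge=1042 zone=server-room result=granted
2024-03-04T22:17:49 reader=srv1 badge=2231 zone=server-room result=granted
2024-03-04T22:18:02 reader=srv1 badge=9999 zone=server-room result=denied
2024-03-04T23:01:10 reader=lobby badge=1042 zone=lobby result=granted
"""


@dataclass
class AccessEvent:
    ts: datetime
    reader: str
    badge: str
    zone: str
    result: str


def parse_line(line: str) -> AccessEvent:
    """Parse one 'ISO-timestamp key=value ...' line into an AccessEvent."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AccessEvent(datetime.fromisoformat(ts_str), kv["reader"],
                       kv["badge"], kv["zone"], kv["result"])


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_after_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def responder_for(ts: datetime) -> str:
    """Step 2 of the article: someone must be reachable 24/7, not only
    during the day. Assumed rota: staffed desk by day, pager at night."""
    return "on-call-pager" if is_after_hours(ts) else "security-desk"


def find_alerts(events: list) -> list:
    """Detective logic: denied badges always alert; granted entry to a
    sensitive zone outside business hours alerts at high severity."""
    alerts = []
    for e in events:
        if e.result == "denied":
            reason, severity = "access denied", "medium"
        elif e.zone in SENSITIVE_ZONES and is_after_hours(e.ts):
            reason, severity = "after-hours entry to sensitive zone", "high"
        else:
            continue
        alerts.append({
            "ts": e.ts.isoformat(), "badge": e.badge, "zone": e.zone,
            "reason": reason, "severity": severity,
            "responder": responder_for(e.ts),  # who actually gets paged
        })
    return alerts


def review_record(events: list, alerts: list, reviewer: str,
                  reviewed_at: datetime = None) -> dict:
    """Step 3 of the article: a dated, attributable record that the log was
    reviewed. This is the evidence an auditor asks for under A 7.11."""
    reviewed_at = reviewed_at or datetime(2024, 3, 5, 9, 0)  # fixed for the example
    return {
        "reviewed_at": reviewed_at.isoformat(),
        "reviewer": reviewer,
        "window_start": events[0].ts.isoformat() if events else None,
        "window_end": events[-1].ts.isoformat() if events else None,
        "events_reviewed": len(events),
        "alerts_raised": len(alerts),
        "high_severity": sum(a["severity"] == "high" for a in alerts),
    }


def run(log_text: str, reviewer: str) -> tuple:
    events = parse_log(log_text)
    alerts = find_alerts(events)
    return alerts, review_record(events, alerts, reviewer)


if __name__ == "__main__":
    found, record = run(SAMPLE_LOG, "j.doe")
    for a in found:
        print(f"[{a['severity']}] {a['ts']} badge={a['badge']} zone={a['zone']}"
              f" -> {a['reason']} (notify {a['responder']})")
    print(record)
```

Run as written, the script raises two alerts from the five constructed events: the after-hours entry to the server room (high, routed to the pager) and the denied badge that follows it (medium). The late lobby entry raises nothing, because the lobby is not a sensitive zone; that distinction is the “does it cover all sensitive areas” question from step 1, encoded as a set you would populate from your own floor plan. The review record is deliberately small: date, reviewer, window and counts are what an auditor needs to see that monitoring is ongoing rather than merely installed.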
As noted by Hightable.io, documentation is the “bridge” between the 2013 and 2022 versions. Without a clear audit trail of your monitoring activities, an auditor won’t be able to verify that you’ve met the new 7.11 criteria.
Why Does This Change Matter?
The shift toward Physical Security Monitoring reflects the modern threat landscape. Physical breaches often lead to digital ones. If an intruder can get into your server room or even a hot-desking area, they can bypass many of your digital firewalls. By strengthening A 7.11, ISO is ensuring that your physical and digital security layers are working together.
If you’re feeling overwhelmed by the transition, remember that the 2022 version is designed to be more flexible and better aligned with how businesses actually operate today. Focus on the “Monitoring” aspect, update your Statement of Applicability (SoA), and you’ll be well on your way to a successful 2022 certification.
