What is ISO 27001 Annex A 7.4 Physical Security Monitoring?
ISO 27001:2022 Annex A 7.4 requires that premises be continuously monitored for unauthorised physical access. The standard does not name any tool or technology; what it demands is a documented process, records of the alerts raised and of how people responded to them, and evidence that the monitoring equipment itself is tested and maintained. Keeping that process in systems your organisation already operates (this page uses SharePoint, Jira and Confluence as examples) is usually easier to evidence than a disconnected product, because the procedure and the people, not the software, are what the auditor assesses.
Auditor’s Eye: The Shortcut Trap
Many organisations rely on automated SaaS dashboards for monitoring alerts. A wall of green ticks gives a false sense of security: it shows that a feed is live, not that anyone looked at an alert or did anything about it. Auditors want to see response evidence in records your organisation controls, such as tickets in your own Jira instance, because that is where the human oversight behind the technology becomes visible. If a camera fails, your internal maintenance log should record when it was noticed and how it was fixed. Relying on a vendor portal alone often goes hand in hand with weak management ownership of the control.
| ISO 27001:2013 Control | ISO 27001:2022 Control | Nature of Change |
|---|---|---|
| None (new control in 2022); overlaps in practice with A.11.1.2 Physical entry controls | Annex A 7.4 | Physical security monitoring becomes a standalone control. It focuses on continuous detection of unauthorised physical access and on the response that follows. |
How to Implement ISO 27001 Annex A 7.4 (Step-by-Step)
Monitoring needs a structured approach built on tools your staff already use. Documentation should focus on how people respond to alerts, not on the equipment alone. Frame this as an operational habit, not a software installation.
- Define your monitoring scope in a SharePoint document.
- Link alarm systems to Jira to create automated response tickets.
- Ensure staff record their actions within the Jira workflow.
- Maintain sensor testing records on a dedicated Confluence page.
- Review monitoring logs during regular internal security meetings.
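The alarm-to-ticket and sensor-test steps above only produce audit evidence if something reliably turns sensor events into records. The Python below is an added example for this page, not code from the original article or from Atlassian: it parses a constructed JSON-lines sensor feed, builds one Jira-style create-issue payload per alarm, and raises a maintenance ticket for any sensor whose heartbeat has gone quiet, which is the concrete answer to the auditor's question "how do you know if your monitoring system fails". The project key `PHYS`, the issue type names, the 15-minute heartbeat window and the feed format are all assumptions; nothing is sent to a real Jira instance.

```python
"""Added example, not code from the original page or from any vendor.

Turns a physical-sensor event feed into (a) one Jira-style ticket body per alarm
and (b) a maintenance ticket for every sensor that has stopped sending heartbeats.
Runs offline: nothing is POSTed anywhere.

Assumed (hypothetical) feed format, one JSON object per line:
    ts      ISO 8601 timestamp in UTC
    sensor  sensor identifier
    kind    "heartbeat" or "alarm"
    detail  free text, alarms only
The payload shape follows the Jira REST create-issue body (POST /rest/api/2/issue);
the project key, issue type names and heartbeat window are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

PROJECT_KEY = "PHYS"                        # assumed Jira project
HEARTBEAT_MAX_GAP = timedelta(minutes=15)   # assumed check-in interval

# Constructed sample feed: door-srv-01 raises one alarm and keeps checking in;
# cam-lobby-02 sends a single heartbeat and then goes silent.
SAMPLE_FEED = """\
{"ts": "2024-05-01T08:00:00Z", "sensor": "door-srv-01", "kind": "heartbeat"}
{"ts": "2024-05-01T08:00:00Z", "sensor": "cam-lobby-02", "kind": "heartbeat"}
{"ts": "2024-05-01T08:12:30Z", "sensor": "door-srv-01", "kind": "alarm", "detail": "forced open"}
{"ts": "2024-05-01T08:15:00Z", "sensor": "door-srv-01", "kind": "heartbeat"}
{"ts": "2024-05-01T08:30:00Z", "sensor": "door-srv-01", "kind": "heartbeat"}
{"ts": "2024-05-01T08:45:00Z", "sensor": "door-srv-01", "kind": "heartbeat"}
"""
SAMPLE_NOW = datetime(2024, 5, 1, 8, 50, tzinfo=timezone.utc)  # "now" for the sample run


def parse_feed(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() before Python 3.11 does not accept a trailing 'Z'
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def ticket(summary, description, issue_type):
    """Jira REST create-issue body; field names are Jira's, the values are assumed."""
    return {"fields": {
        "project": {"key": PROJECT_KEY},
        "issuetype": {"name": issue_type},
        "summary": summary,
        "description": description,
    }}


def alarm_tickets(events):
    """One ticket per alarm, pre-filled with what the responder must record."""
    out = []
    for ev in events:
        if ev["kind"] != "alarm":
            continue
        detail = ev.get("detail", "alarm")
        out.append(ticket(
            f"[{ev['sensor']}] {detail}",
            f"Alarm at {ev['ts'].isoformat()} from {ev['sensor']}: {detail}. "
            "Record who attended, what was found and how it was closed on this ticket.",
            "Incident",
        ))
    return out


def silent_sensors(events, now, max_gap=HEARTBEAT_MAX_GAP):
    """(sensor, last_heartbeat) pairs whose latest heartbeat is older than max_gap.

    A sensor that has never reported cannot be seen from the feed alone; reconcile
    against the monitoring scope document for that case.
    """
    last_seen = {}
    for ev in events:
        if ev["kind"] == "heartbeat":
            prev = last_seen.get(ev["sensor"])
            if prev is None or ev["ts"] > prev:
                last_seen[ev["sensor"]] = ev["ts"]
    return sorted((s, ts) for s, ts in last_seen.items() if now - ts > max_gap)


def failure_tickets(events, now, max_gap=HEARTBEAT_MAX_GAP):
    """A maintenance ticket per silent sensor: a dead camera is itself a finding."""
    return [ticket(
        f"[{sensor}] no heartbeat since {last.isoformat()}",
        f"Last heartbeat {last.isoformat()}, checked at {now.isoformat()} "
        f"(limit {int(max_gap.total_seconds() // 60)} min). Verify the sensor, "
        "record the repair in the maintenance log and link it here.",
        "Maintenance",
    ) for sensor, last in silent_sensors(events, now, max_gap)]


def triage(feed_text, now=SAMPLE_NOW):
    """Full pass over a feed: alarm tickets plus monitoring-failure tickets."""
    events = parse_feed(feed_text)
    return {
        "alarm_tickets": alarm_tickets(events),
        "failure_tickets": failure_tickets(events, now),
        "silent_sensors": [s for s, _ in silent_sensors(events, now)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FEED)
    for t in result["alarm_tickets"] + result["failure_tickets"]:
        print(json.dumps(t, indent=2))
```

Running the sample produces two payloads: an Incident for the forced door and a Maintenance ticket for `cam-lobby-02`, which has not checked in for 50 minutes. The second kind of ticket is what distinguishes a monitored system from a dashboard: the failure of the monitoring itself becomes a tracked, closable record rather than a silently missing green tick.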
ISO 27001 Annex A 7.4 Physical Security Monitoring Audit Evidence Checklist
Auditors look for manual records and version-controlled documents. These items prove that your monitoring system is active and managed. Avoid presenting evidence that only exists in a third-party portal.
- Surveillance policies stored and approved in SharePoint.
- Jira tickets showing the resolution of security alarms.
- Maintenance logs for physical hardware kept in Confluence.
- Internal audit reports covering physical site monitoring.
- Staff training records for alarm response procedures.
Relational Mapping
Control A 7.4 depends on other clauses and controls:
- Clause 8.1 (Operational planning and control): sets the monitoring schedule and the cadence of sensor tests.
- Annex A 5.24 (Information security incident management planning and preparation): defines the response once an intrusion is detected.
- Annex A 7.1 (Physical security perimeters): determines which areas need coverage and therefore where sensors and cameras are placed.
Auditor Interview
Auditor: How do you know if your monitoring system fails?
Manager: We perform weekly sensor tests. Staff record these tests in a Confluence log.
Auditor: Where is the evidence of your response to last month’s alarm?
Manager: All alerts generate a Jira ticket. You can see the investigation steps in this ticket history.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS dashboard without internal response records. | Document all alert investigations within Jira. |
| Blind Spots | Sensors or cameras do not cover high-risk areas. | Update the monitoring scope in SharePoint. |
| Missing Maintenance | No evidence that alarms or cameras are tested. | Create a testing log in Confluence. |
Frequently Asked Questions
What is the main goal of Annex A 7.4?
The bottom line: It ensures you detect and respond to unauthorised physical access. Secure areas must be monitored continuously, and each detection must trigger a documented response. Tracking alerts in your own ticketing system (Jira in these examples) keeps the team accountable for every one.
How does an auditor verify monitoring?
The bottom line: Auditors check for records of activity and maintenance. They will ask for Jira tickets related to recent alarms and for the sensor test log (kept in Confluence in the setup above). A purely technical setup with no management records behind it is likely to be raised as a non-conformity.
Can I use motion sensors instead of cameras?
The bottom line: Yes, if your risk assessment justifies it. ISO 27001 does not mandate specific technology. You must prove the chosen sensors are monitored and maintained. Record these decisions in your internal management system to provide a clear audit trail.
