Control Definition
The organization must continuously monitor its premises for unauthorized physical access, using measures appropriate to the risk — surveillance cameras, intruder and motion detection, alarms, guards and patrols — and must protect the monitoring systems themselves from tampering and disclosure. One of the 11 controls introduced in the 2022 revision, it also requires monitoring to operate within applicable laws on surveillance and personal data.
Control Objective
To detect and deter unauthorized physical access by keeping premises under continuous watch, so intrusions are discovered in time to respond rather than by their consequences.
What This Really Means
Walls and locks are static defenses: they resist, but they cannot tell you they are being defeated. A.7.4 adds the nervous system — detection. Where A.7.1 through A.7.3 decide how hard your spaces are to enter, this control asks whether you would actually know when someone enters anyway, and what happens in the minutes after. It is new in ISO 27001:2022: earlier editions implied monitoring inside the secure-area controls, but the 2022 revision made continuous monitoring an explicit, named requirement that auditors now probe directly.
In practice the control draws on three families of measures, mixed to fit the risk. Surveillance: CCTV covering perimeter entrances, entry points, and critical rooms, with defined retention and tightly restricted access to footage. Detection: contact, motion, and glass-break sensors — external doors and accessible windows alarmed, unoccupied areas and server or comms rooms alarmed at all times. People: guards, patrols, and a staffed reception where the business justifies them. Coverage should match risk, not ambition — monitor the decision points an intruder must cross, not every square meter.
Detection without response is decoration. The working core of A.7.4 is the alarm response procedure: who is alerted, who attends, how quickly, and what gets recorded afterwards — including at 2 a.m. on a holiday. The monitoring system itself also needs protecting: keep camera and detector placement confidential, put recorders and alarm panels inside protected zones, guard against tampering, and test detectors and alarms on a schedule so the first real activation is not also the first test.
Two things sit at the heart of the auditor's view. First, the loop: detect, alert, respond, record — evidenced by alarm logs, response records, and test results rather than camera counts. Second, lawfulness: surveillance watches your own people as well as intruders, and footage of identifiable individuals is personal data in most jurisdictions. Notice to staff and visitors, proportionate coverage that stays out of private areas, defined retention, and controlled access to recordings are part of the control, not an optional extra.
Why It Matters
Without monitoring, physical breaches are discovered by their consequences: the laptop missing on Monday, the cabinet found open, the rogue device discovered months later during a network sweep. The interval between intrusion and discovery is the attacker's free working window, and unmonitored premises hand it over by default — along with any chance of knowing what else was touched.
Monitoring also carries the burden of proof. When something does happen, footage and alarm records are the difference between an investigation and an unresolvable suspicion — for disciplinary processes, police reports, and insurance claims alike. And because A.7.4 arrived with the 2022 revision, certification auditors now ask for it by name: a legacy CCTV installation with no retention rules, no response procedure, and no test records is one of the easier findings for them to write.
When premises go unmonitored, organizations face:
- Silent breaches – An after-hours entry is discovered days later through its consequences, if it is discovered at all
- No investigative record – Incidents end as suspicion without footage or alarm logs to establish what happened, when, and who
- Response that never happens – Alarms routed to an unwatched inbox or a departed employee's phone are functionally no alarms at all
- Easy audit findings – Cameras without retention rules, response procedures, or test evidence convert an old installation into a fresh nonconformity
- Privacy backfire – Surveillance deployed without notice, proportionality, and access controls turns a security measure into a legal liability
Regional Compliance Context
In India, CCTV footage, badge logs, and alarm records that identify individuals are personal data under the DPDP Act 2023 — full compliance obligations land on 13 May 2027, with the DPDP Rules notified in 2025. Practical implications: notice to employees and visitors that monitoring operates (signage plus HR policy coverage for staff), purpose limitation, retention discipline, and restricted access to recordings, especially where footage feeds disciplinary action. Where access-control systems and camera recorders count among an organization's ICT systems, many India-connected organizations also align their log retention posture with the CERT-In direction's 180-day expectation rather than maintain two standards.
In the Gulf, the Saudi PDPL and UAE federal PDPL treat surveillance recordings as personal data with similar notice and retention consequences, and some jurisdictions add premises-surveillance rules through local security authorities for specific sectors — verify local requirements before fixing camera placement and retention periods.
Implementation Guidance
Derive Monitoring Requirements from Risk
Decide what genuinely needs continuous watch: perimeter entrances, entry points into restricted zones, server and comms rooms, delivery areas, and unoccupied spaces adjoining them. Use the zone map from A.7.1 and the risk assessment to justify coverage — and to justify what you deliberately do not monitor. Record the rationale; proportionality is the first thing both auditors and privacy regulators probe.
Deploy Detection Matched to Each Area
Cover entry points and critical rooms with CCTV positioned to capture faces at choke points rather than blanketing open floors. Alarm external doors and accessible windows with contact sensors, use motion detection in unoccupied areas, and keep server and comms rooms alarmed at all times. Where guards or patrols exist, define their rounds and reporting so human monitoring leaves records too.
Protect the Monitoring System Itself
Keep the design confidential — camera positions, detector coverage, and alarm logic should not be readable from a public wall plan. Site recorders (NVR/DVR) and alarm panels inside protected, alarmed zones, enable tamper detection on detectors and cameras, restrict footage access to named roles with logging, and ensure the system fails safe and alerts on loss of power or connectivity.
Define the Alarm Response Procedure
Document who is alerted for each alarm type, who physically attends, the escalation path when the first responder is unreachable, and the expected response time — including nights, weekends, and holidays. If a third-party monitoring service or guard force responds, put response obligations and timings in the contract. Log every activation with the response taken and the outcome.
Set Retention and Handling Rules for Recordings
Define how long footage and alarm logs are kept, balancing investigation needs against privacy law — common commercial practice sits between 30 and 90 days unless local rules or sector requirements dictate otherwise. Verify the recorder actually achieves the stated period, store recordings securely, log access to them, and define how footage is exported and protected when an incident requires preservation.
Address Privacy and Legal Constraints Deliberately
Post clear signage where monitoring operates, cover employee monitoring in HR-facing policy with notice, and keep cameras out of private areas — washrooms, changing rooms, prayer and rest spaces. Confirm proportionality: monitor where intrusion risk lives, not where it is merely convenient. Take legal advice before any covert monitoring; in most jurisdictions it is tightly constrained.
Test, Maintain, and Review on a Schedule
Test alarms and detectors on a defined cycle, check camera health and recording integrity regularly, and keep maintenance under contract with records. Tune out chronic false alarms — repeated false activations train responders to ignore the system. Re-verify coverage after every layout change, and review monitoring records periodically as both an operational and an audit habit.
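The guidance above produces two artefacts that can be checked mechanically: the monitoring register (device, what it covers, retention, who may view footage, last test date) and the alarm activation log (detect, alert, respond, record). The script below, added here as an illustration and not code from the page or any product, runs the checks an auditor would make by hand over a constructed register and log; the policy values, device ids, zone names and log entries are all assumed.

```python
from datetime import date, datetime
# Policy values assumed for this example: the page puts common retention at 30-90 days;
# the test cycle and response time are illustrative choices.
POLICY = {"retention_days": 30, "test_cycle_days": 90, "response_minutes": 15,
          "private_areas": {"washroom", "changing room", "rest space"}}
TODAY = date(2025, 6, 1)  # reference date the register is checked against
# Constructed register rows (what each device covers, retention, who may view footage, last test).
REGISTER = [
    {"id": "CAM-01", "kind": "camera", "covers": "main entrance", "retention_days": 30, "access": ["facilities-lead"], "last_test": date(2025, 4, 20)},
    {"id": "CAM-02", "kind": "camera", "covers": "loading bay", "retention_days": 14, "access": [], "last_test": date(2024, 11, 2)},
    {"id": "CAM-03", "kind": "camera", "covers": "rest space", "retention_days": 30, "access": ["facilities-lead"], "last_test": date(2025, 5, 10)},
    {"id": "DET-07", "kind": "contact", "covers": "comms room door", "retention_days": None, "access": [], "last_test": None},
]
# Entry points and critical rooms the zone map says must be monitored.
REQUIRED_ZONES = {"main entrance", "loading bay", "comms room door", "back door"}
# Constructed activation log; a complete loop entry has both a response time and an outcome.
ALARM_LOG = [
    {"alarm": "comms room door", "triggered": datetime(2025, 5, 3, 2, 14), "responded": datetime(2025, 5, 3, 2, 25), "outcome": "contractor, authorised"},
    {"alarm": "loading bay", "triggered": datetime(2025, 5, 18, 23, 40), "responded": datetime(2025, 5, 19, 0, 30), "outcome": "false alarm, wind"},
    {"alarm": "main entrance", "triggered": datetime(2025, 5, 25, 1, 5), "responded": None, "outcome": None},
]

def register_findings(register, required_zones, policy, today):
    """Flag coverage gaps, private-area cameras, short retention, open access and stale tests."""
    findings = []
    for zone in sorted(required_zones - {row["covers"] for row in register}):
        findings.append(f"{zone}: required zone has no camera or detector")
    for row in register:
        if row["covers"] in policy["private_areas"]:
            findings.append(f"{row['id']}: covers a private area ({row['covers']})")
        if row["kind"] == "camera" and (row["retention_days"] or 0) < policy["retention_days"]:
            findings.append(f"{row['id']}: retention {row['retention_days']}d below policy {policy['retention_days']}d")
        if row["kind"] == "camera" and not row["access"]:
            findings.append(f"{row['id']}: no named role may view recordings")
        if row["last_test"] is None or (today - row["last_test"]).days > policy["test_cycle_days"]:
            findings.append(f"{row['id']}: last test {row['last_test']} is outside the {policy['test_cycle_days']}d cycle")
    return findings

def alarm_loop_findings(log, policy):
    """Every activation must end with a recorded response inside the agreed time."""
    findings = []
    for ev in log:
        when = f"{ev['alarm']} {ev['triggered']:%Y-%m-%d %H:%M}"
        if ev["responded"] is None or ev["outcome"] is None:
            findings.append(f"{when}: activation has no response record")
        elif (minutes := (ev["responded"] - ev["triggered"]).total_seconds() / 60) > policy["response_minutes"]:
            findings.append(f"{when}: responded after {minutes:.0f} min, limit {policy['response_minutes']}")
    return findings
```

Running the two functions over the sample data surfaces the unmonitored back door, the loading-bay camera with short retention, no named viewer and a stale test, the camera aimed at a rest space, the never-tested comms-room detector, one slow after-hours response and one activation with no response recorded at all.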
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.4:
Documentation
- Monitoring coverage plan or register mapping cameras, detectors, and alarmed doors to zones and the risks they address
- Alarm response procedure with named roles, escalation paths, and expected response times — plus contracts where response is outsourced
- CCTV retention and access policy, with privacy notices and signage evidence for staff and visitors
- Alarm activation and response logs showing the loop operates, including out-of-hours events
- Test and maintenance records for cameras, detectors, and alarm panels
Interviews
- Security or facilities manager about alarm response in practice — who attends at night, how escalation works, and recent activations
- CISO or DPO about the privacy basis for monitoring: notices, proportionality decisions, retention, and who can view footage
- Guards or reception staff about what they actually do when an alarm triggers or they spot someone unexpected on camera
Observations
- Location and protection of recorders and alarm panels — inside secured zones, not in an unlocked cupboard behind reception
- A walk of monitored areas: camera coverage of entry points, signage present, and no cameras aimed at private areas
- A live check that retention matches the policy — the auditor asks to see footage from a date near the edge of the stated period
Practitioner Insights

A.7.4 is where pre-2022 habits show their age: the cameras went in years ago, so everyone assumes the control is covered — but the requirement is monitoring, not equipment. When I ask who responded to the last alarm and where that response is recorded, the room often goes quiet; there is footage of everything and a record of nothing. Build the loop first — named responders, an escalation path that works at 2 a.m., and a log of every activation with the action taken. A modest system with a working response procedure beats a forty-camera deployment nobody watches.

The gaps I find in this control are mundane: the recorder sits in an unlocked cupboard where anyone could pocket the disks, retention is "whenever it overwrites," nobody remembers who holds the viewer password, and there is no signage — which becomes a privacy problem the moment footage appears in a disciplinary case. Keep a one-page monitoring register: each camera and detector, what it covers, retention, who can access recordings, and the last test date. It takes an hour to build and answers nearly every question an auditor or a privacy officer will ask.
Common Challenges & Solutions
Challenge
Cameras record everything, but nobody monitors them and alarms go nowhere actionable.
Solution
Accept that most organizations cannot watch screens live, and design for response instead: route alarms to named people with a tested escalation chain, define who attends and how fast, and log every activation with its outcome. For after-hours coverage, a contracted central monitoring station with agreed response times is usually cheaper and more reliable than improvised on-call.
Challenge
Footage retention is undefined — the recorder simply overwrites when full, and nobody knows the real window.
Solution
Set a retention period deliberately, balancing incident investigation against privacy law and any sector rules, then verify the hardware achieves it — storage that was sized years ago often holds far less than assumed. Document the period, check it during maintenance, and define an incident-preservation step so relevant footage is exported and protected before it ages out.
Challenge
Coverage has quiet gaps: the back door, the loading bay, or the comms room was never wired in.
Solution
Map every entry point and critical room from your zone plan against actual camera and detector coverage, and close the gaps in risk order — an intruder uses the unmonitored door precisely because it is unmonitored. Re-run the mapping after every renovation or layout change; coverage decays through facility drift, not equipment failure.
Challenge
Employees push back on surveillance, and counsel raises data protection concerns.
Solution
Treat both as design inputs: monitor intrusion points rather than people at work, keep cameras out of rest and private areas, give clear notice through signage and HR policy, restrict footage access to named roles with logging, and keep retention short. A documented proportionality decision answers the workforce, the regulator, and the auditor with the same artifact.
Challenge
Detectors and alarms are never tested, and chronic false alarms have trained everyone to ignore them.
Solution
Put testing on a schedule — walk-test detectors, trigger each alarmed door, and verify alerts reach responders end-to-end — and keep the records. Tune or fix the noisy sensors causing false activations, because every ignored alarm rehearses ignoring the real one. Treat a persistent false-alarm pattern as a risk item, not an annoyance.