Annex A · Physical controls

A.7.4 — Physical Security Monitoring

Reading time: 5 min · Reviewed by: Cenedril Editorial
Tags: A.7.4 · ISO 27001 · ISO 27002 · BSI INF.1 · BSI INF.2

A break-in occurs at a branch office on Saturday night. The thieves enter through a rear window, access the server rack and remove two hard drives. On Monday morning, the team discovers the theft. The alarm system was installed three years ago and never tested — the sensors on the rear windows had dead batteries. The CCTV system recorded to a local drive that was also stolen. A.7.4 requires monitoring that actually works: tested, maintained and designed to survive the scenario it is meant to detect.

The control requires organizations to continuously monitor their premises to detect and deter unauthorized physical access. Monitoring systems must be regularly tested and protected against tampering.

What does the standard require?

The core requirements cover five areas:

  • Continuous monitoring. Premises must be monitored on an ongoing basis — during and outside working hours. The monitoring approach should cover all entry points, critical areas and external perimeters.
  • Detection mechanisms. Organizations should deploy appropriate detection systems: CCTV, motion sensors, door/window contact alarms, intrusion-detection panels or a combination.
  • Testing and maintenance. Monitoring systems must be tested regularly and maintained to ensure they function when needed. Test results should be documented.
  • Tamper protection. Monitoring systems should be protected against interference: tamper-resistant camera housings, off-site or replicated recording so that footage survives theft of the recorder (the failure in the opening scenario), and UPS-backed alarm panels so that cutting the power does not silence the alarm.
  • Legal compliance. Monitoring must comply with local privacy laws, including signage requirements, retention limits and data-protection impact assessments.

In practice

Map monitoring coverage. Create a floor plan showing camera positions, sensor locations and alarm zones. Identify blind spots and document risk-acceptance decisions for areas that cannot be covered.

Test quarterly. Walk-test motion sensors, trigger door contacts, verify camera image quality and check that alarms reach the monitoring station. Then confirm that the footage of the test is actually retrievable from the recorder and, where used, from the off-site copy: a recorder that is running but not writing, or writing only to a disk an intruder can carry away, passes a visual check and still fails the control. Document every test and remediate failures immediately.

Define response procedures. A monitoring system that nobody watches is decorative. Define who receives alerts (security company, on-call staff), what the expected response time is and what actions the responder takes (verify alarm, dispatch security, contact police).

Manage retention. Define how long footage and alarm logs are retained. Align with local data-protection requirements — typically 72 hours to 30 days for general CCTV, longer for incident-related recordings preserved for investigation.

Typical audit evidence

Auditors typically expect the following evidence for A.7.4:

  • Monitoring coverage plan — floor plan showing camera and sensor positions, with blind spots and their risk-acceptance decisions
  • Test records — documentation of periodic alarm and camera tests
  • Maintenance records — evidence that systems are serviced per manufacturer schedule
  • Response procedure — documented alarm-response process
  • Sample footage — demonstration that cameras record and retain usable images
  • DPIA or legal assessment — data-protection impact assessment for CCTV (where required)

KPI

% of secure areas covered by physical security monitoring (e.g. CCTV)

Measured as a percentage: how many of your secure areas (server rooms, restricted zones, perimeter entry points) are covered by functioning monitoring systems? Target: 100%. Gaps typically exist at secondary entrances, loading docks and branch offices.

Supplementary KPIs:

  • % of monitoring systems tested in the last quarter
  • Average alarm-response time (target: under 15 minutes for manned monitoring)
  • Number of monitoring blind spots documented and risk-accepted
  • Uptime percentage of CCTV and alarm systems

BSI IT-Grundschutz

A.7.4 maps to the following BSI infrastructure monitoring requirements. Requirement numbers and titles change between editions of the IT-Grundschutz-Kompendium, so verify each reference against the edition your ISMS uses before citing it in a mapping table:

  • INF.1.A26 (Appropriate protection against break-ins and theft) — requires intrusion-detection measures for general buildings.
  • INF.1.A27 (Burglary alarm system) — requires a burglar alarm system for buildings with sensitive areas, including testing and response procedures.
  • INF.1.A34 (Planning and implementation of building surveillance) — covers CCTV planning, camera placement and monitoring workflows.
  • INF.1.A35 (Perimeter protection) — exterior monitoring: fences, motion detection, exterior cameras.
  • INF.2.A13 (Planning and implementation of monitoring of the data center) — specific monitoring requirements for data centers.
  • INF.2.A24 (Alarm system for the data center) — data-center alarm systems with defined response procedures.
  • INF.2.A28 (Use of higher-quality fire alarm systems) — cross-reference to fire-detection monitoring.

A.7.4 provides the detection layer of the physical security chain: A.7.1 (physical security perimeters) and A.7.2 (physical entry) define and control the boundary, A.7.3 (securing offices, rooms and facilities) hardens what lies inside it, and A.7.4 detects when those preventive controls are bypassed, as in the opening scenario.

Frequently asked questions

Is CCTV mandatory under A.7.4?

The standard does not mandate CCTV specifically. It requires continuous monitoring of premises to detect unauthorized access. CCTV is the most common solution, but alternatives include motion sensors, door-contact alarms, security patrols and AI-based anomaly detection. The choice depends on the risk assessment.

How does GDPR affect physical security monitoring?

Video surveillance that captures personal data (faces, movements) is subject to GDPR. You need a lawful basis (usually legitimate interest under Art. 6(1)(f), documented with a balancing test), must conduct a data-protection impact assessment where required, display signage informing people of the surveillance, limit retention periods and restrict access to footage. Coordinate with your DPO.

Should monitoring details be kept confidential?

Yes. The location of cameras, sensor blind spots and monitoring schedules should be treated as confidential. Disclosing these details makes it easier for an attacker to avoid detection.