ISO 27001:2022 – 7.4 Physical Security Monitoring

Physical security monitoring

ISO/IEC 27001:2022 adds 11 new controls, one of these being the new 7.4 Physical Security Monitoring control objective that resides within Annex A.

Monitoring for unauthorised physical access was strangely absent from the 2013 version of the standard, but like some of the other control additions, like ICT readiness for business continuity, is a common control you may already have in place. The new 2022 version formalises this requirement. It’s a much-needed control and I can understand the reasoning for the previous absence of the control. Ten years ago, installing cameras and other monitoring infrastructure was a costly endeavour. In 2023, you can get high-quality video cameras that capture in 4K, have night vision, and can be connected wirelessly or using a single power-over-ethernet (PoE) cable reducing installation costs dramatically. And all this for a couple of hundred dollars. Wow. I sound like I should be selling cameras 😉

Physical security was always addressed in ISO 27001, but not monitoring of physical access. The existing controls haven’t changed, just the structure to break out the controls made a lot clearer. While 2013 had two objective areas with a number of sub-controls, all these sub-controls have now been broken out into 14 controls, including the new 7.4. I must say it’s a much better structure, making it much easier to read, comprehend and comply with.

What is ISO 27001 Annex A 7.4’s expectation?

As with the other clauses in Annex A, we get our standard one-liner:

“Premises shall be continuously monitored for unauthorized physical access.”

Again, it’s very broad, but like all the other controls, this allows organisations to take a risk-based approach to satisfy the control, commensurate with the threats and risks posed to their specific business. “Premises” is very broad, and based on what an organisation has within their various premises, this control may not be relevant.

We work with a lot of clients that are going through ISO/IEC 27001 certification for the first time, are undergoing their annual audits, or are transitioning to the new 2022 version of the standard. Physical controls have become less relevant in many organisations due to changes in their working models, as well as digital transformation projects that have moved so much to the cloud. Years ago, everyone was in the office on a daily basis, employees had desktop systems hardwired into racks of switches, and onsite server rooms housed organisational systems and databases full of sensitive data. This has now moved to remote and hybrid workspaces, most people using laptops, and those server rooms have all been migrated to the cloud. Offices have become what we often call “Internet Cafes” when it comes to looking at physical security controls under ISO. People have a hot desk, connect to WiFi or tether to their phones, and that’s about it for their office.

7.4’s broad definition allows you to assess whether monitoring is relevant to each “premise”, and for many organisations, it may not be, or requirements may be very small.

ISO 27002 physical security monitoring implementation advice

As with the other controls, while we don’t have to use ISO/IEC 27002 as our controls framework for satisfying 27001’s Annex A control objectives, it provides us insight into what ISO 27001 expects from each control, the purpose, and implementation advice you can follow to achieve the objective.

First up, the purpose states:

“To detect and deter unauthorized access.”

Wow. Thanks for those deep insights 😉 Luckily the first part of 7.4’s Guidance section provides us with more on expectations:

“Physical premises should be monitored by surveillance systems, which can include guards, intruder alarms, video monitoring systems such as closed-circuit television and physical security information management software either managed internally or by a monitoring service provider.

Access to buildings that house critical systems should be continuously monitored to detect unauthorized access or suspicious behaviour by…”

Even though 7.4’s title states “monitoring” and you would expect this to be a detective control, ISO 27002 has this control marked as both detective and preventive. The reason for this is the example controls in the quote above. Controls such as guards deter threat actors from taking action in the first place. Also, even though video cameras are a detective control, they also act as a deterrent. Just look at all the fake cameras you can buy on the Internet. Someone thinking they will be seen and recorded can be just as good as the actual act in deterring someone from taking action. I’m not saying a fake camera will cut it for your ISO auditors though 😂

The key takeaway from the above quote, so we understand the intent of what should be monitored, is “that house critical systems”. As I mentioned above around physical controls, they need to be relevant to the threats posed to your business, what is housed and accessible within your premises, and your individual business risks.

Quick Rant on Risk Assessments vs Gap Assessments

“Your individual risks”. I’m going to take a quick segue into what this means, especially when talking about ISO/IEC 27001 compliance. ISO takes a risk-based approach to security. Yes, there are 114 controls in 27001:2013 and 93 controls in the 2022 version, but you don’t need to implement them all. This is why ISO has a Statement of Applicability (SOA). It states which of these controls are applicable to your business. If it’s not applicable, you document why. A perfect example are controls related to software development. If you don’t do software development, it isn’t applicable so why would you implement controls addressing development?

I’ve seen so many consultancies and organisations do gap assessments against ISO 27001. They look at whether you have everything in place, leveraging the standard as a best practice. The problem is, just because you didn’t implement a control doesn’t mean you have a gap. It may not be relevant for your business. Even when organisations are looking at certifying to ISO for the first time, they often have a consultant come in to do a gap assessment to tell them what’s missing so they can create a roadmap of what to do to certify. Sorry? How does this work? This is why organisations end up with this massively bloated action plan, it gets thrown in the too-hard basket and gets abandoned, or it’s so much work it never gets done.

This is why ISO has risk assessments. Identify your risks, then identify your controls to remediate your risks. This gives you your roadmap, not a gap assessment. Yes there are mandatory documents you need for ISO and you can perform a gap assessment against these, but that takes minutes to assess, not days or weeks.

Where am I going with this? The new 7.4 control, like all controls in ISO 27001, needs to be based on risk. As it says in 27002, “Access to buildings that house critical systems“, so you are addressing the potential risk of unauthorised access, theft or tampering of critical systems. You should already have these systems identified within your asset register. This doesn’t mean you need these physical monitoring controls everywhere. Nor do you need armed guards, alarms, or motion sensor cameras to satisfy the control. You might, but that’s your call based on your business and your risks. It’s not based on someone’s idea of “best practice”.

How do I comply with ISO 27001:2022 Annex A 7.4?

So now I got that off my chest, how do you comply with this requirement? You guessed it, first up assess the risk posed to critical assets based on where they are housed. If you still have onsite server rooms or a data centre, you’re going to have more risk and need more controls than a five-person company that takes their laptops into a WeWork office 2 days a week, where they have no data and nothing to access, steal or tamper with. And don’t say their laptops. They are addressed under other controls 😉

There are three main controls you will probably end up looking at based on risks posed to your business:

• Video monitoring systems that record access to sensitive areas, with adequate controls in place to protect recorded data
• Alarm systems
• Guards

It’s a short list, but there are different levels for each of these controls based on your risks. For example, some organisations will have a guard come around to check the premises once a night. Others will have a guard sitting at a front desk all night. High-security premises may have roaming guards. It’s all commensurate with your level of risk.

If you need help or just advice in this area, please reach out as we are happy to help or provide advice. It’s a control that all businesses should be assessing, irrespective of whether you certify to ISO/ IEC 27001 or not.