Continuous monitoring of physical access to premises
Use systems like CCTV and alarms to detect unauthorized physical entry.
🏛️ Framework: ISO/IEC 27001:2022
🧭 Control effect: Detective
🧱 ISO 27001 domain: Physical controls
🔐 Classifications: N/A
🗓️ Official last update: 24 Oct 2022
✏️ Control Stack last updated: 19 Mar 2026
🎯 Maturity levels: N/A
Premises shall be continuously monitored for unauthorized physical access.
Source: ISO/IEC 27001:2022
Plain language
This control is about ensuring the security of your physical location, such as an office or warehouse, by keeping an eye out for people who shouldn't be there. If premises aren't monitored, unauthorised individuals might sneak in, potentially leading to theft, data breaches, or even harm to your employees.
Why it matters
Without continuous monitoring, intruders may enter undetected, steal assets, or access systems, causing financial loss and reputational harm.
Operational notes
Monitor CCTV/alarms continuously, alert on after-hours entry/door-forced events, and test response and escalation procedures regularly.
Implementation tips
- The office manager should arrange for the installation of surveillance systems like CCTV and alarms. This involves reaching out to security companies to assess needs and install cameras and sensors at key access points such as entrances and windows.
- Security personnel should be tasked with regularly checking the functionality of monitoring equipment. They should test alarms and CCTV systems weekly to ensure they work correctly, and report any issues immediately for repair.
- The IT manager should secure access to surveillance data. They must set strong passwords and ensure only authorised personnel view video feeds, complying with the Privacy Act 1988 regarding personal information.
- Facilities management should review and update the monitoring plan annually or after significant changes. They should verify that all areas where sensitive activities occur, like server rooms, are covered, and make adjustments based on any operational changes.
- The compliance officer should ensure all surveillance practices align with local laws. They should consult guidance from the OAIC to maintain compliance with regulations on data use and retention, particularly concerning video footage.
Audit / evidence tips
- Ask: the surveillance system installation report
- Ask: maintenance logs of surveillance equipment
- Ask: the access control logs for surveillance data
- Ask: evidence of compliance with privacy regulations
- Ask: the monitoring plan and its review schedule
Cross-framework mappings
How Annex A 7.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1053 | ISM-1053 requires classified servers, network devices and cryptographic equipment to be housed in secure rooms that meet security zone re... |
| Supports | ISM-1296 | ISM-1296 requires implementing physical security to protect network devices in public areas from unauthorised access and physical damage |
| Supports | ISM-1973 | Annex A 7.4 requires premises to be continuously monitored to detect unauthorised physical access (e.g |
| Supports | ISM-1974 | Annex A 7.4 requires continuous monitoring of premises to detect unauthorised physical access |