Continuous monitoring of physical access to premises
Use systems like CCTV and alarms to detect unauthorized physical entry.
Plain language
This control is about ensuring the security of your physical location, such as an office or warehouse, by keeping an eye out for people who shouldn't be there. If premises aren't monitored, unauthorised individuals might sneak in, potentially leading to theft, data breaches, or even harm to your employees.
Framework
ISO/IEC 27001:2022
Control effect
Detective
ISO 27001 domain
Physical controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Premises shall be continuously monitored for unauthorized physical access.
Why it matters
Without continuous monitoring, intruders may enter undetected, steal assets, or access systems, causing financial loss and reputational harm.
Operational notes
Monitor CCTV/alarms continuously, alert on after-hours entry/door-forced events, and test response and escalation procedures regularly.
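The after-hours entry and door-forced alerting described in the operational note can be implemented as a simple rule over door-controller events. The Python below is an added example, not part of this control page or of any product: the log line format, door names, badge numbers, business-hours window and the set of tamper events are all constructed assumptions that a real deployment would replace with its own controller's export and site policy.

```python
"""Flag after-hours entries and door-forced/held-open events in door-controller logs.

Added example for ISO/IEC 27001:2022 Annex A 7.4. Log format, door names and
badge IDs are constructed; the business-hours window and the TAMPER_EVENTS set
are assumptions to be tuned per site.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Assumed business hours: Monday-Friday, 07:00 to 19:00 local time.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
WEEKEND = {5, 6}  # datetime.weekday(): 5 = Saturday, 6 = Sunday

# Event types treated as tamper indicators (assumption; map to your controller's codes).
TAMPER_EVENTS = {"DOOR_FORCED", "DOOR_HELD_OPEN"}


@dataclass
class Alert:
    timestamp: datetime
    door: str
    reason: str
    severity: str
    badge: Optional[str] = None


def parse_event(line: str) -> dict:
    """Parse a constructed 'ISO-TIMESTAMP key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"timestamp": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_after_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() in WEEKEND or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect_alerts(lines) -> List[Alert]:
    """Apply the two rules from the operational note: tamper events and after-hours entry."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_event(line)
        ts, door, kind = ev["timestamp"], ev.get("door", "?"), ev.get("event", "?")
        if kind in TAMPER_EVENTS:
            # Forced or held-open doors are escalated regardless of time of day.
            alerts.append(Alert(ts, door, f"{kind}: possible forced entry or tailgating", "high"))
        elif kind == "ACCESS_GRANTED" and is_after_hours(ts):
            # A valid badge used outside business hours still warrants a check by the monitoring team.
            alerts.append(Alert(ts, door, "entry outside business hours", "medium", ev.get("badge")))
    return alerts


# Constructed sample export; 2026-03-18 is a Wednesday, 2026-03-21 a Saturday.
SAMPLE_LOG = """
2026-03-18T08:12:05 door=FRONT-ENTRANCE event=ACCESS_GRANTED badge=B1023
2026-03-18T12:00:00 door=FRONT-ENTRANCE event=DOOR_HELD_OPEN
2026-03-18T12:30:00 door=FRONT-ENTRANCE event=ACCESS_DENIED badge=B9999
2026-03-18T22:41:30 door=SERVER-ROOM event=ACCESS_GRANTED badge=B0447
2026-03-18T22:43:02 door=SERVER-ROOM event=DOOR_FORCED
2026-03-21T10:05:00 door=LOADING-BAY event=ACCESS_GRANTED badge=B0210
"""

if __name__ == "__main__":
    for a in detect_alerts(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity.upper()}] {a.timestamp} {a.door}: {a.reason}"
              + (f" (badge {a.badge})" if a.badge else ""))
```

Each alert carries the door and, for after-hours entries, the badge used, which is what the responder needs to cross-check against the CCTV feed and the staff roster; a denied badge swipe during business hours is deliberately not alerted here, since the note only calls for after-hours entry and door-forced events.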
Implementation tips
- The office manager should arrange for the installation of surveillance systems like CCTV and alarms. This involves reaching out to security companies to assess needs and install cameras and sensors at key access points such as entrances and windows.
- Security personnel should be tasked with regularly checking the functionality of monitoring equipment. They should test alarms and CCTV systems weekly to ensure they work correctly, and report any issues immediately for repair.
- The IT manager should secure access to surveillance data. They must set strong passwords and ensure only authorised personnel view video feeds, complying with the Privacy Act 1988 regarding personal information.
- Facilities management should review and update the monitoring plan annually or after significant changes. They should verify that all areas where sensitive activities occur, like server rooms, are covered, and make adjustments based on any operational changes.
- The compliance officer should ensure all surveillance practices align with local laws. They should consult guidance from the OAIC to maintain compliance with regulations on data use and retention, particularly concerning video footage.
Audit / evidence tips
- Ask for the surveillance system installation report
- Ask for maintenance logs of surveillance equipment
- Ask for the access control logs for surveillance data
- Ask for evidence of compliance with privacy regulations
- Ask for the monitoring plan and its review schedule
Cross-framework mappings
How Annex A 7.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| ISM-1053 | ISM-1053 requires classified servers, network devices and cryptographic equipment to be housed in secure rooms that meet security zone re... | |
| Supports (3) | | |
| ISM-1296 | ISM-1296 requires implementing physical security to protect network devices in public areas from unauthorised access and physical damage | |
| ISM-1973 | Annex A 7.4 requires premises to be continuously monitored to detect unauthorised physical access (e.g | |
| ISM-1974 | Annex A 7.4 requires continuous monitoring of premises to detect unauthorised physical access | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.