The purpose of this new ISO27001 control is to focus on implementing monitoring systems that detect and deter unauthorised physical access to critical areas of your business.  In Annex A Control A7.3 (Securing offices, rooms and facilities), you should implement security controls to protect specific areas, and in Annex A control A7.1 (Physical security perimeter), you must also comply with these requirements.

Increasingly, some of these controls include the use of security monitoring systems and services and therefore it makes perfect sense that this new control is to be addressed in ISO27001.

What does the standard require?

The standard states that “Premises shall be continuously monitored for unauthorised physical access.” (A7.4 – Physical Security Monitoring).

Note that the requirement is for premises to be continuously monitored. Therefore any controls you implement need to be fixed, or established for ongoing monitoring.

Why is this required?

To protect your personal property, and the assets you value (i.e. your family), you most likely have some form of physical security monitoring at home. Burglar alarms and smoke detectors are now common place, including door-bells which monitor who your visitors are.  Therefore, the idea that our work spaces should also be protected shouldn’t be alien to you.

We often leave our work spaces unattended for extended periods of time. Therefore having some form of early detection that something is going wrong or there is an issue will either protect our property or reduce the damage that an incident may cause.

If there is no security monitoring in place, you may not notice intruders or your response to an incident may be delayed. Without the use of CCTV, there may be a lack of evidence for post-incident investigation.

What the auditor is looking for

The auditor will be looking for evidence of some form of physical security monitoring which may include;

• Intruder Alarms

• Environmental Alarms and Alerts (e.g underfloor water detection)

• Smoke Alarms

• CCTV

• Security Guards (including contracts covering their roles and responsibilities)

• Fire alarm tests

• Fire drills (i.e. evacuation tests)

• Incident Response Plans (A5.26 - Response to information security incidents)

• Incident Investigation Processes (A5.28 - Collection of evidence)

• Audit reports

• Incident logs

The auditor will want to see evidence that where security monitoring is in place, that someone is monitoring these facilities. For example, do you have a team of people sat behind security screens, watching to see if anything is amiss? The auditor will want to know how monitoring takes place. Is it active, meaning it is being monitored at all times? Or is it passive, meaning it is simply being recorded, for later analysis should something happen?

What do you need to do?

Arrange a meeting with the person responsible for facilities and take a walk around your premises to assess what security systems and services are in place.  For example, do you have CCTV? Are there security guards?

Identify who manages any alarms or CCTV and seek to understand;

• What happens if an alarm or issue is raised?

• Who is notified?

• Is there a documented process?

• In the case of CCTV;

  • What coverage is provided?

  • Who controls or monitors the CCTV?

  • How long are recordings held for?

When designing security monitoring controls, keep in mind that controls will either be preventative, or detective. Meaning that the control will either prevent an incident occurring, or will detect if an incident has occurred. You could describe one as being proactive and the other as being reactive.

Also keep in mind that alarms can also include environmental issues, such as fire and floods. If you are at particular risk of flooding during winter, do you have someone who is monitoring local weather reports or river levels (if you are in a flood zone)? 

Document these controls and include them within your audit process.

Q & A

Is this a mandatory ISO27001 control?

No, no control is truly mandatory (although it would be difficult to see how you would implement security without some of the key ones).  If you are a completely remote business, working from home, then you might not have any form of physical security monitoring in place and therefore this control would not be applicable.

If you’re in a multi-tenanted building where any form of physical security monitoring is outside your control, you should still include this control, and ask the questions outlined above. 

Difficulty rating

We rate this a 2.5 out of 5 difficulty rating. This ISO27001 control isn’t difficult, but it requires that you speak to those in control of the physical aspects of your business.  You need to establish what is in place and identify any vulnerabilities and risks to your facilities. If you need to implement physical security monitoring solutions, you should identify controls that both prevent and detect issues. This can become more complex, but start simple and identify what you already have.

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”which is available on Amazon.