A.7.4 / PE-6 ISO/IEC 27001:2022 Annex A ISO 27001

A.7.4 — Is physical security monitored continuously (cameras, intrusion detection, alarms)? (NEW in 2022)

Description

What this control does

This control requires organizations to implement continuous monitoring of physical security perimeters and sensitive areas using cameras, intrusion detection systems, motion sensors, and alarm systems. Monitoring systems must operate 24/7, generate alerts for security events, and maintain logs of access attempts, breaches, and environmental anomalies. Continuous monitoring provides real-time detection of unauthorized physical access, vandalism, or environmental threats to facilities housing critical information systems and assets.

Control objective

What auditing this proves

Demonstrate that physical security monitoring systems operate continuously across all critical facilities, generate actionable alerts for security events, and maintain auditable records of detected incidents and system health.

Associated risks

Risks this control addresses

  • Unauthorized individuals gain physical access to server rooms or data centers without detection, enabling theft of equipment or data
  • Insider threats exploit gaps in monitoring coverage to access restricted areas during off-hours without triggering alarms
  • Equipment theft or sabotage occurs in areas with disabled or non-functional monitoring systems
  • Environmental hazards such as water leaks or temperature anomalies go undetected, causing equipment damage or data loss
  • Tailgating or piggybacking incidents remain undetected due to inadequate camera coverage or delayed review of footage
  • Monitoring system failures or gaps in coverage create blind spots exploited by attackers during reconnaissance
  • Delayed incident response due to failed alert mechanisms or lack of real-time monitoring personnel

Testing procedure

How an auditor verifies this control

  1. Obtain and review the physical security monitoring architecture documentation, including camera placements, intrusion detection sensor locations, and alarm system coverage maps for all facilities containing information systems.
  2. Inventory all active monitoring devices (cameras, motion sensors, door contacts, glass break detectors) and verify each device is operational and connected to the central monitoring system.
  3. Review monitoring system configurations to confirm 24/7 recording schedules, retention periods (minimum 90 days recommended), motion detection sensitivity settings, and alert thresholds.
  4. Select a representative sample of critical areas (server rooms, data centers, telecommunications closets, backup media storage) and physically verify camera angles provide unobstructed coverage of all entry points and sensitive equipment.
  5. Examine monitoring system logs for a 30-day period to verify continuous operation, identify any gaps in recording or sensor failures, and confirm automated health-check alerts are functioning.
  6. Review alert escalation procedures and test a sample of recent security alerts (intrusion attempts, door-forced-open events, after-hours access) to verify alerts were generated, routed to appropriate personnel, and documented with response actions.
  7. Interview security operations personnel or contracted monitoring service providers to confirm procedures for real-time alert review, incident response protocols, and periodic testing of alarm systems.
  8. Request evidence of periodic system testing (quarterly minimum) including simulated intrusion events, camera failure scenarios, and backup power failover tests with documented results.

Evidence required

  • Configuration exports from video management systems showing camera schedules, retention settings, and alert rules
  • Physical security monitoring logs spanning 30-90 days with timestamps, event types, and response actions
  • Floor plans annotated with camera coverage zones and sensor locations
  • Maintenance records and system health reports showing uptime metrics
  • Incident response tickets correlating detected events with security team actions
  • Test reports from quarterly alarm system drills and failover exercises

Pass criteria

All critical physical areas containing information systems have continuous monitoring coverage with functional cameras, intrusion detection, or alarm systems that operate 24/7, generate real-time alerts for security events, maintain logs for a minimum of 90 days, and demonstrate documented incident response to detected events within the past quarter.
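
One way to carry out the 30-day log review in step 5 is to compute recording gaps per device from a video management system export and compare the result against the device inventory. The script below is an added example, not part of the original control text; the CSV columns, device names, and 60-second tolerance are assumptions and the sample data is constructed.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample: recording segments exported from a video management system.
# The column names and device IDs are assumptions, not a real vendor format.
SAMPLE_EXPORT = """device_id,segment_start,segment_end
cam-server-room,2024-03-01T00:00:00,2024-03-12T08:00:00
cam-server-room,2024-03-12T07:59:30,2024-03-31T00:00:00
cam-loading-dock,2024-03-01T00:00:00,2024-03-09T22:15:00
cam-loading-dock,2024-03-10T03:40:00,2024-03-31T00:00:00
"""
INVENTORY = ["cam-server-room", "cam-loading-dock", "cam-telecom-closet"]

def find_gaps(export_text, inventory, window_start, window_end,
              tolerance=timedelta(seconds=60)):
    """Return {device_id: [(gap_start, gap_end), ...]} for the audit window."""
    segments = {dev: [] for dev in inventory}  # inventoried devices always appear
    for row in csv.DictReader(io.StringIO(export_text)):
        start = datetime.fromisoformat(row["segment_start"])
        end = datetime.fromisoformat(row["segment_end"])
        # Devices that record but are missing from the inventory are still reported.
        segments.setdefault(row["device_id"], []).append((start, end))
    gaps = {}
    for dev, segs in segments.items():
        cursor, dev_gaps = window_start, []
        for start, end in sorted(segs):
            if end <= window_start or start >= window_end:
                continue  # segment lies entirely outside the audit window
            start, end = max(start, window_start), min(end, window_end)
            if start - cursor > tolerance:
                dev_gaps.append((cursor, start))
            cursor = max(cursor, end)  # overlapping segments never move the cursor back
        if window_end - cursor > tolerance:
            dev_gaps.append((cursor, window_end))
        gaps[dev] = dev_gaps
    return gaps

def uptime_percent(dev_gaps, window_start, window_end):
    """Share of the window covered by recordings, for the uptime evidence."""
    missing = sum((e - s for s, e in dev_gaps), timedelta())
    return round(100 * (1 - missing / (window_end - window_start)), 2)

if __name__ == "__main__":
    w0, w1 = datetime(2024, 3, 1), datetime(2024, 3, 31)
    for dev, g in find_gaps(SAMPLE_EXPORT, INVENTORY, w0, w1).items():
        print(dev, uptime_percent(g, w0, w1), [(str(s), str(e)) for s, e in g])
```

A device that appears in the inventory but has no segments in the export is reported as one gap spanning the whole window, which is the case an auditor most needs surfaced.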