A.7.4 / PE-6 / CIS-14.6 ISO/IEC 27001:2022 Annex A

CCTV coverage of all entry points

Demonstrate that all physical entry points to facilities containing information assets are monitored by operational CCTV systems with adequate coverage, retention, and review processes.

Description

What this control does

This control requires the deployment of closed-circuit television (CCTV) cameras positioned to capture visual footage of all physical entry points to facilities housing information systems and sensitive data. Cameras must provide sufficient coverage, resolution, and lighting to identify individuals and detect unauthorized access attempts. This physical security measure establishes a detective control that complements preventive access controls and provides forensic evidence for security incident investigations.

Control objective

What auditing this proves

Demonstrate that all physical entry points to facilities containing information assets are monitored by operational CCTV systems with adequate coverage, retention, and review processes.

Associated risks

Risks this control addresses

  • Unauthorized individuals gain physical access to facilities without detection or visual record
  • Tailgating or piggybacking occurs at entry points without ability to identify perpetrators or victims
  • Physical security incidents lack forensic video evidence needed for investigation or prosecution
  • Insider threats exploit gaps in camera coverage to access restricted areas undetected
  • After-hours unauthorized access goes undetected due to inadequate monitoring or blind spots
  • Social engineering attacks at entry points succeed without visual documentation of the interaction
  • Compliance violations occur when physical access controls are circumvented without audit trail

Testing procedure

How an auditor verifies this control

  1. Obtain facility floor plans and identify all physical entry points including main entrances, emergency exits, loading docks, and secured zone access points
  2. Request the current CCTV camera inventory listing camera identifiers, locations, field of view specifications, and operational status
  3. Conduct a physical walkthrough of the facility to verify camera placement at each documented entry point
  4. Review camera field-of-view angles and test footage quality to confirm coverage captures faces and access badge interactions at standard entry distances
  5. Examine video retention policies and verify storage capacity meets documented retention requirements (typically 30-90 days)
  6. Select a sample of five entry point cameras and request recorded footage from the past 48 hours to verify operational functionality and image quality
  7. Review maintenance logs to confirm cameras undergo regular preventive maintenance and failures are remediated within defined timeframes
  8. Interview security personnel to verify procedures for monitoring live feeds and reviewing footage during incident investigations

Evidence required

CCTV camera inventory spreadsheet with locations mapped to entry points, facility floor plans annotated with camera positions and coverage zones, sample video footage files demonstrating resolution and coverage quality at each entry type, maintenance and incident logs showing camera uptime and repair history, video retention policy document, and interview notes from security operations personnel describing monitoring and review procedures.

Pass criteria

All documented physical entry points have operational CCTV cameras with verified coverage capturing clear facial images and access interactions, video footage is retained per policy requirements, and maintenance records demonstrate systems are actively monitored and maintained.
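
The desk-based part of steps 1, 2 and 5 can be run as a reconciliation before the walkthrough: every entry point from the floor plans should map to at least one operational camera whose oldest retrievable footage satisfies the retention policy. The sketch below is an added example, not part of the original control text; the record fields, the sample inventory and the 30-day retention value are constructed assumptions.

```python
from datetime import date

# Constructed sample data. Field names are assumptions, not a standard export format.
ENTRY_POINTS = ["main-entrance", "emergency-exit-east", "loading-dock", "server-room-door"]
INVENTORY = [
    {"camera_id": "CAM-01", "entry_point": "main-entrance",
     "status": "operational", "oldest_footage": date(2024, 4, 1)},
    {"camera_id": "CAM-02", "entry_point": "loading-dock",
     "status": "faulty", "oldest_footage": date(2024, 4, 1)},
    {"camera_id": "CAM-03", "entry_point": "server-room-door",
     "status": "operational", "oldest_footage": date(2024, 5, 20)},
    {"camera_id": "CAM-04", "entry_point": "roof-hatch",
     "status": "operational", "oldest_footage": date(2024, 4, 1)},
]

def audit_coverage(entry_points, inventory, today, retention_days=30):
    """Return (entry_point, issue) findings for the auditor to follow up on site."""
    by_entry = {}
    for cam in inventory:
        by_entry.setdefault(cam["entry_point"], []).append(cam)

    findings = []
    for ep in entry_points:
        cams = by_entry.get(ep, [])
        if not cams:
            findings.append((ep, "no camera mapped to this entry point"))
            continue
        working = [c for c in cams if c["status"] == "operational"]
        if not working:
            findings.append((ep, "cameras present but none operational"))
        for cam in working:
            held = (today - cam["oldest_footage"]).days
            if held < retention_days:
                findings.append((ep, f"{cam['camera_id']} holds {held} days of "
                                     f"footage, policy requires {retention_days}"))
    # A camera pointing at an entry point absent from the floor-plan list
    # suggests the list from step 1 is incomplete.
    for ep in sorted(set(by_entry) - set(entry_points)):
        findings.append((ep, "in camera inventory but missing from entry point list"))
    return findings

if __name__ == "__main__":
    for entry_point, issue in audit_coverage(ENTRY_POINTS, INVENTORY, date(2024, 6, 1)):
        print(f"{entry_point}: {issue}")
```

A short retention figure on a recently installed camera is expected, so each finding is a prompt for the walkthrough and footage sample rather than a conclusion.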
