A.7.4 Physical Security Monitoring
What is A.7.4 Physical Security Monitoring?
ISO 27001:2022 Annex A 7.4 requires organisations to monitor physical areas and the physical location of digital access to detect and deter unauthorised access. For cloud-native organisations, this is achieved through a hybrid monitoring model: Facility Monitoring (leveraging surveillance infrastructure of serviced office providers and cloud data centres), Asset Monitoring (direct monitoring of Secure Zones via intruder alarms), and Digital-Physical Monitoring (using Microsoft Entra Identity Protection and SIEM to detect location anomalies such as Impossible Travel that indicate physical or logical perimeter compromise). This control recognises that “physical access” is often a precursor to “digital access” and correlates physical and digital events accordingly.
How to implement A.7.4 in Microsoft 365
Implementing ISO 27001:2022 A.7.4 involves establishing a hybrid monitoring model. For Cloud Facilities, rely on Microsoft’s 24/7 CCTV and biometric monitoring validated via SOC 2 reporting. For Head Office building-level monitoring, maintain a right-to-audit clause with the serviced office provider for perimeter CCTV, main entrance logging, and out-of-hours security patrols.
For Internal Secure Zones, arm the office with intruder alarm systems out of hours, test alarms quarterly, and ensure equipment storage does not obstruct motion sensor fields. For Digital-Physical Monitoring, configure Microsoft Entra Identity Protection to trigger high-severity alerts for Impossible Travel, enable unified audit logging to capture the who/where/when of access, and configure FortiGate to log to a remote collector (Sentinel/FortiAnalyzer) to prevent intruders from hiding their tracks.
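As an added illustration of the Impossible Travel logic that Identity Protection applies (example code written for this page, not Microsoft's implementation or anything from the original), the following computes the speed implied by each user's consecutive sign-ins over constructed sample events and raises a high-severity alert when that speed exceeds a plausible travel speed; the events, field names and the 900 km/h threshold are assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real Entra sign-in data):
# who signed in, when (UTC), and where the source IP was geolocated.
SIGN_INS = [
    {"user": "alice", "time": "2024-05-01T08:00:00+00:00", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "time": "2024-05-01T08:45:00+00:00", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "time": "2024-05-01T09:00:00+00:00", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "time": "2024-05-01T18:00:00+00:00", "lat": 48.8566, "lon": 2.3522},
]

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than an airliner cannot be legitimate travel.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive sign-ins; alert when the implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two sign-ins at the same instant from different places are still impossible travel.
            if hours == 0:
                speed = math.inf if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append({"user": user, "severity": "high", "distance_km": round(dist, 1),
                               "hours": round(hours, 2), "speed_kmh": round(speed, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SIGN_INS):
        print(alert)
```

In a real deployment the geolocated coordinates come from the sign-in log's IP enrichment, and the alert would be forwarded to the SIEM for correlation with physical access events.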
What an auditor checks for A.7.4
- Auditors will verify that Microsoft Entra Identity Protection has Impossible Travel risk detection enabled with appropriate alert severity.
- They will check that unified audit logging is enabled to capture digital footprints of user access.
- Auditors will request physical alarm maintenance records confirming quarterly testing by facilities management or security contractors.
- They will verify the right-to-audit clause exists with the serviced office provider for CCTV footage access during incidents.
- Auditors will review FortiGate configuration confirming local logging is enabled and forwarded to a remote collector.
- They will cross-reference with A.7.1-A.7.3 evidence for perimeter, entry, and facility controls to ensure complete physical security coverage.
What your auditor expects for A.7.4
- Control: A.7.4 (Physical security monitoring)
- ISMS Sections: 3-5
- Related Controls: A.7.1 (Physical security perimeters), A.7.2 (Physical entry), A.7.3 (Securing offices)
- Shows: Identity Protection risk policies for Impossible Travel detection, unified audit log configuration, physical alarm testing records, serviced office monitoring verification, FortiGate remote logging configuration
- Audit: Validates hybrid monitoring model through digital-physical correlation capabilities and manual verification of physical monitoring infrastructure
Related controls
- [A.7.1 (Physical security perimeters)](/controls/a-7-1 (physical security perimeters)/)
- [A.7.2 (Physical entry)](/controls/a-7-2 (physical entry)/)
- [A.7.3 (Securing offices, rooms and facilities)](/controls/a-7-3 (securing offices, rooms and facilities)/)
- [A.8.16 (Monitoring activities)](/controls/a-8-16 (monitoring activities)/)
M365 capabilities that implement this control
Microsoft-managed physical access controls for datacentres including monitoring, intrusion detection, and access logging