Unauthorised access to restricted physical areas such as server rooms and IT equipment rooms can result in loss of confidentiality, availability, integrity, and security of information assets.
Control 7.4 deals with the implementation of appropriate surveillance systems to prevent unauthorised access by intruders to sensitive physical premises.
Control 7.4 is a new type of control that requires organisations to detect and prevent external and internal intruders who enter into restricted physical areas without permission by putting in place suitable surveillance tools.
These surveillance tools constantly monitor and record access-restricted areas and protect organisation against risks that may arise as a result of unauthorised access, including but not limited to:
Control 7.4 is detective and preventive in nature. It enables organisations to maintain the integrity, confidentiality, availability, and security of sensitive data and critical information assets by continuously monitoring access to restricted premises.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive #Detective | #Confidentiality #Integrity #Availability | #Protect #Detect | #Physical Security | #Protection #Defence |
Compliance with Control 7.4 requires identification of all restricted areas and the determination of surveillance tools appropriate to the relevant physical area.
Therefore, chief security officers should be accountable for the proper implementation, maintenance, management, and review of surveillance systems.
Control 7.4 requires organisations to implement these three steps to detect and deter unauthorised access to facilities that host critical information assets:
Organisations should have a video surveillance system, one example being a CCTV camera, in place to continuously monitor access to restricted areas which hosts critical information assets. Furthermore, this surveillance system should keep a record of all entries into the physical premises.
Trigger an alarm when an intruder accesses physical premises enables the security team to respond quickly to security breaches. Furthermore, it can also be effective at deterring the intruder.
Organisations should use motion, sound, and contact detectors that set off an alarm when an unusual activity within the physical premises is detected.
In particular:
The third compliance step requires the configuration of the alarm system to ensure that all sensitive areas, including all external doors, windows, unoccupied areas and computer rooms are within the range of the alarm system so that there is no vulnerability that can be exploited.
For example, if premises such as smoking areas or even gym entrances are not surveilled, these may be used as attack vectors by intruders.
Our recent success achieving ISO 27001, 27017 & 27018 certification was in large part down to ISMS.online.
While Control 7.4 does not state that organisations must choose and implement a specific surveillance system over other alternatives, it lists a range of surveillance tools that can be used separately or in combination with others:
Control 7.4 highlights that organisations should take into account the following when implementing physical security monitoring systems:
Control 7.4 is a new control that was not addressed in ISO 27002:2013 in any capacity.
The ISMS.online platform provides a range of powerful tools that simplify the way you can document, implement, maintain and improve your information security management system (ISMS) and achieve compliance with ISO 27002.
The comprehensive package of tools gives you one central place where you can create a bespoke set of policies and procedures that align with your organisation’s specific risks and needs. It also allows for collaboration between colleagues as well as external partners such as suppliers or third party auditors.
Get in touch today to book a demo.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
