Purpose of Control 7.4
Control 7.4 is a new type of control that requires organisations to detect and prevent external and internal intruders who enter into restricted physical areas without permission by putting in place suitable surveillance tools.
These surveillance tools constantly monitor and record access-restricted areas and protect organisation against risks that may arise as a result of unauthorised access, including but not limited to:
- Theft of sensitive data.
- Loss of information assets.
- Financial damage.
- Theft of removable media assets for malicious use.
- Infection of IT assets with a malware.
- Ransomware attacks that may be carried out by an intruder.
Attributes Table of Controls 7.4
Control 7.4 is detective and preventive in nature. It enables organisations to maintain the integrity, confidentiality, availability, and security of sensitive data and critical information assets by continuously monitoring access to restricted premises.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Protect | #Physical Security | #Protection |
| #Detective | #Integrity | #Detect | #Defence | |
| #Availability |
Ownership of Control 7.4
Compliance with Control 7.4 requires identification of all restricted areas and the determination of surveillance tools appropriate to the relevant physical area.
Therefore, chief security officers should be accountable for the proper implementation, maintenance, management, and review of surveillance systems.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
General Guidance on How to Comply
Control 7.4 requires organisations to implement these three steps to detect and deter unauthorised access to facilities that host critical information assets:
- Step 1: Put in place a video monitoring system
Organisations should have a video surveillance system, one example being a CCTV camera, in place to continuously monitor access to restricted areas which hosts critical information assets. Furthermore, this surveillance system should keep a record of all entries into the physical premises.
- Step 2: Install detectors to set off an alarm
Trigger an alarm when an intruder accesses physical premises enables the security team to respond quickly to security breaches. Furthermore, it can also be effective at deterring the intruder.
Organisations should use motion, sound, and contact detectors that set off an alarm when an unusual activity within the physical premises is detected.
In particular:
- A contact detector should be installed and it should set off an alarm when an unknown object/individual gets in contact with an object or breaks contact with an object. For example, a contact detector can be configured to trigger an alarm when a window or a door is contacted with.
- Motion detectors can be programmed to start an alarm when the movement of an object is detected within their range of view.
- Sound detectors such as break glass detectors can be activated when a sound is detected.
- Step 3: Configuration of alarms to protect all internal premises
The third compliance step requires the configuration of the alarm system to ensure that all sensitive areas, including all external doors, windows, unoccupied areas and computer rooms are within the range of the alarm system so that there is no vulnerability that can be exploited.
For example, if premises such as smoking areas or even gym entrances are not surveilled, these may be used as attack vectors by intruders.
Types of Surveillance Systems
While Control 7.4 does not state that organisations must choose and implement a specific surveillance system over other alternatives, it lists a range of surveillance tools that can be used separately or in combination with others:
- CCTV Cameras
- Security guards
- Security alarms for intruders
- Software tools for physical security management
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Supplementary Guidance on Control 7.4
Control 7.4 highlights that organisations should take into account the following when implementing physical security monitoring systems:
- The design and inner workings of the monitoring systems should be kept confidential.
- Appropriate measures should be implemented to prevent the disclosure of monitoring activities and video feeds to unauthorised parties and to eliminate the risk of remote disabling of the monitoring systems by malicious parties.
- The alarm control panels should be located in an alarmed zone and there must be a safe and easy exit way for the person who triggers the alarm.
- All detectors used and the alarm control panels used should be tamper proof.
- Monitoring and recording of individuals via surveillance systems, even when it is for legitimate purposes, should be in compliance with all applicable laws and regulations, particularly data protection laws. For example, the EU and UK GDPR may require organisations to carry out an impact assessment before the deployment of CCTV cameras. Furthermore, the recording of video feeds should adhere to the data retention periods set out by the applicable local laws.
Changes and Differences From ISO 27002:2013
Control 7.4 is a new control that was not addressed in ISO 27002:2013 in any capacity.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
The ISMS.online platform provides a range of powerful tools that simplify the way you can document, implement, maintain and improve your information security management system (ISMS) and achieve compliance with ISO 27002.
The comprehensive package of tools gives you one central place where you can create a bespoke set of policies and procedures that align with your organisation’s specific risks and needs. It also allows for collaboration between colleagues as well as external partners such as suppliers or third party auditors.
Get in touch today to book a demo.
