Background
----------

ISO/IEC 27002:2022 clause 7.4 indicates that "Premises should be continuously monitored for unauthorized physical access [in order] to detect and deter unauthorized physical access."

Policy statements
-----------------

1. Physical premises, especially those housing critical IT systems etc., should be monitored continuously by surveillance systems such as security guards, intruder alarms and CCTV coverage.
2. CCTV systems should record access to sensitive areas, whether inside or outside the premises.
3. Contact, sound or motion detectors should trigger intruder alarms.
4. Alarm systems should cover all external doors, accessible windows and unoccupied areas.
5. Since the design/specification, operation and output of physical security/monitoring systems and guarding arrangements are confidential, access should be restricted accordingly. However, an alarm system control panel should be located in an alarmed zone and should be readily accessible to responding workers or emergency services.
6. Alarm systems should be competently tested at planned intervals.

Notes
-----

This is a “skeleton” policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.