A.7.4 Physical Security Monitoring
What is this control?
ISO 27001:2022 Annex A 7.4 requires organisations to monitor physical areas and the physical location of digital access to detect and deter unauthorised access. For cloud-native organisations, this is achieved through a hybrid monitoring model: Facility Monitoring (leveraging surveillance infrastructure of serviced office providers and cloud data centres), Asset Monitoring (direct monitoring of Secure Zones via intruder alarms), and Digital-Physical Monitoring (using Microsoft Entra Identity Protection and SIEM to detect location anomalies such as Impossible Travel that indicate physical or logical perimeter compromise). This control recognises that “physical access” is often a precursor to “digital access” and correlates physical and digital events accordingly.
How to implement in Microsoft 365
Implementing ISO 27001:2022 A.7.4 involves establishing a hybrid monitoring model. For Cloud Facilities, rely on Microsoft’s 24/7 CCTV and biometric monitoring validated via SOC 2 reporting. For Head Office building-level monitoring, maintain a right-to-audit clause with the serviced office provider for perimeter CCTV, main entrance logging, and out-of-hours security patrols.
For Internal Secure Zones, arm the office with intruder alarm systems out of hours, test alarms quarterly, and ensure equipment storage does not obstruct motion sensor fields. For Digital-Physical Monitoring, configure Microsoft Entra Identity Protection to trigger high-severity alerts for Impossible Travel, enable unified audit logging to capture the who/where/when of access, and configure FortiGate to log to a remote collector (Sentinel/FortiAnalyzer) to prevent intruders from hiding their tracks.
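To show what the Impossible Travel detection referenced above actually flags, the following is an added example (not code from this page or from Microsoft) that computes the implied ground speed between consecutive sign-ins of the same user over a constructed set of sign-in records. The record fields, the cities and the 1000 km/h plausibility threshold are assumptions for the illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real Entra ID data): alice appears in
# London and then in Singapore 40 minutes later; bob's London-to-Paris trip
# over four hours is plausible.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00Z", "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "alice@example.com", "time": "2024-05-01T08:40:00Z", "lat": 1.3521, "lon": 103.8198, "city": "Singapore"},
    {"user": "bob@example.com", "time": "2024-05-01T09:00:00Z", "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "bob@example.com", "time": "2024-05-01T13:00:00Z", "lat": 48.8566, "lon": 2.3522, "city": "Paris"},
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for every pair of
    consecutive sign-ins by one user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            t0 = datetime.fromisoformat(prev["time"].replace("Z", "+00:00"))
            t1 = datetime.fromisoformat(cur["time"].replace("Z", "+00:00"))
            hours = (t1 - t0).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two locations at the same instant is also impossible travel.
            if hours == 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                findings.append((user, prev["city"], cur["city"], round(speed)))
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", f)
```

In practice the same logic runs over exported Entra sign-in logs in the SIEM; the product detection also weighs factors such as familiar locations and VPN egress, which this illustration omits.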
What an auditor looks for
Auditors will verify that Microsoft Entra Identity Protection has Impossible Travel risk detection enabled with appropriate alert severity. They will check that unified audit logging is enabled to capture digital footprints of user access. Auditors will request physical alarm maintenance records confirming quarterly testing by facilities management or security contractors.
They will verify the right-to-audit clause exists with the serviced office provider for CCTV footage access during incidents. Auditors will review FortiGate configuration confirming local logging is enabled and forwarded to a remote collector. They will cross-reference with A.7.1-A.7.3 evidence for perimeter, entry, and facility controls to ensure complete physical security coverage.
Related controls
- [A.7.1 (Physical security perimeters)](/controls/a-7-1 (physical security perimeters)/)
- [A.7.2 (Physical entry)](/controls/a-7-2 (physical entry)/)
- [A.7.3 (Securing offices, rooms and facilities)](/controls/a-7-3 (securing offices, rooms and facilities)/)
- [A.8.16 (Monitoring activities)](/controls/a-8-16 (monitoring activities)/)
M365 capabilities that implement this control
Microsoft-managed physical access controls for datacentres including monitoring, intrusion detection, and access logging