How to Implement ISO 27001 Annex A 7.11

Implementing ISO 27001 Annex A 7.11 Supporting Utilities is the process of protecting essential services like power and HVAC from failure. The Primary Implementation Requirement involves deploying redundant feeds and backup generators to ensure continuity, providing the Business Benefit of resilient information processing and minimised downtime.

ISO 27001 Annex A Supporting Utilities Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.11. This control ensures that supporting utilities such as electricity, water, and HVAC are protected from failure or interference to maintain the continuity of information processing facilities.

1. Map All Critical Utility Dependencies

Control Requirement: Identify all supporting utilities necessary for the operation of information processing facilities.
Required Implementation Step: Physically trace and document all utility entry points to the building, including electricity feeders, water mains, and telecommunications conduits. Create a “Utility Dependency Map” that shows which server racks or cooling units are served by which specific breaker panels or pipework.

Minimum Requirement: A technical diagram or spreadsheet listing every critical utility and its specific business impact if lost.

2. Install Uninterruptible Power Supply (UPS) Systems

Control Requirement: Provide protection against power failures.
Required Implementation Step: Deploy UPS hardware with sufficient capacity to maintain the load of all critical servers and network switches for at least 20 minutes. Configure the UPS to send an automated “low battery” signal to the OS to trigger a graceful shutdown of databases before the power is exhausted.

Minimum Requirement: Verified UPS capacity that exceeds the peak power draw of the server room.

3. Deploy Redundant Power Feeds

Control Requirement: Minimise the risk of single points of failure in power delivery.
Required Implementation Step: Use Power Distribution Units (PDUs) with dual power inputs (A and B feeds). Connect these to separate circuit breakers or, ideally, separate utility providers to ensure that a single tripped breaker doesn’t take down an entire rack of dual-power-supply servers.

Minimum Requirement: Photographic evidence of dual power cabling in the server racks.

4. Configure Backup Power Generators

Control Requirement: Maintain utility continuity during prolonged outages.
Required Implementation Step: Install an on-site diesel or gas generator with an Automatic Transfer Switch (ATS). Ensure the fuel tank is kept at least 75% full at all times and that you have a signed contract with a local fuel supplier for emergency priority delivery within 4 hours.

Minimum Requirement: A generator capable of running the entire IT load and cooling indefinitely with refuelling.

5. Implement Redundant HVAC (Cooling) Systems

Control Requirement: Protect information processing facilities from environmental failure (heat).
Required Implementation Step: Deploy cooling in an N+1 configuration. If one air conditioning unit fails, the remaining unit(s) must be physically capable of maintaining a temperature below 24°C under full server load without manual intervention.

Minimum Requirement: Technical specification of the cooling units proving N+1 redundancy.

6. Secure Utility Entry Points and Routing

Control Requirement: Protect utility lines from physical damage or interference.
Required Implementation Step: Enclose all external cabling and pipework in grounded steel conduit. Ensure that the primary power transformer and water shut-off valves are located within the secure perimeter or inside a locked, alarmed enclosure to prevent malicious sabotage.

Minimum Requirement: Physical inspection showing no exposed utility lines in public or unsecured areas.

7. Integrate Environmental Monitoring Alerts

Control Requirement: Detect utility failures in real time.
Required Implementation Step: Install networked sensors for temperature, humidity, and water leaks. Configure these to send SNMP or SMS alerts to the IT team immediately upon a threshold breach, rather than waiting for a dashboard to be manually checked.

Minimum Requirement: Active environmental sensors reporting to an automated alerting system.
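The alerting logic behind steps 2 and 7 (threshold checks on environmental sensors, and acting on the UPS “low battery” signal before the battery is exhausted) is easier to reason about in code. The following is an added illustration, not code from this article or from any monitoring product: the sensor names, the thresholds (the 24°C warning level mirrors the cooling target in step 5), the five-minute shutdown budget and the sample readings are all constructed, and the alert sink stands in for whatever SNMP trap or SMS gateway the site actually uses.

```python
"""Utility monitoring logic for Annex A 7.11 steps 2 and 7: evaluate
environmental sensor readings against thresholds and decide when a UPS
"on battery / low battery" state should trigger a graceful shutdown.

Added illustration, not code from the article or any product. Sensor
names, thresholds, the shutdown budget and the sample readings are
constructed; send_alerts() is a stand-in for an SNMP trap or SMS gateway.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed thresholds. The temperature warning level matches the 24 C
# ceiling the checklist sets for N+1 cooling.
THRESHOLDS = {
    "temperature_c": {"warn": 24.0, "critical": 27.0},
    "humidity_pct": {"warn": 60.0, "critical": 70.0},
}
SEVERITY_RANK = {"ok": 0, "warn": 1, "critical": 2}


@dataclass(frozen=True)
class Reading:
    sensor: str          # constructed id, e.g. "rack-a1"
    metric: str          # "temperature_c", "humidity_pct" or "water_leak"
    value: float         # for water_leak: 1.0 = contact closed (wet)


@dataclass(frozen=True)
class UpsStatus:
    on_battery: bool
    low_battery: bool    # the UPS's own "low battery" signal
    runtime_s: int       # UPS-estimated remaining runtime at current load


def classify(reading: Reading) -> str:
    """Return 'ok', 'warn' or 'critical' for one reading."""
    if reading.metric == "water_leak":
        return "critical" if reading.value >= 1.0 else "ok"
    limits = THRESHOLDS.get(reading.metric)
    if limits is None:
        raise ValueError(f"no threshold configured for {reading.metric}")
    if reading.value >= limits["critical"]:
        return "critical"
    if reading.value >= limits["warn"]:
        return "warn"
    return "ok"


def evaluate(readings: Iterable[Reading]) -> list[tuple[str, str]]:
    """Evaluate a batch of readings and return (severity, message) alerts,
    one per sensor/metric, keeping only the worst reading seen for each."""
    worst: dict[tuple[str, str], tuple[str, Reading]] = {}
    for r in readings:
        sev = classify(r)
        key = (r.sensor, r.metric)
        if key not in worst or SEVERITY_RANK[sev] > SEVERITY_RANK[worst[key][0]]:
            worst[key] = (sev, r)
    alerts = []
    for (sensor, metric), (sev, r) in sorted(worst.items()):
        if sev != "ok":
            alerts.append((sev, f"{sensor} {metric}={r.value} exceeds {sev} threshold"))
    return alerts


def shutdown_decision(ups: UpsStatus, shutdown_budget_s: int = 300) -> str:
    """Decide what the OS should do given the UPS state.

    'shutdown' is returned as soon as the UPS raises low-battery OR the
    estimated runtime no longer covers the time a graceful database
    shutdown needs (shutdown_budget_s, constructed as 5 minutes), so the
    shutdown starts before the battery is exhausted rather than at 0%.
    """
    if not ups.on_battery:
        return "run"
    if ups.low_battery or ups.runtime_s <= shutdown_budget_s:
        return "shutdown"
    return "on_battery"


def send_alerts(alerts: list[tuple[str, str]]) -> list[str]:
    """Stand-in for the SNMP trap / SMS sender: formats and returns lines."""
    return [f"ALERT[{sev.upper()}] {msg}" for sev, msg in alerts]


# Constructed sample batch: one rack runs hot, another has a wet floor sensor.
SAMPLE_READINGS = [
    Reading("rack-a1", "temperature_c", 22.5),
    Reading("rack-a1", "temperature_c", 25.1),
    Reading("rack-b2", "humidity_pct", 48.0),
    Reading("rack-b2", "water_leak", 1.0),
]

if __name__ == "__main__":
    for line in send_alerts(evaluate(SAMPLE_READINGS)):
        print(line)
    print(shutdown_decision(UpsStatus(on_battery=True, low_battery=False, runtime_s=240)))
```

Two design points matter for the audit evidence in steps 2 and 7. First, the shutdown decision does not wait for the battery to hit zero: it fires on the UPS's own low-battery signal or when the estimated runtime drops below the time a clean database stop needs, which is what "before the power is exhausted" means in practice. Second, alerts are generated per sensor from the worst reading in a batch, so a single hot rack or a single wet floor sensor raises exactly one actionable message rather than relying on someone reading a dashboard.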

8. Conduct Monthly Load Bank and ATS Testing

Control Requirement: Regularly test the effectiveness of backup utilities.
Required Implementation Step: Perform a monthly “pull the plug” test where you manually trigger the ATS to move the load to the generator. Run the generator under load for at least 60 minutes to verify that the cooling and power remain stable and no breakers trip.

Minimum Requirement: A signed logbook of monthly successful generator and ATS failover tests.

9. Schedule Preventive Utility Maintenance

Control Requirement: Ensure utilities are maintained according to manufacturer specifications.
Required Implementation Step: Contract a certified engineer to service the UPS batteries, generator, and HVAC systems at least twice a year. Retain the physical service reports as evidence, ensuring they note the specific health of batteries and filters.

Minimum Requirement: Current maintenance certificates for all critical supporting infrastructure.

10. Establish Emergency Shut-off Procedures

Control Requirement: Provide the ability to isolate utilities in an emergency.
Required Implementation Step: Clearly label every emergency power-off (EPO) button and water shut-off valve. Create a physical “Emergency Utility Manual” and place it in a red box by the server room door so that any staff member can isolate the equipment in the event of a fire or flood.

Minimum Requirement: Visible, labelled isolation points and a documented emergency procedure.

ISO 27001 Annex A 7.11 SaaS / GRC Platform Implementation Failure Checklist

| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Power Redundancy | Checking a box saying “Dual power is implemented.” | Are the two cables plugged into the same extension lead? SaaS tools don’t see the physical wiring errors that cause outages. |
| UPS Health | Recording the purchase date of the UPS. | UPS batteries degrade every year. A GRC tool won’t tell you the battery has swelled or leaked; only a physical inspection does. |
| Cooling Integrity | Uploading a PDF of the AC maintenance contract. | The contract doesn’t stop the server room from melting at 2 AM. You need real-time temperature sensors with hard-wired alerts. |
| Generator Testing | Marking a “Task” as complete every month. | Did the generator actually start under load? GRC tasks are often “pencil-whipped” by staff who never actually leave their desks. |
| Fuel Management | Stating that “Refuelling is managed.” | If your diesel has “algae” or the tank is empty during an outage, the GRC dashboard will still look green while your servers are off. |
| Utility Protection | Assuming the landlord is responsible for security. | If your external internet cables are in an unlocked box on the street, anyone with snips can bypass your “ISO 27001 Certified” SaaS. |
| Emergency Isolation | Hosting the “Emergency Manual” in the Cloud. | If the internet is down and the power is off, can you access the Cloud manual? You need a physical copy by the server room door. |

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
