How to Implement ISO 27001 Annex A 7.13

Implementing ISO 27001 Annex A 7.13 Equipment Maintenance is the technical process of ensuring hardware reliability through documented service schedules. The primary implementation requirement is strict adherence to manufacturer specifications combined with proactive testing; the business benefit is sustained information availability, longer hardware life, and minimised downtime.

ISO 27001 Annex A Equipment Maintenance Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.13. This control requires that all information processing equipment is correctly maintained to ensure its continued availability and integrity, moving beyond mere manufacturer warranties to proactive, documented technical upkeep.

1. Create a Master Maintenance Asset Register

Control Requirement: Maintain a complete list of all assets requiring periodic maintenance. Required Implementation Step: Open your asset management database and filter for physical hardware, including servers, UPS units, HVAC systems, and fire suppression cylinders. Assign a “Maintenance Owner” to each category and document the required service frequency (e.g. quarterly, annually) based on the technical manuals rather than guesswork.

Minimum Requirement: A centralised register listing every piece of critical infrastructure and its next scheduled service date.

2. Review Manufacturer Specifications for Baseline Schedules

Control Requirement: Maintenance must be carried out according to the supplier’s recommended service intervals. Required Implementation Step: Download the technical data sheets for your core infrastructure (e.g. Dell PowerEdge servers, APC UPS, Mitsubishi HVAC). Transcribe the recommended “preventative maintenance” actions into your internal maintenance plan to ensure you aren’t under-servicing critical components.

Minimum Requirement: Documented maintenance intervals that match or exceed the manufacturer’s official specifications.

3. Implement a Permit-to-Work System for On-Site Engineers

Control Requirement: Only authorised personnel should carry out maintenance. Required Implementation Step: Establish a physical “Permit to Work” form. Before any external engineer touches a server rack or a cooling unit, they must provide proof of identity, sign the permit, and be physically escorted by an internal staff member; do not grant unescorted access to server rooms for “routine” visits.

Minimum Requirement: A signed log of “Permits to Work” for every external maintenance visit over the last 12 months.

4. Execute Quarterly UPS Battery Impedance Testing

Control Requirement: Supporting utilities and equipment must be tested to confirm they remain operational. Required Implementation Step: Manually test the health of UPS batteries using an impedance tester. Do not rely on the “Green Light” on the front of the unit; batteries can fail under load even when the software reports them as healthy. Document the voltage and resistance readings for every individual cell.

Minimum Requirement: Quarterly technical reports showing individual battery cell health for all critical UPS systems.

5. Conduct Semi-Annual HVAC Deep Cleaning and Calibration

Control Requirement: Environmental controls must be maintained to prevent equipment failure. Required Implementation Step: Schedule a certified technician to clean condenser coils, replace filters, and check refrigerant levels in the server room cooling units. Verify that the thermostats are calibrated against a known-good handheld thermometer to ensure the room isn’t actually hotter than the system reports.

Minimum Requirement: Service records from an F-Gas certified engineer confirming cooling system integrity.

6. Verify Off-Site Maintenance Security Protocols

Control Requirement: Equipment sent off-site for maintenance must be protected. Required Implementation Step: If a server or storage array must leave the building for repair, physically remove all hard drives/SSDs first. If the media cannot be removed, use a certified courier and obtain a written “Data Protection Guarantee” from the repair facility; even so, physical removal remains the only secure option.

Minimum Requirement: A signed “Media Removal Log” for every asset that left the premises for repair.

7. Document Post-Maintenance Functional Testing

Control Requirement: Equipment must be tested before being put back into production. Required Implementation Step: Create a “Return to Service” checklist. After any maintenance, an internal engineer must verify that the equipment operates as expected (e.g. failover works, logs are being generated) before the maintenance ticket is closed. Never assume a “fix” didn’t break a security configuration.

Minimum Requirement: Evidence of functional test results appended to maintenance logs.

8. Establish an Emergency Spares Inventory

Control Requirement: Maintain the availability of equipment through the provision of spare parts. Required Implementation Step: Identify “High-Failure” items like power supplies (PSUs), fans, and drive controllers. Physically store a pre-tested “Critical Spares Kit” in a locked cupboard on-site so that a component failure doesn’t result in prolonged downtime while waiting for a delivery.

Minimum Requirement: A physical inventory check of on-site critical spare parts conducted every six months.

9. Review Maintenance Logs for Trend Analysis

Control Requirement: Records of all suspected or actual faults and of all preventive and corrective maintenance must be kept. Required Implementation Step: Conduct an annual review of all maintenance tickets. If a specific HVAC unit or server model is failing more frequently than the others, document a “Root Cause Analysis” and initiate a replacement project. Use real failure data to justify hardware refresh budgets.

Minimum Requirement: An annual summary report for management detailing infrastructure reliability and “Mean Time Between Failures” (MTBF).
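The trend analysis in step 9 can be run directly over the fault-ticket records the control requires you to keep. The following is an added example, not code from the original page or the author's toolkit; the asset register, ticket records and the 200-day threshold are constructed sample data, and MTBF is approximated as (units of a model × review period in days) ÷ faults logged for that model.

```python
from collections import defaultdict
from datetime import date

# Constructed asset register: asset id -> hardware model (vendors as named on the page).
REGISTER = {
    "srv-01": "Dell PowerEdge",
    "srv-02": "Dell PowerEdge",
    "hvac-a": "Mitsubishi HVAC",
    "hvac-b": "Mitsubishi HVAC",
    "ups-01": "APC UPS",
}

# Constructed fault tickets for the review year: (asset id, date the fault was logged).
TICKETS = [
    ("srv-01", date(2024, 1, 10)), ("srv-01", date(2024, 7, 2)),
    ("srv-02", date(2024, 3, 15)),
    ("hvac-a", date(2024, 1, 5)), ("hvac-a", date(2024, 2, 20)),
    ("hvac-a", date(2024, 4, 1)), ("hvac-a", date(2024, 5, 9)),
    ("ups-01", date(2024, 6, 1)),
]


def fault_counts_by_asset(tickets, start, end):
    """Faults per individual asset inside the review window (finds the one bad unit)."""
    counts = defaultdict(int)
    for asset, logged in tickets:
        if start <= logged <= end:
            counts[asset] += 1
    return dict(counts)


def mtbf_by_model(register, tickets, start, end):
    """Approximate MTBF in days per model over the review window.
    Tickets for assets missing from the register are counted under
    'UNREGISTERED' so a register gap shows up as a finding, not silently."""
    period_days = (end - start).days
    units, faults = defaultdict(int), defaultdict(int)
    for model in register.values():
        units[model] += 1
    for asset, logged in tickets:
        if start <= logged <= end:
            faults[register.get(asset, "UNREGISTERED")] += 1
    return {m: (units[m] * period_days / faults[m]) if faults[m] else float("inf")
            for m in set(units) | set(faults)}


def flag_for_root_cause(mtbf, threshold_days):
    """Models whose MTBF falls below the agreed threshold, i.e. RCA candidates."""
    return sorted(m for m, v in mtbf.items() if v < threshold_days)


if __name__ == "__main__":
    mtbf = mtbf_by_model(REGISTER, TICKETS, date(2024, 1, 1), date(2024, 12, 31))
    print(mtbf, flag_for_root_cause(mtbf, 200))
```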

10. Audit Supplier Service Level Agreements (SLAs)

Control Requirement: Maintenance by third parties must meet organisational security requirements. Required Implementation Step: Review your maintenance contracts for 4-hour or Next-Business-Day responses. Test these SLAs by raising a “low priority” simulated fault ticket and measuring the actual response time. If the supplier fails to meet the SLA, issue a formal complaint and seek a more reliable provider.

Minimum Requirement: Evidence of “SLA Stress Testing” conducted at least once per year.

ISO 27001 Annex A 7.13 SaaS / GRC Platform Implementation Failure Checklist

Analysis of why GRC platforms fail to ensure physical equipment maintenance. Each row gives the Control Requirement, the “Checkbox Compliance” Trap, and the Reality Check.

Preventative Maintenance. The Trap: ticking “Compliant” because a contract exists with a vendor. The Reality Check: a contract doesn’t clean a dust-clogged server fan. If the physical work isn’t done, the equipment will fail regardless of the dashboard status.

Maintenance Logs. The Trap: uploading a single PDF of a “Maintenance Policy”. The Reality Check: auditors don’t want policies; they want the dated service records for Server #4. GRC tools often lack the granular asset-level history.

On-Site Supervision. The Trap: marking a task “Engineer Visited” in the portal. The Reality Check: did anyone watch them? Unsupervised engineers are a massive insider threat. Physical escort logs are the only real evidence here.

UPS Reliability. The Trap: assuming the UPS is fine because the dashboard says “Online”. The Reality Check: UPS software frequently fails to detect “dry” capacitors or high-impedance battery cells. Only a manual load-bank test provides truth.

Off-Site Repairs. The Trap: sending a laptop to a shop without removing the SSD. The Reality Check: the GRC tool tracks the “Repair Ticket”, but it doesn’t stop the technician from cloning your data. Physical media removal is the control.

SLA Verification. The Trap: stating “We have 4-hour support” in the risk register. The Reality Check: when was the last time you tested that? Many vendors over-promise and under-deliver; if you don’t audit them, the control is a fantasy.

Spare Parts. The Trap: recording “Spares are available” in a spreadsheet. The Reality Check: are the spares actually in the cupboard? Only a physical “Show me the part” audit proves availability for Annex A 7.13.

About the author

Stuart Barker
MSc Security | Lead Auditor | 30+ Years Exp | Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
