
How to Implement ISO 27001 Annex A 7.13 Equipment Maintenance

In this ultimate how-to guide to implementing ISO 27001 Annex A 7.13 Equipment Maintenance, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 7.13 Equipment Maintenance is the technical process of ensuring hardware reliability through documented service schedules. The primary implementation requirement is strict adherence to manufacturer specifications combined with proactive testing; the business benefit is sustained information availability, longer hardware life, and minimised downtime.

ISO 27001 Annex A Equipment Maintenance Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.13. This control requires that all information processing equipment is correctly maintained to ensure its continued availability and integrity, moving beyond mere manufacturer warranties to proactive, documented technical upkeep.

1. Create a Master Maintenance Asset Register

Control Requirement: Maintain a complete list of all assets requiring periodic maintenance.

Required Implementation Step: Open your asset management database and filter for physical hardware, including servers, UPS units, HVAC systems, and fire suppression cylinders. Assign a “Maintenance Owner” to each category and document the required service frequency (e.g. quarterly, annually) based on the technical manuals rather than guesswork.

Minimum Requirement: A centralised register listing every piece of critical infrastructure and its next scheduled service date.

2. Review Manufacturer Specifications for Baseline Schedules

Control Requirement: Maintenance must be carried out according to the supplier’s recommended service intervals.

Required Implementation Step: Download the technical data sheets for your core infrastructure (e.g. Dell PowerEdge servers, APC UPS, Mitsubishi HVAC). Transcribe the recommended “preventative maintenance” actions into your internal maintenance plan to ensure you aren’t under-servicing critical components.

Minimum Requirement: Documented maintenance intervals that match or exceed the manufacturer’s official specifications.

3. Implement a Permit-to-Work System for On-Site Engineers

Control Requirement: Only authorised personnel should carry out maintenance.

Required Implementation Step: Establish a physical “Permit to Work” form. Before any external engineer touches a server rack or a cooling unit, they must provide proof of identity, sign the permit, and be physically escorted by an internal staff member; do not grant unescorted access to server rooms for “routine” visits.

Minimum Requirement: A signed log of “Permits to Work” for every external maintenance visit over the last 12 months.
