ISO 27001 Annex A 7.11 Audit Checklist

Auditing ISO 27001 Annex A 7.11 Supporting Utilities is a rigorous technical evaluation of the infrastructure providing electricity, telecommunications, and environmental controls to information processing facilities. The primary implementation requirement is ensuring redundant supply paths and functional failover systems; the business benefit is operational resilience and protection against data loss.

ISO 27001 Annex A 7.11 Supporting Utilities Audit Checklist

This technical verification tool is designed for lead auditors to establish the resilience of infrastructure supporting the ISMS. Use this checklist to validate compliance with ISO 27001 Annex A 7.11.

1. Supporting Utilities Inventory and Mapping Verified

Verification Criteria: All utilities required for the operation of information processing facilities (electricity, water, gas, HVAC, telecommunications) are identified and documented.

Required Evidence: Facilities Management Asset Register or Site Infrastructure Map identifying utility entry points and distribution paths.

Pass/Fail Test: If the organisation cannot identify which utilities are critical to its ISMS operations or where their shut-off points are located, mark as Non-Compliant.

2. Redundancy for Critical Utilities Confirmed

Verification Criteria: Critical information processing facilities have redundant utility supplies (e.g. dual power feeds, multiple telecommunication providers) to prevent single points of failure.

Required Evidence: Service provider contracts showing diverse routing or physical sighting of secondary utility feeds.

Pass/Fail Test: If a single utility failure (e.g. one power line cut) results in a total ISMS shutdown without automated failover, mark as Non-Compliant.

3. Uninterruptible Power Supply (UPS) Functionality Validated

Verification Criteria: UPS systems are active, sized appropriately to support the critical load, and configured to trigger graceful shutdowns or bridge to a generator.

Required Evidence: UPS load capacity reports and battery health diagnostic logs from the current audit quarter.

Pass/Fail Test: If the UPS battery health is reported as ‘Poor’ or if the system cannot support the load for at least 15 minutes, mark as Non-Compliant.

4. Backup Generator Operational Readiness Verified

Verification Criteria: On-site secondary power generators are present, fuelled, and integrated with an Automatic Transfer Switch (ATS).

Required Evidence: Fuel level monitoring logs and generator maintenance certificates showing successful monthly “no-load” and quarterly “load-bank” tests.

Pass/Fail Test: If the generator fails to start during a simulated mains failure or if fuel levels are below the required threshold for 24-hour operation, mark as Non-Compliant.

5. HVAC Environmental Control Integrity Confirmed

Verification Criteria: Heating, Ventilation, and Air Conditioning (HVAC) systems maintain temperature and humidity within manufacturer specifications for the equipment housed.

Required Evidence: Historic temperature and humidity logs from the server room environmental monitoring system (e.g. NetBotz).

Pass/Fail Test: If temperature logs show consistent spikes above 27°C without a corresponding incident report and investigation, mark as Non-Compliant.

6. Telecommunications Path Diversity Validated

Verification Criteria: Telecommunications cabling and internet connectivity enter the building at geographically diverse points to prevent accidental severing of all communication.

Required Evidence: Site drawings showing physical entry points for different carriers (e.g. North and South entry).

Pass/Fail Test: If all fibre and copper lines enter through the same conduit or trench, mark as Non-Compliant.

7. Utility Infrastructure Physical Protection Verified

Verification Criteria: Utility distribution points (UPS rooms, generator yards, telecommunication racks) are physically secured to the same level as the secure offices they support.

Required Evidence: Physical sighting of locked enclosures, fences, or restricted access control (badge readers) on utility rooms.

Pass/Fail Test: If an external backup generator or HVAC unit is accessible to the public without a protective barrier, mark as Non-Compliant.

8. Emergency Power-Off (EPO) Controls Confirmed

Verification Criteria: Emergency power-off switches are installed in designated locations, protected against accidental activation, and clearly labelled.

Required Evidence: Physical sighting of EPO switches with protective covers and inclusion of EPO testing in annual maintenance logs.

Pass/Fail Test: If EPO switches lack protective covers or are located in public-access areas where they can be maliciously activated, mark as Non-Compliant.

9. Utility Maintenance and Service Record Integrity Verified

Verification Criteria: Supporting utilities undergo regular preventive maintenance as specified by the manufacturer or facilities standards.

Required Evidence: Signed service logs for HVAC, Fire Suppression, and Electrical switchgear for the current 12-month period.

Pass/Fail Test: If critical utility maintenance is overdue by more than 30 days without a documented extension or risk assessment, mark as Non-Compliant.

10. Utility Monitoring and Alerting Integration Confirmed

Verification Criteria: Utility failures (e.g. mains power loss, HVAC failure) are integrated into the central security or facilities monitoring system for immediate alerting.

Required Evidence: Notification logs showing alerts sent to responders (SMS/Email) during a simulated or actual utility event.

Pass/Fail Test: If an HVAC unit fails and no alert is sent to the IT or Facilities team until equipment begins to overheat, mark as Non-Compliant.
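Items 5 and 10 both ask the auditor to correlate one record against another: temperature history against the incident register, and utility failure events against the notifications actually sent. The following Python script is an added example (not from the checklist or its author) that performs both correlations over constructed sample logs. The 27°C limit comes from item 5; the two-reading minimum for a "sustained" excursion, the one-hour window for an incident to be opened, and the five-minute definition of "immediate" alerting are assumptions an auditor would agree with the auditee, and the log formats, sensor names and incident IDs are invented for the example.

```python
"""Added example for checklist items 5 and 10: correlate environmental and utility
event logs against incident reports and alert records. Not part of the original page."""
from datetime import datetime, timedelta

# Threshold from checklist item 5. The remaining parameters are assumptions made for
# this example: how many consecutive over-limit readings count as a sustained excursion,
# how soon an incident must be opened, and what "immediate" alerting means in minutes.
TEMP_LIMIT_C = 27.0
MIN_CONSECUTIVE = 2
INCIDENT_WINDOW = timedelta(hours=1)
MAX_ALERT_DELAY = timedelta(minutes=5)

# Constructed sample data (not real monitoring output): sensor readings, facilities
# events with their notification records, and incident register entries.
ENV_LOG = """\
2024-03-01T09:00:00 rack-A1 temp=22.4
2024-03-01T09:05:00 rack-A1 temp=27.8
2024-03-01T09:10:00 rack-A1 temp=28.3
2024-03-01T09:15:00 rack-A1 temp=28.9
2024-03-01T09:20:00 rack-A1 temp=23.1
2024-03-02T14:00:00 rack-B2 temp=27.5
2024-03-02T14:05:00 rack-B2 temp=24.0
2024-03-03T02:00:00 rack-C3 temp=29.1
2024-03-03T02:05:00 rack-C3 temp=30.2
2024-03-03T02:10:00 rack-C3 temp=31.0
"""
EVENT_LOG = """\
2024-03-01T09:03:00 EVENT hvac-1 FAILURE
2024-03-01T09:04:30 ALERT hvac-1 sms facilities-oncall
2024-03-02T13:55:00 EVENT mains-feed-A LOSS
2024-03-02T14:40:00 ALERT mains-feed-A email it-ops
2024-03-03T02:00:00 EVENT hvac-2 FAILURE
"""
INCIDENTS = [  # hypothetical register entries: which sensor, and when the ticket was opened
    {"id": "INC-0042", "sensor": "rack-A1", "opened": datetime(2024, 3, 1, 9, 25)},
]


def parse_env(text):
    """Return (timestamp, sensor, temperature) tuples from the constructed reading format."""
    readings = []
    for line in text.splitlines():
        if line.strip():
            ts, sensor, temp_field = line.split()
            readings.append((datetime.fromisoformat(ts), sensor, float(temp_field.split("=")[1])))
    return readings


def find_excursions(readings, limit=TEMP_LIMIT_C, min_consecutive=MIN_CONSECUTIVE):
    """Group readings per sensor and report every run of >= min_consecutive readings over the limit."""
    by_sensor = {}
    for ts, sensor, temp in sorted(readings):
        by_sensor.setdefault(sensor, []).append((ts, temp))
    excursions = []
    for sensor, series in by_sensor.items():
        run = []
        for ts, temp in series + [(None, float("-inf"))]:  # sentinel flushes a trailing run
            if temp > limit:
                run.append((ts, temp))
                continue
            if len(run) >= min_consecutive:
                excursions.append({"sensor": sensor, "start": run[0][0], "end": run[-1][0],
                                   "peak": max(t for _, t in run)})
            run = []
    return excursions


def unreported_excursions(excursions, incidents, window=INCIDENT_WINDOW):
    """Item 5: excursions with no incident opened for that sensor between onset and end+window."""
    return [exc for exc in excursions
            if not any(inc["sensor"] == exc["sensor"]
                       and exc["start"] <= inc["opened"] <= exc["end"] + window
                       for inc in incidents)]


def parse_events(text):
    """Split the constructed facilities log into utility failure events and alert records."""
    events, alerts = [], []
    for line in text.splitlines():
        if line.strip():
            parts = line.split()
            record = (datetime.fromisoformat(parts[0]), parts[2], " ".join(parts[3:]))
            (events if parts[1] == "EVENT" else alerts).append(record)
    return events, alerts


def alerting_gaps(events, alerts, max_delay=MAX_ALERT_DELAY):
    """Item 10: events with no alert for that utility, or whose first alert came later than max_delay."""
    findings = []
    for ev_ts, utility, detail in events:
        later = [a_ts for a_ts, a_util, _ in alerts if a_util == utility and a_ts >= ev_ts]
        if not later:
            findings.append({"utility": utility, "event": detail, "status": "no alert"})
        elif min(later) - ev_ts > max_delay:
            findings.append({"utility": utility, "event": detail,
                             "status": f"alert delayed {min(later) - ev_ts}"})
    return findings


if __name__ == "__main__":
    excursions = find_excursions(parse_env(ENV_LOG))
    for exc in unreported_excursions(excursions, INCIDENTS):
        print(f"Item 5 finding: {exc['sensor']} peaked at {exc['peak']}°C from {exc['start']} with no incident report")
    events, alerts = parse_events(EVENT_LOG)
    for gap in alerting_gaps(events, alerts):
        print(f"Item 10 finding: {gap['utility']} {gap['event']}: {gap['status']}")
```

On the sample data the rack-B2 reading of 27.5°C is a single spike and is not reported, the rack-A1 excursion is covered by INC-0042, and rack-C3 is flagged; for item 10 the hvac-1 failure was alerted within 90 seconds, the mains-feed-A loss was alerted 45 minutes late, and hvac-2 produced no alert at all. Swapping the constructed logs for a real export from the monitoring system is the only change needed to run the same checks on site.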

ISO 27001 Annex A 7.11 SaaS / GRC Platform Failure Checklist

Control Requirement: Utility Redundancy
The ‘Checkbox Compliance’ Trap: Tool identifies “Dual Power” in a text field.
The Reality Check: Demand the Single Line Diagram. Verify that the two feeds come from different substations, not the same local transformer.

Control Requirement: UPS Health
The ‘Checkbox Compliance’ Trap: GRC dashboard shows “UPS Active” green light.
The Reality Check: Verify the Battery Impedance Test. A “live” UPS can still fail instantly if the batteries haven’t been tested under load.

Control Requirement: Generator Readiness
The ‘Checkbox Compliance’ Trap: Platform marks “Generator Maintenance” as complete.
The Reality Check: Check the Fuel Contract. A generator is useless if there is no guaranteed 4-hour fuel delivery SLA during a regional crisis.

Control Requirement: HVAC Reliability
The ‘Checkbox Compliance’ Trap: Tool records “Air Conditioning Working” status.
The Reality Check: Verify N+1 Configuration. If one AC unit fails, can the remaining units hold the temperature below the thermal shutdown limit?

Control Requirement: Physical Security
The ‘Checkbox Compliance’ Trap: Tool lists “Plant Room” as a secure location.
The Reality Check: Perform a Key Audit. Facilities staff often leave utility rooms unlocked for convenience; GRC tools never see this.

Control Requirement: Telecom Diversity
The ‘Checkbox Compliance’ Trap: Tool verifies that the company has “two ISPs.”
The Reality Check: Check the Physical Trench. If both ISPs use the same Openreach ducting, a single digger will cut both lines.

Control Requirement: Maintenance Proof
The ‘Checkbox Compliance’ Trap: Platform identifies “Policy.pdf” as evidence.
The Reality Check: Demand the Service Sticker. Physical infrastructure requires physical inspection. GRC tools cannot smell an overheating transformer.

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
