4. Backup Generator Operational Readiness Verified

Verification Criteria: On-site secondary power generators are present, fuelled, and integrated with an Automatic Transfer Switch (ATS). Required Evidence: Fuel level monitoring logs and generator maintenance certificates showing successful monthly "no-load" and quarterly "load-bank" tests. Pass/Fail Test: If the generator fails to start during a simulated mains failure or if fuel levels are below the required threshold for 24-hour operation, mark as Non-Compliant.

5. HVAC Environmental Control Integrity Confirmed

Verification Criteria: Heating, Ventilation, and Air Conditioning (HVAC) systems maintain temperature and humidity within manufacturer specifications for the equipment housed. Required Evidence: Historic temperature and humidity logs from the server room environmental monitoring system (e.g. NetBotz). Pass/Fail Test: If temperature logs show consistent spikes above 27°C without a corresponding incident report and investigation, mark as Non-Compliant.

6. Telecommunications Path Diversity Validated

Verification Criteria: Telecommunications cabling and internet connectivity enter the building at geographically diverse points to prevent accidental severing of all communication. Required Evidence: Site drawings showing physical entry points for different carriers (e.g. North and South entry). Pass/Fail Test: If all fibre and copper lines enter through the same conduit or trench, mark as Non-Compliant.

7. Utility Infrastructure Physical Protection Verified

Verification Criteria: Utility distribution points (UPS rooms, generator yards, telecommunication racks) are physically secured to the same level as the secure offices they support. Required Evidence: Physical sighting of locked enclosures, fences, or restricted access control (badge readers) on utility rooms. Pass/Fail Test: If an external backup generator or HVAC unit is accessible to the public without a protective barrier, mark as Non-Compliant.

8. Emergency Power-Off (EPO) Controls Confirmed

Verification Criteria: Emergency power-off switches are installed in designated locations, protected against accidental activation, and clearly labelled. Required Evidence: Physical sighting of EPO switches with protective covers and inclusion of EPO testing in annual maintenance logs. Pass/Fail Test: If EPO switches lack protective covers or are located in public-access areas where they can be maliciously activated, mark as Non-Compliant.

9. Utility Maintenance and Service Record Integrity Verified

Verification Criteria: Supporting utilities undergo regular preventive maintenance as specified by the manufacturer or facilities standards. Required Evidence: Signed service logs for HVAC, Fire Suppression, and Electrical switchgear for the current 12-month period. Pass/Fail Test: If critical utility maintenance is overdue by more than 30 days without a documented extension or risk assessment, mark as Non-Compliant.

10. Utility Monitoring and Alerting Integration Confirmed

Verification Criteria: Utility failures (e.g. mains power loss, HVAC failure) are integrated into the central security or facilities monitoring system for immediate alerting. Required Evidence: Notification logs showing alerts sent to responders (SMS/Email) during a simulated or actual utility event. Pass/Fail Test: If a HVAC unit fails and no alert is sent to the IT or Facilities team until equipment begins to overheat, mark as Non-Compliant.

ISO 27001 Annex A 7.11 Audit Checklist [+ Templates]

Q: 1. Supporting Utilities Inventory and Mapping Verified

Verification Criteria: All utilities required for the operation of information processing facilities (electricity, water, gas, HVAC, telecommunications) are identified and documented. Required Evidence: Facilities Management Asset Register or Site Infrastructure Map identifying utility entry points and distribution paths. Pass/Fail Test: If the organisation cannot identify which utilities are critical to its ISMS operations or where their shut-off points are located, mark as Non-Compliant.

Q: 2. Redundancy for Critical Utilities Confirmed

Verification Criteria: Critical information processing facilities have redundant utility supplies (e.g. dual power feeds, multiple telecommunication providers) to prevent single points of failure. Required Evidence: Service provider contracts showing diverse routing or physical sighting of secondary utility feeds. Pass/Fail Test: If a single utility failure (e.g. one power line cut) results in a total ISMS shutdown without automated failover, mark as Non-Compliant.

Q: 3. Uninterruptible Power Supply (UPS) Functionality Validated

Verification Criteria: UPS systems are active, sized appropriately to support the critical load, and configured to trigger graceful shutdowns or bridge to a generator. Required Evidence: UPS load capacity reports and battery health diagnostic logs from the current audit quarter. Pass/Fail Test: If the UPS battery health is reported as 'Poor' or if the system cannot support the load for at least 15 minutes, mark as Non-Compliant.

In this ultimate how to audit guide to ISO 27001 Annex A 7.11 Supporting Utilities, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.11 Supporting Utilities Audit Checklist

ISO 27001 Annex A 7.11 Supporting Utilities Audit Checklist

Auditing ISO 27001 Annex A 7.11 Supporting Utilities is a rigorous technical evaluation of the infrastructure providing electricity, telecommunications, and environmental controls to information facilities. The Primary Implementation Requirement is ensuring redundant supply paths and functional failover systems, providing the Business Benefit of operational resilience and protection against data loss.

This technical verification tool is designed for lead auditors to establish the resilience of infrastructure supporting the ISMS. Use this checklist to validate compliance with ISO 27001 Annex A 7.11.

1. Supporting Utilities Inventory and Mapping Verified

Verification Criteria: All utilities required for the operation of information processing facilities (electricity, water, gas, HVAC, telecommunications) are identified and documented.

Required Evidence: Facilities Management Asset Register or Site Infrastructure Map identifying utility entry points and distribution paths.

Pass/Fail Test: If the organisation cannot identify which utilities are critical to its ISMS operations or where their shut-off points are located, mark as Non-Compliant.

2. Redundancy for Critical Utilities Confirmed

Verification Criteria: Critical information processing facilities have redundant utility supplies (e.g. dual power feeds, multiple telecommunication providers) to prevent single points of failure.

Required Evidence: Service provider contracts showing diverse routing or physical sighting of secondary utility feeds.

Pass/Fail Test: If a single utility failure (e.g. one power line cut) results in a total ISMS shutdown without automated failover, mark as Non-Compliant.

3. Uninterruptible Power Supply (UPS) Functionality Validated

Verification Criteria: UPS systems are active, sized appropriately to support the critical load, and configured to trigger graceful shutdowns or bridge to a generator.

Required Evidence: UPS load capacity reports and battery health diagnostic logs from the current audit quarter.

Pass/Fail Test: If the UPS battery health is reported as ‘Poor’ or if the system cannot support the load for at least 15 minutes, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

How to Audit ISO 27001 Annex A 7.11: Supporting Utilities

Table of contents

ISO 27001 Annex A 7.11 Supporting Utilities Audit Checklist

1. Supporting Utilities Inventory and Mapping Verified

2. Redundancy for Critical Utilities Confirmed

3. Uninterruptible Power Supply (UPS) Functionality Validated