Auditing ISO 27001 Annex A 7.12 (Cabling Security) is a technical verification of the physical infrastructure carrying sensitive data and power. The primary implementation requirement is the physical segregation and hardening of conduits; the business benefit is communications integrity and the prevention of unauthorised data interception or infrastructure tampering.
ISO 27001 Annex A 7.12 Cabling Security Audit Checklist
This technical verification tool is designed for lead auditors to establish the physical integrity of power and telecommunications infrastructure. Use this checklist to validate compliance with ISO 27001 Annex A 7.12.
1. Telecommunications and Power Line Segregation Verified
Verification Criteria: Power and telecommunications lines are physically separated to prevent electromagnetic interference (EMI) and reduce the risk of simultaneous accidental damage.
Required Evidence: Physical inspection of internal cable trunking or conduit layouts showing a minimum separation distance (typically 50 mm or more) or shielded dividers.
Pass/Fail Test: If unshielded data cables are found bundled directly with high-voltage power lines in shared trays, mark as Non-Compliant.
2. Cabling Physical Protection and Conduit Usage Confirmed
Verification Criteria: Exposed cabling in public or uncontrolled areas is housed within secure conduits or armoured trunking to prevent tampering or accidental severing.
Required Evidence: Visual verification of secure cable routing in public hallways, basements, or external building faces.
Pass/Fail Test: If network or power cables are found dangling or accessible to the public without protective casing, mark as Non-Compliant.
3. Entry Point Physical Security Validated
Verification Criteria: Physical entry points for external telecommunications and power feeds into the building are secured and restricted to authorised facilities personnel.
Required Evidence: Physical sighting of locked cabinets or secure rooms for external service entry points (manholes, cable vaults, or telecom rooms).
Pass/Fail Test: If the building’s primary external cable entry vault is found unlocked or accessible to unauthorised tenants/visitors, mark as Non-Compliant.
4. Cabling Documentation and Labelling Integrity Verified
Verification Criteria: Infrastructure cabling is clearly labelled at both ends and accurately documented in a current patch schedule or network map.
Required Evidence: Patch panel schedules and physical cable tags cross-referenced against the internal network topology diagram.
Pass/Fail Test: If more than 10% of sampled cables in a server room lack labels or do not match the documented patch schedule, mark as Non-Compliant.
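One way to carry out the sampling test above on the collected evidence, added here as an example (it is not part of the checklist or of the standard): the patch schedule and the observed cable tags are constructed sample data, and the port names and labels are placeholders. A sampled cable counts as an exception when it is unlabelled, when its port is absent from the schedule, or when its tag differs from the schedule; the verdict applies the "more than 10%" rule.

```python
"""Reconcile sampled cable tags against the documented patch schedule.

Added example for checklist item 4; the data below is constructed for
illustration and the port/label naming scheme is an assumption.
"""
from typing import Dict, List, Optional, Tuple, TypedDict


class Observation(TypedDict):
    port: str             # patch-panel port the auditor sampled
    label: Optional[str]  # tag read off the cable, or None if unlabelled


# Constructed sample: the organisation's documented patch schedule
# (patch-panel port -> documented far-end label).
PATCH_SCHEDULE: Dict[str, str] = {
    "PP1-01": "FL2-DESK-014", "PP1-02": "FL2-DESK-015",
    "PP1-03": "FL2-DESK-016", "PP1-04": "FL2-DESK-017",
    "PP1-05": "FL2-DESK-018", "PP1-06": "FL2-DESK-019",
    "PP1-07": "FL2-DESK-020", "PP1-08": "FL2-MTG-A",
    "PP1-09": "FL2-MTG-B",    "PP1-10": "FL2-PRINT-01",
}

# Constructed sample: what the auditor physically read off eleven sampled cables.
OBSERVED_SAMPLE: List[Observation] = [
    {"port": "PP1-01", "label": "FL2-DESK-014"},
    {"port": "PP1-02", "label": None},            # cable carries no tag
    {"port": "PP1-03", "label": "FL2-DESK-016"},
    {"port": "PP1-04", "label": "FL2-DESK-021"},  # tag disagrees with schedule
    {"port": "PP1-05", "label": "FL2-DESK-018"},
    {"port": "PP1-06", "label": "FL2-DESK-019"},
    {"port": "PP1-07", "label": "FL2-DESK-020"},
    {"port": "PP1-08", "label": "FL2-MTG-A"},
    {"port": "PP1-09", "label": "FL2-MTG-B"},
    {"port": "PP1-10", "label": "FL2-PRINT-01"},
    {"port": "PP1-11", "label": "FL2-PRINT-02"},  # port not in the schedule at all
]


def reconcile(schedule: Dict[str, str], observed: List[Observation]) -> List[Tuple[str, str]]:
    """Return (port, reason) for every sampled cable that fails the label check."""
    findings: List[Tuple[str, str]] = []
    for obs in observed:
        port, label = obs["port"], obs["label"]
        documented = schedule.get(port)
        if label is None:
            findings.append((port, "unlabelled"))
        elif documented is None:
            findings.append((port, "undocumented: port absent from patch schedule"))
        elif label != documented:
            findings.append((port, f"mismatch: tagged {label}, schedule says {documented}"))
    return findings


def assess(schedule: Dict[str, str], observed: List[Observation], threshold: float = 0.10) -> dict:
    """Apply the checklist rule: more than `threshold` of sampled cables failing is Non-Compliant."""
    findings = reconcile(schedule, observed)
    rate = len(findings) / len(observed) if observed else 0.0
    verdict = "Non-Compliant" if rate > threshold else "Compliant"
    return {
        "sampled": len(observed),
        "exceptions": len(findings),
        "rate": rate,
        "verdict": verdict,
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess(PATCH_SCHEDULE, OBSERVED_SAMPLE)
    print(f"{result['exceptions']}/{result['sampled']} sampled cables failed "
          f"({result['rate']:.0%}): {result['verdict']}")
    for port, reason in result["findings"]:
        print(f"  {port}: {reason}")
```

The threshold comparison is strict (`>`), so a sample of ten cables with exactly one exception passes, matching the wording "more than 10%"; record the sample size alongside the rate in the audit working papers, since a small sample makes a single unlabelled cable decisive.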
5. Redundant Path Geographic Diversity Confirmed
Verification Criteria: Where redundancy is required, cabling paths for primary and secondary services follow geographically diverse routes to prevent a single point of failure (e.g., a single digger event).
Required Evidence: Site drawings showing “North/South” or diverse entry points for carrier fibre feeds.
Pass/Fail Test: If “redundant” internet lines enter the building through the same conduit or trench, mark as Non-Compliant.
6. Patch Panel and Termination Point Security Verified
Verification Criteria: All cabling termination points (patch panels, distribution frames) are located within secure, restricted-access rooms or locked cabinets.
Required Evidence: Physical inspection of comms cupboards showing restricted access control (badge readers or mechanical locks).
Pass/Fail Test: If a network patch panel is located in an unlocked, unattended communal area, mark as Non-Compliant.
7. Electromagnetic Interference (EMI) Shielding Confirmed
Verification Criteria: Cabling is protected from EMI sources (e.g., lift motors, fluorescent lighting ballasts, or large transformers) through distance or shielding.
Required Evidence: Technical specifications of installed cabling (e.g., Category 6A F/UTP or S/FTP) and physical routing away from high-interference equipment.
Pass/Fail Test: If data cabling is draped directly over unshielded high-wattage lighting ballasts or industrial motors, mark as Non-Compliant.
8. Unused Cable Decommissioning Evidence Identified
Verification Criteria: Redundant or decommissioned cabling is removed or clearly identified and disconnected at both ends to prevent unauthorised “shadow” connections.
Required Evidence: Inventory of “Dark Fibre” or decommissioned cable logs; visual inspection for unlabelled, disconnected cables in racks.
Pass/Fail Test: If unlabelled network ports are found live in vacant, publicly accessible offices without a security lock, mark as Non-Compliant.
9. Cabling Maintenance and Service Records Present
Verification Criteria: The cabling infrastructure undergoes periodic inspections for wear, heat damage, or environmental degradation.
Required Evidence: Annual physical security walk-through reports or cable certification test results (e.g., Fluke test reports).
Pass/Fail Test: If the organisation has no record of inspecting the integrity of critical cabling infrastructure in the current audit cycle, mark as Non-Compliant.
10. Fire-Stopping Compliance in Cable Penetrations Verified
Verification Criteria: Points where cables penetrate fire-rated walls or floors are sealed with fire-stopping material to maintain the integrity of physical security zones.
Required Evidence: Physical sighting of fire pillows or intumescent mastic around cable bundles at zone boundaries.
Pass/Fail Test: If a cable tray passes through a fire-rated server room wall without an airtight fire-stop seal, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Physical Segregation | Tool identifies “Segregation Policy” exists. | Verify the Trunking. Physical inspection is required to ensure data and power aren’t touching in the same conduit. |
| Path Diversity | Platform lists two ISPs and marks as ‘Redundant’. | Check the Building Entry. GRC tools don’t know if both providers use the same physical duct that can be cut by one digger. |
| Termination Security | Tool records “Server Room” as a secure location. | Verify Intermediate Frames. Patch panels in unmonitored hallways/storage rooms are often missed by automated asset tools. |
| Protection | SaaS tool assumes compliance based on building age. | Audit the Basement. Check for exposed, unarmoured cabling in shared building spaces where any tenant can tamper. |
| EMI Mitigation | Tool marks “CAT6” as the standard. | Verify Routing. A GRC tool can’t see if CAT6 is wrapped around a high-voltage elevator motor. |
| Label Integrity | Platform assumes patch panels are documented. | Perform a Trace. Pull a random port in the office; if it’s not in the GRC-linked map, the documentation has failed. |
| Fire Sealing | Tool checks if “Fire Policy” is uploaded. | Inspect the Penetrations. If you can see light through the cable entry into the server room, the physical perimeter is compromised. |