ISO 27001 Annex A 7.13 Explained: Lead Auditor’s Guide

ISO 27001 Annex A 7.13 Equipment Maintenance is a security control that mandates organisations maintain hardware according to manufacturer specifications to prevent unauthorized access and data loss. Implementing this control ensures the availability and integrity of information assets by securing equipment during on-site servicing and off-site repairs.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.13 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.13 Equipment Maintenance

ISO 27001 Annex A 7.13 requires organizations to maintain equipment correctly to ensure its availability, integrity, and confidentiality. While this sounds like a general IT task, the standard focuses on preventing security breaches that occur during the maintenance process, such as a technician seeing sensitive data on a server or a hard drive being stolen while in transit to a repair shop.

Core requirements for compliance include:

Manufacturer Guidelines: You must follow the official maintenance schedule provided by your hardware vendors. This ensures that cooling systems, power supplies, and storage drives are inspected before they fail.
Maintenance Logs: You must keep a record of all maintenance performed. Auditors want to see that maintenance isn’t “random” but is a planned and documented business process.
Supervised Access: If an external engineer comes on-site to fix a server, they must be supervised at all times to ensure they don’t perform unauthorized actions or access sensitive data.
Secure Off-Site Repair: If you send a device away for repair, you must have a process to protect the data on it. This usually means full-disk encryption or removing the hard drive entirely before the device leaves your office.
Supporting Facilities: Don’t forget the “non-IT” equipment that protects your data. This includes maintaining fire extinguishers, UPS batteries, and air conditioning units in your server rooms.

Audit Focus: Auditors will look for “The Repair Audit Trail”:

Vendor Agreements: “Show me the confidentiality agreement (NDA) for the company that repairs your laptops.”
On-Site Logs: “Where is the visitor log showing the last time the AC technician was in the server room?”
Physical Evidence: They may check the service stickers on your fire extinguishers to ensure they aren’t out of date.

Repair Security Checklist (Must-Do Before Shipping):

Step	Action	Why it Matters	ISO 27001:2022 Control
1. Backup	Mandatory Full Backup.	Prevents data loss if the vendor wipes or replaces the device.	8.13 (Information Backup)
2. Remove Media	Remove Hard Drive (if possible).	The best way to ensure data confidentiality during repair.	7.14 (Secure Disposal or Re-use)
3. Encrypt	Activate BitLocker / FileVault.	If the device is stolen during shipping, the data remains unreadable.	8.1 (User Endpoint Devices)
4. Legal	Sign an NDA with the repair shop.	Provides a legal framework for data protection and liability.	7.13 (Equipment Maintenance)

What is ISO 27001 Annex A 7.13?
ISO 27001 Annex A 7.13 Free Training Video
ISO 27001 Annex A 7.13 Explainer Video
ISO 27001 Annex A 7.13 Podcast
ISO 27001 Annex A 7.13 Implementation Guidance
How to implement ISO 27001 Annex A 7.13
How to comply
Repair Security Checklist
Top 3 ISO 27001 Annex A 7.13 mistakes and how to avoid them
Applicability of ISO 27001 Annex A 7.13 across different business models.
Fast Track ISO 27001 Annex A 7.13 Compliance with the ISO 27001 Toolkit
ISO 27001 Annex A 7.13 FAQ
Related ISO 27001 Controls
Controls and Attribute Values

What is ISO 27001 Annex A 7.13?

The focus for this ISO 27001 Control is maintaining equipment and this is about maintaining equipment in line with manufacturer recommendations to prevent failure or damage.

ISO 27001 Equipment Maintenance understands that equipment requires maintaining so as to eliminate or reduce the likelihood of equipment failure and information security vulnerabilities over time.

ISO 27001 Annex A 7.13 Equipment Maintenance is an ISO 27001 control that looks to make sure you maintain your equipment in line with guidance so it keeps working and protects the confidentiality, integrity and availability of data.

ISO 27001 Annex A 7.13 Purpose

The purpose of ISO 27001 Equipment Maintenance is to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organisations operations caused by lack of maintenance.

ISO 27001 Annex A 7.13 Definition

The ISO 27001 standard defines ISO 27001 Annex A 7.13 as:

Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.
ISO 27001:2022 Annex A 7.13 Equipment Maintenance

ISO 27001 Annex A 7.13 Free Training Video

In the video ISO 27001 Equipment Maintenance Explained – ISO27001:2022 Annex A 7.13 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.13 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.13 Equipment Maintenance, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement in and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.13 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.13 Equipment Maintenance. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 7.13 Implementation Guidance

Maintain Equipment

Equipment that is used will need to be maintained so that it keeps operating. If you do not maintain equipment then the risk of the device failing or being compromised is going to increase. For this control it is as simple as following the manufactures guidelines for maintenance for your equipment.

To some extent this control is outside of your gift to control but there are some considerations that you can put in place and evidence.

Manufacturers Guidelines

To meet the control you would, as with everything, operate any equipment and maintain it in line with the manufacturers guidelines. This usually means appropriate professional maintenance. The professional maintenance would include testing and inspection although we would expect this to be a legal and regulatory requirement anyway, usually around health and safety.

Use Professionals

The advice here is, if you have a server room or information processing facility to bring in professional third parties to advise and maintain equipment. This is not something you will undertake yourself and there are many laws that govern this that are outside your capability.

Providing Access

The things that you can do and consider include access. We cover this in access control but looking at how people are allowed on site or remotely connect and how you supervise the activity are in your control. Monitoring for faults and having a process to record and respond to incidents is a simple step you can implement.

Fire Safety Equipment

There are some things that you might not have thought about that can catch you out. These include maintaining all your fire safety equipment such as extinguishers and alarms.

How to implement ISO 27001 Annex A 7.13

Implementing ISO 27001 Annex A 7.13 requires a proactive strategy to ensure hardware reliability and security. This technical guide outlines the action-result workflow for maintaining equipment in a way that prevents data loss, service interruptions, and unauthorised physical access during servicing.

1. Formalise the Equipment Maintenance Schedule

Develop a structured maintenance plan based on manufacturer specifications and the criticality of the asset to ensure continued availability and integrity.

Review manufacturer service intervals for all critical infrastructure hardware.
Identify high-priority assets within the Asset Register that require more frequent inspections.
Document the planned maintenance dates to avoid operational downtime during peak hours.
Assign clear ownership for maintenance tasks to specific facilities or IT teams.

2. Authenticate and Supervise Maintenance Personnel

Ensure that only vetted and authorised technicians have physical or logical access to organisational equipment to mitigate the risk of tampering or data theft.

Verify the credentials of third-party engineers before granting site access.
Enforce strict supervision requirements for any maintenance performed in secure areas like server rooms.
Provision temporary access badges that are logged and revoked immediately upon completion of the work.
Ensure that all maintenance staff have signed a Non-Disclosure Agreement (NDA) or similar confidentiality contract.

3. Provision Secure Off-Site Repair Protocols

Establish strict security measures for equipment that must be removed from the secure perimeter for technical repairs or servicing.

Mandate full-disk encryption (FDE) for any portable device or storage media leaving the premises.
Remove highly sensitive storage components or securely wipe data before transport if repairs do not require data access.
Formalise a secure chain of custody using tracked couriers or internal logistics.
Inspect the equipment upon return to verify that no unauthorised hardware modifications have occurred.

4. Restrict and Monitor Remote Maintenance Access

Apply technical barriers to remote diagnostic connections to prevent external providers from gaining persistent or unauthorised network access.

Disable remote maintenance ports by default and only activate them for the duration of the service.
Enforce Multi-Factor Authentication (MFA) for any remote connection made by a service provider.
Apply granular IAM roles and Least Privilege access to ensure the technician only reaches the specific system being maintained.
Monitor and log all remote sessions in real time for audit purposes.

5. Maintain the Formal Maintenance Log

Record every maintenance action to provide a verifiable audit trail that demonstrates compliance with ISO 27001 requirements.

Update the maintenance log with the specific date, time, and nature of the repair.
Document any hardware components that were replaced or upgraded.
Include a formal sign-off from the internal asset owner confirming the device is back in a secure operating state.
Review logs during internal ISMS audits to identify recurring hardware failures that may indicate a security risk.

How to comply

To comply with ISO 27001 Annex A 7.13 Equipment Maintenance you are going to

Get the help of professional third parties to put in place controls around maintenance where required.
Have policies and procedures in place
Assess your equipment and perform a risk assessment
Implement controls proportionate to the risk posed
Keep maintenance records
Test the controls that you have to make sure they are working

Repair Security Checklist

The biggest security risk in this control is sending equipment away for repair.

Step	Action	Why?
1. Backup	Mandatory	In case the vendor wipes the device.
2. Remove Media	If possible, remove the Hard Drive.	Don’t send your data to the repair shop.
3. Encrypt	Ensure BitLocker/FileVault is active.	If the drive is stolen in transit, data is safe.
4. NDA	Check the vendor’s confidentiality agreement.	Ensure they are legally bound to protect your data.

Top 3 ISO 27001 Annex A 7.13 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 7.13 Equipment Maintenance are

You have no records of maintenance: Keep records that show that things have been maintained and that it has followed the guidance of the manufacturer. Record keeping!
You forgot about fire extinguishers: Proper left field this one but they do check and they can fail you on it. Check!
Your document and version control is wrong: Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Applicability of ISO 27001 Annex A 7.13 across different business models.

Business Type	Applicability	Examples of Control Implementation
Small Businesses	Applies to ensuring basic office hardware (laptops, routers, fire extinguishers) is serviced to prevent downtime and security lapses. The goal is to avoid unmanaged data exposure during repairs.	Removing the hard drive from a faulty laptop before sending it to a high-street repair shop. Keeping a simple log of annual fire extinguisher services and office electrical safety (PAT) tests. Enforcing an NDA with local IT contractors who perform on-site hardware maintenance.
Tech Startups	Critical for managing remote work assets and server room health. Compliance involves ensuring that hardware failures don’t lead to accidental data theft by external technicians.	Mandating that all laptops are fully encrypted (BitLocker/FileVault) before being shipped for warranty repair. Supervising third-party AC or power technicians at all times while they are in the server room. Performing a full backup of any device before it leaves the organization’s physical control for maintenance.
AI Companies	Vital for protecting expensive GPU clusters and high-performance computing (HPC) nodes. Focus is on maintaining hardware availability and preventing model IP leaks during component replacement.	Maintaining a detailed log of component swaps (e.g., GPU or NVMe replacements) in training nodes to ensure physical chain of custody. Requiring cryptographically verified secure erasure of “stale” training data before replacing defective server storage modules. Verifying the “service stickers” and maintenance records of redundant cooling systems to prevent GPU thermal shutdowns.

Fast Track ISO 27001 Annex A 7.13 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 7.13 (Equipment maintenance), the requirement is to correctly maintain equipment to ensure the availability, integrity, and confidentiality of information. This includes following manufacturer guidelines and ensuring repairs are handled securely.

Compliance Factor	SaaS Asset Health Modules	High Table ISO 27001 Toolkit	Audit Evidence Example
Strategy Ownership	Rents access to your maintenance rules; losing the subscription means losing your operational history and repair protocols.	Permanent Assets: Fully editable Word/Excel Equipment Maintenance Policies and logs that you own forever.	A localized “Equipment Maintenance Policy” defining service intervals for HVAC and UPS systems.
Operational Simplicity	Over-engineers hardware upkeep with dashboards that cannot supervise on-site technicians or verify physical repairs.	Governance-First: Formalizes your existing facilities management and vendor servicing workflows.	A completed “Maintenance Log” entry verified by a technician’s service report for fire suppression systems.
Cost Structure	Charges an “Asset Maintenance Tax” based on the volume of physical infrastructure or total tracked items.	One-Off Fee: A single payment covers your governance documentation for 5 servers or a global data center.	Allocating budget to actual professional service contracts rather than a monthly paperwork subscription fee.
Vendor Freedom	Limited by API “connectors” to major facilities platforms; struggles with specialized local service providers.	100% Agnostic: Procedures adapt to any service vendor, maintenance schedule, or specialized hardware provider.	The ability to switch maintenance contractors without needing to reconfigure a rigid SaaS compliance module.

Summary: For Annex A 7.13, the auditor wants to see that you have a formal policy for equipment maintenance and proof that you follow it (e.g., service records and repair logs). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 7.13 FAQ

What is ISO 27001 Annex A 7.13?

ISO 27001 Annex A 7.13 is a physical and environmental security control that requires organizations to maintain equipment correctly to ensure its continued availability, integrity, and security.

Equipment must be serviced according to manufacturer specifications.
Maintenance must be performed by authorized personnel only.
Records of all maintenance, repairs, and inspections must be documented.
Controls must be applied to hardware taken off-site for repairs.

Is an equipment maintenance log mandatory for ISO 27001?

Yes, maintaining a detailed maintenance log is mandatory under ISO 27001 as it serves as primary evidence during an audit that hardware is being managed in accordance with security requirements.

Logs should include the date and time of maintenance.
A description of the work performed and the parts replaced.
Information on whether the service was routine or corrective.
Confirmation of the technician’s identity and authorization.

How do you secure equipment sent for off-site maintenance?

Securing equipment for off-site maintenance involves implementing strict data protection controls and physical security measures before the hardware leaves the organization’s secure perimeter.

Enable full-disk encryption to prevent unauthorized data access.
Remove or securely wipe sensitive storage media if the repair does not require it.
Ensure a Non-Disclosure Agreement (NDA) is in place with the service provider.
Use secure, tracked transport to move assets between locations.

What are the requirements for third-party maintenance providers?

Third-party maintenance providers must be vetted and managed under supplier security requirements to ensure they do not compromise the organization’s security posture.

Contractual clauses must define security responsibilities and data handling.
Technicians should be supervised while in secure areas.
Remote maintenance access must be granted only when needed and logged.
Providers must demonstrate their own security credentials or compliance.

What are the security risks of poor equipment maintenance?

Poor equipment maintenance leads to critical security vulnerabilities, primarily affecting the availability and integrity of sensitive organizational data.

Unexpected hardware failure causing significant operational downtime.
Data corruption due to malfunctioning storage or processing components.
Exploitable physical vulnerabilities in aging or unpatched hardware.
Unauthorized physical access if maintenance bypasses standard security protocols.

Who is responsible for Annex A 7.13 compliance?

Primary responsibility for Annex A 7.13 usually falls to the Facilities Management or IT Operations team, under the oversight of the Chief Information Security Officer (CISO).

IT Operations manage the scheduling of hardware servicing.
The Asset Owner ensures the equipment is functioning as required.
The CISO ensures maintenance activities align with the broader ISMS.
Internal Auditors verify that maintenance logs are complete and accurate.

Controls and Attribute Values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Preventive	Confidentiality	Protect	Physical Security	Protection
	Integrity	Detect	Asset Management	Resilience
	Availability

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001:2022 Annex A 7.13 Equipment Maintenance : The Lead Auditor’s Guide.

Table of Contents