ISO 27001:2022 Annex A 7.13 Equipment maintenance

In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.13 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.13 Equipment Maintenance

ISO 27001 Annex A 7.13 requires organizations to maintain equipment correctly to ensure its availability, integrity, and confidentiality. While this sounds like a general IT task, the standard focuses on preventing security breaches that occur during the maintenance process, such as a technician seeing sensitive data on a server or a hard drive being stolen while in transit to a repair shop.

Core requirements for compliance include:

  • Manufacturer Guidelines: You must follow the official maintenance schedule provided by your hardware vendors. This ensures that cooling systems, power supplies, and storage drives are inspected before they fail.
  • Maintenance Logs: You must keep a record of all maintenance performed. Auditors want to see that maintenance isn’t “random” but is a planned and documented business process.
  • Supervised Access: If an external engineer comes on-site to fix a server, they must be supervised at all times to ensure they don’t perform unauthorized actions or access sensitive data.
  • Secure Off-Site Repair: If you send a device away for repair, you must have a process to protect the data on it. This usually means full-disk encryption or removing the hard drive entirely before the device leaves your office.
  • Supporting Facilities: Don’t forget the “non-IT” equipment that protects your data. This includes maintaining fire extinguishers, UPS batteries, and air conditioning units in your server rooms.

Audit Focus: Auditors will look for “The Repair Audit Trail”:

  1. Vendor Agreements: “Show me the confidentiality agreement (NDA) for the company that repairs your laptops.”
  2. On-Site Logs: “Where is the visitor log showing the last time the AC technician was in the server room?”
  3. Physical Evidence: They may check the service stickers on your fire extinguishers to ensure they aren’t out of date.

Repair Security Checklist (Must-Do Before Shipping):

Step | Action | Why it matters
1. Backup | Mandatory full backup. | Prevents data loss if the vendor wipes or replaces the device.
2. Remove Media | Remove the hard drive (if possible). | The best way to ensure data confidentiality during repair.
3. Encrypt | Activate BitLocker / FileVault. | If the device is stolen during shipping, the data remains unreadable.
4. Legal | Sign an NDA with the repair shop. | Provides a legal framework for data protection and liability.

What is ISO 27001 Annex A 7.13?

The focus of this ISO 27001 control is maintaining equipment in line with manufacturer recommendations to prevent failure or damage.

ISO 27001 Equipment Maintenance recognises that equipment requires maintaining so as to eliminate or reduce the likelihood of equipment failure and of information security vulnerabilities developing over time.

ISO 27001 Annex A 7.13 Equipment Maintenance is an ISO 27001 control that looks to make sure you maintain your equipment in line with guidance so it keeps working and protects the confidentiality, integrity and availability of data.

ISO 27001 Annex A 7.13 Purpose

The purpose of ISO 27001 Equipment Maintenance is to prevent loss, damage, theft or compromise of information and other associated assets, and interruption to the organisation's operations, caused by lack of maintenance.

ISO 27001 Annex A 7.13 Definition

The ISO 27001 standard defines ISO 27001 Annex A 7.13 as:

Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.

ISO 27001 Annex A 7.13 Free Training Video

In the video ISO 27001 Equipment Maintenance Explained – ISO27001:2022 Annex A 7.13 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.13 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.13 Equipment Maintenance, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.13 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.13 Equipment Maintenance. The podcast explores what it is, why it is important and the path to compliance.

How to implement ISO 27001 Annex A 7.13

Maintain Equipment

Equipment that is used will need to be maintained so that it keeps operating. If you do not maintain equipment, the risk of the device failing or being compromised is going to increase. For this control it is as simple as following the manufacturer's guidelines for maintaining your equipment.

To some extent this control is outside your gift to control, but there are some considerations that you can put in place and evidence.

Manufacturer's Guidelines

To meet the control you would, as with everything, operate any equipment and maintain it in line with the manufacturer's guidelines. This usually means appropriate professional maintenance, including testing and inspection, although we would expect this to be a legal and regulatory requirement anyway, usually around health and safety.

Use Professionals

The advice here is, if you have a server room or information processing facility, to bring in professional third parties to advise on and maintain the equipment. This is not something you will undertake yourself, and there are many laws that govern this that are outside your capability.

Providing Access

The things that you can do and consider include access. We cover this in access control, but how people are allowed on site or connect remotely, and how you supervise their activity, are in your control. Monitoring for faults and having a process to record and respond to incidents is a simple step you can implement.

Fire Safety Equipment

There are some things that you might not have thought about that can catch you out. These include maintaining all your fire safety equipment such as extinguishers and alarms.

How to comply

To comply with ISO 27001 Annex A 7.13 Equipment Maintenance you are going to

  • Get the help of professional third parties to put in place controls around maintenance where required.
  • Have policies and procedures in place
  • Assess your equipment and perform a risk assessment
  • Implement controls proportionate to the risk posed
  • Keep maintenance records
  • Test the controls that you have to make sure they are working

Repair Security Checklist

The biggest security risk in this control is sending equipment away for repair.

Step | Action | Why?
1. Backup | Mandatory. | In case the vendor wipes the device.
2. Remove Media | If possible, remove the hard drive. | Don’t send your data to the repair shop.
3. Encrypt | Ensure BitLocker/FileVault is active. | If the drive is stolen in transit, data is safe.
4. NDA | Check the vendor’s confidentiality agreement. | Ensure they are legally bound to protect your data.
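As an added example (not code from this page or from the High Table toolkit), the following PowerShell script performs the "Encrypt" step of the checklist above on a Windows device before it ships and records the result as a maintenance log entry. The ticket reference, vendor name and log path are assumed placeholders; it relies on the built-in BitLocker module and must run as an administrator.

```powershell
# Added example, not from the page or the High Table toolkit.
# Pre-shipment check for a Windows device going to an off-site repair vendor:
# confirms every BitLocker volume is fully encrypted with protection on, then
# appends a timestamped entry to a maintenance log so the auditor has a record.
# Requires the built-in BitLocker PowerShell module; run as an administrator.
param(
    [string]$TicketRef = "TICKET-PLACEHOLDER",        # assumption: your ticket id
    [string]$Vendor    = "REPAIR-VENDOR-PLACEHOLDER", # assumption: vendor name
    [string]$LogPath   = "C:\ISMS\MaintenanceLog.csv" # assumption: log location
)

# Volumes that would expose data if the device were lost or stolen in transit.
$exposed = Get-BitLockerVolume | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
}
$ready = (@($exposed).Count -eq 0)

# One log row per check; Export-Csv -Append keeps earlier entries intact.
$entry = [pscustomobject]@{
    Timestamp    = (Get-Date).ToString('o')
    Device       = $env:COMPUTERNAME
    Activity     = 'Pre-shipment encryption check (off-site repair)'
    Ticket       = $TicketRef
    Vendor       = $Vendor
    EncryptionOK = $ready
    ExposedVols  = (@($exposed) | ForEach-Object { $_.MountPoint }) -join ';'
    CheckedBy    = $env:USERNAME
}
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$entry | Export-Csv -Path $LogPath -Append -NoTypeInformation

if (-not $ready) {
    Write-Error "Do not ship: unprotected volumes: $($entry.ExposedVols)"
    exit 1
}
Write-Output "All BitLocker volumes protected; check logged to $LogPath for $TicketRef"
```

The log row doubles as the maintenance record the auditor asks for; the device only passes the check when every volume reports both ProtectionStatus On and VolumeStatus FullyEncrypted.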

Top 3 ISO 27001 Annex A 7.13 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 7.13 Equipment Maintenance are

1. You have no records of maintenance

Keep records that show that equipment has been maintained and that the maintenance followed the manufacturer's guidance. Record keeping!

2. You forgot about fire extinguishers

This one comes out of left field, but auditors do check and they can fail you on it. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no comments left in them are all good practices.

Fast Track Compliance with the ISO 27001 Toolkit

Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit

For ISO 27001 Annex A 7.13 (Equipment maintenance), the requirement is to correctly maintain equipment to ensure the availability, integrity, and confidentiality of information. This includes following manufacturer guidelines and ensuring repairs are handled securely.

While SaaS compliance platforms often try to sell you “automated maintenance trackers” or complex asset health modules, they cannot actually check your fire extinguishers or supervise a technician in your server room; they are merely a place to host your documentation. The High Table ISO 27001 Toolkit is the logical choice because it provides the governance layer that defines these rules, allowing you to manage your maintenance schedules effectively without a recurring subscription fee.

1. Ownership: You Own Your Maintenance Governance Forever

SaaS platforms act as a middleman for your compliance evidence. If you define your maintenance rules and store your service records inside their proprietary system, you are essentially renting your own operational history.

  • The Toolkit Advantage: You receive the Equipment Maintenance Policy and Maintenance Log templates in standard Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as repair security protocols), ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for Real-World Hardware

Annex A 7.13 is about maintaining physical equipment. You don’t need a complex new software interface to manage what your facility managers or third-party vendors already do.

  • The Toolkit Advantage: Your team already knows when the HVAC needs servicing or when fire alarms need testing. What they need is the governance layer to prove to an auditor that these actions are formal, consistent, and documented. The Toolkit provides the pre-written policies and “Repair Security Checklists” that formalize your existing maintenance work into an auditor-ready framework, without forcing your team to learn a new software platform.

3. Cost: A One-Off Fee vs. The “Asset Maintenance” Tax

Many compliance SaaS platforms charge based on the number of “assets” you track. For a control that applies to every piece of physical infrastructure in your organization, these monthly costs can scale aggressively.

  • The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you are maintaining 5 servers or a global data center facility, the cost of your Maintenance Documentation remains the same. You save your budget for the actual professional maintenance services rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Facilities Strategy

SaaS tools often only integrate with a limited number of “standard” facilities management systems. If you use specialized local vendors or change your maintenance providers, the SaaS tool can become a barrier to operational flexibility.

  • The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can edit the Maintenance Procedures to match any environment, on-premise, remote storage, or third-party facilities. You maintain total freedom to choose the best service providers for your business without being constrained by the technical limitations of a rented SaaS platform.

Summary: For Annex A 7.13, the auditor wants to see that you have a formal policy for equipment maintenance and proof that you follow it (e.g., service records and repair logs). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats

ISO 27001 Annex A 7.8 Equipment Siting And Protection

ISO 27001 Annex A 7.11 Supporting Utilities

ISO 27001 Annex A 7.14 Secure Disposal Or Re-Use Of Equipment

Controls and Attribute Values

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
Preventive | Confidentiality, Integrity, Availability | Protect, Detect | Physical Security, Asset Management | Protection, Resilience

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
