ISO 27001 Annex A 7.13 Equipment Maintenance

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 7.13 Equipment Maintenance

ISO 27001 Equipment Maintenance

The focus for this ISO 27001 Control is maintaining equipment. As one of the ISO 27001 controls this is about maintaining equipment in line with manufacturer recommendations to prevent failure or damage.

You will learn what the ISO 27001 control 7.13 is, how to simply and easily implement it for ISO 27001 certification and I will show you some common gotchas so you can avoid them.

What is ISO 27001 Annex A 7.13 Equipment Maintenance?

ISO 27001 Annex A 7.13 Equipment Maintenance is an ISO 27001 control that looks to make sure you maintain your equipment in line with guidance so it keeps working and protects the confidentiality, integrity and availability of data.

ISO 27001 Annex A 7.13 Purpose

The purpose of Annex A 7.13 is to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organisations operations caused by lack of maintenance.

ISO 27001 Annex A 7.13 Definition

The ISO 27001 standard defines Annex A 7.13 as:

Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.

ISO 27001:2022 Annex A 7.13 Equipment Maintenance



ISO 27001 Toolkit Business Edition

How to implement ISO 27001 Annex 7.13

Maintain Equipment

Equipment that is used will need to be maintained so that it keeps operating. If you do not maintain equipment then the risk of the device failing or being compromised is going to increase. For this control it is as simple as following the manufactures guidelines for maintenance for your equipment.

To some extent this control is outside of your gift to control but there are some considerations that you can put in place and evidence.

Manufacturers Guidelines

To meet the control you would, as with everything, operate any equipment and maintain it in line with the manufacturers guidelines. This usually means appropriate professional maintenance. The professional maintenance would include testing and inspection although we would expect this to be a legal and regulatory requirement anyway, usually around health and safety.

Use Professionals

The advice here is, if you have a server room or information processing facility to bring in professional third parties to advise and maintain equipment. This is not something you will undertake yourself and there are many laws that govern this that are outside your capability.

Providing Access

The things that you can do and consider include access. We cover this in access control but looking at how people are allowed on site or remotely connect and how you supervise the activity are in your control. Monitoring for faults and having a process to record and respond to incidents is a simple step you can implement.

Fire Safety Equipment

There are some things that you might not have thought about that can catch you out. These include maintaining all your fire safety equipment such as extinguishers and alarms.

ISO 27001 Templates

ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. Not interested in ISO 27001 templates, then you can skip to the next section.

How to comply with ISO 27001 Annex A 7.13

To comply with ISO 27001 Annex A 7.13 you are going to

  • Get the help of professional third parties to put in place controls around maintenance where required.
  • Have policies and procedures in place
  • Assess your equipment and perform a risk assessment
  • Implement controls proportionate to the risk posed
  • Keep maintenance records
  • Test the controls that you have to make sure they are working

Top 3 Mistakes People Make for ISO 27001 Annex A 7.13

The top 3 mistakes people make for ISO 27001 Annex A 7.13 are

1. You have no records of maintenance

Keep records that show that things have been maintained and that it has followed the guidance of the manufacturer. Record keeping!

2. You forgot about fire extinguishers

Proper left field this one but they do check and they can fail you on it. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.

Controls and Attribute Values

Control typeInformation
security properties
Security domains
PreventiveConfidentialityProtectPhysical SecurityProtection
IntegrityDetectAsset ManagementResilience
ISO 27001 Toolkit Business Edition

Do It Yourself ISO27001

Stop Spanking £10,000s on consultants and ISMS online-tools.