ISO 27001 Annex A 7.7 Audit Checklist

Auditing ISO 27001 Annex A 7.7 Maintenance of Equipment is the systematic verification of technical servicing and operational reliability for physical assets. The primary implementation requirement is scheduled preventive care aligned with manufacturer specifications; the business benefit is maximum system uptime and the integrity of critical ISMS infrastructure.

ISO 27001 Annex A 7.7 Maintenance of Equipment Audit Checklist

This technical verification tool is designed for lead auditors to establish the continuous availability and integrity of physical assets supporting the ISMS. Use this checklist to validate compliance with ISO 27001 Annex A 7.7.

1. Equipment Maintenance Inventory Verified

Verification Criteria: A master register exists identifying all equipment that requires periodic maintenance to ensure continued availability and integrity.

Required Evidence: Asset Register containing maintenance metadata (e.g. last service date, next service date, and service provider).

Pass/Fail Test: If critical infrastructure (e.g. UPS or HVAC) is missing from the maintenance tracking system, mark as Non-Compliant.

2. Manufacturer Specifications Alignment Confirmed

Verification Criteria: Maintenance intervals and procedures are aligned with the manufacturer’s recommendations and technical specifications.

Required Evidence: Comparison report between manufacturer manuals and the organisation’s internal Maintenance Schedule.

Pass/Fail Test: If maintenance is performed less frequently than the manufacturer-recommended interval without a documented risk-based justification, mark as Non-Compliant.

3. Preventive Maintenance Execution Records Present

Verification Criteria: Documented evidence confirms that preventive maintenance tasks have been completed according to the established schedule.

Required Evidence: Signed service reports, job sheets, or maintenance logs from internal technicians or third-party contractors.

Pass/Fail Test: If more than 10% of scheduled maintenance tasks for the current period are overdue without an extension or explanation, mark as Non-Compliant.

4. Corrective Maintenance Log Integrity Validated

Verification Criteria: All equipment failures and subsequent repairs are logged, including root cause analysis and details of parts replaced.

Required Evidence: Corrective Maintenance Log or ticketing system export showing resolution details for hardware failures.

Pass/Fail Test: If a major equipment failure occurred but no record exists of the repair or the verification of the fix, mark as Non-Compliant.

5. Maintenance Personnel Authorisation Verified

Verification Criteria: Only authorised and qualified personnel (internal or external) are permitted to perform maintenance on sensitive equipment.

Required Evidence: Approved vendor list for maintenance services and training/certification records for internal maintenance staff.

Pass/Fail Test: If maintenance was performed on a production server or UPS by an unvetted or unapproved third party, mark as Non-Compliant.

6. Secure Handling of Equipment During Maintenance Confirmed

Verification Criteria: Controls are in place to prevent unauthorised access to data or systems when equipment is being serviced by external parties.

Required Evidence: Visitor logs showing external engineers are escorted; evidence of disk removal or encryption for off-site repairs.

Pass/Fail Test: If equipment containing sensitive data was sent off-site for repair without a signed data processing agreement or disk wiping/removal, mark as Non-Compliant.

7. Redundant System Functional Testing Validated

Verification Criteria: Redundant systems (e.g. backup generators, secondary cooling) are tested under load during maintenance to ensure failover capability.

Required Evidence: Load test logs for generators or failover drill reports for secondary environmental controls.

Pass/Fail Test: If a generator is maintained but never “switched on” or load-tested to verify it can support the data centre, mark as Non-Compliant.

8. Maintenance Tool Calibration Records Verified

Verification Criteria: Tools used for measuring or testing equipment (e.g. multimeters, thermal sensors) are calibrated against national standards.

Required Evidence: Valid Calibration Certificates for tools used in the maintenance of critical infrastructure.

Pass/Fail Test: If maintenance decisions are made based on uncalibrated or expired test equipment, mark as Non-Compliant.

9. Maintenance-Related Security Incident Linkage Identified

Verification Criteria: Any security breaches or anomalies discovered during maintenance activities are formally reported as security incidents.

Required Evidence: Cross-reference between maintenance logs and the Information Security Incident Register.

Pass/Fail Test: If a technician discovers evidence of tampering during maintenance but no incident report was raised, mark as Non-Compliant.

10. Management Review of Maintenance Trends Confirmed

Verification Criteria: Maintenance reports and equipment uptime metrics are reviewed by management to determine if equipment replacement is necessary.

Required Evidence: Management Review Meeting (MRM) minutes showing analysis of equipment lifecycle and maintenance costs.

Pass/Fail Test: If equipment consistently fails and requires excessive corrective maintenance without a management plan for replacement, mark as Non-Compliant.

ISO 27001 Annex A 7.7 SaaS / GRC Platform Failure Checklist

Each entry below gives the Control Requirement, the ‘Checkbox Compliance’ Trap, and the Reality Check.

Control Requirement: Maintenance Schedule

The ‘Checkbox Compliance’ Trap: Tool marks “Compliant” because an “Annual Maintenance Policy” PDF is uploaded.

The Reality Check: Auditor must verify the actual logs. A policy is an intent; a signed engineer’s report is the evidence.

Control Requirement: Redundancy Testing

The ‘Checkbox Compliance’ Trap: GRC tool identifies “Generator” as an asset and assigns a task.

The Reality Check: Verify the load test. Many tools allow a “Yes” answer without requiring a load-test certificate upload.

Control Requirement: Personnel Vetting

The ‘Checkbox Compliance’ Trap: Platform assumes the maintenance company is safe because it’s a “known brand.”

The Reality Check: Review the service contract. GRC tools often ignore whether the specific engineer had a background check or was escorted.

Control Requirement: Technical Specificity

The ‘Checkbox Compliance’ Trap: Tool provides a generic “Maintenance Task” for all hardware.

The Reality Check: Check the manual. Maintenance for a CCTV camera is not the same as for a fire suppression system; the checklist must be specific.

Control Requirement: Off-site Security

The ‘Checkbox Compliance’ Trap: Tool marks “Repaired” when the status is updated to ‘Closed’.

The Reality Check: Demand the data disposal certificate. If a laptop went off-site for a screen fix, was the SSD removed or encrypted?

Control Requirement: Calibration

The ‘Checkbox Compliance’ Trap: Platform ignores the tools used to perform the maintenance.

The Reality Check: Check the multimeter. If the UPS was tested with an uncalibrated meter, the maintenance results are technically invalid.

Control Requirement: Lifecycle Management

The ‘Checkbox Compliance’ Trap: Tool assumes hardware lasts forever until a “Failure Task” is raised.

The Reality Check: Verify EOL (End of Life). GRC tools rarely flag equipment that is no longer supported by the manufacturer.

About the author

Stuart Barker
ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
