ISO 27001 Annex A 7.8 Audit Checklist

Auditing ISO 27001 Annex A 7.8 Equipment Siting and Protection is the systematic technical verification of the physical and environmental resilience of information processing assets. The primary implementation requirement is secure placement and environmental hardening; the business benefit is continuous availability and operational integrity.

ISO 27001 Annex A 7.8 Equipment Siting and Protection Audit Checklist

This technical verification tool is designed for lead auditors to establish the environmental and physical resilience of critical information processing assets. Use this checklist to validate compliance with ISO 27001 Annex A 7.8.

1. Environmental Risk Assessment for Equipment Siting Verified

Verification Criteria: A documented assessment exists identifying potential environmental threats (e.g. fire, flood, earthquake, civil unrest) for all sites housing critical equipment.

Required Evidence: Physical Risk Assessment or Business Impact Analysis (BIA) with site-specific environmental threat mapping.

Pass/Fail Test: If the organisation has sited a data centre or server room in a high-risk flood zone or below water pipes without documented mitigation, mark as Non-Compliant.

2. Protection Against Environmental Threats Confirmed

Verification Criteria: Physical controls are in place to protect equipment from identified environmental hazards, such as fire suppression systems and raised flooring.

Required Evidence: Maintenance logs for gas-based fire suppression (e.g. FM200/Inergen) and physical sighting of leak detection sensors.

Pass/Fail Test: If critical ICT equipment is located in a room with standard water sprinklers or lacks fire detection integrated into the central alarm, mark as Non-Compliant.

3. Restricted Access Siting for Processing Assets Validated

Verification Criteria: Information processing facilities are sited in a manner that minimises public access and avoids unnecessary transit of personnel through secure areas.

Required Evidence: Site floor plans showing that the server room or archive is not located on a primary thoroughfare or near public reception.

Pass/Fail Test: If the main server rack is located in an open-plan office or a communal corridor accessible to visitors, mark as Non-Compliant.

4. Protection Against Power Failures Verified

Verification Criteria: Equipment is protected from power failures and electrical anomalies using Uninterruptible Power Supplies (UPS) and/or backup generators.

Required Evidence: Physical sighting of UPS hardware and logs confirming successful load testing and generator cut-over drills.

Pass/Fail Test: If a mains power failure causes an immediate, ungraceful shutdown of critical processing assets, mark as Non-Compliant.

5. Protection of Cabling Infrastructure Confirmed

Verification Criteria: Power and telecommunications cabling is protected from interception, interference, or damage through secure conduits or subterranean routing.

Required Evidence: Physical inspection of secure cable trunking and floor-to-ceiling conduits in secure areas.

Pass/Fail Test: If network or power cables are found exposed in public areas where they can be unplugged or tampered with manually, mark as Non-Compliant.

6. Climate and Humidity Control Integrity Validated

Verification Criteria: Environmental monitoring systems are active to maintain temperature and humidity within manufacturer-specified operating ranges.

Required Evidence: Historic temperature and humidity logs from the HVAC or environmental monitoring system (e.g. NetBotz).

Pass/Fail Test: If the server room temperature exceeds 27°C (80°F) without an automated alert being triggered and logged, mark as Non-Compliant.
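As an added example (not part of the checklist and not taken from any monitoring product), here is a Python check an auditor could run over exported logs to apply this pass/fail test: it flags each onset of a reading above 27°C that has no alert for that sensor logged within an assumed five-minute window. The log formats and sample readings are constructed.

```python
from datetime import datetime, timedelta

THRESHOLD_C = 27.0                   # limit quoted in the pass/fail test above
ALERT_WINDOW = timedelta(minutes=5)  # assumed maximum acceptable alert latency

# Constructed sample export from an environmental monitor: time, sensor, degC
SENSOR_LOG = """\
2024-03-01T09:00:00 rack-a 24.1
2024-03-01T09:05:00 rack-a 26.8
2024-03-01T09:10:00 rack-a 27.6
2024-03-01T09:15:00 rack-a 28.3
2024-03-01T09:20:00 rack-b 27.9
"""
# Constructed sample from the alarm system's event log: time, sensor, message
ALERT_LOG = "2024-03-01T09:11:30 rack-a HIGH_TEMP alert raised\n"

def parse_sensor_log(text):
    # (timestamp, sensor, temperature) tuples, sorted so runs are detected in order
    rows = [line.split() for line in text.splitlines()]
    return sorted((datetime.fromisoformat(t), s, float(c)) for t, s, c in rows)

def parse_alert_log(text):
    # (timestamp, sensor) for every logged alert; the message text is ignored
    return [(datetime.fromisoformat(f[0]), f[1])
            for f in (line.split() for line in text.splitlines())]

def unalerted_exceedances(sensor_text, alert_text,
                          threshold=THRESHOLD_C, window=ALERT_WINDOW):
    """Find the onset of each over-threshold run per sensor and report those
    with no alert for that sensor logged within `window` of the onset."""
    alerts = parse_alert_log(alert_text)
    above = {}        # sensor -> whether it is currently in an exceedance run
    findings = []
    for ts, sensor, temp_c in parse_sensor_log(sensor_text):
        was_above = above.get(sensor, False)
        above[sensor] = temp_c > threshold
        if above[sensor] and not was_above:   # a new exceedance begins here
            covered = any(s == sensor and ts <= ats <= ts + window
                          for ats, s in alerts)
            if not covered:
                findings.append((ts.isoformat(), sensor, temp_c))
    return findings

def audit_verdict(sensor_text=SENSOR_LOG, alert_text=ALERT_LOG):
    """Checklist verdict: any unalerted exceedance onset is Non-Compliant."""
    return "Non-Compliant" if unalerted_exceedances(sensor_text, alert_text) else "Compliant"
```

Continuation readings inside an already-alerted run are not counted again, so one logged alarm per exceedance is enough to pass; rack-b in the sample has no alert at all and fails the check.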

7. Siting to Prevent Unauthorised Viewing Verified

Verification Criteria: Displays and input devices are sited to prevent the viewing of sensitive information by unauthorised persons (“shoulder surfing”).

Required Evidence: Physical walkthrough confirming monitor positioning and the use of privacy filters in high-traffic or public-facing areas.

Pass/Fail Test: If a screen displaying confidential PII or financial data is clearly visible from a public window or reception area, mark as Non-Compliant.

8. Protection Against Electromagnetic Interference (EMI) Confirmed

Verification Criteria: Equipment is sited or shielded to protect it from electromagnetic interference that could cause data corruption or system failure.

Required Evidence: Physical sighting of separation between power lines and data cables (e.g. 50mm+ gap) or use of shielded (STP/FTP) cabling.

Pass/Fail Test: If high-voltage power cables are bundled directly with unshielded network cables, mark as Non-Compliant.

9. Combustible Material Management Validated

Verification Criteria: Secure areas housing equipment are free from large quantities of combustible materials (e.g. empty cardboard boxes, paper archives).

Required Evidence: Visual inspection of the server room and facilities storage areas; documented “No Storage” policy for secure rooms.

Pass/Fail Test: If the server room is found being used as a general storage area for cardboard boxes or stationery, mark as Non-Compliant.

10. Secure Siting of Support Utilities Verified

Verification Criteria: Support utilities (UPS, HVAC, gas canisters) are secured to the same level as the primary equipment they support, to prevent tampering.

Required Evidence: Physical inspection of utility enclosures; verification that external HVAC units are fenced or placed out of reach.

Pass/Fail Test: If an external AC condenser unit or generator is accessible to the public without a protective barrier, mark as Non-Compliant.

ISO 27001 Annex A 7.8 SaaS / GRC Platform Failure Checklist

| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
| --- | --- | --- |
| Environmental Siting | Tool records “Office is in a modern building” as evidence. | Verify the floor. Siting a server room in a basement in a flood-prone city is a high risk that GRC tools miss. |
| Power Protection | Platform marks “UPS” as an active asset in the register. | Check the battery health. GRC tools don’t tell you the UPS batteries have expired and won’t hold a 5-minute load. |
| Cable Security | SaaS tool assumes compliance if the site is a Tier 3 Data Centre. | Verify the internal path. Check if local office patch panels are in an unlocked cupboard in the hallway. |
| Visual Privacy | Tool logs that a “Clear Screen Policy” was read by staff. | Physical walkthrough is required. GRC tools cannot see if a manager’s monitor faces a glass wall in the lobby. |
| Fire Suppression | Tool records “Fire Extinguisher Service” date. | Verify the type. Standard CO2 extinguishers are insufficient for automated protection of critical processing assets. |
| Interference (EMI) | Tool marks control as ‘Not Applicable’ for cloud-only firms. | Verify the hybrid link. On-premise routers and SD-WAN devices still require EMI protection that tools ignore. |
| Hazardous Proximity | Platform identifies the building location via GPS. | Check the neighbours. GRC tools don’t know if the office shares a wall with a high-risk chemical storage unit. |

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
