4. Protection Against Power Failures Verified

Verification Criteria: Equipment is protected from power failures and electrical anomalies using Uninterruptible Power Supplies (UPS) and/or backup generators. Required Evidence: Physical sighting of UPS hardware and logs confirming successful load testing and generator cut-over drills.

5. Protection of Cabling Infrastructure Confirmed

Verification Criteria: Power and telecommunications cabling is protected from interception, interference, or damage through secure conduits or subterranean routing. Required Evidence: Physical inspection of secure cable trunking and floor-to-ceiling conduits in secure areas.

6. Climate and Humidity Control Integrity Validated

Verification Criteria: Environmental monitoring systems are active to maintain temperature and humidity within manufacturer-specified operating ranges. Required Evidence: Historic temperature and humidity logs from the HVAC or environmental monitoring system (e.g. NetBotz).

7. Siting to Prevent Unauthorised Viewing Verified

Verification Criteria: Displays and input devices are sited to prevent the viewing of sensitive information by unauthorised persons ("shoulder surfing"). Required Evidence: Physical walkthrough confirming monitor positioning and the use of privacy filters in high-traffic or public-facing areas.

8. Protection Against Electromagnetic Interference (EMI) Confirmed

Verification Criteria: Equipment is sited or shielded to protect it from electromagnetic interference that could cause data corruption or system failure. Required Evidence: Physical sighting of separation between power lines and data cables (e.g. 50mm+ gap) or use of shielded (STP/FTP) cabling.

9. Combustible Material Management Validated

Verification Criteria: Secure areas housing equipment are free from large quantities of combustible materials (e.g. empty cardboard boxes, paper archives). Required Evidence: Visual inspection of the server room and facilities storage areas; documented "No Storage" policy for secure rooms.

10. Secure Siting of Support Utilities Verified

Verification Criteria: Support utilities (UPS, HVAC, Gas canisters) are secured to the same level as the primary equipment they support to prevent tampering. Required Evidence: Physical inspection of utility enclosures; verification that external HVAC units are fenced or placed out of reach.

ISO 27001 Annex A 7.8 Audit Checklist [+ Templates]

Q: 1. Environmental Risk Assessment for Equipment Siting Verified

Verification Criteria: A documented assessment exists identifying potential environmental threats (e.g. fire, flood, earthquake, civil unrest) for all sites housing critical equipment. Required Evidence: Physical Risk Assessment or Business Impact Analysis (BIA) with site-specific environmental threat mapping.

Q: 2. Protection Against Environmental Threats Confirmed

Verification Criteria: Physical controls are in place to protect equipment from identified environmental hazards, such as fire suppression systems and raised flooring. Required Evidence: Maintenance logs for gas-based fire suppression (e.g. FM200/Inergen) and physical sighting of leak detection sensors.

Q: 3. Restricted Access Siting for Processing Assets Validated

Verification Criteria: Information processing facilities are sited in a manner that minimises public access and avoids unnecessary transit of personnel through secure areas. Required Evidence: Site floor plans showing that the server room or archive is not located on a primary thoroughfare or near public reception.

In this ultimate how to audit guide to ISO 27001 Annex A 7.8 Equipment Siting and Protection, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.8 Equipment Siting and Protection Audit Checklist

ISO 27001 Annex A 7.8 Equipment Siting and Protection Audit Checklist

Auditing ISO 27001 Annex A 7.8 Equipment Siting and Protection is the systematic technical verification of the physical and environmental resilience of information processing assets. The Primary Implementation Requirement demands secure placement and environmental hardening, providing the Business Benefit of ensuring continuous availability and operational integrity.

This technical verification tool is designed for lead auditors to establish the environmental and physical resilience of critical information processing assets. Use this checklist to validate compliance with ISO 27001 Annex A 7.8.

1. Environmental Risk Assessment for Equipment Siting Verified

Verification Criteria: A documented assessment exists identifying potential environmental threats (e.g. fire, flood, earthquake, civil unrest) for all sites housing critical equipment.

Required Evidence: Physical Risk Assessment or Business Impact Analysis (BIA) with site-specific environmental threat mapping.

Pass/Fail Test: If the organisation has sited a data centre or server room in a high-risk flood zone or below water pipes without documented mitigation, mark as Non-Compliant.

2. Protection Against Environmental Threats Confirmed

Verification Criteria: Physical controls are in place to protect equipment from identified environmental hazards, such as fire suppression systems and raised flooring.

Required Evidence: Maintenance logs for gas-based fire suppression (e.g. FM200/Inergen) and physical sighting of leak detection sensors.

Pass/Fail Test: If critical ICT equipment is located in a room with standard water sprinklers or lacks fire detection integrated into the central alarm, mark as Non-Compliant.

3. Restricted Access Siting for Processing Assets Validated

Verification Criteria: Information processing facilities are sited in a manner that minimises public access and avoids unnecessary transit of personnel through secure areas.

Required Evidence: Site floor plans showing that the server room or archive is not located on a primary thoroughfare or near public reception.

Pass/Fail Test: If the main server rack is located in an open-plan office or a communal corridor accessible to visitors, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

ISO 27001 Annex A 7.8 Equipment Siting and Protection Audit Checklist

1. Environmental Risk Assessment for Equipment Siting Verified

2. Protection Against Environmental Threats Confirmed

3. Restricted Access Siting for Processing Assets Validated