ISO 27001:2022 Annex A 7.8 Equipment siting and protection

In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.8 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.8 Equipment Siting and Protection

ISO 27001 Annex A 7.8 requires organizations to site and protect equipment (servers, laptops, network hardware) to reduce risks from physical and environmental threats, unauthorized access, and damage. It is a fundamental physical security control that ensures your hardware isn’t just “present,” but is located in a way that minimizes the chance of it being stolen, tampered with, or destroyed by environmental factors like water or heat.

Core requirements for compliance include:

  • Secure Placement: Equipment should be located in restricted-access areas (like locked server rooms) to prevent unauthorized physical contact.
  • Environmental Mitigation: You must protect hardware from hazards such as fire, flood, dust, and temperature extremes. For example, servers should not be placed directly under air conditioning units where water leaks could cause a short circuit.
  • Visibility Control: Screens and devices that process sensitive data must be positioned to prevent “shoulder surfing” from windows or public areas.
  • Cabling Security: Power and telecommunications cables must be protected from accidental or deliberate cutting or interception (e.g., using conduits).
  • Managed Access: Access to areas where equipment is sited must be logged and limited to authorized personnel only.

Audit Focus: Auditors will look for “Physical Hygiene”:

  1. The Walk-Through: They will walk through your office. If they see a server sitting under a desk in a public area or a laptop left unattended in the lobby, you will fail.
  2. Environmental Checks: They will look at your server room for high-risk items like exposed water pipes, lack of fire suppression, or inadequate cooling.
  3. Screen Privacy: They will check if ground-floor windows allow passers-by to read what’s on employee monitors.

Do’s and Don’ts of Equipment Siting:

Hazard              | Bad Practice (Audit Fail)                       | Good Practice (Audit Pass)
Water               | Server rack under a water pipe / A/C unit.      | Install water leak detection; move rack away from pipes.
Visibility          | Screens facing ground-floor windows.            | Install blinds or rotate desks away from public view.
Dust / Heat         | PC towers left on carpeted floors.              | Raise PCs on plinths/desk stands for better airflow.
Theft               | Laptops left on desks overnight.                | Enforce a Clean Desk Policy or use Kensington locks.
Unauthorized Access | Comms cabinet left unlocked in a hallway.       | Keep all cabinets locked and in restricted areas.

What is ISO 27001 Annex A 7.8?

The focus of this ISO 27001 control is your equipment and where you put it. As one of the ISO 27001 controls, it is about making sure that equipment is protected in situ.

ISO 27001 Annex A 7.8 Equipment Siting and Protection is an ISO 27001 control that protects equipment by siting it securely and shielding it from physical and environmental threats.

ISO 27001 Annex A 7.8 Purpose

The purpose of ISO 27001 Annex A 7.8 equipment siting and protection is to reduce the risks from physical and environmental threats, and from unauthorised access and damage.

ISO 27001 Annex A 7.8 Definition

The ISO 27001 standard defines equipment siting and protection as:

Equipment should be sited securely and protected.

ISO 27001 Annex A 7.8 Free Training Video

In the video ISO 27001 Equipment Siting and Protection Explained – ISO27001:2022 Annex A 7.8 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.8 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.8 Equipment Siting And Protection, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.8 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.8 Equipment Siting And Protection. The podcast explores what it is, why it is important and the path to compliance.

How to implement ISO 27001 Annex A 7.8

What we are talking about here is equipment: the physical things that we have. This control is about being sensible, protecting them and taking appropriate precautions. Where we put things matters because the location protects them from damage and from the wrong people accessing them. The examples here may be common sense to many, but not to everyone. Here are some common examples.

Servers

If you have a server, you want to make sure that it is in a dedicated server room with appropriate environmental controls and physical security controls in place. It is not great to have a server you rely on placed next to a desk and used to rest your coffee cup on, or under an air conditioning unit that slowly drips water on it, or in your mate’s garage.

Networks

Where we have network points (yes, some people still do), ideally we don’t want them in public areas. Where they are in public areas, they should either connect to a separate public network or be genuinely hard to plug any old device into.

Environmental Factors

The environmental factors to consider will depend on where you work. In a more industrial environment, for example, if the site were dusty we would implement dust protection, keyboard membranes and the like to safeguard our equipment.

ISO 27001 Physical Security Policy

To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.

Do’s and Don’ts of Equipment Siting

Hazard     | Bad Practice (Don’t)                        | Good Practice (Do)
Water      | Server rack under a water pipe / A/C unit.  | Install water leak detection rope; move rack.
Visibility | Screens facing ground-floor windows.        | Blinds on windows / rotate desks.
Dust       | PC towers on the carpet floor.              | Raise PCs on plinths/desk stands.
Sunlight   | Direct sun on servers (overheating).        | Blackout blinds / windowless room.
Theft      | Laptops left on desks overnight.            | Clean Desk Policy / Kensington locks.

How to comply

To comply with ISO 27001 Annex A 7.8 you are going to

  • Use common sense in your approach to where you put stuff
  • Be practical
  • Ensure you follow and meet all laws and regulations such as health and safety laws
  • Test the controls that you have to make sure they are working

Top 3 ISO 27001 Annex A 7.8 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 7.8 are

1. Equipment is where it should NOT be

This is the biggest mistake people make: putting things in places where they should not be. Work computers with full access in public areas and lobbies, servers under desks or at people’s homes, old equipment just lying around on desks.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Have you checked and walked the floor and visually seen that equipment is where you expect it to be? Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no stray comments left in them are all good practices.

Fast Track Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 7.8 (Equipment siting and protection), the requirement is to site equipment securely and protect it from physical and environmental threats, as well as unauthorized access. This is a common-sense, physical security control that focuses on where your hardware is located and how it’s safeguarded.

While SaaS compliance platforms often try to sell you “automated site monitoring” or complex physical asset trackers, they cannot actually move a server away from a dripping AC unit or install blackout blinds to stop “window surfing”; they are merely a place to host your documentation. The High Table ISO 27001 Toolkit is the logical choice because it provides the governance layer that defines these rules, allowing you to manage your equipment siting effectively without a recurring subscription fee.

1. Ownership: You Own Your Siting Policy Forever

SaaS platforms act as a middleman for your compliance evidence. If you define your equipment siting rules and store your office walkthrough logs inside their proprietary system, you are essentially renting your own physical security standards.

  • The Toolkit Advantage: You receive the Physical and Environmental Security Policy in a fully editable Word format. This document is yours forever. You maintain permanent ownership of your standards (such as plinth requirements for floor-standing PCs), ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for Real-World Hardware

Annex A 7.8 is about siting equipment properly. You don’t need a complex new software interface to manage what your office or facility managers already do (or should be doing).

  • The Toolkit Advantage: Your team already knows that servers shouldn’t be used as coffee tables. What they need is the governance layer to prove to an auditor that these actions are formal, consistent, and documented. The Toolkit provides pre-written policies and “Do’s and Don’ts” guides that formalize your existing office management work into an auditor-ready framework, without forcing your team to learn a new software platform.

3. Cost: A One-Off Fee vs. The “Physical Facility” Tax

Many compliance SaaS platforms charge more based on the number of “physical locations” or “hardware assets” you track. For a control that applies to every office, desk, and server rack in your company, these monthly costs can scale aggressively.

  • The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you have one small office or a global network of facilities, the cost of your Equipment Siting Documentation remains the same. You save your budget for actual physical protections (like window blinds or water leak detection) rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Office Strategy

SaaS tools often mandate specific ways to report on and monitor physical equipment siting. If their system doesn’t match your lean office setup or modern co-working model, the tool becomes a bottleneck.

  • The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic and fully editable. You can tailor the Siting Procedures to match exactly how you operate, whether you have high-density data centers or a remote-first team with small home-office requirements. You maintain total freedom to evolve your physical workspace without being constrained by the technical limitations of a rented SaaS platform.

Summary: For Annex A 7.8, the auditor wants to see that you have a formal policy for equipment siting and proof that you follow it (e.g., site walkthrough logs and secure location standards). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Controls and Attribute Values

Control type | Information security properties           | Cybersecurity concepts | Operational capabilities             | Security domains
Preventive   | Confidentiality, Integrity, Availability  | Protect                | Physical Security, Asset management  | Protection

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
