ISO 27001 Equipment Siting And Protection
The focus for this ISO 27001 Control is your equipment and where you put it. As one of the ISO 27001 controls this is making sure that it is protected in situ.
Table of Contents
What is ISO 27001 Annex A 7.8?
ISO 27001 Annex A 7.8 Equipment Siting and Protection is an ISO 27001 control that looks to protect equipment by siting it securely and protecting it.
ISO 27001 Annex A 7.8 Purpose
The purpose of ISO 27001 Annex A 7.8 equipment siting and protection is to reduce the risks from physical and environmental threats, and from unauthorised access and damage.
ISO 27001 Annex A 7.8 Definition
The ISO 27001 standard defines equipment siting and protection as:
Equipment should be sited securely and protected.
ISO 27001:2022 Annex A 7.8 Equipment Siting and Protection
DO IT YOURSELF ISO 27001
STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS
How to implement ISO 27001 Annex A 7.8
What we are talking about here is equipment. The physical things that we have. This control is about being sensible and protecting them and taking appropriate precautions. Where we put stuff is important because it protects it from damage and the wrong people accessing it. We are considering examples here that may be common sense to many but not always. Here are some common examples.
Servers
If you have a server you want to make sure that it is in a dedicated server room with appropriate environmental controls and physical security controls in place. It is not great to have a server you rely on placed next to a desk and used to rest your coffee cup on. Or to have a server under an air conditioning unit that slowly drips water on it. Or in your mates garage.
Networks
Where we have network points, yes some people still do, then ideally we don’t want them in public areas and where they are in public areas they either connect to separate public networks or they are really really hard just to plug any old device into.
Environmental Factors
Environmental factors to consider will be dependant on where you work, and here we can think about working in a more industrial environment where as an example if it were dusty then we would implement dust protection, keyboard membranes and the like to safeguard our equipment.
ISO 27001 Physical Security Policy
To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.
Watch the ISO 27001 Annex A 7.8 Tutorial
In the video ISO 27001 Equipment Siting and Protection Explained – ISO27001:2022 Annex A 7.8 I show you how to implement it and how to pass the audit.
How to comply
To comply with ISO 27001 Annex A 7.8 you are going to
- Use common sense in your approach to where you put stuff
- Be practical
- Ensure you follow and meet all laws and regulations such as health and safety laws
- Test the controls that you have to make sure they are working
Top 3 Mistakes People Make
The top 3 mistakes people make for ISO 27001 Annex A 7.8 are
1. Equipment is NOT where it should not be
This is the biggest mistake people make. Putting things in places that they should not be. Work computers with full access in public areas and lobbies, servers under desks or at people’s homes, old equipment just lying around on desks.
2. One or more members of your team haven’t done what they should have done
Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Have you checked and walked the floor and visually seen that equipment is where you expect it to be? Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Protect | Physical Security | Protection |
| Integrity | Asset management | |||
| Availability |
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.