ISO 27001:2022 Annex A 7.8 Equipment siting and protection


In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.8 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.8 Equipment Siting and Protection

ISO 27001 Annex A 7.8 requires organizations to site and protect equipment (servers, laptops, network hardware) to reduce risks from physical and environmental threats, unauthorised access, and damage. It is a fundamental physical security control that ensures your hardware isn’t just “present,” but is located in a way that minimises the chance of it being stolen, tampered with, or destroyed by environmental factors like water or heat.

Core requirements for compliance include:

  • Secure Placement: Equipment should be located in restricted-access areas (like locked server rooms) to prevent unauthorized physical contact.
  • Environmental Mitigation: You must protect hardware from hazards such as fire, flood, dust, and temperature extremes. For example, servers should not be placed directly under air conditioning units where water leaks could cause a short circuit.
  • Visibility Control: Screens and devices that process sensitive data must be positioned to prevent “shoulder surfing” from windows or public areas.
  • Cabling Security: Power and telecommunications cables must be protected from accidental or deliberate cutting or interception (e.g., using conduits).
  • Managed Access: Access to areas where equipment is sited must be logged and limited to authorized personnel only.

Audit Focus: Auditors will look for “Physical Hygiene”:

  1. The Walk-Through: They will walk through your office. If they see a server sitting under a desk in a public area or a laptop left unattended in the lobby, you will fail.
  2. Environmental Checks: They will look at your server room for high-risk items like exposed water pipes, lack of fire suppression, or inadequate cooling.
  3. Screen Privacy: They will check if ground-floor windows allow passers-by to read what’s on employee monitors.

Do’s and Don’ts of Equipment Siting:

Hazard Factor | Bad Practice (Audit Fail) | Good Practice (Audit Pass) | ISO 27001:2022 Control
Water | Server rack under a water pipe or A/C unit. | Install water leak detection; move rack away from pipes. | 7.8 (Equipment Siting)
Visibility | Screens facing ground-floor windows. | Install blinds or rotate desks away from public view. | 7.8 & 7.10 (Storage Media)
Dust / Heat | PC towers left on carpeted floors. | Raise PCs on plinths/desk stands for better airflow. | 7.8 (Equipment Siting)
Theft | Laptops left on desks overnight. | Enforce a Clean Desk Policy or use Kensington locks. | 7.9 (Off-premises assets)
Unauthorized Access | Comms cabinet left unlocked in a hallway. | Keep all cabinets locked and in restricted areas. | 7.8 (Equipment Siting)

What is ISO 27001 Annex A 7.8?

The focus of this ISO 27001 control is your equipment and where you put it. As one of the ISO 27001 controls, it is about making sure that equipment is protected in situ.

ISO 27001 Annex A 7.8 Equipment Siting and Protection is an ISO 27001 control that protects equipment by siting it securely and by protecting it where it sits.

ISO 27001 Annex A 7.8 Purpose

The purpose of ISO 27001 Annex A 7.8 equipment siting and protection is to reduce the risks from physical and environmental threats, and from unauthorised access and damage.

ISO 27001 Annex A 7.8 Definition

The ISO 27001 standard defines equipment siting and protection as:

Equipment should be sited securely and protected.


ISO 27001 Annex A 7.8 Free Training Video

In the video ISO 27001 Equipment Siting and Protection Explained – ISO27001:2022 Annex A 7.8 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.8 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.8 Equipment Siting And Protection, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.8 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.8 Equipment Siting And Protection. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 7.8 Implementation Guidance

What we are talking about here is equipment: the physical things that we have. This control is about being sensible, protecting them and taking appropriate precautions. Where we put things matters because the location protects them from damage and from the wrong people accessing them. The examples here may be common sense to many, but not always. Here are some common examples.

Servers

If you have a server, make sure it is in a dedicated server room with appropriate environmental controls and physical security controls in place. It is not great to have a server you rely on sitting next to a desk and used to rest your coffee cup on, or under an air conditioning unit that slowly drips water on it, or in your mate’s garage.

Networks

Where you have physical network points (yes, some people still do), ideally they are not in public areas. Where they are in public areas, they should either connect to a separate public network or be made genuinely difficult to plug any old device into.

Environmental Factors

The environmental factors to consider depend on where you work. In a more industrial environment, for example, if the site is dusty you would implement dust protection, keyboard membranes and the like to safeguard your equipment.

ISO 27001 Physical Security Policy

To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.

ISO 27001 Physical and Environmental Security Policy Template

How to implement ISO 27001 Annex A 7.8

Implementing ISO 27001 Annex A 7.8 requires a strategic approach to the physical placement and shielding of hardware assets. This technical guide outlines the action-result workflow for siting equipment to mitigate risks from environmental hazards, unauthorised physical access, and visual eavesdropping.

1. Conduct an Environmental Risk and Siting Assessment

Perform a site survey to identify the optimal location for critical equipment, ensuring the environment is stable and protected from external threats.

  • Identify high-risk zones prone to fire, flooding, or extreme temperature fluctuations.
  • Evaluate the proximity of equipment to water pipes, HVAC units, and heavy machinery that could cause electromagnetic interference (EMI).
  • Document the siting rationale in a formal Risk Assessment to serve as audit evidence.
  • Verify that the chosen location supports redundant power and telecommunications feeds.

2. Provision Physical Protection and Secure Enclosures

Apply physical barriers to hardware to prevent unauthorised tampering and protect against accidental damage or environmental fallout.

  • Install server racks with integrated locking mechanisms and tamper-evident seals.
  • Deploy industrial-grade conduits for cabling to prevent physical tapping or accidental disconnection.
  • Utilise fireproof and waterproof enclosures for critical backup media or small-form-factor devices.
  • Bolt down public-facing kiosks or terminals to prevent unauthorised removal or relocation.

3. Implement Visual Privacy and Anti-Shoulder Surfing Controls

Configure the physical orientation of equipment to ensure that sensitive information displayed on screens remains confidential from unauthorised observers.

  • Angle monitors away from windows, public corridors, and high-traffic office areas.
  • Provision privacy screen filters for all mobile devices and workstations positioned in open-plan environments.
  • Enforce strict “Clear Screen” policies to complement physical positioning.
  • Utilise non-reflective glass or partitions in secure areas to prevent visual interception from outside the room.

4. Configure Environmental Monitoring and Suppression Systems

Establish automated systems to detect and suppress environmental threats before they impact the integrity or availability of the equipment.

  • Install smoke, heat, and moisture sensors linked to a central monitoring dashboard.
  • Provision gas-based fire suppression systems (e.g., FM-200 or Novec 1230) in server rooms to prevent water damage to electronics.
  • Maintain redundant HVAC (Heating, Ventilation, and Air Conditioning) units to ensure consistent climate control.
  • Deploy leak detection cables beneath raised floors in data processing facilities.
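The monitoring side of this step can be sanity-checked before a dashboard product is wired in. The following is an added example, not code from the page or from the High Table toolkit: it evaluates a constructed feed of heat, humidity, leak-rope and smoke-head readings against siting thresholds and produces the alerts a central monitoring dashboard would raise, including a warning when a sensor simply stops reporting. The sensor names, threshold values, rack identifiers and log line format are all assumptions for illustration.

```python
"""Environmental sensor threshold checks for a server room.

Added example (not from the page or the High Table toolkit): evaluates
constructed smoke, heat, moisture and leak-sensor readings against siting
thresholds and produces the alerts a central monitoring dashboard would raise.
Sensor names, thresholds and the log line format are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed thresholds for a small server room (illustrative; set them per site).
TEMP_MAX_C = 27.0
HUMIDITY_RANGE_PCT = (20.0, 60.0)
SENSOR_TIMEOUT = timedelta(minutes=10)  # a sensor that goes quiet is itself a finding


@dataclass(frozen=True)
class Reading:
    ts: datetime
    location: str
    sensor: str  # "temp", "humidity", "leak" or "smoke"
    value: float


@dataclass(frozen=True)
class Alert:
    severity: str  # "critical" or "warning"
    location: str
    sensor: str
    detail: str


def parse_line(line: str) -> Reading:
    """Parse one constructed log line: '<ISO time> <location> <sensor>=<value>'."""
    ts, location, kv = line.split()
    sensor, value = kv.split("=", 1)
    return Reading(datetime.fromisoformat(ts), location, sensor, float(value))


def evaluate(readings: List[Reading], now: datetime) -> List[Alert]:
    """Return threshold alerts in log order, then one alert per sensor that has gone silent."""
    alerts: List[Alert] = []
    last_seen: Dict[Tuple[str, str], datetime] = {}
    lo, hi = HUMIDITY_RANGE_PCT
    for r in readings:
        key = (r.location, r.sensor)
        last_seen[key] = max(last_seen.get(key, r.ts), r.ts)
        if r.sensor == "temp" and r.value > TEMP_MAX_C:
            alerts.append(Alert("warning", r.location, r.sensor,
                                f"{r.value:.1f}C exceeds {TEMP_MAX_C:.1f}C"))
        elif r.sensor == "humidity" and not lo <= r.value <= hi:
            alerts.append(Alert("warning", r.location, r.sensor,
                                f"{r.value:.0f}% outside {lo:.0f}-{hi:.0f}%"))
        elif r.sensor in ("leak", "smoke") and r.value >= 1:
            # Leak ropes and smoke heads report 0/1; any trip is critical.
            alerts.append(Alert("critical", r.location, r.sensor, f"{r.sensor} detected"))
    # A sensor with no reading inside the timeout may be unplugged or failed:
    # raise it as a warning rather than silently assuming the room is fine.
    for (location, sensor), ts in last_seen.items():
        if now - ts > SENSOR_TIMEOUT:
            alerts.append(Alert("warning", location, sensor,
                                f"no reading since {ts.isoformat()}"))
    return alerts


# Constructed sample feed: two racks, one over-temperature reading, one leak
# trip, and a smoke head plus a whole rack that stop reporting.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 rack-A1 temp=24.5",
    "2024-05-01T09:00:00 rack-A1 humidity=45",
    "2024-05-01T09:00:00 rack-A1 leak=0",
    "2024-05-01T09:00:00 rack-A1 smoke=0",
    "2024-05-01T09:00:00 rack-B2 temp=23.0",
    "2024-05-01T09:05:00 rack-A1 temp=29.1",
    "2024-05-01T09:05:00 rack-A1 humidity=46",
    "2024-05-01T09:05:00 rack-A1 leak=1",
]
NOW = datetime(2024, 5, 1, 9, 12)


def run_sample() -> List[Alert]:
    return evaluate([parse_line(line) for line in SAMPLE_LOG], NOW)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity.upper()}] {a.location}/{a.sensor}: {a.detail}")
```

The silent-sensor check matters for the audit walk-through as much as the threshold check: a leak rope that has been unplugged during maintenance produces no readings at all, and a dashboard that only reacts to values it receives would show the room as healthy.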

5. Restrict Physical Access via Secure Area Perimeters

Integrate equipment siting within a tiered physical security framework to ensure only authorised personnel can interact with the hardware.

  • Locate critical processing facilities within a defined “Secure Area” protected by biometric or card-access control systems.
  • Restrict logical access ports (USB, Ethernet) on physically accessible hardware via physical locks or disabling software.
  • Formalise a Register of Entrants (ROE) to track all physical access to sensitive equipment rooms.
  • Revoke physical access rights immediately upon a change in staff role or termination of employment.
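The last two points, a Register of Entrants and prompt revocation, are only evidence if someone reconciles them. The following is an added example, not from the page or the High Table toolkit: it checks a constructed door-access log against a staff register and reports badges used after their holder left, badges that are not on the register at all, and repeated denied attempts at one door. The badge numbers, names, door names, threshold and log line format are assumptions for illustration.

```python
"""Register of Entrants reconciliation for secure equipment rooms.

Added example (not from the page or the High Table toolkit): checks a
constructed door-access log against a staff register to find badges that
should no longer work, badges that are not on the register at all, and
repeated denied attempts at one door. Badge numbers, names, door names and
the log line format are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entrant:
    name: str
    left_on: Optional[date]  # None while still authorised


@dataclass(frozen=True)
class Event:
    ts: datetime
    door: str
    badge: str
    result: str  # "granted" or "denied"


@dataclass(frozen=True)
class Finding:
    kind: str  # "access_after_leaving", "unknown_badge" or "repeated_denials"
    badge: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one constructed line: '<ISO time> <door> <badge> <granted|denied>'."""
    ts, door, badge, result = line.split()
    return Event(datetime.fromisoformat(ts), door, badge, result)


def reconcile(events: List[Event], register: Dict[str, Entrant],
              denial_threshold: int = 3) -> List[Finding]:
    """Return findings in log order, then one per (badge, door) with repeated denials."""
    findings: List[Finding] = []
    denials: Dict[Tuple[str, str], int] = Counter()
    for e in events:
        if e.result == "denied":
            # A denial is the control working; only a pattern of them is worth a look.
            denials[(e.badge, e.door)] += 1
            continue
        entrant = register.get(e.badge)
        if entrant is None:
            findings.append(Finding("unknown_badge", e.badge,
                                    f"granted at {e.door} on {e.ts.isoformat()} but not on register"))
        elif entrant.left_on is not None and e.ts.date() > entrant.left_on:
            findings.append(Finding("access_after_leaving", e.badge,
                                    f"{entrant.name} left {entrant.left_on} but entered {e.door} on {e.ts.date()}"))
    for (badge, door), n in denials.items():
        if n >= denial_threshold:
            findings.append(Finding("repeated_denials", badge, f"{n} denied attempts at {door}"))
    return findings


# Constructed register and log: one leaver whose badge was never revoked,
# one badge nobody recorded, and one person repeatedly refused at a door.
REGISTER = {
    "B1001": Entrant("A. Example", None),
    "B1002": Entrant("B. Example", date(2024, 4, 30)),
    "B1003": Entrant("C. Example", None),
}
SAMPLE_LOG = [
    "2024-05-02T08:55:00 comms-room B1001 granted",
    "2024-05-02T09:10:00 comms-room B1002 granted",
    "2024-05-02T12:00:00 server-room B9999 granted",
    "2024-05-02T18:01:00 server-room B1003 denied",
    "2024-05-02T18:01:30 server-room B1003 denied",
    "2024-05-02T18:02:10 server-room B1003 denied",
]


def run_sample() -> List[Finding]:
    return reconcile([parse_event(line) for line in SAMPLE_LOG], REGISTER)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind}: {f.badge} - {f.detail}")
```

Run against the real export from the door controller and the HR leavers list, the first finding kind is the direct test of the revocation bullet above, and an empty result for a month is the kind of evidence an auditor can accept alongside the register itself.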

Do’s and Don’ts of Equipment Siting

Hazard | Bad Practice (Don’t) | Good Practice (Do)
Water | Server rack under a water pipe / A/C unit. | Install Water Leak Detection rope; move rack.
Visibility | Screens facing ground-floor windows. | Blinds on windows / Rotate desks.
Dust | PC towers on the carpet floor. | Raise PCs on plinths/desk stands.
Sunlight | Direct sun on servers (overheating). | Blackout blinds / Windowless room.
Theft | Laptops left on desks overnight. | Clean Desk Policy / Kensington Locks.

How to comply

To comply with ISO 27001 Annex A 7.8 you are going to

  • Use common sense in your approach to where you put stuff
  • Be practical
  • Ensure you follow and meet all laws and regulations such as health and safety laws
  • Test the controls that you have to make sure they are working

Top 3 ISO 27001 Annex A 7.8 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 7.8 are

1. Equipment is where it should NOT be

This is the biggest mistake people make. Putting things in places that they should not be. Work computers with full access in public areas and lobbies, servers under desks or at people’s homes, old equipment just lying around on desks.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Have you checked and walked the floor and visually seen that equipment is where you expect it to be? Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having no stray comments left in documents are all good practices.

Applicability of ISO 27001 Annex A 7.8 across different business models

Business Type: Small Businesses
Applicability: Applies to common-sense office layout and hardware protection. The goal is to ensure that basic physical risks, such as water leaks or unauthorized visitors, do not lead to hardware damage or data exposure.
Examples of Control Implementation:
  • Positioning office monitors so they do not face ground-floor windows, preventing “shoulder surfing” by passers-by.
  • Moving the office NAS or backup server out of the kitchen area and into a locked, ventilated cupboard.
  • Raising desktop PCs off carpeted floors using desk stands to improve airflow and prevent dust buildup.

Business Type: Tech Startups
Applicability: Critical for startups with on-site development labs or small server racks. For remote-first startups, this focuses on ensuring staff have clear guidelines for siting equipment in home offices.
Examples of Control Implementation:
  • Ensuring that server racks are not placed directly under air conditioning units where water leaks could cause a short circuit.
  • Implementing a “Clean Desk Policy” that requires remote-work laptops to be locked in a drawer or safe when not in use.
  • Providing staff with privacy screen filters for use when working in public co-working spaces or cafes.

Business Type: AI Companies
Applicability: Vital for protecting high-performance GPU clusters and proprietary training data nodes. Focus is on specialized environmental controls and restricted-access siting.
Examples of Control Implementation:
  • Siting GPU clusters in dedicated data centers with specialized fire suppression systems (e.g., FM-200) and industrial-grade cooling.
  • Installing water leak detection “ropes” around the perimeter of critical training server racks.
  • Restricting physical access to high-value AI training nodes using biometric locks and maintaining a logged audit trail of entry.

Fast Track ISO 27001 Annex A 7.8 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 7.8 (Equipment siting and protection), the requirement is to site equipment securely and protect it from physical and environmental threats, as well as unauthorised access. This is a common-sense, physical security control that focuses on where your hardware is located and how it’s safeguarded.

Compliance Factor: Policy Ownership
SaaS Compliance Platforms: Rents access to your physical security rules; if you cancel, your documented siting standards and walkthrough history vanish.
High Table ISO 27001 Toolkit: Permanent Assets: Fully editable Word/Excel Physical and Environmental Security Policies that you own forever.
Audit Evidence Example: A localized “Equipment Siting Standard” defining server rack placement and water leak protection rules.

Compliance Factor: Real-World Utility
SaaS Compliance Platforms: Attempts to “automate” physical security via dashboards that cannot move hardware or install blackout blinds.
High Table ISO 27001 Toolkit: Governance-First: Formalizes office management and facility siting into an auditor-ready framework.
Audit Evidence Example: A completed “Physical Site Walkthrough Log” proving that equipment is protected from windows and environmental hazards.

Compliance Factor: Cost Efficiency
SaaS Compliance Platforms: Charges a “Physical Facility Tax” based on the number of locations or hardware assets tracked.
High Table ISO 27001 Toolkit: One-Off Fee: A single payment covers your governance documentation for one office or a global network.
Audit Evidence Example: Allocating budget to physical safeguards (e.g., UPS plinths or leak detectors) rather than monthly software fees.

Compliance Factor: Operational Freedom
SaaS Compliance Platforms: Mandates rigid reporting structures that may not align with modern co-working or lean office models.
High Table ISO 27001 Toolkit: 100% Agnostic: Procedures adapt to any environment—high-density data centers or home offices—without limits.
Audit Evidence Example: The ability to evolve your workspace strategy without reconfiguring a rigid SaaS compliance module.

Summary: For Annex A 7.8, the auditor wants to see that you have a formal policy for equipment siting and proof that you follow it (e.g., site walkthrough logs and secure location standards). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 7.8 FAQ

What is ISO 27001 Annex A 7.8?

ISO 27001 Annex A 7.8 is a physical security control that requires organisations to correctly site and protect equipment to reduce risks from environmental threats, unauthorised access, and interference.

  • Equipment must be positioned to minimise unauthorised viewing of screens.
  • Hardware must be protected from environmental hazards like water, heat, and electromagnetic fields.
  • Controls must prevent unauthorised physical access to data processing facilities.
  • The goal is to maintain the continued availability and integrity of critical assets.

How do you determine the best location for equipment siting?

Determining the optimal location for equipment involves a risk-based assessment of physical access, environmental stability, and operational requirements.

  • Environmental Safety: Avoid areas prone to flooding, fire, or extreme temperatures.
  • Access Control: Place critical servers and storage in restricted-access rooms.
  • Visual Privacy: Ensure monitors and input devices are angled away from public windows or high-traffic corridors.
  • Proximity to Utilities: Ensure easy access to redundant power and telecommunications.

Are screen privacy filters required for ISO 27001?

Yes, screen privacy filters are considered a primary technical control under Annex A 7.8 to prevent visual eavesdropping (shoulder surfing) in public or shared environments.

  • Required for laptops used in public spaces like cafes or trains.
  • Necessary for workstations positioned in open-plan offices facing corridors.
  • Supports the ‘Confidentiality’ requirement of the ISO 27001 CIA triad.
  • Reduces the risk of unauthorised data disclosure to visitors or unvetted personnel.

What are the environmental protection requirements for Annex A 7.8?

Environmental protection under Annex A 7.8 mandates that hardware is shielded from external factors that could cause damage or service interruption.

  • Fire & Smoke: Use of smoke detectors and non-water-based fire suppression (e.g., gas).
  • Water Damage: Avoidance of water pipes above server racks and use of leak detection sensors.
  • Climate Control: Redundant HVAC systems to prevent overheating.
  • EMI Shielding: Protection against electromagnetic interference from power lines or industrial machinery.

How do you protect equipment from unauthorised physical access?

Unauthorised access is mitigated through a “defence-in-depth” approach involving physical barriers, monitoring, and strict authorisation logs.

  • Server racks should be locked and equipped with tamper-evident seals.
  • Critical hardware should be located within a “secure area” with biometric or card-access entry.
  • CCTV and motion sensors should monitor equipment entry points.
  • Unused ports (USB/Ethernet) should be physically blocked or logically disabled.

Can equipment be sited in public-facing areas?

Yes, equipment can be sited in public areas provided that robust mitigating controls are in place to prevent tampering and visual interception.

  • Kiosks and reception terminals should be bolted to the floor or wall.
  • External ports must be physically locked or hidden behind secure panels.
  • The operating system should be locked down to “Kiosk Mode” to prevent unauthorised configuration changes.
  • Physical security patrols or CCTV must cover the equipment location.

ISO 27001 Controls and Attribute Values

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: Physical Security, Asset management
Security domains: Protection

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
