Equipment Siting And Protection ISO 27001
In this ultimate guide to ISO 27001 Annex A 7.8 Equipment Siting And Protection you will learn
- What is ISO 27001 Equipment Siting And Protection
- How to implement the siting of equipment and the required protections for ISO 27001
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years' industry experience, I will show you what's new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
What is ISO 27001 Annex A 7.8?
ISO 27001 Annex A 7.8 Equipment Siting and Protection is an ISO 27001 control that looks to protect equipment by siting it securely and protecting it.
ISO 27001 Equipment Siting And Protection covers the physical security controls that protect equipment and the data that is processed, and that ensure health and safety law is observed.
ISO 27001 Annex A 7.8 Purpose
The purpose of ISO 27001 Annex A 7.8 equipment siting and protection is to reduce the risks from physical and environmental threats, and from unauthorised access and damage.
ISO 27001 Annex A 7.8 Definition
The ISO 27001 standard defines equipment siting and protection as:
Equipment should be sited securely and protected.
ISO 27001:2022 Annex A 7.8 Equipment Siting and Protection

Implementation Guide
General Guidance
What we are talking about here is equipment. The physical things that we have. This control is about being sensible and protecting them and taking appropriate precautions. Where we put stuff is important because it protects it from damage and the wrong people accessing it. We are considering examples here that may be common sense to many but not always. Here are some common examples.
Servers
If you have a server you want to make sure that it is in a dedicated server room with appropriate environmental controls and physical security controls in place. It is not great to have a server you rely on placed next to a desk and used to rest your coffee cup on. Or to have a server under an air conditioning unit that slowly drips water on it. Or in your mate's garage.
Networks
Where we have network points, yes some people still do, then ideally we don’t want them in public areas and where they are in public areas they either connect to separate public networks or they are really really hard just to plug any old device into.
Environmental Factors
Environmental factors to consider will be dependent on where you work. Here we can think about working in a more industrial environment: as an example, if it were dusty then we would implement dust protection, keyboard membranes and the like to safeguard our equipment.
Topic specific physical and environmental security policy
To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.

ISO 27001 Templates
Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.
How to pass the audit
To comply with ISO 27001 Annex A 7.8 you are going to
- Use common sense in your approach to where you put stuff
- Be practical
- Ensure you follow and meet all laws and regulations such as health and safety laws
- Test the controls that you have to make sure they are working
Top 3 Mistakes People Make
The top 3 mistakes people make for ISO 27001 Annex A 7.8 are
1. Equipment is where it should NOT be
This is the biggest mistake people make. Putting things in places that they should not be. Work computers with full access in public areas and lobbies, servers under desks or at people’s homes, old equipment just lying around on desks.
2. One or more members of your team haven’t done what they should have done
Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Have you checked and walked the floor and visually seen that equipment is where you expect it to be? Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Annex A 7.8 Attribute Table
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
---|---|---|---|---|
Preventive | Confidentiality, Integrity, Availability | Protect | Physical Security, Asset management | Protection |