ISO 27001 Annex A 7.8 Equipment Siting And Protection

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 7.8 Equipment Siting And Protection

Equipment Siting And Protection ISO 27001

In this ultimate guide to ISO 27001 Annex A 7.8 Equipment Siting And Protection you will learn

  • What is ISO 27001 Equipment Siting And Protection
  • How to implement the siting of equipment and the required protections for ISO 27001

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 7.8?

ISO 27001 Annex A 7.8 Equipment Siting and Protection is an ISO 27001 control that looks to protect equipment by siting it securely and protecting it.

ISO 27001 Equipment Siting And Protection is the physical security controls that protect equipment, the data that is processed and ensure heath and safety law is observed.

ISO 27001 Annex A 7.8 Purpose

The purpose of ISO 27001 Annex A 7.8 equipment siting and protection is to reduce the risks from physical and environmental threats, and from unauthorised access and damage.

ISO 27001 Annex A 7.8 Definition

The ISO 27001 standard defines equipment siting and protection as:

Equipment should be sited securely and protected.

ISO 27001:2022 Annex A 7.8 Equipment Siting and Protection
ISO 27001 Toolkit

Implementation Guide

General Guidance

What we are talking about here is equipment. The physical things that we have. This control is about being sensible and protecting them and taking appropriate precautions. Where we put stuff is important because it protects it from damage and the wrong people accessing it. We are considering examples here that may be common sense to many but not always. Here are some common examples.

Servers

If you have a server you want to make sure that it is in a dedicated server room with appropriate environmental controls and physical security controls in place. It is not great to have a server you rely on placed next to a desk and used to rest your coffee cup on. Or to have a server under an air conditioning unit that slowly drips water on it. Or in your mates garage.

Networks

Where we have network points, yes some people still do, then ideally we don’t want them in public areas and where they are in public areas they either connect to separate public networks or they are really really hard just to plug any old device into.

Environmental Factors

Environmental factors to consider will be dependant on where you work, and here we can think about working in a more industrial environment where as an example if it were dusty then we would implement dust protection, keyboard membranes and the like to safeguard our equipment.

Topic specific physical and environmental security policy

To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific Physical and Environmental Security Policy.

ISO 27001 Physical and Environmental Security Policy Template

Watch the tutorial

Watch the ISO 27001 tutorial on equipment siting and protection.

ISO 27001 Templates

Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.

How to pass the audit

To comply with ISO 27001 Annex A 7.8 you are going to

  • Use common sense in your approach to where you put stuff
  • Be practical
  • Ensure you follow and meet all laws and regulations such as health and safety laws
  • Test the controls that you have to make sure they are working

Top 3 Mistakes People Make

The top 3 mistakes people make for ISO 27001 Annex A 7.8 are

1. Equipment is NOT where it should not be

This is the biggest mistake people make. Putting things in places that they should not be. Work computers with full access in public areas and lobbies, servers under desks or at people’s homes, old equipment just lying around on desks.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Have you checked and walked the floor and visually seen that equipment is where you expect it to be? Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001 Annex A 7.8 Attribute Table

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveConfidentialityProtectPhysical SecurityProtection
IntegrityAsset management
Availability

ISO 27001 Toolkit

Stop Spanking £10,000s on consultants and ISMS online-tools

Share to...