ISO 27001 Equipment Siting and Protection

The focus for this ISO 27001 Control is your equipment and where you put it. As one of the ISO 27001 controls this is making sure that it is protected in situ.

You will learn what the ISO 27001 control 7.8 is, how to simply and easily implement it for ISO 27001 certification and I will show you some common gotchas so you can avoid them.

What is ISO 27001 Annex A 7.8 Equipment Siting And Protection?

ISO 27001 Annex A 7.8 Equipment Siting and Protection is an ISO 27001 control that looks to protect equipment by siting it securely and protecting it.

Purpose

The purpose of Annex A 7.8 is to reduce the risks from physical and environmental threats, and from unauthorised access and damage.

Definition

The ISO 27001 standard defines Annex A 7.8 as:

Equipment should be sited securely and protected.

ISO 27001:2022 Annex A 7.8 Equipment Siting and Protection

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s

ISO 27001 Annex A 7.8 Equipment Siting And Protection Implementation Guide

General Guidance

What we are talking about here is equipment. The physical things that we have. This control is about being sensible and protecting them and taking appropriate precautions. Where we put stuff is important because it protects it from damage and the wrong people accessing it. We are considering examples here that may be common sense to many but not always. Here are some common examples.

Servers

If you have a server you want to make sure that it is in a dedicated server room with appropriate environmental controls and physical security controls in place. It is not great to have a server you rely on placed next to a desk and used to rest your coffee cup on. Or to have a server under an air conditioning unit that slowly drips water on it. Or in your mates garage.

Networks

Where we have network points, yes some people still do, then ideally we don’t want them in public areas and where they are in public areas they either connect to separate public networks or they are really really hard just to plug any old device into.

Environmental Factors

Environmental factors to consider will be dependant on where you work, and here we can think about working in a more industrial environment where as an example if it were dusty then we would implement dust protection, keyboard membranes and the like to safeguard our equipment.

Conclusion

The main advice for this control is to be sensible and use common sense.

ISO 27001 Templates

ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. Not interested in ISO 27001 templates, then you can skip to the next section.

How to comply with ISO 27001 Annex A 7.8

To comply with ISO 27001 Annex A 7.8 you are going to

  • Use common sense in your approach to where you put stuff
  • Be practical
  • Ensure you follow and meet all laws and regulations such as health and safety laws
  • Test the controls that you have to make sure they are working

Top 3 Mistakes People Make for ISO 27001 Annex A 7.8

The top 3 mistakes people make for ISO 27001 Annex A 7.8 are

1. Equipment is NOT where it should not be

This is the biggest mistake people make. Putting things in places that they should not be. Work computers with full access in public areas and lobbies, servers under desks or at people’s homes, old equipment just lying around on desks.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Have you checked and walked the floor and visually seen that equipment is where you expect it to be? Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.

ISO 27001 Controls and Attribute Values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveConfidentialityProtectPhysical SecurityProtection
IntegrityAsset management
Availability