How to implement ISO 27001 Annex A 7.12 – A certification bodies guide

Implementing ISO 27001 Annex A 7.12 Cabling Security

Welcome to another guide from the team at ISO27001.com. Today we are looking at a control that often gets ignored until the very last minute: Annex A 7.12, which covers cabling security. If you are new to the standard, you might wonder why we care about wires. You might think that cybersecurity is all about firewalls and passwords. While those are important, physical security is the foundation they sit on. If someone cuts your power cables or taps into your internet line, your firewalls will not help you.

As a certification body, we see many organisations fail this control because they simply do not look under the desks. In this article, we will walk you through exactly how to implement this control and what we expect to see during an audit.

Understanding the Requirement

The requirement for Annex A 7.12 is quite simple. You need to protect cables that carry power, data or supporting information services from interception, interference or damage. This applies to cables inside your office and those that leave your secure perimeter.

You have to consider three main risks here. The first is physical damage. This could be accidental, like someone tripping over a loose wire, or environmental, like fire or water damage. The second risk is interference. Power cables can disrupt data cables if they are too close together. The third and most serious risk is interception. A skilled attacker could tap into a copper wire to steal data without you knowing.

Step 1: Map Your Cabling Infrastructure

You cannot secure what you do not know about. Start by walking around your facility. Look at where your internet enters the building. Trace the path to your server room or communications cabinet. Look at how cables run to individual desks. You should document the types of cables you use, such as fibre optic or copper, and note where they run.

Step 2: Physical Protection

Once you know where the cables are, you must protect them. Exposed cables are a major non-conformity. We expect to see cables running through protective conduit or trunking. If cables run through public areas, they need armoured conduit. This stops rats from chewing them and people from cutting them.

Inside the office, you should use floor boxes or cable spines to get wires from the floor to the desk. Do not leave cables trailing across the floor. This is a health and safety risk as well as a security risk. If you use false floors or suspended ceilings, ensure the access tiles are secure.

Step 3: Segregation of Power and Data

This is a technical requirement that is easy to check. Power cables generate electromagnetic fields that can corrupt the data flowing through network cables. You need to keep them separate. Most modern trunking systems have a divider to keep power on one side and data on the other. Ensure you use these dividers correctly.

If you are running cables in trays above a ceiling, keep a minimum distance between power and copper network cables. Fibre optic cables are immune to this interference, but it is still good practice to keep them tidy and separate.

Step 4: Labelling and Management

We love to see clear labelling. When we look at a patch panel, we want to know what goes where. If a cable is faulty or suspicious, you need to identify it quickly. Label both ends of your network cables. Keep your patch cables tidy. We often see spaghetti cabling in server racks, which makes it impossible to trace a fault. Use cable management arms and Velcro ties to keep things organised.

What the Auditor Will Look For

When we come to audit you for ISO 27001 certification, we will do a site tour. We will look in your server room and we will look under a random selection of desks. We are looking for loose wires, overloaded power sockets and cables that are easy to unplug. We will check your external walls to see if cables entering the building are protected by heavy-duty conduit.

We will also ask for your floor plans or cabling schematics. We want to see that you know where your infrastructure is. If you rely on a landlord for building management, we will check your contracts to ensure they are responsible for the cabling in communal areas.

Common Pitfalls to Avoid

The most common mistake we see is using telecommunications cabling for sensitive data without encryption. If your cables run through a shared space that you do not control, you must assume someone could tap them. Encrypt the data before it leaves your secure area.

Another pitfall is redundant cabling. If you move offices or change layouts, remove the old cables. Dead cables in a ceiling void can be used to pull new, unauthorised cables through a wall. Keep your infrastructure clean and current.
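The checks from Steps 2 to 4, the auditor's site tour and the two pitfalls above can be written down as rules over a cabling register, so the gaps are found before the certification body does. The script below is an added example, not part of this guide or of any ISO27001.com template; the register fields and the sample cable runs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class CableRun:
    """One row of a hypothetical cabling register (field names are assumptions)."""
    cable_id: str
    medium: str                       # "copper" or "fibre"
    carries: str                      # "data" or "power"
    protection: str                   # "none", "conduit" or "armoured_conduit"
    public_area: bool                 # passes through space you do not control
    shares_trunking_with_power: bool  # data run in the same trunking as power, no divider
    labelled_ends: int                # 0, 1 or 2
    encrypted: bool                   # traffic is encrypted before it leaves the secure area
    in_use: bool                      # False for dead cabling left behind after a move


def check_run(run: CableRun) -> list:
    """Return the non-conformities for one run, mirroring the guide's audit checks."""
    findings = []
    if not run.in_use:
        # Pitfall 2: dead cables in a void can hide an unauthorised pull-through.
        return ["redundant cable: remove it"]
    if run.protection == "none":
        findings.append("exposed cable: run it through conduit or trunking")  # Step 2
    if run.public_area and run.protection != "armoured_conduit":
        findings.append("public-area run: armoured conduit required")         # Step 2
    if run.carries == "data" and run.medium == "copper" and run.shares_trunking_with_power:
        findings.append("copper data cable shares trunking with power")      # Step 3 (fibre is exempt)
    if run.carries == "data" and run.labelled_ends < 2:
        findings.append("network cable not labelled at both ends")           # Step 4
    if run.carries == "data" and run.public_area and not run.encrypted:
        findings.append("data crosses uncontrolled space unencrypted")       # Pitfall 1
    return findings


def audit(register: list) -> dict:
    """Map cable_id -> findings for every run that has at least one non-conformity."""
    return {r.cable_id: f for r in register if (f := check_run(r))}


# Constructed sample register (not real infrastructure).
SAMPLE_REGISTER = [
    CableRun("WAN-01", "copper", "data", "conduit", True, False, 2, False, True),
    CableRun("FLR2-17", "copper", "data", "none", False, True, 1, True, True),
    CableRun("CORE-FIB-3", "fibre", "data", "conduit", False, True, 2, True, True),
    CableRun("OLD-09", "copper", "data", "none", False, False, 0, False, False),
]

if __name__ == "__main__":
    for cable_id, findings in audit(SAMPLE_REGISTER).items():
        print(cable_id, "->", "; ".join(findings))
```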

Conclusion

Implementing Annex A 7.12 does not have to be expensive. It requires good housekeeping and attention to detail. By securing your physical layer, you build a strong base for the rest of your information security management system. If you need more guidance on preparing for your audit, the resources at ISO27001.com are there to support you.