How to implement ISO 27001 Annex A 7.13 – A certification body's guide

How to Implement ISO 27001 Annex A 7.13 Equipment Maintenance

Welcome to your guide on implementing ISO 27001 Annex A 7.13. As a certification body, we at ISO27001.com often see organisations trip up on the physical side of security. We spend so much time worrying about firewalls and phishing that we forget about the physical hardware keeping the lights on. This control is all about equipment maintenance.

If you are a beginner, do not worry. This control is logical and straightforward. It simply requires you to look after your kit so it remains available and keeps your information secure. Here is what you need to know to implement this control and pass your audit.

What is Annex A 7.13?

In the ISO 27001:2022 standard, Annex A 7.13 deals with equipment maintenance. The goal is simple. You must ensure that your equipment is maintained correctly to ensure availability and integrity. If a server fails because the fan clogged up with dust, that is an availability issue. If a firewall fails due to old hardware, your security is compromised.

This control applies to assets that support your information security. This usually includes servers, laptops, uninterruptible power supplies (UPS), cabling, air conditioning units in server rooms, and fire suppression systems.

Why This Control Matters

You might think this sounds like a job for the facilities team rather than the information security team. However, the two are linked. If your air conditioning fails, your servers overheat. If your servers overheat, they shut down. When they shut down, your business stops. That is a security incident.

Furthermore, maintenance itself introduces risk. When you bring in a third party to fix a printer or a server, you are giving them access to your premises and potentially your data. This control asks you to manage those risks.

Step-by-Step Implementation

Implementing this does not have to be hard. You likely do much of this already. You just need to formalise it. Here is the process we recommend at ISO27001.com.

Identify Critical Equipment

Start with your asset register. Pick out the equipment that is critical to your operations. You do not need a maintenance schedule for a £5 computer mouse. You do need one for your main server, your backup generator, and the environmental controls in your data centre.

Follow Manufacturer Guidelines

The standard requires you to maintain equipment in accordance with the supplier’s recommended service intervals and specifications. Read the manuals. If the manufacturer says the UPS battery needs testing every six months, put it in your calendar. If the server warranty requires an annual check, schedule it.

Authorised Maintenance Personnel Only

Only allow authorised personnel to carry out repairs and servicing. This might be your internal IT staff or a certified external contractor. If you use an external provider, make sure there is a contract in place. We will check for this.

Managing Data Risks During Maintenance

This is the part that catches many people out. Sending equipment away for repair is a huge data risk. Imagine your CEO drops their laptop. The screen breaks, but the hard drive is fine. You send it to a local repair shop. That shop now has the hard drive with all your company data.

Before you send equipment off-site, you must protect the data. Remove the hard drive if possible. If you cannot remove the drive, you should wipe the data or ensure it is fully encrypted. If the equipment is being retired rather than repaired, you must sanitise the media securely.

If a technician comes to your site to fix a server, do not leave them alone. Supervise them to ensure they only access what they need to fix.

What We Expect as Your Certification Body

When we come to audit you, we are looking for evidence. We cannot just take your word for it. We need to see that the process is working. Here is a checklist of what an auditor from ISO27001.com will likely ask for.

Maintenance Logs

We will ask to see records of the maintenance you have performed. If you say you test your fire alarms weekly, show us the log book with the dates and signatures. If you serviced the AC unit, show us the service report from the contractor.

Fault Logs

Keep a record of equipment faults. When something breaks, log it. Note down what happened, when it happened, and what you did to fix it. This helps you spot trends. If the same server fails three times in a month, you have a bigger problem to solve.
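The two record-keeping steps above (servicing to the supplier's interval, and watching the fault log for repeat failures) are easy to automate once the asset register and fault log are held as structured data. The following Python script is an added example written for this guide; it is not a tool from ISO27001.com. The asset names, service intervals and fault dates are constructed sample data, and the 30-day / three-fault trend threshold is an assumed policy value, not one set by the standard.

```python
"""Maintenance schedule and fault-trend check over an equipment register.

Added example (not part of the original guide). Asset names, intervals and
fault dates are constructed sample data; the trend threshold is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    interval_days: int   # supplier's recommended service interval
    last_service: date   # date of the last recorded service


@dataclass(frozen=True)
class Fault:
    asset: str
    occurred: date
    description: str


def overdue_assets(assets, today):
    """Return {asset name: days overdue} for every asset past its next service date."""
    overdue = {}
    for asset in assets:
        next_due = asset.last_service + timedelta(days=asset.interval_days)
        if today > next_due:
            overdue[asset.name] = (today - next_due).days
    return overdue


def repeated_faults(faults, window_days=30, threshold=3):
    """Return names of assets with at least `threshold` faults in any `window_days` period.

    A sliding window over each asset's sorted fault dates is used, so a cluster
    of failures that straddles a calendar-month boundary is still caught.
    """
    by_asset = defaultdict(list)
    for fault in faults:
        by_asset[fault.asset].append(fault.occurred)
    flagged = []
    for name, dates in by_asset.items():
        dates.sort()
        for i, start in enumerate(dates):
            window_end = start + timedelta(days=window_days)
            # dates[i:] holds only faults on or after `start` because the list is sorted
            if sum(1 for d in dates[i:] if d < window_end) >= threshold:
                flagged.append(name)
                break
    return sorted(flagged)


# Constructed sample register: one asset (the server-room AC) is overdue.
ASSETS = [
    Asset("UPS-01", interval_days=182, last_service=date(2024, 1, 10)),
    Asset("SRV-DB-01", interval_days=365, last_service=date(2023, 11, 1)),
    Asset("AC-SERVERROOM", interval_days=90, last_service=date(2024, 2, 1)),
]

# Constructed sample fault log: SRV-DB-01 fails three times inside May.
FAULTS = [
    Fault("SRV-DB-01", date(2024, 1, 5), "unexpected reboot"),
    Fault("UPS-01", date(2024, 3, 2), "battery self-test warning"),
    Fault("SRV-DB-01", date(2024, 5, 3), "disk controller reset"),
    Fault("SRV-DB-01", date(2024, 5, 12), "unexpected reboot"),
    Fault("SRV-DB-01", date(2024, 5, 20), "unexpected reboot"),
]

TODAY = date(2024, 6, 1)  # fixed "today" so the sample report is reproducible

if __name__ == "__main__":
    for name, days in overdue_assets(ASSETS, TODAY).items():
        print(f"OVERDUE: {name} is {days} days past its service date")
    for name in repeated_faults(FAULTS):
        print(f"TREND: {name} has repeated faults; investigate root cause")
```

Run against a real register, the "today" value would come from `date.today()`, and the two outputs map directly onto the evidence an auditor asks for: the overdue list shows which supplier intervals you are missing, and the trend list is the "same server fails three times in a month" signal from the fault log.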

Service Contracts

If you rely on third parties, we want to see the agreements. Do they have a Service Level Agreement (SLA)? If your server goes down, how fast have they agreed to fix it? This links back to your business continuity planning.


Common Pitfalls to Avoid

We see the same mistakes often. The most common one is ignoring “supporting utilities.” You might service the servers perfectly, but if you ignore the air conditioning unit cooling them, you are non-compliant. Another common error is lacking records. Doing the work is great, but without a written record, it did not happen in the eyes of an auditor.

Finally, ensure you supervise external engineers. Do not let a stranger wander into your server room unaccompanied just because they are wearing a high-visibility jacket.

Summary

To implement Annex A 7.13 successfully, you need a schedule. Identify your critical kit, follow the manufacturer instructions, and keep clear records of all service work. Be mindful of data on devices leaving your building. If you follow these steps and keep your evidence ready, you will satisfy your auditor.

If you need more templates or guidance on this control, visit us at ISO27001.com. We are here to help you get certified.