What is ISO 27001 Annex A 7.11 Supporting Utilities?
Annex A 7.11 requires the protection of supporting utilities like electricity and water. These systems must be managed through documented processes integrated into SharePoint. This ensures availability and protects information assets from utility failure. Reliability depends on manual maintenance records and internal logs rather than automated software dashboards.
Auditor’s Eye: The Shortcut Trap
Many organisations rely on SaaS compliance dashboards that show a green tick for utility policies. These platforms cannot verify fuel levels in a diesel generator. Auditors prefer seeing actual service reports stored in SharePoint. Relying on “Black Box” software decouples security from daily facility management. We want to see your Jira history for hardware repairs. A digital dashboard tick is not evidence of physical equipment resilience.
| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Nature of Change |
|---|---|---|
| Annex A 11.2.2 | Annex A 7.11 | The core requirement for utility protection remains identical. It emphasises resilience against environmental threats. |
How to Implement ISO 27001 Annex A 7.11 (Step-by-Step)
Maintain supporting utilities by integrating checks into existing operational tools. This method ensures that compliance remains a cultural habit. Use SharePoint and Confluence to house all technical documentation and maintenance logs. Frame implementation as an operational requirement, not a one-off software setup.
- Identify all primary and secondary utility dependencies for your site.
- Create a risk-based maintenance schedule within your Jira environment.
- Assign responsibility for utility monitoring to specific staff members.
- Perform regular tests of backup power systems and telecommunication failovers.
- Upload all external contractor service reports to a version-controlled SharePoint folder.
ISO 27001 Annex A 7.11 Supporting Utilities Audit Evidence Checklist
Auditors look for records that prove continuous human oversight and operational intent. Your evidence should demonstrate that utility systems are actively managed and tested. Keep all records in your internal document repositories.
- Current utility maps showing isolation points for water and gas.
- UPS and generator maintenance logs with clear timestamps in Confluence.
- Contracts with utility providers specifying expected uptime and support levels.
- Management meeting minutes discussing recent utility performance or outages.
- Jira tickets showing the investigation of any utility-related alerts.
Relational Mapping
Control A 7.11 connects to several other ISO 27001 requirements:
- Clause 8.1 (Operational Planning): Directs the scheduling of utility maintenance.
- Annex A 7.5 (Environmental Threats): Protects utilities from fire or flood.
- Annex A 8.14 (Redundancy): Ensures backup systems are available if primary utilities fail.
Auditor Interview
Auditor: How do you manage the risk of a total power failure?
Manager: We use an Uninterruptible Power Supply and a diesel generator. We track their maintenance via Jira tasks.
Auditor: Where is the evidence of your last generator load test?
Manager: The test report is stored in our Confluence facilities library. You can see the manager sign-off there.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS platform while hardware is neglected. | Begin recording manual inspection results in SharePoint. |
| Expired Maintenance | Utility equipment service dates have passed without action. | Set automated recurring Jira alerts for maintenance renewals. |
| Single Point of Failure | No redundancy exists for critical telecommunication lines. | Implement a secondary provider and record the contract. |
Frequently Asked Questions
What is ISO 27001 Annex A 7.11?
The Bottom Line: It is the requirement to protect utilities like power and water. These services are vital for maintaining information security and availability. You must document your management of these services in internal tools like SharePoint. This proves to auditors that you own the physical infrastructure.
How do I monitor supporting utilities?
The Bottom Line: Monitor utilities through physical inspections and technical alerting systems. Use Jira to manage the response to any issues found. Record all maintenance and service activities in your central Confluence wiki. This provides a clear audit trail of operational compliance.
Is a SaaS dashboard enough for utility compliance?
The Bottom Line: No. SaaS platforms cannot verify the physical condition of your infrastructure. Auditors require evidence from your own repositories like SharePoint or Jira. Showing local maintenance records is the only way to prove genuine management oversight of utilities.
