ISO 27001 Annex A 7.11 is a simple control. It asks you to check important services like power and internet. You need to plan what you will do if these services fail. This ISO 27001 control helps keep you safe from a break in your utilities, such as power or water.
What is ISO 27001 Annex A 7.11?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Supporting Utilities”.
What is the ISO 27001 Annex A 7.11 control objective?
The formal definition and control objective in the standard is: “Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.“
What is the purpose of ISO 27001 Annex A 7.11?
The purpose of ISO 27001 Annex A 7.11 is “to ensure the identification and understanding of the protection needs of information in accordance with its importance to the organisation.“
Is ISO 27001 Annex A 7.11 Mandatory?
ISO 27001 Annex A control 7.11 (Supporting Utilities in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.11 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
Supporting utilities are things your company uses, like gas or electricity. Though this physical control mainly covers big server rooms, you should also think about your own devices.
This control mostly looks at availability. It asks if you can keep your service running if the power goes out.
You cannot fully control this area, but you can put some measures in place and show proof of them.
The standard can seem too complex. If you are a small company, parts of this will not apply to you.
Operate and Maintain Equipment
To meet this control, you should use any equipment that manages your utilities just as the manufacturer tells you to. This means proper use and getting professional maintenance. Professional maintenance includes testing and inspection, though this is likely required by law anyway, usually for health and safety reasons.
Internet of Things (IoT)
The control wisely suggests not connecting supporting equipment to the internet unless you absolutely need to. This is due to the growing use of smart devices, known as the Internet of Things (IoT).
Emergency Supporting Controls
Finally, the control gives advice on emergency supporting controls. This means items like emergency lights, ways to communicate, cut-off switches, and emergency exits. As said before, this is often too much for a small company and is already handled by your cloud provider.
The best advice is this: If you have a server room or data facility, hire experts to advise on and install these systems. This is not something you should do yourself, because the area is governed by many regulations that a non-specialist cannot be expected to handle. On a practical note, you should cover power backup (UPS) and alternative network connections in your business continuity plan.
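One way to turn the UPS part of that continuity plan into evidence you can show an auditor is to check the UPS status against the thresholds the plan sets. The script below is an added example, not code from the original article or from any standard; it reads a status dump in the `key: value` format that the Network UPS Tools `upsc` command prints (the variable names `ups.status`, `battery.charge`, `battery.runtime` and the `OL`/`RB` status flags are real NUT names; the sample values and the two thresholds are constructed assumptions for this example).

```python
"""UPS readiness check: turns a Network UPS Tools (NUT) status dump into
pass/fail findings for the power-backup part of a continuity plan."""

# Constructed sample of `upsc <upsname>` output (NUT key: value lines).
# The variable names are real NUT names; the values are made up here.
SAMPLE_UPSC_OUTPUT = """\
battery.charge: 94
battery.runtime: 1260
device.model: ExampleUPS 1500
ups.load: 38
ups.status: OL
"""

# Continuity-plan thresholds: assumed values, not taken from any standard.
MIN_CHARGE_PERCENT = 80
MIN_RUNTIME_SECONDS = 900  # seconds needed for a clean shutdown or failover


def parse_upsc(text):
    """Parse `key: value` lines into a dict; blank or malformed lines are skipped."""
    values = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        values[key.strip()] = value.strip()
    return values


def assess_ups(values, min_charge=MIN_CHARGE_PERCENT, min_runtime=MIN_RUNTIME_SECONDS):
    """Return (ok, findings); findings lists every check that failed."""
    findings = []
    status_flags = values.get("ups.status", "").split()
    # "OL" means the UPS is on utility (line) power; "OB" would mean on battery.
    if "OL" not in status_flags:
        findings.append(
            f"not on utility power: ups.status={values.get('ups.status', '<missing>')!r}"
        )
    # "RB" is the NUT flag for a battery that needs replacement.
    if "RB" in status_flags:
        findings.append("UPS reports battery needs replacement (RB)")
    try:
        charge = float(values["battery.charge"])
        if charge < min_charge:
            findings.append(f"battery.charge {charge:.0f}% below {min_charge}%")
    except (KeyError, ValueError):
        findings.append("battery.charge missing or unreadable")
    try:
        runtime = float(values["battery.runtime"])
        if runtime < min_runtime:
            findings.append(f"battery.runtime {runtime:.0f}s below {min_runtime}s")
    except (KeyError, ValueError):
        findings.append("battery.runtime missing or unreadable")
    return (not findings), findings


if __name__ == "__main__":
    ok, findings = assess_ups(parse_upsc(SAMPLE_UPSC_OUTPUT))
    print("PASS" if ok else "FAIL")
    for finding in findings:
        print(" -", finding)
```

Run it on a schedule (for example from the host that manages the UPS) and keep the dated PASS/FAIL output; a history of passing checks, plus a record of what was done after each FAIL, is the kind of proof of measures this control expects.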