What is ISO 27001 Annex A 7.13 Equipment Maintenance?
ISO 27001 Annex A 7.13 ensures equipment remains operational and secure. This documented process requires regular maintenance of hardware assets. Organisations manage these activities using internal SharePoint lists or Jira maintenance workflows. It ensures availability and integrity by following manufacturer specifications and internal service schedules.
Auditor’s Eye: The Shortcut Trap
Reliance on automated SaaS platforms leads to surface-level compliance. These portals provide a generic dashboard tick. They do not prove that a technician actually serviced your UPS. Auditors prefer seeing maintenance logs within your native document repositories. SharePoint version history proves your team owns the process. A SaaS platform often hides the lack of real management involvement. Authentic evidence requires records integrated into your daily organisational tools.
| 2013 Reference | 2022 Reference | Key Focus |
|---|---|---|
| Annex A 11.2.4 | Annex A 7.13 | Manufacturer specifications. Secure disposal of faulty parts. Documented maintenance logs. |
How to Implement ISO 27001 Annex A 7.13 (Step-by-Step)
Implement equipment maintenance by integrating its requirements into the business tools you already use. This approach treats the control as a cultural change, not a software installation. Lead with the core requirement of manufacturer compliance, and keep all records in your primary repositories.
- Identify all hardware assets in your SharePoint asset register.
- Link manufacturer service manuals to each asset entry.
- Create recurring maintenance tasks in Jira for automated reminders.
- Assign specific roles for internal inspections and contractor management.
- Log every service action and repair in a central Confluence wiki.
- Review maintenance performance during quarterly management reviews.
ISO 27001 Annex A 7.13 Equipment Maintenance Audit Evidence Checklist
Focus on manual records and internal document versions. These prove human oversight and intent. Auditors look for consistency between schedules and actual logs.
- Documented maintenance policy with clear SharePoint version history.
- Service logs showing dates and names of technicians.
- Jira tickets documenting the resolution of hardware faults.
- Signed contractor reports stored in your internal repositories.
- Meeting minutes that record management decisions on hardware life-cycles.
Relational Mapping
Control A 7.13 connects to several core ISO 27001 requirements:
- Clause 8.1 (Operational Planning): Directs the scheduling of maintenance.
- Annex A 5.9 (Inventory of Assets): Provides the list of equipment to maintain.
- Annex A 7.11 (Supporting Utilities): Covers the maintenance of power and cooling.
Auditor Interview: Process Management
Auditor: How do you track your server maintenance?
Manager: We use Jira tickets for all scheduled hardware tasks.
Auditor: How do you ensure contractors follow your rules?
Manager: Contractors must upload their reports to our SharePoint site before we close the ticket.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS “green tick” without internal logs. | Move maintenance evidence to SharePoint or Confluence. |
| Missing Manufacturer Specs | Maintenance performed without following supplier guidelines. | Attach manufacturer manuals to Jira maintenance tasks. |
| Lack of Oversight | Maintenance logs are never reviewed by management. | Include hardware health in monthly meeting agendas. |
Frequently Asked Questions
What is ISO 27001 Annex A 7.13?
The Bottom Line: It is the requirement to maintain hardware according to manufacturer specifications. This ensures the availability and integrity of information. You must document all service activities in your internal management systems. This provides a clear audit trail of operational security.
How do I document equipment maintenance?
The Bottom Line: Record all maintenance in internal tools like SharePoint or Jira. Use these systems to track dates, actions, and approvals. Avoid third-party SaaS platforms that isolate these records. Internal documentation proves genuine management ownership to an auditor.
Does this control apply to remote workers?
The Bottom Line: Yes, it applies to all organisational equipment. Laptops and mobile devices require regular health checks and updates. Document these remote maintenance procedures in your central Confluence wiki. Track remote hardware servicing within your standard IT workflows.
