ISO 27001 Annex A 7.13 Equipment Maintenance

ISO 27001 Annex A 7.13 is about maintaining your equipment in line with the applicable guidance. This keeps it working and keeps your data private and safe.

The main idea for this control is simple: you should maintain equipment as the manufacturer recommends. This stops equipment from breaking or getting damaged.

Equipment maintenance means you must care for your devices. This lowers the chance of them failing or having security problems over time.

What is ISO 27001 Annex A 7.13?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Equipment Maintenance”.

What is the ISO 27001 Annex A 7.13 control objective?

The formal definition and control objective in the standard is: “Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.”

What is the purpose of ISO 27001 Annex A 7.13?

The purpose of ISO 27001 Annex A 7.13 is “to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organisation’s operations caused by lack of maintenance.”

Is ISO 27001 Annex A 7.13 Mandatory?

ISO 27001 Annex A control 7.13 (Equipment Maintenance in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.13 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

You need to maintain equipment so that it continues to work correctly. If you skip maintenance, the chance of a device failing or being compromised will rise. To meet this control, you simply follow the manufacturer’s maintenance instructions for all your equipment.

While you cannot fully control all aspects of this task, you can put some measures and evidence in place.

Manufacturer’s Guides

To satisfy the control, you must operate and maintain all equipment according to the manufacturer’s directions. This usually means using suitable professional maintenance. Professional work should include checking and testing, though this is often already a legal health and safety requirement.

Using Experts

If you have a server room or a technical facility, you should bring in expert outside companies to advise on and look after the equipment. You should not do this work yourself. Much of this maintenance is governed by legal requirements, and it sits outside your day-to-day scope.

Controlling Access

Things you can manage yourself include site access. You need to control how people enter the site or connect remotely, and how you supervise their work. You can easily set up a system to watch for problems and record how you respond to issues.

Fire Safety

Do not forget fire safety. You must maintain all fire safety items, such as alarms and extinguishers. Forgetting these things can cause problems during an audit.