What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 7.13

ISO 27001 Annex A 7.13 - what changed in the 2022 update

If you are navigating the transition from the old ISO 27001:2013 standard to the updated 2022 version, you have likely noticed that the Annex A controls have undergone a significant facelift. One of the specific areas that has moved is the control regarding equipment maintenance. In the 2013 version, this sat under the somewhat clunky label of Control 11.2.4. In the new ISO 27001:2022 structure, it has been rebranded and repositioned as Annex A 7.13.

At first glance, maintenance might seem like a task for the facilities team rather than the IT security team. However, the 2022 update makes it very clear that poorly maintained equipment is a massive security risk. Let’s dive into what exactly has changed and how you can stay compliant.

The Structural Evolution: From 11.2.4 to 7.13

The most immediate change is where this control lives. The 2013 version was organised into 14 different domains. The 2022 version has simplified this into just four “themes”: Organisational, People, Physical, and Technological. Annex A 7.13 now sits firmly within the Physical theme.

While the core requirement (keeping equipment maintained so that its availability and integrity are preserved) remains familiar, the context has shifted. The 2022 version is designed to be more integrated. It isn’t just about fixing a broken server; it is about the preventative measures that keep your security “always on.”

What is Annex A 7.13 Equipment Maintenance?

The essence of Annex A 7.13 is to ensure that all equipment supporting your Information Security Management System (ISMS) is kept in good working order. This includes everything from the servers in your data centre to the CCTV cameras on your perimeter and the air conditioning units keeping your hardware cool.

The 2022 standard requires that maintenance is carried out according to the supplier’s recommended service intervals and specifications. It also emphasises that only authorised personnel should carry out this maintenance. According to Hightable.io, a common pitfall during audits is failing to document the “who” and “when” of maintenance, especially when third-party contractors are involved.

Key Changes You Need to Address

There are a few nuances in the 2022 version that differ from the 2013 approach. Here is what you need to look out for:

  • Attribute Tagging: The 2022 version introduces attributes. Annex A 7.13 is tagged as a “Preventative” control. This means the auditor is looking for your proactive schedules, not just your records of fixing things after they break.
  • Focus on Availability: While the 2013 version touched on this, the 2022 version places a heavier emphasis on “Availability” as a core pillar of security. If your security hardware fails due to lack of maintenance, that loss of availability is itself a security incident, not merely an operational inconvenience.
  • Third-Party Risks: There is a stronger nudge toward ensuring that when external technicians come on-site to maintain equipment, they are supervised and their access is logged.

Practical Steps for Your Transition

So, how do you move your existing processes into alignment with the new A 7.13? It is less about reinventing the wheel and more about tightening the spokes.

First, you should update your asset register to include maintenance schedules. If you have a piece of hardware that is critical to your data security, you need to know exactly when it was last serviced, by whom, and when it is next due. Second, you need to ensure your “Physical and Environmental Security” policy reflects the new control numbering and the attribute-based (preventative) focus of the 2022 version.

As Hightable.io highlights, the transition is an excellent time to move away from messy spreadsheets and toward a more automated maintenance log. Auditors love to see a clear, chronological history of maintenance activities that proves you are following the manufacturer’s guidelines.


Why Does Equipment Maintenance Matter for Modern Security?

You might wonder why a digital-first standard cares so much about physical maintenance. The reality is that modern AI-driven security and cloud-based systems still rely on physical infrastructure. If a cooling system fails or an uninterruptible power supply (UPS) hasn’t been tested, your sophisticated digital defences could go dark in seconds.

Annex A 7.13 reminds us that information security is a chain, and that chain is only as strong as its weakest physical link. By keeping your hardware in peak condition, you are protecting the integrity of the data that lives inside it.

Summary of the Change

In short, the jump from 11.2.4 (2013) to 7.13 (2022) is a move toward a more organised, attribute-driven approach to physical security. It moves maintenance out of the “general office tasks” bucket and places it squarely in the “risk management” bucket. By focusing on preventative schedules and strict documentation, you can easily satisfy the new requirements and ensure your business stays resilient against physical hardware failures.