ISO 27001 Annex A 7.8 Equipment Siting and Protection

ISO 27001 Annex A 7.8 is an important control. It requires you to protect your equipment by siting it in a secure location. The main goal of this control is to ensure that equipment is safe in the place where it is installed, so you must check that it is protected right where it sits.

What is ISO 27001 Annex A 7.8?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Equipment Siting and Protection”.

What is the ISO 27001 Annex A 7.8 control objective?

The formal definition and control objective in the standard is: “Equipment should be sited securely and protected.”

What is the purpose of ISO 27001 Annex A 7.8?

The purpose of ISO 27001 Annex A 7.8 is “to reduce the risks from physical and environmental threats, and from unauthorised access and damage.”

Is ISO 27001 Annex A 7.8 Mandatory?

ISO 27001 Annex A control 7.8 (Equipment Siting and Protection in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.8 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. The control asks you to be sensible: protect your equipment and take the right steps to keep it safe. Where you place things is key, because good siting prevents damage and keeps unauthorised people from getting access to the equipment. Some of the examples below may seem obvious, but they are still important to follow.

Servers

If you have a server, you must ensure it is in a separate room. This room needs good climate control and strong physical security. For example, it is never a good idea to keep a critical server next to a desk where someone might set a coffee cup on it. You also do not want the server sitting under an air conditioning unit that could drip water on it. Placing it in your friend’s garage is also not a good option.

Networks

If you use physical network points (yes, some people still do), you should avoid putting them in public areas. If you must have them in a public area, they should either connect to a separate public network, or you must make it very difficult for someone to plug an unauthorised device into them.

Environmental Factors

The environmental factors you need to think about depend on your work location. If you work in a factory or industrial area, you might need special dust protection. For example, you may need to use keyboard covers to keep your equipment safe from dust.