What is ISO 27001 Annex A 7.8 Equipment Siting and Protection in ISO 27001?
Annex A 7.8 requires siting equipment to reduce environmental risks and unauthorised access. In practice this means documenting hardware locations in internal asset registers such as SharePoint. It ensures hardware remains protected from physical hazards and from unauthorised viewing of screens. Effective management integrates these siting decisions into existing facilities and IT change workflows rather than treating them as a separate compliance task.
Auditor’s Eye: The Shortcut Trap
Many firms rely on SaaS compliance dashboards that show a green tick for siting. These platforms lack the local context of your physical office. Auditors prefer seeing siting plans and risk assessments in your own SharePoint folders. We look for Jira tickets showing the history of hardware moves. Reliance on “Black Box” software often leads to surface-level compliance. This decoupling of security from daily operations creates a major audit risk. Prove your ownership by using native document repositories.
| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Key Focus Areas |
|---|---|---|
| Annex A 11.2.1 | Annex A 7.8 | Environmental resilience and physical access controls for hardware. |
How to Implement ISO 27001 Annex A 7.8 (Step-by-Step)
Start by identifying all critical hardware. Use your existing SharePoint asset register. Frame the implementation as a cultural change in how you manage facilities. Do not install separate compliance software. Follow these steps to ensure protection.
- List all hardware in a SharePoint asset register with clear locations.
- Identify environmental risks, such as water pipes or direct sunlight, and record them in Confluence.
- Draft siting rules that protect screens from public viewing.
- Use Jira workflows to manage and approve any equipment moves.
- Audit these locations monthly and record findings in internal meeting minutes.
ISO 27001 Annex A 7.8 Equipment Siting and Protection Audit Evidence Checklist
Focus on manual records and internal document versions. These prove human oversight. Auditors want to see how your team manages these risks daily.
- An asset register with specific room and rack locations in SharePoint.
- Documented risk assessments for all equipment rooms in Confluence.
- Jira tickets showing the audit trail for hardware moves.
- Records of physical site inspections with dated findings.
- Version-controlled floor plans showing secure hardware zones.
Relational Mapping
Control A 7.8 connects to several other ISO 27001 areas:
- Annex A 7.5: Protecting against environmental threats.
- Annex A 7.1: Physical security perimeters.
- Clause 8.1: Operational planning and control.
Auditor Interview
Auditor: How do you decide where to place a new server?
User: We follow our siting policy stored in SharePoint. We conduct a risk survey and record it in Confluence.
Auditor: How do you track the physical movement of this equipment?
User: We use Jira tickets for every hardware change. This provides a clear history of approvals and locations.
Common Non-Conformities
| Failure Type | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS dashboard while hardware is in high-risk zones. | Move siting evidence to internal repositories like SharePoint. |
| Visual Vulnerability | Screens are visible from public windows or corridors. | Reposition hardware and document the change in Jira. |
| Environmental Hazards | Hardware is placed under water pipes or in damp areas. | Conduct a physical survey and update the Confluence risk log. |
Frequently Asked Questions
What is ISO 27001 Annex A 7.8?
The Bottom Line: It is the practice of placing hardware in secure locations to prevent damage and unauthorised viewing. Effective siting protects screens from public windows and keeps servers away from water sources. You must record these siting decisions in your internal asset management systems for auditor review.
How do I document equipment protection?
The Bottom Line: Use your internal SharePoint asset register. Include specific fields for room numbers and rack positions. Attach risk assessments to each location entry. This proves to auditors that you actively monitor where your sensitive equipment is stored.
Does Annex A 7.8 cover home working?
The Bottom Line: Yes, siting rules apply to home environments. Staff must ensure screens are not visible to unauthorised persons. You should publish home working guidelines in your internal Confluence wiki. This shows you have extended your controls to the remote workforce.
