What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 7.8

ISO 27001 Annex A 7.8 - what changed in the 2022 update

When you are navigating the transition from ISO 27001:2013 to the 2022 update, it is easy to focus all your energy on the digital side of things: cloud security, encryption, and coding. However, the physical environment where your hardware “lives” is just as critical. In the 2022 revision, the requirements for where and how you place your equipment have been moved and refined under Annex A 7.8: Equipment Siting and Protection.

The Structural Shift: From 11.2.1 to 7.8

In the older ISO 27001:2013 standard, the rules for protecting your hardware were found under Control 11.2.1. It sat within the “Physical and Environmental Security” domain. For many organisations, this was a straightforward facilities checklist: keep the servers off the floor and away from the windows.

With the arrival of ISO 27001:2022, this requirement has been rebranded as Annex A 7.8 and moved into the Physical Controls theme. According to experts at Hightable.io, this transition is part of a broader move to make the standard more intuitive. By placing it in the Physical theme, the standard emphasises that equipment siting isn’t just a technical IT task; it’s an organisational commitment to protecting the physical integrity of your information processing facilities.

What Exactly is New in Annex A 7.8?

The core objective remains familiar: reduce risks from environmental threats, hazards, and opportunities for unauthorised access. However, the 2022 version brings some subtle but powerful changes to the table. One of the most significant additions is a clearer focus on segregation.

As noted by Hightable.io, the 2022 update introduces a specific requirement that IT equipment owned and controlled by your organisation should be clearly segregated from equipment that you do not own or control. This is a direct response to the modern reality of co-working spaces and shared data centres. If you are sharing a rack or a room, you need to prove that your “perimeter” is distinct from your neighbour’s.

Key Refinements in Implementation Guidance

If you are mapping your old 11.2.1 controls to the new 7.8 requirements, you will notice that the guidance is now more detailed regarding modern environmental risks. Key areas of focus include:

  • Siting for Maintenance: The 2022 version is more explicit about placing equipment in a way that allows for easy maintenance without compromising the security of other surrounding assets.
  • Visual Protection: There is a stronger emphasis on positioning monitors and printers so that sensitive information cannot be easily viewed by unauthorised passers-by, a rule that bridges the gap between physical siting and “Clear Desk/Clear Screen” policies.
  • Environmental Monitoring: While the 2013 version mentioned environmental threats, the 2022 update expects more proactive monitoring of conditions like temperature and humidity that could lead to equipment failure.
  • Industrial Environments: The guidance now specifically mentions that if equipment is in an industrial setting, special protections (like keyboard membranes or dust filters) should be used.

The Role of Control Attributes

A major innovation of the ISO 27001:2022 update is the introduction of “Attributes.” For Annex A 7.8, the control is officially tagged as a Preventive control. This metadata helps you categorise the control’s function within your broader risk treatment plan.

By using these attributes, you can clearly demonstrate to an auditor that your equipment siting isn’t just about “convenience.” It is a Preventive measure designed to maintain Availability and Confidentiality. This level of granular reporting was much harder to achieve under the 2013 domain structure.

What Will an Auditor Look For?

When you sit down for your transition audit, the auditor will be looking for a risk-based justification for your equipment placement. They won’t just check if the door has a lock; they will look at the logic behind your floor plan. Expect them to ask:

  • “Show me how your critical servers are protected from environmental hazards like pipes or external windows.”
  • “How have you segregated your own IT hardware from guest or third-party equipment?”
  • “What is your process for monitoring the temperature and humidity in this room?”
  • “Are your printers and screens positioned to prevent ‘shoulder surfing’ by unauthorised visitors?”

Why the Transition to 7.8 Matters

The update to Annex A 7.8 reflects a world where hardware is often more portable and environments are more shared. In 2013, the “server room” was a static concept. In 2026, your equipment might be in a hybrid cloud facility or a shared hub. ISO 27001:2022 ensures that your physical assets are protected by modern, enforceable standards that account for these new complexities.

As suggested by Hightable.io, the best way to move forward is to conduct a fresh “site-siting” audit. Don’t rely on your old diagrams from 2013. Look at your current office and data centre layouts through the lens of 7.8, focusing specifically on segregation and environmental monitoring. This proactive step doesn’t just satisfy the requirements of the new standard; it builds a foundation of physical resilience for your entire organisation.