A.7.5 / A.7.11 / PE-13 / PE-14 / PE-15 ISO/IEC 27001:2022 Annex A ISO 27001

A.7.5 / A.7.11 — Are environmental threats (fire, water, power loss) and supporting utilities protected?

Demonstrate that environmental threats and critical utility systems supporting information processing facilities are identified, monitored, and mitigated through appropriate detection, suppression, redundancy, and protective infrastructure controls.

Description

What this control does

This control addresses physical protection of information processing facilities and supporting infrastructure from environmental hazards including fire, flood, extreme weather, and utility failures. It requires organizations to implement detection and suppression systems (fire alarms, sprinklers), drainage and flood barriers, climate control, redundant power supplies (UPS, generators), and utility monitoring. Protection extends to locations housing critical IT assets, telecommunications equipment, backup media storage, and network infrastructure to ensure environmental conditions do not compromise availability, integrity, or confidentiality of information systems.

Control objective

What auditing this proves

Demonstrate that environmental threats and critical utility systems supporting information processing facilities are identified, monitored, and mitigated through appropriate detection, suppression, redundancy, and protective infrastructure controls.

Associated risks

Risks this control addresses

  • Fire originating from electrical faults, external sources, or equipment failure destroys servers, storage systems, or backup media containing critical or regulated data
  • Water damage from plumbing failures, roof leaks, HVAC condensation, or flooding renders IT equipment inoperable and causes permanent data loss on physical media
  • Prolonged power outages exceeding UPS capacity cause uncontrolled system shutdowns, data corruption, and extended service unavailability
  • HVAC system failure leads to overheating of server rooms causing thermal shutdown, hardware damage, and service disruption
  • Lightning strikes or power surges damage unprotected equipment, network devices, and storage arrays resulting in hardware failure and data loss
  • Inadequate humidity control causes electrostatic discharge damaging sensitive components or excessive moisture promoting corrosion and short circuits
  • Natural disasters (earthquakes, hurricanes, tornadoes) structurally compromise facilities or disable utility infrastructure for extended periods without adequate fail-over

Testing procedure

How an auditor verifies this control

  1. Obtain facility floor plans and inventory all locations housing information processing equipment, telecommunications infrastructure, backup media storage, and network operations centers
  2. Review fire detection and suppression system documentation including sensor placement diagrams, suppression agent specifications (gas, water, chemical), maintenance records, and last inspection dates
  3. Physically inspect server rooms and data centers to verify presence and operational status of smoke detectors, heat sensors, fire extinguishers, sprinkler systems or clean-agent suppression, and emergency shutoff controls
  4. Examine power infrastructure including UPS systems, generators, fuel storage, automatic transfer switches, and redundant power feeds; review capacity specifications, runtime calculations, and load testing records from the past 12 months
  5. Review HVAC system specifications, temperature and humidity monitoring logs, alarm thresholds, and maintenance records to verify climate control capabilities and environmental monitoring
  6. Test environmental monitoring systems by requesting recent alert logs, verifying alarm escalation procedures, and confirming 24/7 monitoring or automated response capabilities
  7. Inspect water detection systems, floor drainage, raised floor configurations, and physical barriers protecting equipment from plumbing infrastructure and external water sources
  8. Review utility service level agreements, redundancy arrangements with providers, documented maximum tolerable outage durations, and evidence of failover testing for power, water, and telecommunications services
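Step 6 asks the auditor to check that monitoring alerts were actually raised and escalated. The following is an added example, not part of the control text: it replays constructed sensor readings and a constructed alert log against assumed alarm bands and an assumed 15-minute acknowledgement window, reporting for each breached sensor/metric whether an alarm was raised promptly and acknowledged.

```python
from datetime import datetime, timedelta

# Assumed alarm bands; a real audit takes these from the site's HVAC/monitoring documentation.
THRESHOLDS = {"temp_c": (18.0, 27.0), "humidity_pct": (40.0, 60.0)}
ESCALATION_WINDOW = timedelta(minutes=15)  # assumed maximum time to raise and acknowledge an alarm

# Constructed sensor readings: timestamp, sensor id, temperature (C), relative humidity (%)
READINGS = """\
2024-03-01T02:00:00 rack-07 22.5 48
2024-03-01T02:05:00 rack-07 26.1 47
2024-03-01T02:10:00 rack-07 29.4 45
2024-03-01T02:15:00 rack-07 31.0 38
2024-03-01T02:20:00 rack-07 24.0 46
"""
# Constructed alert log: timestamp, sensor id, event kind, metric
ALERTS = """\
2024-03-01T02:11:00 rack-07 ALARM temp_c
2024-03-01T02:19:00 rack-07 ACK temp_c
2024-03-01T02:16:00 rack-07 ALARM humidity_pct
"""

def find_breaches(text, thresholds=THRESHOLDS):
    """Return (timestamp, sensor, metric, value) for every reading outside its band."""
    breaches = []
    for line in text.splitlines():
        ts, sensor, temp, hum = line.split()
        for metric, value in (("temp_c", float(temp)), ("humidity_pct", float(hum))):
            lo, hi = thresholds[metric]
            if not lo <= value <= hi:
                breaches.append((datetime.fromisoformat(ts), sensor, metric, value))
    return breaches

def audit_escalation(readings_text, alerts_text, window=ESCALATION_WINDOW):
    """Map each breached (sensor, metric) to 'ok', 'no-alarm', 'late-alarm' or 'no-ack'."""
    alarms = {}
    for line in alerts_text.splitlines():
        ts, sensor, kind, metric = line.split()
        alarms.setdefault((sensor, metric, kind), []).append(datetime.fromisoformat(ts))
    result = {}
    for ts, sensor, metric, _ in find_breaches(readings_text):
        key = (sensor, metric)
        if key in result:  # judge each episode on its first out-of-band reading only
            continue
        raised = sorted(t for t in alarms.get((sensor, metric, "ALARM"), []) if t >= ts)
        if not raised:
            result[key] = "no-alarm"
        elif raised[0] - ts > window:
            result[key] = "late-alarm"
        else:
            acked = sorted(t for t in alarms.get((sensor, metric, "ACK"), []) if t >= raised[0])
            result[key] = "ok" if acked and acked[0] - raised[0] <= window else "no-ack"
    return result
```

With the constructed data the temperature excursion is alarmed and acknowledged in time, while the humidity alarm is never acknowledged, which is the kind of gap an auditor would raise against the escalation procedure.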

Evidence required

Auditors collect facility diagrams with equipment locations marked, fire and water detection system specifications and maintenance logs, UPS and generator capacity reports with load test results, environmental monitoring system screenshots showing temperature/humidity trends and alert thresholds, photographs of physical protections (raised floors, cable management, equipment spacing, suppression systems), utility redundancy contracts or service level agreements, and incident records documenting environmental events and response actions within the audit period.

Pass criteria

All critical information processing facilities have documented and operational fire detection/suppression, water detection and drainage, climate control with monitoring and alerting, and power redundancy (UPS with documented runtime plus generator or dual-feed) appropriate to the criticality of hosted systems, with maintenance records confirming regular testing within manufacturer-recommended intervals.