A.7.8 / A.7.13 — Are equipment siting, protection and maintenance schedules documented and applied?
Description
What this control does
This control requires the organization to document and apply formal procedures for the physical placement, environmental protection, and preventive maintenance of information processing equipment (A.7.8 covers siting and protection; A.7.13 covers maintenance). It addresses location risk assessments (distance from hazards, public access, environmental controls), physical protective measures (locked rooms, fire suppression, temperature and humidity monitoring), and scheduled maintenance to prevent equipment failure. Maintenance should follow the supplier's recommended service intervals, be carried out only by authorized maintenance personnel, and be recorded, including any faults found and any equipment sent off-site for repair. Proper siting reduces exposure to environmental threats and unauthorized physical access; a maintenance schedule keeps equipment reliable and surfaces hardware degradation early, before it causes data loss or service interruption.
Control objective
What auditing this proves
Demonstrate that equipment siting decisions are documented with risk rationale, physical protection measures are implemented and verifiable, and maintenance activities occur according to documented schedules with records of completion.
Associated risks
Risks this control addresses
- Equipment placed in publicly accessible or uncontrolled areas enables theft, tampering, or unauthorized physical access to sensitive data
- Failure to maintain environmental controls (temperature, humidity, power quality) causes premature hardware failure and unplanned service outages
- Lack of scheduled maintenance results in undetected component degradation, leading to sudden catastrophic failures and data loss
- Equipment sited near water sources, fire hazards, or flood zones suffers environmental damage without warning
- Absence of fire suppression or detection systems allows small incidents to destroy critical infrastructure
- Unmaintained equipment generates spurious faults and alerts that, during a security incident, can be mistaken for or mask genuine indicators of compromise
- Poor cable management and equipment layout obstructs emergency response and increases risk of accidental disconnection
Testing procedure
How an auditor verifies this control
- Obtain the current equipment inventory for critical information processing systems, including servers, network devices, and storage arrays, with documented physical locations.
- Review the equipment siting and protection policy or standard to identify documented criteria for location selection, environmental requirements, and physical security controls.
- Select a representative sample of at least five critical equipment items spanning different facility areas and equipment types.
- Conduct physical walkthroughs to verify that each sampled item is where the inventory says it is and to assess the physical protections in place (locks, access controls, environmental monitoring, fire detection and suppression); where monitoring is claimed, ask for a recent alarm or test record rather than relying on the presence of a sensor.
- Obtain maintenance schedules for sampled equipment, including manufacturer recommendations, organizational policies, and service contracts.
- Review maintenance logs and work orders from the past 12 months to verify that scheduled activities (cleaning, firmware updates, component replacements, environmental checks) were completed on time and by authorized maintenance personnel, that faults found were recorded, and that any equipment sent off-site for repair had its storage media handled according to policy before release.
- Interview facilities and IT operations staff to confirm responsibility assignments for equipment monitoring, environmental control testing, and maintenance execution.
- Verify that deviations are handled by reviewing incident records or change requests related to emergency maintenance, environmental alarms, or equipment relocations, and confirm that relocated equipment had its siting re-assessed and the inventory updated.