ISO 27001 A.7.11: Supporting utilities
What This Control Requires
Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.
In Plain Language
Your servers do not run on good intentions. They need reliable power, cooling, network connectivity, and sometimes water (for cooling systems and fire suppression). When any of these fail, equipment goes down, data gets corrupted, and business stops.

Power is the most critical dependency. A sudden outage causes immediate shutdowns and potential data corruption. A surge can fry hardware. But cooling failures are a close second - a server room without air conditioning becomes an oven in minutes, and overheating equipment will shut itself down or, worse, fail permanently.

This control is about identifying every utility your information processing facilities depend on and making sure you have redundancy, monitoring, and emergency procedures in place for each one. Auditors will ask about your UPS capacity, whether your generator has been tested under load recently, and whether you have redundant cooling and network links.
How to Implement
Map out every supporting utility your information processing facilities depend on: electrical power, cooling and air conditioning, telecommunications links, water supply (for cooling and fire suppression), and gas supply (for gas-based fire suppression). For each one, assess the risk of failure and the impact on operations.

For power, implement layered protection:
- Install UPS systems sized to run critical equipment for at least 15-30 minutes - long enough for generators to kick in or for an orderly shutdown.
- Deploy backup generators with automatic transfer switches that activate within seconds.
- Use power distribution units with surge protection and monitoring.
- For critical data centres, get dual power feeds from separate utility sources.
- Test UPS and generators under load regularly, not just on paper.

For cooling:
- Install redundant cooling units (N+1 minimum, 2N for critical data centres).
- Monitor temperature and humidity with automated alerts.
- Use hot aisle/cold aisle containment for efficient cooling.
- Define clear escalation procedures for cooling failures.
- Stick to a preventive maintenance schedule.

For telecommunications:
- Get redundant network connections from different carriers.
- Route cables through physically diverse paths.
- Maintain a backup link (cellular or satellite) for critical connections.
- Test failover regularly.
- Monitor link status with automated alerting.

Set up maintenance schedules for everything. UPS batteries degrade over time and need regular testing and replacement. Generators need servicing. Cooling systems need maintenance. Fire suppression needs inspection. Keep service contracts with qualified providers for critical utilities.

Write emergency procedures for each type of utility failure. Cover who to call, what immediate actions to take (like orderly system shutdown for extended power loss), escalation for different failure durations, and how to communicate with affected stakeholders.
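The guidance above boils down to three calculations a facilities or security engineer actually has to make: how much UPS capacity a given load needs to reach the 15-30 minute target once batteries have aged, what to do at each stage of a power loss when the generator has not taken over, and when a temperature or humidity reading should page someone. The following is an added example illustrating those checks; it is not code from the page or from any vendor. The battery figures, efficiency and ageing factors, environmental thresholds and escalation timings are constructed assumptions for the example, not values the standard prescribes.

```python
"""UPS sizing, power-loss escalation and environmental alerting checks.

Added example for ISO 27001 A.7.11 guidance. All numeric thresholds and
equipment figures below are constructed assumptions, not values from the
standard or from any real site.
"""
from dataclasses import dataclass


@dataclass
class UpsBank:
    battery_wh: float           # nameplate stored energy of the battery string
    inverter_efficiency: float  # fraction of battery energy delivered to the load
    battery_health: float       # 1.0 when new; batteries degrade with age (assumption)


def ups_runtime_minutes(ups: UpsBank, load_w: float) -> float:
    """Estimate how long the UPS carries a steady load, in minutes."""
    if load_w <= 0:
        raise ValueError("load must be positive")
    usable_wh = ups.battery_wh * ups.battery_health * ups.inverter_efficiency
    return usable_wh / load_w * 60.0


def required_battery_wh(load_w: float, target_minutes: float,
                        inverter_efficiency: float,
                        end_of_life_health: float = 0.8) -> float:
    """Battery energy needed so the runtime target still holds at end of life.

    Sizing for new batteries alone is the 'tested on paper' mistake: the
    target must survive the assumed end-of-life capacity (80% here).
    """
    energy_at_load = load_w * target_minutes / 60.0
    return energy_at_load / (inverter_efficiency * end_of_life_health)


def power_loss_action(minutes_on_battery: float, runtime_minutes: float,
                      generator_online: bool, shutdown_minutes: float = 5.0,
                      transfer_grace_minutes: float = 2.0) -> str:
    """Escalation step for a mains failure, keyed on how long it has lasted.

    shutdown_minutes is the time an orderly shutdown of the critical systems
    needs; transfer_grace_minutes is how long we tolerate waiting for the
    automatic transfer switch before treating the generator as failed.
    """
    if generator_online:
        return "monitor"            # generator carried the load; keep watching
    remaining = runtime_minutes - minutes_on_battery
    if remaining <= shutdown_minutes:
        return "orderly_shutdown"   # last safe moment to shut down cleanly
    if minutes_on_battery >= transfer_grace_minutes:
        return "escalate_generator_failure"  # call facilities / generator vendor
    return "wait_for_transfer"      # transfer switch should fire within seconds


# Environmental thresholds (constructed assumptions for the example).
TEMP_RANGE_C = (18.0, 27.0)
HUMIDITY_RANGE_PCT = (20.0, 60.0)


def evaluate_environment(readings: list[dict]) -> list[tuple[str, str]]:
    """Return (sensor, problem) pairs for readings outside the allowed ranges."""
    alerts = []
    for r in readings:
        if not TEMP_RANGE_C[0] <= r["temp_c"] <= TEMP_RANGE_C[1]:
            alerts.append((r["sensor"], f"temperature {r['temp_c']}C out of range"))
        if not HUMIDITY_RANGE_PCT[0] <= r["rh_pct"] <= HUMIDITY_RANGE_PCT[1]:
            alerts.append((r["sensor"], f"humidity {r['rh_pct']}% out of range"))
    return alerts


# Constructed sample readings: one hot cold-aisle sensor, one damp UPS room.
SAMPLE_READINGS = [
    {"sensor": "cold-aisle-1", "temp_c": 21.0, "rh_pct": 45.0},
    {"sensor": "cold-aisle-2", "temp_c": 31.0, "rh_pct": 45.0},
    {"sensor": "ups-room", "temp_c": 24.0, "rh_pct": 75.0},
]

if __name__ == "__main__":
    ups = UpsBank(battery_wh=10_000, inverter_efficiency=0.9, battery_health=1.0)
    print("runtime at 20 kW (new batteries):", ups_runtime_minutes(ups, 20_000))
    print("Wh needed for 30 min at 20 kW, end of life:",
          round(required_battery_wh(20_000, 30, 0.9), 1))
    print("3 min on battery, no generator:", power_loss_action(3, 27, False))
    for sensor, problem in evaluate_environment(SAMPLE_READINGS):
        print("ALERT", sensor, problem)
```

The sizing function deliberately derates for end-of-life battery health, so a bank that gives 27 minutes when new is shown to need roughly 40% more energy to still guarantee 30 minutes after ageing; that gap is exactly what periodic load testing is meant to catch before a real outage does.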
Evidence Your Auditor Will Request
- Supporting utilities inventory and dependency analysis
- UPS and backup generator specifications and testing records
- Redundant cooling system configuration and monitoring records
- Utility maintenance schedules and service records
- Emergency procedures for utility failure scenarios
Common Mistakes
- UPS batteries are not tested regularly and fail when needed
- Backup generator has not been tested under full load conditions
- Single points of failure in power or cooling without redundancy
- No redundant telecommunications links for critical facilities
- Utility maintenance is deferred leading to preventable failures
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | A1.1 | Equivalent |
| NIS2 | Art.21(2)(c) | Related |
Frequently Asked Questions
How long should UPS systems sustain the load?
How often should backup generators be tested?