
ISO 27001 A.7.8: Equipment siting and protection

What This Control Requires

Equipment shall be sited securely and protected.

In Plain Language

Where you physically place your equipment matters more than most people think. A server rack under a water pipe, a workstation screen facing a window onto the street, a network switch in an unlocked cupboard next to the kitchen - these are all siting failures that create real risk. Good equipment siting considers environmental hazards (heat, water, dust, vibration), physical access risk, whether information on screens can be observed, and whether the necessary utilities (power, network, cooling) are available and reliable. Getting this right reduces equipment failures, prevents physical damage, and stops casual information leakage. This covers everything: servers, network gear, workstations, printers, storage devices, telecoms equipment, and supporting infrastructure like UPS systems and cabling.

How to Implement

Walk through your facilities and assess where every piece of information processing equipment is placed. Look for obvious risks and create an equipment placement policy that sets standards for different equipment types.

For servers and network equipment: install in dedicated rooms with proper environmental controls, use standard racks with cable management, keep equipment away from external walls and windows where possible, leave adequate spacing for airflow and maintenance, make sure there are no water pipes running overhead (raised floors help), and provide power conditioning and UPS.

For workstations: position screens so they cannot be read from windows, corridors, or public areas. Put printers that handle sensitive output in restricted areas, not next to the front desk. In high-risk areas, secure equipment to desks with cable locks. Keep equipment away from direct sunlight and heat sources. Make sure there is decent ventilation.

For telecoms equipment: lock distribution frames and patch panels in cabinets or dedicated rooms. Protect outdoor equipment against tampering and weather. Route cables where they will not be damaged or easily tapped. Label equipment for maintenance purposes, but do not put labels that tell an intruder what everything does.

Sort out power protection for critical equipment. UPS systems handle short interruptions. Surge protectors go on everything. Data centres need generator backup with automatic transfer switches. Use redundant power feeds where you can. Test power protection regularly - a UPS with dead batteries is not protecting anything.

Protect against environmental threats. Maintain proper temperature and humidity ranges. Route cables so people do not trip over them or damage them with chairs. Use dust filters in dusty environments. Put weatherproof enclosures on outdoor equipment. Keep the area around equipment clean and free of flammable materials.

Set up maintenance schedules. Clean equipment and ventilation systems regularly. Inspect power connections, cables, and environmental controls. Verify alarms and monitoring. Document everything - auditors want to see maintenance records, not just the equipment itself.

Evidence Your Auditor Will Request

  • Equipment placement and siting policy or guidelines
  • Environmental control specifications for equipment rooms
  • UPS and power protection system specifications and testing records
  • Equipment maintenance schedules and records
  • Assessment records showing screen positioning prevents unauthorized viewing

Common Mistakes

  • Critical equipment is located in areas vulnerable to environmental hazards
  • Server equipment lacks adequate power protection or UPS
  • Screens are visible from public areas or windows
  • Equipment rooms lack appropriate environmental controls
  • Maintenance of physical infrastructure is neglected

Related Controls Across Frameworks

Framework   Control ID   Relationship
SOC 2       A1.1         Related
SOC 2       CC6.4        Partial overlap

Frequently Asked Questions

What environmental conditions are recommended for server rooms?
ASHRAE recommends 18-27 °C and 40-60% relative humidity for data centres. In practice, aim for a consistent range within those limits rather than bouncing between the extremes. Monitor temperature at multiple points - including hot aisle and cold aisle if you have that setup. Make sure cooling capacity exceeds your current heat load with room for growth, because adding more servers to an already-maxed-out cooling system is a recipe for a meltdown. Set up alerts for anything outside the acceptable range.
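The multi-point monitoring, excursion alerting and cooling-headroom checks described in this answer, as an added example that is not part of the original page or of AuditFront's product. It assumes rack-inlet temperature and humidity probes polled at a fixed interval, the ASHRAE envelope quoted above, and constructed values for the persistence count, the probe-spread limit and the growth margin.

```python
from dataclasses import dataclass

# Recommended envelope quoted in the FAQ above (applies to equipment inlet air).
TEMP_RANGE = (18.0, 27.0)   # degrees C
RH_RANGE = (40.0, 60.0)     # percent relative humidity
PERSIST = 3                 # assumed: polls a breach must persist before alerting
SPREAD_LIMIT = 6.0          # assumed: max temp gap across inlet probes before flagging airflow


@dataclass
class Reading:
    probe: str      # e.g. "rack-inlet-A"; constructed identifiers
    temp_c: float
    rh_pct: float


def breaches(r: Reading) -> list[str]:
    """Return the envelope limits this single reading violates (empty if in range)."""
    out = []
    if not TEMP_RANGE[0] <= r.temp_c <= TEMP_RANGE[1]:
        out.append(f"{r.probe}: temp {r.temp_c:.1f}C outside {TEMP_RANGE}")
    if not RH_RANGE[0] <= r.rh_pct <= RH_RANGE[1]:
        out.append(f"{r.probe}: RH {r.rh_pct:.0f}% outside {RH_RANGE}")
    return out


class EnvMonitor:
    """Counts consecutive out-of-range polls per probe, so one noisy sample does not
    page anyone but a sustained excursion does; also flags a large spread between
    probes, which usually means uneven airflow rather than a room-wide problem."""

    def __init__(self) -> None:
        self.streak: dict[str, int] = {}

    def poll(self, readings: list[Reading]) -> list[str]:
        alerts = []
        for r in readings:
            problems = breaches(r)
            self.streak[r.probe] = self.streak.get(r.probe, 0) + 1 if problems else 0
            if self.streak[r.probe] >= PERSIST:
                alerts.extend(f"ALERT (x{self.streak[r.probe]}) {p}" for p in problems)
        temps = [r.temp_c for r in readings]
        if len(temps) > 1 and max(temps) - min(temps) > SPREAD_LIMIT:
            alerts.append(f"ALERT probe spread {max(temps) - min(temps):.1f}C exceeds {SPREAD_LIMIT}C")
        return alerts


def cooling_headroom_ok(cooling_kw: float, it_load_kw: float, growth: float = 0.25) -> bool:
    """Cooling capacity must exceed the current heat load plus an assumed growth margin."""
    return cooling_kw >= it_load_kw * (1 + growth)
```

Feed `EnvMonitor.poll` one list of readings per polling interval; alerts appear only once a breach has persisted for `PERSIST` polls, and the streak resets as soon as a probe returns to range.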
How should we protect equipment in shared or public spaces?
Use cable locks or secure mounting to stop equipment walking away. Turn screens away from public view and fit privacy screens where observation is possible. Disable or restrict USB ports. Enable chassis intrusion detection if your hardware supports it. Cover the area with CCTV. For network and telecoms gear in shared spaces, use locked enclosures - an unlocked network switch in a corridor is an open invitation.
