UnixTime

Research Note

ISO 27001 A.7.11 - Supporting Utilities

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and bu...

On this page

Requirement

Requirement lens

This control asks whether information processing facilities are protected from power, cooling, telecommunications, water, and other utility failures that could interrupt operations.

“Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.”

Plain-language meaning

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and building management systems can all affect availability.

The organization should identify which utilities are required, test and inspect them, monitor for failures, and provide redundancy where risk and business continuity requirements justify it.

Why this matters

No utility usually means no availability. A server room without cooling can fail quickly. A power failure without UPS or generator capacity can shut down critical services. Loss of water may close a site even if computers still work. A failed telecommunications link can make a service unavailable even when the facility itself is fine.

Implementation guidance

Implementer focus

Map critical information processing facilities to their utility dependencies, then verify whether utility resilience matches the required availability.

1. Identify required supporting utilities

Typical utilities include:

  • electricity;
  • heating, ventilation, and air conditioning;
  • telecommunications and network connectivity;
  • clean running water;
  • fire protection systems;
  • emergency lighting;
  • fuel for generators;
  • building management systems;
  • environmental monitoring systems.

Use Risk Assessment and A.5.30 ICT Readiness for Business Continuity to decide where redundancy is needed.

Facility/service Utility dependency Risk question
Server room Power and cooling How long can it operate if public power fails?
Network room Power and telecommunications Is there redundant connectivity where needed?
Office site Water and electricity Would health/safety closure stop business operations?
Fire protection Water or suppression supply Is protection sufficient for the environment?
Building management system Network, software, and backups Is the system protected like other in-scope IT?

3. Provide resilience where required

Controls may include:

  • uninterruptible power supply;
  • standby generator;
  • redundant power feeds;
  • redundant telecommunications links;
  • power conditioning for sensitive equipment;
  • environmental alarms;
  • emergency lighting;
  • HVAC redundancy;
  • generator fuel management;
  • maintenance contracts and supplier agreements.

UPS/generator capacity should cover the required operating period or the time defined in continuity requirements. It should also include dependent loads such as cooling, not only servers.

4. Inspect, test, and maintain utilities

Utilities should be inspected and tested regularly.

Testing should verify:

  • UPS runtime and battery condition;
  • generator start and load capacity;
  • fuel availability;
  • HVAC capacity and alarm response;
  • telecommunications failover;
  • emergency lighting;
  • fire protection supply;
  • environmental alarm operation;
  • maintenance completion.

5. Treat in-scope building management systems as IT systems

If building management systems are in ISMS scope, they should receive appropriate IT/security controls such as malware protection, backups, vulnerability management, access control, logging, and audit.

Audit guidance

Auditor focus

Do not accept “we have a UPS” as sufficient. Check capacity, tested runtime, cooling dependency, maintenance records, alarm response, and documented continuity requirements.

Auditors should verify:

  • supporting utilities are identified;
  • critical facilities have mapped utility dependencies;
  • required utility service levels are documented;
  • external utility/provider agreements are considered where relevant;
  • utilities are inspected, tested, and maintained;
  • UPS/generator capacity matches documented requirements;
  • cooling requirements are included in power resilience planning;
  • alarms detect utility failures;
  • emergency lighting is available where needed;
  • redundant utility connections are implemented or risk-assessed as not required;
  • building management systems in scope are treated as IT systems.

Audit testing should include reviewing records and asking how the organization knows the selected utility resilience is sufficient.

Evidence examples

Evidence quality

Strong evidence proves utilities are mapped, tested, maintained, monitored, and aligned to availability and continuity requirements.

Evidence What it proves
Supporting utility dependency register Required utilities are identified
Utility inspection and test log Utilities are regularly tested
UPS/generator capacity records Runtime and load capacity are verified
HVAC maintenance and alarm records Cooling is maintained and monitored
Telecommunications redundancy records Connectivity resilience is considered
Emergency lighting test records Safe operation during power failure is considered
Supplier/service agreements External utility/provider responsibilities are understood
BMS security review In-scope building systems are protected like IT systems

Strong evidence

  • Utility dependencies are mapped to critical information processing facilities.
  • UPS/generator tests include load, runtime, and cooling requirements.
  • Maintenance follows manufacturer recommendations.
  • Alarms detect utility failures and have response procedures.
  • Redundant links or feeds are implemented where justified.
  • Continuity requirements define required operating duration.
  • Building management systems in scope have backups, access controls, patching, and monitoring.

Weak evidence

  • UPS exists but runtime has not been tested.
  • Generator exists but cooling load is excluded.
  • Utility inspection records are missing.
  • Telecommunications resilience is assumed but not tested.
  • Alarms exist but no one knows who responds.
  • BMS is networked but not patched, backed up, or audited.
  • Continuity plan assumes power availability without evidence.

Common failures

Implementation watchouts

A.7.11 fails when utility resilience is assumed from installed equipment instead of tested capacity and documented requirements.

Failure Why it matters
UPS installed but not load-tested Runtime may fail during real outage
Cooling not included in power planning Server room overheats even if servers stay powered
Generator not maintained or fuel-managed Backup power may not start or last
No redundant telecoms decision One cable/provider can take down critical services
Alarms not linked to response Utility failures are detected too late
BMS treated as facilities-only Malware, access, patching, or backup gaps can disrupt facilities
Water and site closure ignored Office availability can fail for non-IT reasons

Exam traps

Exam focus

A.7.11 is about supporting utilities for information processing facilities, not only electricity.

Trap Correct interpretation
Supporting utilities means only power It also includes cooling, telecoms, water, fire protection, emergency lighting, and related systems
UPS existence proves compliance Capacity, runtime, maintenance, testing, and cooling load matter
Generator protects everything automatically Scope, load, fuel, maintenance, and tested runtime must match requirements
Public utilities are reliable enough by default Risk assessment should consider utility disruption
BMS is not an IT security concern In-scope BMS should be protected like other IT systems

KB-ready summary

Mentor takeaway

A.7.11 protects availability by ensuring critical information processing facilities have the utilities they need, and that those utilities are tested, monitored, maintained, and aligned with continuity requirements.

  • Identify required utilities.
  • Map utilities to critical facilities and services.
  • Test UPS, generators, cooling, telecoms, emergency lighting, and alarms.
  • Include cooling and dependent loads in power calculations.
  • Treat in-scope building management systems like IT systems.
  • Audit for tested capacity, not just installed equipment.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Supporting utilities
  • Availability
  • Audit

Note Metadata

Aliases: A.7.11, Supporting Utilities

Source: 04 Annex A Physical Controls/A.7.11 Supporting Utilities.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.