Requirement
Requirement lens
This control asks whether information processing facilities are protected from power, cooling, telecommunications, water, and other utility failures that could interrupt operations.
“Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.”
Plain-language meaning
Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and building management systems can all affect availability.
The organization should identify which utilities are required, test and inspect them, monitor for failures, and provide redundancy where risk and business continuity requirements justify it.
Why this matters
No utility usually means no availability. A server room without cooling can fail quickly. A power failure without UPS or generator capacity can shut down critical services. Loss of water may close a site even if computers still work. A failed telecommunications link can make a service unavailable even when the facility itself is fine.
Implementation guidance
Implementer focus
Map critical information processing facilities to their utility dependencies, then verify whether utility resilience matches the required availability.
1. Identify required supporting utilities
Typical utilities include:
- electricity;
- heating, ventilation, and air conditioning;
- telecommunications and network connectivity;
- clean running water;
- fire protection systems;
- emergency lighting;
- fuel for generators;
- building management systems;
- environmental monitoring systems.
2. Link utility needs to business requirements
Use Risk Assessment and A.5.30 ICT Readiness for Business Continuity to decide where redundancy is needed.
| Facility/service | Utility dependency | Risk question |
|---|---|---|
| Server room | Power and cooling | How long can it operate if public power fails? |
| Network room | Power and telecommunications | Is there redundant connectivity where needed? |
| Office site | Water and electricity | Would health/safety closure stop business operations? |
| Fire protection | Water or suppression supply | Is protection sufficient for the environment? |
| Building management system | Network, software, and backups | Is the system protected like other in-scope IT? |
3. Provide resilience where required
Controls may include:
- uninterruptible power supply;
- standby generator;
- redundant power feeds;
- redundant telecommunications links;
- power conditioning for sensitive equipment;
- environmental alarms;
- emergency lighting;
- HVAC redundancy;
- generator fuel management;
- maintenance contracts and supplier agreements.
UPS/generator capacity should cover the required operating period or the time defined in continuity requirements. It should also include dependent loads such as cooling, not only servers.
4. Inspect, test, and maintain utilities
Utilities should be inspected and tested regularly.
Testing should verify:
- UPS runtime and battery condition;
- generator start and load capacity;
- fuel availability;
- HVAC capacity and alarm response;
- telecommunications failover;
- emergency lighting;
- fire protection supply;
- environmental alarm operation;
- maintenance completion.
5. Treat in-scope building management systems as IT systems
If building management systems are in ISMS scope, they should receive appropriate IT/security controls such as malware protection, backups, vulnerability management, access control, logging, and audit.
Audit guidance
Auditor focus
Do not accept “we have a UPS” as sufficient. Check capacity, tested runtime, cooling dependency, maintenance records, alarm response, and documented continuity requirements.
Auditors should verify:
- supporting utilities are identified;
- critical facilities have mapped utility dependencies;
- required utility service levels are documented;
- external utility/provider agreements are considered where relevant;
- utilities are inspected, tested, and maintained;
- UPS/generator capacity matches documented requirements;
- cooling requirements are included in power resilience planning;
- alarms detect utility failures;
- emergency lighting is available where needed;
- redundant utility connections are implemented or risk-assessed as not required;
- building management systems in scope are treated as IT systems.
Audit testing should include reviewing records and asking how the organization knows the selected utility resilience is sufficient.
Evidence examples
Evidence quality
Strong evidence proves utilities are mapped, tested, maintained, monitored, and aligned to availability and continuity requirements.
| Evidence | What it proves |
|---|---|
| Supporting utility dependency register | Required utilities are identified |
| Utility inspection and test log | Utilities are regularly tested |
| UPS/generator capacity records | Runtime and load capacity are verified |
| HVAC maintenance and alarm records | Cooling is maintained and monitored |
| Telecommunications redundancy records | Connectivity resilience is considered |
| Emergency lighting test records | Safe operation during power failure is considered |
| Supplier/service agreements | External utility/provider responsibilities are understood |
| BMS security review | In-scope building systems are protected like IT systems |
Strong evidence
- Utility dependencies are mapped to critical information processing facilities.
- UPS/generator tests include load, runtime, and cooling requirements.
- Maintenance follows manufacturer recommendations.
- Alarms detect utility failures and have response procedures.
- Redundant links or feeds are implemented where justified.
- Continuity requirements define required operating duration.
- Building management systems in scope have backups, access controls, patching, and monitoring.
Weak evidence
- UPS exists but runtime has not been tested.
- Generator exists but cooling load is excluded.
- Utility inspection records are missing.
- Telecommunications resilience is assumed but not tested.
- Alarms exist but no one knows who responds.
- BMS is networked but not patched, backed up, or audited.
- Continuity plan assumes power availability without evidence.
Common failures
Implementation watchouts
A.7.11 fails when utility resilience is assumed from installed equipment instead of tested capacity and documented requirements.
| Failure | Why it matters |
|---|---|
| UPS installed but not load-tested | Runtime may fail during real outage |
| Cooling not included in power planning | Server room overheats even if servers stay powered |
| Generator not maintained or fuel-managed | Backup power may not start or last |
| No redundant telecoms decision | One cable/provider can take down critical services |
| Alarms not linked to response | Utility failures are detected too late |
| BMS treated as facilities-only | Malware, access, patching, or backup gaps can disrupt facilities |
| Water and site closure ignored | Office availability can fail for non-IT reasons |
Exam traps
Exam focus
A.7.11 is about supporting utilities for information processing facilities, not only electricity.
| Trap | Correct interpretation |
|---|---|
| Supporting utilities means only power | It also includes cooling, telecoms, water, fire protection, emergency lighting, and related systems |
| UPS existence proves compliance | Capacity, runtime, maintenance, testing, and cooling load matter |
| Generator protects everything automatically | Scope, load, fuel, maintenance, and tested runtime must match requirements |
| Public utilities are reliable enough by default | Risk assessment should consider utility disruption |
| BMS is not an IT security concern | In-scope BMS should be protected like other IT systems |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.5 Protecting Against Physical and Environmental Threats
- A.7.8 Equipment Siting and Protection
- A.5.29 Information Security During Disruption
- A.5.30 ICT Readiness for Business Continuity
- Risk Assessment
- Statement of Applicability
- Supporting Utility Dependency Register
- Supporting Utility Inspection and Test Log
- UPS and Generator Capacity Test Record
- Building Management System Security Review
- A.7.11 Audit Evidence Pack
- A.7.11 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.11 protects availability by ensuring critical information processing facilities have the utilities they need, and that those utilities are tested, monitored, maintained, and aligned with continuity requirements.
- Identify required utilities.
- Map utilities to critical facilities and services.
- Test UPS, generators, cooling, telecoms, emergency lighting, and alarms.
- Include cooling and dependent loads in power calculations.
- Treat in-scope building management systems like IT systems.
- Audit for tested capacity, not just installed equipment.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Supporting utilities
- Availability
- Audit
Note Metadata
Aliases: A.7.11, Supporting Utilities
Source: 04 Annex A Physical Controls/A.7.11 Supporting Utilities.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.13 - Equipment Maintenance
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.8 - Equipment Siting and Protection
- A.7 Physical Controls MOC
- A.7.11 Audit Evidence Pack
- AQ-ISO27001-A.7.11 Supporting Utilities
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- ISO 27001 A.8.6 - Capacity Management
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.11 Supporting Utilities
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-025 - Supporting Utilities
- ISO 27002 Annex A Control Interpretation Map
- A.7.11 Audit Checklist
- Building Management System Security Review
- Cabling Route and Protection Register
- Capacity Management Plan
- Supporting Utility Dependency Register
- Supporting Utility Inspection and Test Log
- UPS and Generator Capacity Test Record
- Annex A Controls MOC