UnixTime

Research Note

ISO 27001 A.7.12 - Cabling Security

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they...

On this page

Requirement

Requirement lens

This control asks whether power, data, and supporting service cables are protected from interception, interference, and damage.

“Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.”

Plain-language meaning

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they can cause outages, interference, safety issues, interception, or tampering.

Why this matters

Weak cabling can create availability, integrity, confidentiality, and safety risks. Loose cables can be damaged or disconnected. Unclear labels can lead to incorrect connections. Power and data in the same conduit can create interference. Exposed communications cables can be tapped or damaged.

Implementation guidance

Implementer focus

Treat cabling as infrastructure that needs design, documentation, protection, labelling, and inspection.

1. Protect cables from physical damage

Controls may include:

  • proper cable trays, conduits, trunking, or raised-floor routing;
  • avoiding loose cables on floors or walls;
  • strain relief for connectors;
  • protection against pulling, crushing, bending, water, heat, and pests;
  • secure routing through controlled areas;
  • regular inspection of cable condition.

2. Protect cables from interference

Power and data cables should be routed and segregated where required to reduce interference.

Examples:

Situation Risk Control
Power and data in same conduit Interference affecting data Segregated conduits/routes
Industrial environment Electrical noise or damage Shielding, separation, specialist installation
Loose patch cables Disconnection or inaccurate connection Cable management and labelling

3. Protect cables from interception and tampering

Where communications cables carry sensitive or critical information, consider:

  • locked equipment rooms;
  • locked communications boxes;
  • protected conduits;
  • controlled access to patch panels;
  • tamper-evident inspection;
  • encryption for sensitive transmissions;
  • provider discussions for external junction boxes or street cabinets.

4. Maintain cabling documentation

Documentation should show power and communications routes, patching, labels, colour coding, cabinets, rooms, and external provider handoff points.

Audit guidance

Auditor focus

Walk the cable routes. Documentation is useful, but the audit finding often comes from exposed, loose, unlabelled, or poorly segregated cables.

Auditors should verify:

  • cabling is properly routed and protected;
  • connectors are protected from damage;
  • power and data cabling are segregated where required;
  • cables are labelled or colour-coded;
  • network cabling between rooms, floors, or buildings is protected;
  • patch panels and communications cabinets are locked where needed;
  • external telecommunications junctions are considered in risk assessment;
  • encryption or other transmission controls are used where interception risk justifies them.

Evidence examples

Evidence quality

Strong evidence combines cabling diagrams, labelling, controlled access, inspection records, and walkthrough confirmation.

Evidence What it proves
Cabling diagrams Routes and weak points are known
Cable labelling/colour coding standard Connections are controlled
Cabling inspection checklist Physical condition is reviewed
Locked cabinet/access records Patch panels and terminations are protected
Risk assessment for exposed/external routes Interception and tampering risks are considered
Provider correspondence External telecoms risks are addressed

Strong evidence

  • Cable routes are documented and match the site.
  • Power and data segregation is implemented where needed.
  • Patch panels and communications rooms are access-controlled.
  • Exposed or external cable routes are risk-assessed.
  • Inspection records identify and correct poor routing or damage.

Weak evidence

  • Loose cables run across floors or walls.
  • Patch panels are unlocked or unlabelled.
  • Cable diagrams are missing or stale.
  • Power and data cables are mixed without assessment.
  • External junction boxes are ignored.
  • Encryption is assumed to compensate for physical exposure without risk analysis.

Common failures

Implementation watchouts

Cabling security fails when cabling is treated as a one-time installation task and never inspected again.

Failure Why it matters
Unprotected loose cabling Damage, outage, and safety incidents
Poor labelling Incorrect connections and slow fault tracing
Unlocked patch panels Tampering, unauthorized connections, interception
Power/data interference Loss of integrity or availability
Unassessed external junctions Provider infrastructure becomes a weak point
No cable-route documentation Faults and weak points are hard to find

Exam traps

Exam focus

A.7.12 is not just tidy cabling. It protects power and data cabling against interception, interference, and damage.

Trap Correct interpretation
Cabling is only an availability issue Interception and tampering can affect confidentiality and integrity
Labels are cosmetic Labelling reduces incorrect connections and fault-tracing failures
Encryption replaces physical cabling protection Encryption can help, but physical protection and routing still matter
External provider junctions are out of scope They should be considered where they create risk
Power and data can always share routes Segregation may be needed to avoid interference

KB-ready summary

Mentor takeaway

A.7.12 protects the physical paths that power and data rely on. Good evidence shows routed, labelled, protected, segregated, and inspected cabling.

  • Protect cabling from physical damage.
  • Segregate power and data where interference is plausible.
  • Lock and control patch panels and terminations.
  • Document cable routes and labels.
  • Consider external telecoms weak points.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Cabling
  • Audit

Note Metadata

Aliases: A.7.12, Cabling Security

Source: 04 Annex A Physical Controls/A.7.12 Cabling Security.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.