UnixTime

Research Note

ISO 27001 A.7.13 - Equipment Maintenance

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep m...

On this page

Requirement

Requirement lens

This control asks whether equipment is maintained correctly to preserve availability, integrity, and confidentiality.

“Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.”

Plain-language meaning

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep maintenance and fault records, and protect confidential information during maintenance.

Why this matters

Poor maintenance can cause sudden failures, outages, data integrity issues, and confidentiality exposure. Maintenance can also introduce risk if unauthorized technicians access equipment, confidential information is visible, or equipment is modified during repair.

Implementation guidance

Implementer focus

Maintenance is both reliability control and access control. Track what must be maintained, who may maintain it, and how information is protected during the work.

1. Define maintenance requirements

Maintenance procedures should include:

  • supplier-recommended intervals and specifications;
  • cleaning requirements such as filters, drives, printers, and vents;
  • fault reporting and escalation;
  • approved maintainers;
  • maintenance records;
  • post-maintenance testing;
  • tamper or unauthorized modification checks.

2. Control maintenance access

External maintainers should be authorized, identified, and accompanied where required.

Controls may include:

  • work orders;
  • access approval;
  • escorting;
  • maintenance windows;
  • confidentiality agreements;
  • disabling or masking sensitive displays;
  • removing or protecting storage media where needed.

3. Protect information during maintenance

Before maintenance, decide whether confidential data needs to be removed, encrypted, masked, powered down, or otherwise protected.

Fault and maintenance records help decide when equipment should be replaced before sudden failure.

Audit guidance

Auditor focus

Test whether maintenance happened as planned, whether only authorized people performed it, and whether confidential information was protected.

Auditors should verify:

  • maintenance procedures exist;
  • maintenance intervals align to supplier recommendations or risk decisions;
  • maintenance records match the procedure;
  • fault reporting and rectification logs exist;
  • only authorized and qualified personnel perform maintenance;
  • external maintainers are accompanied where required;
  • confidential information is not exposed;
  • equipment is checked after maintenance for tampering or unauthorized modification.

Evidence examples

Evidence quality

Strong evidence shows planned maintenance, fault reporting, authorized maintenance access, information protection, and post-maintenance checks.

Evidence What it proves
Equipment maintenance register Maintenance requirements are known
Maintenance procedure Maintenance process is defined
Work orders/service records Maintenance occurred
Fault and rectification log Defects are reported and resolved
Maintainer authorization records Maintainers are approved
Escort/access records External access is controlled
Post-maintenance test/tamper checks Equipment is verified after work

Strong evidence

  • Maintenance is scheduled and recorded.
  • Faults and repairs are tracked.
  • Maintainers are authorized and qualified.
  • External maintainers are escorted where required.
  • Confidential information is removed or protected.
  • Post-maintenance checks look for unauthorized changes.

Weak evidence

  • Maintenance happens only when equipment fails.
  • No fault log exists.
  • External technicians work unsupervised in secure areas.
  • Confidential data remains visible or accessible during maintenance.
  • No post-maintenance verification occurs.

Common failures

Implementation watchouts

A.7.13 fails when maintenance is treated as purely technical service work with no security procedure.

Failure Why it matters
No maintenance schedule Failures are discovered during operations
No fault reporting mechanism Recurring defects are not managed
Uncontrolled maintainer access Confidentiality and tampering risks increase
No post-maintenance checks Unauthorized changes may remain
Data not protected before repair Confidential information may be exposed
Supplier recommendations ignored Availability and warranty risks increase

Exam traps

Exam focus

A.7.13 is not only availability. Maintenance can affect integrity and confidentiality too.

Trap Correct interpretation
Maintenance is an IT operations issue only It is an ISMS control when it affects information security
Correct operation means no maintenance is needed Equipment can fail suddenly without preventive maintenance
External maintenance access is harmless Maintainers may see data or modify equipment
Repair completion is enough Post-maintenance testing and tamper checks may be required
Maintenance only protects availability It also protects integrity and confidentiality

KB-ready summary

Mentor takeaway

A.7.13 keeps equipment reliable and secure by requiring planned maintenance, authorized maintainers, fault records, data protection, and post-maintenance checks.

  • Maintain equipment according to defined requirements.
  • Use authorized and qualified maintainers.
  • Protect confidential information during maintenance.
  • Keep fault and repair records.
  • Verify equipment after maintenance.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Equipment maintenance
  • Audit

Note Metadata

Aliases: A.7.13, Equipment Maintenance

Source: 04 Annex A Physical Controls/A.7.13 Equipment Maintenance.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.