Requirement
Requirement lens
This control asks whether equipment is maintained correctly to preserve availability, integrity, and confidentiality.
“Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.”
Plain-language meaning
Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep maintenance and fault records, and protect confidential information during maintenance.
Why this matters
Poor maintenance can cause sudden failures, outages, data integrity issues, and confidentiality exposure. Maintenance can also introduce risk if unauthorized technicians access equipment, confidential information is visible, or equipment is modified during repair.
Implementation guidance
Implementer focus
Maintenance is both reliability control and access control. Track what must be maintained, who may maintain it, and how information is protected during the work.
1. Define maintenance requirements
Maintenance procedures should include:
- supplier-recommended intervals and specifications;
- cleaning requirements such as filters, drives, printers, and vents;
- fault reporting and escalation;
- approved maintainers;
- maintenance records;
- post-maintenance testing;
- tamper or unauthorized modification checks.
2. Control maintenance access
External maintainers should be authorized, identified, and accompanied where required.
Controls may include:
- work orders;
- access approval;
- escorting;
- maintenance windows;
- confidentiality agreements;
- disabling or masking sensitive displays;
- removing or protecting storage media where needed.
3. Protect information during maintenance
Before maintenance, decide whether confidential data needs to be removed, encrypted, masked, powered down, or otherwise protected.
4. Record faults and trends
Fault and maintenance records help decide when equipment should be replaced before sudden failure.
Audit guidance
Auditor focus
Test whether maintenance happened as planned, whether only authorized people performed it, and whether confidential information was protected.
Auditors should verify:
- maintenance procedures exist;
- maintenance intervals align to supplier recommendations or risk decisions;
- maintenance records match the procedure;
- fault reporting and rectification logs exist;
- only authorized and qualified personnel perform maintenance;
- external maintainers are accompanied where required;
- confidential information is not exposed;
- equipment is checked after maintenance for tampering or unauthorized modification.
Evidence examples
Evidence quality
Strong evidence shows planned maintenance, fault reporting, authorized maintenance access, information protection, and post-maintenance checks.
| Evidence | What it proves |
|---|---|
| Equipment maintenance register | Maintenance requirements are known |
| Maintenance procedure | Maintenance process is defined |
| Work orders/service records | Maintenance occurred |
| Fault and rectification log | Defects are reported and resolved |
| Maintainer authorization records | Maintainers are approved |
| Escort/access records | External access is controlled |
| Post-maintenance test/tamper checks | Equipment is verified after work |
Strong evidence
- Maintenance is scheduled and recorded.
- Faults and repairs are tracked.
- Maintainers are authorized and qualified.
- External maintainers are escorted where required.
- Confidential information is removed or protected.
- Post-maintenance checks look for unauthorized changes.
Weak evidence
- Maintenance happens only when equipment fails.
- No fault log exists.
- External technicians work unsupervised in secure areas.
- Confidential data remains visible or accessible during maintenance.
- No post-maintenance verification occurs.
Common failures
Implementation watchouts
A.7.13 fails when maintenance is treated as purely technical service work with no security procedure.
| Failure | Why it matters |
|---|---|
| No maintenance schedule | Failures are discovered during operations |
| No fault reporting mechanism | Recurring defects are not managed |
| Uncontrolled maintainer access | Confidentiality and tampering risks increase |
| No post-maintenance checks | Unauthorized changes may remain |
| Data not protected before repair | Confidential information may be exposed |
| Supplier recommendations ignored | Availability and warranty risks increase |
Exam traps
Exam focus
A.7.13 is not only availability. Maintenance can affect integrity and confidentiality too.
| Trap | Correct interpretation |
|---|---|
| Maintenance is an IT operations issue only | It is an ISMS control when it affects information security |
| Correct operation means no maintenance is needed | Equipment can fail suddenly without preventive maintenance |
| External maintenance access is harmless | Maintainers may see data or modify equipment |
| Repair completion is enough | Post-maintenance testing and tamper checks may be required |
| Maintenance only protects availability | It also protects integrity and confidentiality |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.8 Equipment Siting and Protection
- A.7.11 Supporting Utilities
- A.7.14 Secure Disposal or Re-Use of Equipment
- A.5.37 Documented Operating Procedures
- Risk Assessment
- Equipment Maintenance Register
- Maintenance Access and Tamper Check Record
- A.7.13 Audit Evidence Pack
- A.7.13 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.13 keeps equipment reliable and secure by requiring planned maintenance, authorized maintainers, fault records, data protection, and post-maintenance checks.
- Maintain equipment according to defined requirements.
- Use authorized and qualified maintainers.
- Protect confidential information during maintenance.
- Keep fault and repair records.
- Verify equipment after maintenance.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Equipment maintenance
- Audit
Note Metadata
Aliases: A.7.13, Equipment Maintenance
Source: 04 Annex A Physical Controls/A.7.13 Equipment Maintenance.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- ISO 27001 A.5.37 - Documented Operating Procedures
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.8 - Equipment Siting and Protection
- A.7 Physical Controls MOC
- A.7.13 Audit Evidence Pack
- AQ-ISO27001-A.7.13 Equipment Maintenance
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.13 Equipment Maintenance
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-026 - Cabling, Maintenance, and Equipment Disposal
- ISO 27002 Annex A Control Interpretation Map
- A.7.13 Audit Checklist
- Equipment Maintenance Register
- Maintenance Access and Tamper Check Record
- Repair Dispatch Data Protection Checklist
- Annex A Controls MOC