Requirement
Requirement lens
This control asks whether equipment is physically located and protected so it is not easily damaged, interfered with, misused, or viewed by unauthorized people.
“Equipment shall be sited securely and protected.”
Plain-language meaning
The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.
This includes servers, network equipment, connection panels, workstations, terminals, communications equipment, remote equipment, industrial equipment, and any other equipment used to process, store, transmit, or display information.
Why this matters
Equipment can fail or leak information because of ordinary physical conditions: heat, water, dust, vibration, unstable racks, spilled drinks, unlocked cupboards, exposed screens, poor cable rooms, or equipment placed near a window.
The control is practical: equipment should be in the right location, protected from realistic hazards, protected from unauthorized access, and included in inventories, risk assessments, and security scope.
Implementation guidance
Implementer focus
Start from the equipment inventory and ask: where is it, what can damage it, who can reach it, what can it display, and who is responsible for it?
1. Identify equipment requiring protection
Examples include:
- servers and storage devices;
- network switches, routers, firewalls, wireless access points, and patch panels;
- communications devices;
- workstations, laptops, shared terminals, and kiosks;
- printers, scanners, and fax machines;
- industrial or operational technology equipment;
- remote or branch equipment;
- equipment displaying confidential information.
2. Site equipment away from avoidable hazards
Avoid placing equipment where damage, theft, viewing, or interference is likely.
| Risk area | Example concern |
|---|---|
| Window or public-facing area | Theft, screen viewing, burglary access |
| Water source or pipework | Leaks, flooding, condensation |
| High heat or poor ventilation | Availability loss and hardware failure |
| Dust, chemicals, moisture, vibration | Industrial equipment degradation |
| Unstable racks or messy workspace | Accidental damage or service interruption |
| Public corridor or shared room | Unauthorized access or tampering |
3. Protect equipment from unauthorized access and use
Controls may include:
- locked rooms or equipment cupboards;
- rack locks and cable management;
- controlled access to communications rooms and patch panels;
- secure mounting or desk locks where appropriate;
- visitor and contractor supervision;
- rules against eating, drinking, or smoking near sensitive equipment;
- clear ownership for shared and remote equipment.
4. Manage environmental and interference risks
Assess realistic environmental risks such as:
- moisture;
- vibration;
- heat;
- dust;
- chemicals;
- electrical interference;
- electromagnetic interference;
- local issues such as magnets or equipment placed too close to interference sources.
Special testing or shielding is only justified where risk is plausible and material. Do not over-engineer niche controls without a risk basis.
5. Protect displayed information
Equipment that displays confidential information should be positioned and configured to reduce unauthorized viewing.
Examples:
- position screens away from public paths and windows;
- use privacy filters where needed;
- apply A.7.7 Clear Desk and Clear Screen rules;
- lock unattended equipment;
- restrict viewing angles in reception, shared offices, and secure processing areas.
6. Include remote and networked equipment
Remote equipment can need more security attention because it may sit outside the organization’s direct physical control.
Implementation should define:
- what remote equipment exists;
- who owns and maintains it;
- which network boundaries are the organization’s responsibility;
- how the equipment is inventoried;
- how it is risk-assessed;
- how it is physically protected;
- how incidents or faults are reported.
Audit guidance
Auditor focus
Audit by looking at where equipment is actually placed, what hazards are nearby, who can reach it, and whether the risk assessment matches reality.
Auditors should verify:
- equipment is included in inventory and risk assessment;
- equipment siting considers damage, interference, unauthorized access, and unauthorized viewing;
- network and communications equipment is protected from inappropriate access;
- environmental hazards such as heat, moisture, dust, chemicals, vibration, water, fire, and interference are considered;
- equipment near windows, public areas, adjacent hazards, or unstable storage is assessed;
- remote and networked equipment is included in scope and responsibility boundaries;
- staff are trained in proper equipment use and protection;
- rules exist for eating, drinking, smoking, and general housekeeping near equipment.
Site walkthroughs are important. Look for screens visible from outside protected areas, equipment near windows, open network cupboards, unstable racks, drinks near devices, cable rooms used as storage, or water/fire hazards in adjacent areas.
Evidence examples
Evidence quality
Strong evidence connects equipment inventory, physical siting decisions, environmental controls, staff rules, and walkthrough evidence.
| Evidence | What it proves |
|---|---|
| Equipment inventory | Equipment is known and accountable |
| Equipment siting assessment | Location risks were considered |
| Equipment protection inspection records | Physical protections are reviewed |
| Network/communications room access records | Critical equipment access is controlled |
| Environmental monitoring or maintenance records | Heat, humidity, power, and other conditions are managed |
| Remote equipment register | Remote equipment is in scope |
| Staff training or awareness records | Users know how to protect equipment |
| Housekeeping rules | Eating, drinking, smoking, and messy environments are controlled |
Strong evidence
- Equipment inventory maps equipment to location, owner, and protection needs.
- Risk assessments include environmental, access, viewing, and interference risks.
- Network equipment and patch panels are locked or otherwise access-controlled.
- Remote equipment is inventoried and included in ISMS scope/risk assessment.
- Walkthroughs confirm equipment is not exposed to obvious hazards.
- Staff rules are communicated and enforced.
Weak evidence
- Equipment exists but location risk is not assessed.
- Network switches or patch panels are in unlocked cupboards.
- Screens showing sensitive information face public or visitor areas.
- Remote equipment is missing from inventory and scope.
- Environmental risks are assumed to be facilities-only.
- Staff routinely place drinks, food, magnets, or storage near equipment.
Common failures
Implementation watchouts
A.7.8 fails when equipment location is decided for convenience only and the security team never walks the site.
| Failure | Why it matters |
|---|---|
| Equipment near windows or public areas | Increases theft, viewing, and burglary exposure |
| Unlocked network cupboards | Allows tampering, unauthorized connections, or outages |
| Remote equipment not inventoried | Leaves unmanaged assets outside scope |
| Environmental hazards ignored | Heat, water, dust, vibration, or chemicals can destroy availability |
| Screens visible to passers-by | Confidential information can be observed or photographed |
| Poor housekeeping around equipment | Spills, clutter, and unstable storage cause accidental damage |
| No staff awareness | Users damage or expose equipment through ordinary behavior |
Exam traps
Exam focus
A.7.8 is about where equipment is placed and how it is protected. Do not reduce it to asset inventory or server room access only.
| Trap | Correct interpretation |
|---|---|
| Equipment protection means only server room locks | It also includes workstations, screens, network devices, remote equipment, and environmental risks |
| Environmental threats are only A.7.5 | A.7.5 covers site/environmental threats broadly; A.7.8 applies those concerns to equipment siting and protection |
| Clear screen fully covers visible screens | A.7.7 defines rules; A.7.8 also considers where screens are positioned |
| Remote equipment is out of scope | Remote/networked equipment should be inventoried, scoped, risk-assessed, and protected |
| Electromagnetic shielding is always required | Only consider specialized controls when risk is plausible and relevant |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.3 Securing Offices Rooms and Facilities
- A.7.5 Protecting Against Physical and Environmental Threats
- A.7.7 Clear Desk and Clear Screen
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5.15 Access Control
- A.6.7 Remote Working
- Risk Assessment
- Equipment Siting and Protection Assessment
- Equipment Protection Inspection Checklist
- Remote Equipment Register
- A.7.8 Audit Evidence Pack
- A.7.8 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.8 requires equipment to be placed and protected based on realistic physical, environmental, access, viewing, and interference risks.
- Know what equipment exists and where it is.
- Site equipment away from avoidable hazards.
- Lock or restrict access to communications and network equipment.
- Protect screens and terminals from unauthorized viewing.
- Include remote equipment in inventory, scope, and risk assessment.
- Audit through walkthroughs, not just document review.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Equipment
- Environmental protection
- Audit
Note Metadata
Aliases: A.7.8, Equipment Siting and Protection
Source: 04 Annex A Physical Controls/A.7.8 Equipment Siting and Protection.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.13 - Equipment Maintenance
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- A.7.8 Audit Evidence Pack
- AQ-ISO27001-A.7.8 Equipment Siting and Protection
- ISO 27001 A.8.1 - User End Point Devices
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.8 Equipment Siting and Protection
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-023 - Equipment Siting and Protection
- EXAM-025 - Supporting Utilities
- ISO 27002 Annex A Control Interpretation Map
- A.7.8 Audit Checklist
- Equipment Maintenance Register
- Equipment Protection Inspection Checklist
- Equipment Siting and Protection Assessment
- Remote Equipment Register
- Supporting Utility Dependency Register
- Annex A Controls MOC