UnixTime

Research Note

ISO 27001 A.7.8 - Equipment Siting and Protection

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

On this page

Requirement

Requirement lens

This control asks whether equipment is physically located and protected so it is not easily damaged, interfered with, misused, or viewed by unauthorized people.

“Equipment shall be sited securely and protected.”

Plain-language meaning

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

This includes servers, network equipment, connection panels, workstations, terminals, communications equipment, remote equipment, industrial equipment, and any other equipment used to process, store, transmit, or display information.

Why this matters

Equipment can fail or leak information because of ordinary physical conditions: heat, water, dust, vibration, unstable racks, spilled drinks, unlocked cupboards, exposed screens, poor cable rooms, or equipment placed near a window.

The control is practical: equipment should be in the right location, protected from realistic hazards, protected from unauthorized access, and included in inventories, risk assessments, and security scope.

Implementation guidance

Implementer focus

Start from the equipment inventory and ask: where is it, what can damage it, who can reach it, what can it display, and who is responsible for it?

1. Identify equipment requiring protection

Examples include:

  • servers and storage devices;
  • network switches, routers, firewalls, wireless access points, and patch panels;
  • communications devices;
  • workstations, laptops, shared terminals, and kiosks;
  • printers, scanners, and fax machines;
  • industrial or operational technology equipment;
  • remote or branch equipment;
  • equipment displaying confidential information.

2. Site equipment away from avoidable hazards

Avoid placing equipment where damage, theft, viewing, or interference is likely.

Risk area Example concern
Window or public-facing area Theft, screen viewing, burglary access
Water source or pipework Leaks, flooding, condensation
High heat or poor ventilation Availability loss and hardware failure
Dust, chemicals, moisture, vibration Industrial equipment degradation
Unstable racks or messy workspace Accidental damage or service interruption
Public corridor or shared room Unauthorized access or tampering

3. Protect equipment from unauthorized access and use

Controls may include:

  • locked rooms or equipment cupboards;
  • rack locks and cable management;
  • controlled access to communications rooms and patch panels;
  • secure mounting or desk locks where appropriate;
  • visitor and contractor supervision;
  • rules against eating, drinking, or smoking near sensitive equipment;
  • clear ownership for shared and remote equipment.

4. Manage environmental and interference risks

Assess realistic environmental risks such as:

  • moisture;
  • vibration;
  • heat;
  • dust;
  • chemicals;
  • electrical interference;
  • electromagnetic interference;
  • local issues such as magnets or equipment placed too close to interference sources.

Special testing or shielding is only justified where risk is plausible and material. Do not over-engineer niche controls without a risk basis.

5. Protect displayed information

Equipment that displays confidential information should be positioned and configured to reduce unauthorized viewing.

Examples:

  • position screens away from public paths and windows;
  • use privacy filters where needed;
  • apply A.7.7 Clear Desk and Clear Screen rules;
  • lock unattended equipment;
  • restrict viewing angles in reception, shared offices, and secure processing areas.

6. Include remote and networked equipment

Remote equipment can need more security attention because it may sit outside the organization’s direct physical control.

Implementation should define:

  • what remote equipment exists;
  • who owns and maintains it;
  • which network boundaries are the organization’s responsibility;
  • how the equipment is inventoried;
  • how it is risk-assessed;
  • how it is physically protected;
  • how incidents or faults are reported.

Audit guidance

Auditor focus

Audit by looking at where equipment is actually placed, what hazards are nearby, who can reach it, and whether the risk assessment matches reality.

Auditors should verify:

  • equipment is included in inventory and risk assessment;
  • equipment siting considers damage, interference, unauthorized access, and unauthorized viewing;
  • network and communications equipment is protected from inappropriate access;
  • environmental hazards such as heat, moisture, dust, chemicals, vibration, water, fire, and interference are considered;
  • equipment near windows, public areas, adjacent hazards, or unstable storage is assessed;
  • remote and networked equipment is included in scope and responsibility boundaries;
  • staff are trained in proper equipment use and protection;
  • rules exist for eating, drinking, smoking, and general housekeeping near equipment.

Site walkthroughs are important. Look for screens visible from outside protected areas, equipment near windows, open network cupboards, unstable racks, drinks near devices, cable rooms used as storage, or water/fire hazards in adjacent areas.

Evidence examples

Evidence quality

Strong evidence connects equipment inventory, physical siting decisions, environmental controls, staff rules, and walkthrough evidence.

Evidence What it proves
Equipment inventory Equipment is known and accountable
Equipment siting assessment Location risks were considered
Equipment protection inspection records Physical protections are reviewed
Network/communications room access records Critical equipment access is controlled
Environmental monitoring or maintenance records Heat, humidity, power, and other conditions are managed
Remote equipment register Remote equipment is in scope
Staff training or awareness records Users know how to protect equipment
Housekeeping rules Eating, drinking, smoking, and messy environments are controlled

Strong evidence

  • Equipment inventory maps equipment to location, owner, and protection needs.
  • Risk assessments include environmental, access, viewing, and interference risks.
  • Network equipment and patch panels are locked or otherwise access-controlled.
  • Remote equipment is inventoried and included in ISMS scope/risk assessment.
  • Walkthroughs confirm equipment is not exposed to obvious hazards.
  • Staff rules are communicated and enforced.

Weak evidence

  • Equipment exists but location risk is not assessed.
  • Network switches or patch panels are in unlocked cupboards.
  • Screens showing sensitive information face public or visitor areas.
  • Remote equipment is missing from inventory and scope.
  • Environmental risks are assumed to be facilities-only.
  • Staff routinely place drinks, food, magnets, or storage near equipment.

Common failures

Implementation watchouts

A.7.8 fails when equipment location is decided for convenience only and the security team never walks the site.

Failure Why it matters
Equipment near windows or public areas Increases theft, viewing, and burglary exposure
Unlocked network cupboards Allows tampering, unauthorized connections, or outages
Remote equipment not inventoried Leaves unmanaged assets outside scope
Environmental hazards ignored Heat, water, dust, vibration, or chemicals can destroy availability
Screens visible to passers-by Confidential information can be observed or photographed
Poor housekeeping around equipment Spills, clutter, and unstable storage cause accidental damage
No staff awareness Users damage or expose equipment through ordinary behavior

Exam traps

Exam focus

A.7.8 is about where equipment is placed and how it is protected. Do not reduce it to asset inventory or server room access only.

Trap Correct interpretation
Equipment protection means only server room locks It also includes workstations, screens, network devices, remote equipment, and environmental risks
Environmental threats are only A.7.5 A.7.5 covers site/environmental threats broadly; A.7.8 applies those concerns to equipment siting and protection
Clear screen fully covers visible screens A.7.7 defines rules; A.7.8 also considers where screens are positioned
Remote equipment is out of scope Remote/networked equipment should be inventoried, scoped, risk-assessed, and protected
Electromagnetic shielding is always required Only consider specialized controls when risk is plausible and relevant

KB-ready summary

Mentor takeaway

A.7.8 requires equipment to be placed and protected based on realistic physical, environmental, access, viewing, and interference risks.

  • Know what equipment exists and where it is.
  • Site equipment away from avoidable hazards.
  • Lock or restrict access to communications and network equipment.
  • Protect screens and terminals from unauthorized viewing.
  • Include remote equipment in inventory, scope, and risk assessment.
  • Audit through walkthroughs, not just document review.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Equipment
  • Environmental protection
  • Audit

Note Metadata

Aliases: A.7.8, Equipment Siting and Protection

Source: 04 Annex A Physical Controls/A.7.8 Equipment Siting and Protection.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.