ISO 27001 Control 7.8: Equipment Siting and Protection
Equipment siting and protection is a foundational physical security control that prevents unauthorized access, environmental damage, and infrastructure failures. Control 7.8 requires you to strategically locate IT assets away from environmental hazards and secure them against tampering. For SMBs managing multiple office locations, this control ensures your infrastructure remains resilient and compliant.
What this means
Control 7.8 mandates that all equipment—servers, networking devices, workstations, and backup systems—must be positioned and safeguarded to prevent three categories of threats: environmental (water, fire, temperature extremes), unauthorized physical access (theft, tampering, modification), and infrastructure vulnerabilities (power surges, cable damage). This applies to both on-premises and third-party hosted equipment under your control.
How to comply
- 1.Conduct a site survey to identify environmental risks (flooding zones, fire hazards, extreme temperatures) and relocate critical equipment away from high-risk areas
- 2.Implement physical access controls such as locked server rooms, cages, or cabinets with restricted key/card access
- 3.Establish redundant power infrastructure including UPS systems, surge protection, and backup power to protect against outages
- 4.Route power and network cabling away from potential damage sources and use cable management systems to prevent accidental disconnection
- 5.Install environmental monitoring (temperature, humidity, water detection) in equipment rooms with automated alerts
- 6.Document equipment locations, environmental conditions, and access controls in your asset inventory
- 7.Review third-party hosting facilities to verify they meet siting and protection standards equivalent to your own controls
Evidence auditors look for
- Floor plans showing server room location away from exterior walls, water lines, and high-traffic areas
- Physical access logs and badge/key card records demonstrating restricted entry to equipment areas
- UPS specifications and maintenance records showing backup power capacity and testing
- Environmental monitoring dashboards with temperature and humidity readings within acceptable ranges
- Cable management photographs and documentation showing organized, protected routing
- Data center certifications or audit reports from third-party hosting providers confirming siting controls
- Equipment inventory spreadsheet cross-referenced with location and environmental risk assessment
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch simplifies Control 7.8 compliance by automating equipment inventory tracking, environmental monitoring alerts, and siting documentation in a single dashboard—eliminating manual spreadsheets and ensuring your team responds to environmental threats in real time.
See how GRCWatch handles this control automatically
Start free trial