In today’s digital age, keeping the lights on is an imperative, and that’s what this ISO27001 Annex A control is all about. How do you ensure the smooth operation of the critical infrastructure that keeps your IT systems humming? Everything from electricity and air conditioning to telecommunications and water supply can be considered critical to keeping the lights on, and to ensuring information security.
What does the standard require?
The standard states that “Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.” (A7.11 – Supporting utilities).
For the context of this ISO27001 control, supporting utilities is a term which means heating, ventilation, water, and power (i.e. gas and electricity).
Note that this control stresses the importance of proactive protection from power failures and other disruptions. Also note that this control focuses on processing facilities, specifically emphasising the physical aspects of information security.
Why is this required?
Depending on where you are in the world, power outages and disruptions can be a regular or an infrequent occurrence. IT infrastructure does not take kindly to having its power switched off mid-way through processing data! When this happens, the outage can corrupt files, result in data loss, and compromise the integrity of the information.
When a burst water main resulted in water contamination, an office had to close its site down for over a week. Although this was a health and safety issue, the information processing facilities were closed, which resulted in business disruption for the week and beyond (because the HVAC systems needed to be flushed through).
What the auditor is looking for
The auditor will be looking for both physical and operational evidence, which could include the following measures:
Uninterruptible Power Supplies (UPS) for critical infrastructure.
Generators for the main information processing facilities.
Supplier Register.
Supplier Agreements (A5.20 - Addressing information security within supplier agreements).
Maintenance certificates (e.g. for HVAC, UPS and generators).
Risk Register (which includes consideration of climate change).
Resilience and redundancy within the infrastructure (both technical and physical).
Climate control systems (to monitor and regulate temperature variations).
Protection of telecoms and power (e.g. ensuring they are protected from the elements).
Business Continuity Plans (A5.24 - Information security incident management planning and preparation).
Audit reports.
Incident logs.
What do you need to do?
First, identify which supporting utilities you use, and complete a risk assessment on them. As stated above, these could include electricity, gas, water, and telecoms. Part of the risk assessment is to understand what the impact of a failure would be, and also what controls are already in place.
For example, do you have dual power supplies within the technical infrastructure? Perhaps you have dual power feeds into the building, to manage the risk of an errant road worker digging up the power to your building?!
Once you have identified the risks, you can prioritise any utilities which need to be improved. For example, you might decide to purchase and install a UPS for critical systems. Purchasing generators is beyond most budgets, but if you are looking at using outsourced services, such as cloud, then generators would be part of the conversation with the provider.
Q & A
Do I need to buy a generator?
The need for a generator would depend on the type of business you have and the criticality of your services. For example, if you work in a hospital, or manufacturing, then outages of any kind could be highly problematic. As stated above, you need to understand the risks you face, and put in place appropriate controls that manage the risk to an acceptable level.
What do I need to do if we are in rented facilities?
You should speak to the person responsible for facilities and establish what’s in place. Most offices will have some redundancy for utilities such as power and water. If this is something you cannot influence, then acknowledge it as a risk, give priority to contingency plans (which you clearly do have control over), and test these plans to ensure they work as intended.
Difficulty rating
We rate this control 1 out of 5 for difficulty. This ISO27001 control is not technical and simply requires a careful risk assessment of your utilities. Once that is complete, you will need to select the most appropriate controls to implement.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ for answers on other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.