If data is the lifeblood of your business, then ISO27001 sees cabling as the arteries that pump data around your business. If these arteries become blocked or severed, it could be the end of your business. This is why we need to take special care and attention to protect cabling and to ensure it is operating as expected and required.
What does the standard require?
The standard states that “Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.” (A7.12 – Cabling Security).
This ISO27001 control is not only asking you to look at the cabling that transmits data; it clearly states that cabling that carries power is in scope too. It also asks you to protect information services from three possible threats or vulnerabilities:
Interception - e.g. “Man in the middle” attacks.
Interference - e.g. signal interference from other cables.
Damage - e.g. due to a lack of planning, cables could be at risk of accidental or deliberate loss.
Why is this required?
Network outages can be caused by many things, including damaged data or power cables. This kind of issue could lead to system failure and therefore affect your business. Even poorly installed cabling can cause intermittent errors and failures, which may go unnoticed or unreported for months. Again, this could interrupt the business and ultimately lead to business failure.
Anyone working within the technology sector will, at some point, have entered a server room where the cable management is less than ideal. We have seen cable management that resembles what we could only describe as a ‘rat’s nest’ of tangled cables, all of which are unlabelled and of different colours.
Why is this an issue? Imagine the scenario where you need to re-install a piece of equipment which sits in the middle of one of these racks. How are you going to know which cable goes to which server? There is a high risk that anything you disconnect is going to have a business impact. At the very least, it will take you a very long time to trace each cable from start to finish.
Finally, we need to consider the genuine risk of “MitM” attacks. “Man in the Middle” attacks are now more associated with wireless technologies, but ‘wire tapping’, or listening in on open lines of communication, can still be a risk for some businesses and organisations. Of course, some may read this and think that it sounds like something from a James Bond movie. But industrial espionage and attempts to infiltrate communications are still actual risks for many organisations.
What the auditor is looking for
The auditor will be looking for both physical and operational evidence, which could include the following measures:
Good cable management in server rooms.
Power and data cable runs are segregated.
Cables are installed to ensure security (e.g. they are buried underground).
Cable labelling.
Inspection and maintenance contracts and certificates.
Operational Documentation showing cable design and implementation.
Risk Register (which includes consideration for Climate Change).
Audit reports.
Incident Logs.
What do you need to do?
Complete a site security risk assessment and be on the lookout for visible signs of good (and bad) cable management. Consider all the aspects outlined above that the auditor will look for, and ensure you identify them too. You should log and record any issues on your risk register and report them to the management review team (MRT).
Remember that cable management extends beyond the comms or server room. If you find that network or power cables are a tangled mess under people’s desks, then this needs to be addressed too. These cables could cause a fire or simply become a tripping hazard.
If you find that cable management is not in place, then this is something you should look to address. It will require some time and effort, and possibly some disruption to the business, but it is a very visible sign of your business’s approach to security.
Q & A
What can I do to secure cables that are above the ground?
If you have cables which are above ground, you might use cable trays, shorter cable runs, and raised flooring or dropped ceilings.
Who should manage cabling?
Ordinarily this would be managed by the IT team or the facilities team. Either way, both should be made aware of what cables are in use and how they interact.
Difficulty rating
We rate this control 1 out of 5 for difficulty. This ISO27001 control is not technical and simply requires a careful risk assessment of your cabling infrastructure. Once that is complete, you will need to select the most appropriate controls to implement.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to find answers on other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.