ISO27001:2022 - A7.13 – Equipment maintenance




This ISO27001 control focuses attention on the maintenance of the equipment our businesses depend on. Equipment that is not maintained can fail, and a failure can mean an outage or, where the equipment protects or processes information, a data breach. The control therefore aims to prevent the loss, damage or compromise of information that may result from inadequate equipment maintenance.


 

What does the standard require?

The standard states that “Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.” (A7.13 – Equipment maintenance).

 

Information security is built around the ‘CIA triad’ of Confidentiality, Integrity and Availability, and the wording of this control covers all three. Maintaining equipment ‘correctly’ keeps it running (availability), keeps it working as intended (integrity) and keeps it under control so that it does not expose data, for example through a failed control or a faulty component sent off site for repair (confidentiality).

 

Why is this required?

If you do not maintain the equipment, it is more likely to fail, which could lead to a data breach or to an outage that affects the availability of your data, services and products.

 

Maintenance includes keeping software current. If equipment isn’t kept up to date with the latest security patches, it is vulnerable to cyberattack, which could result in reputational damage and financial losses too.

 

We worked with a client who used an older system to manage the production line in its manufacturing plant. The software for the system had reached its “end of life”, and no further security patches were provided by the manufacturer. This represented a considerable risk to the plant, as any outage would result in significant costs to the business.


Although there were no issues at the time of our working with them, they recognised that this was a risk that needed to be dealt with correctly.  Within 12 months, the system was updated, production improved and the risk was contained.

 

What the auditor is looking for

The ISO27001 auditor will look for both physical and operational evidence, which could include the following:

 

  • Equipment is installed and operating correctly.

  • Equipment is maintained by a suitably qualified individual.

  • Inspection and maintenance certificates.

  • Supplier agreements (A5.20 - Addressing information security within supplier agreements).

  • Monitoring and logs (A8.16 - Monitoring activities).

  • Patch management processes (A8.8 - Management of technical vulnerabilities).

  • Awareness, Education and Training has taken place.

  • A Risk Register.

  • Audit reports.

  • Incident Logs.

 

What do you need to do?

Complete a site security risk assessment and identify any equipment in need of maintenance. Keep in mind that this includes equipment that monitors or provides environmental controls (for example cooling, power and fire detection), not just IT systems. Record any issues identified in your audit report and discuss them at the management review meeting. Discuss the risks associated with the equipment and agree what the treatment plan will be.

 

You may need to work with your business to develop processes to maintain and operate the equipment effectively and efficiently. Once these processes are in place, ensure that relevant personnel know what to do to maintain the equipment, or who to contact should a problem arise. This awareness, education and training must become part of your onboarding process and ongoing competency training.

 

Monitoring is normally associated with networks, systems and applications, but physical equipment should be monitored too, so that early indicators of a fault can be escalated and addressed as soon as possible. Monitoring data also tells you when equipment needs recalibration, which improves performance and helps prevent an incident occurring.

 

Note that sometimes equipment has aged and has not been maintained because suppliers are difficult to find or expensive. Addressing this risk may take some time, but if the equipment is important to your business, replacing it should be part of your plan.
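The steps above (assess the equipment, identify what needs maintenance or is out of vendor support, and feed the findings into the risk register) are usually done by hand from an asset list. As an added example, not part of this page or of the ISO27001 standard, the Python below runs that assessment over a small equipment register. The register contents, the three-level criticality scale, the field names and the 12-month “support ending soon” horizon are all assumptions made for the example.

```python
"""Equipment register checker: flags items that need maintenance attention.

Added example, not part of the ISO27001 page or any vendor product. The
register below is constructed sample data; the field names, criticality
scale and the 12-month "support ending" horizon are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SUPPORT_WARNING = timedelta(days=365)  # assumed horizon for "support ending soon"
URGENT = {"OVERDUE", "SUPPORT_ENDED"}  # findings that need treatment now on critical kit


@dataclass(frozen=True)
class Equipment:
    asset_id: str
    description: str
    criticality: str                 # assumed scale: "high" | "medium" | "low"
    maintenance_interval_days: int   # how often it should be serviced or calibrated
    last_maintained: Optional[date]  # None = no record held
    support_ends: Optional[date]     # vendor end-of-support date; None = unknown


# Constructed sample register. It deliberately includes environmental-control
# equipment (server-room sensor, UPS) as well as IT systems.
SAMPLE_REGISTER = [
    Equipment("PLC-01", "production line controller", "high", 180,
              date(2023, 11, 1), date(2022, 6, 30)),
    Equipment("HVAC-SENS-02", "server room temperature sensor", "medium", 365,
              date(2024, 3, 15), date(2027, 1, 1)),
    Equipment("UPS-01", "server room UPS", "high", 365, None, date(2026, 12, 31)),
    Equipment("FW-EDGE-01", "edge firewall appliance", "high", 90,
              date(2024, 5, 20), date(2025, 3, 31)),
]
TODAY = date(2024, 6, 1)  # fixed so the run is reproducible


def assess(register, today):
    """Return {asset_id: [(code, detail), ...]} for every item with a finding."""
    findings = {}
    for item in register:
        reasons = []
        if item.last_maintained is None:
            reasons.append(("NO_RECORD", "no maintenance record held"))
        else:
            due = item.last_maintained + timedelta(days=item.maintenance_interval_days)
            if due < today:
                reasons.append(("OVERDUE",
                                f"maintenance overdue by {(today - due).days} days"))
        if item.support_ends is None:
            reasons.append(("SUPPORT_UNKNOWN", "vendor end-of-support date not recorded"))
        elif item.support_ends < today:
            reasons.append(("SUPPORT_ENDED",
                            f"vendor support ended {item.support_ends.isoformat()}; "
                            "no further security patches"))
        elif item.support_ends - today <= SUPPORT_WARNING:
            reasons.append(("SUPPORT_ENDING",
                            f"vendor support ends {item.support_ends.isoformat()}"))
        if reasons:
            findings[item.asset_id] = reasons
    return findings


def priority(item, reasons):
    """Simple triage: critical kit with an urgent finding is treated first."""
    codes = {code for code, _ in reasons}
    if item.criticality == "high" and codes & URGENT:
        return "treat now"
    if codes:
        return "plan treatment"
    return "none"


def risk_register_rows(register, today):
    """One tab-separated line per finding, ready to paste into the risk register."""
    findings = assess(register, today)
    by_id = {item.asset_id: item for item in register}
    rows = []
    for asset_id, reasons in findings.items():
        item = by_id[asset_id]
        for code, detail in reasons:
            rows.append("\t".join([asset_id, item.description, item.criticality,
                                   code, detail, priority(item, reasons)]))
    return rows


if __name__ == "__main__":
    for row in risk_register_rows(SAMPLE_REGISTER, TODAY):
        print(row)
```

On the sample data the production line controller is flagged twice (maintenance overdue and vendor support ended), which mirrors the client story above, the UPS is flagged for having no maintenance record at all, and the firewall is flagged early because its support window closes within the year. The output is deliberately flat text so it can go straight into the risk register and be discussed at management review.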


 

Q & A

Do we have to use external providers, or can we use in-house staff?

Yes, you can use in-house teams, but it depends on their skill set. If you have equipment that regularly needs maintenance and calibration, then it makes perfect sense to train your in-house teams to maintain it.

 

You must be careful, however, to ensure that by maintaining the equipment yourselves you do not break any contracts or agreements with the provider. For example, someone may be very good with technology, but opening a laptop’s case may void the warranty or support agreement with that provider.

 

Difficulty rating

We rate this a 1 out of 5 for difficulty. This ISO27001 control is not technical and simply requires a careful risk assessment of the processes associated with equipment maintenance. Speak to the people in your business who use the equipment, not just the IT function. Ask them how long a piece of equipment has been in use, whether there are any issues with it, and how it is being maintained. This will help you identify any risks and issues that need to be addressed.

 

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.

 
