Protection from Utility Failures
Make sure key equipment is safe from power and utility failures to avoid data loss.
Plain language
This control is about protecting your critical equipment from utility failures, like power outages or water supply issues. These failures can disrupt your operations and lead to data loss, which is why it's important to have measures in place to prevent them.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Physical controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Why it matters
Failure to protect against power and other utility disruptions can halt operations, cause data loss or corruption, and damage servers and network equipment.
Operational notes
Regularly test UPS/generator systems and verify automatic failover for critical equipment so services switch safely during power or other utility outages.
Implementation tips
- The IT manager should ensure that backup power systems, like generators or uninterruptible power supplies (UPS), are installed and operational. This can be done by contacting a reliable vendor to purchase and set up the necessary backup systems according to the manufacturer's guidelines, ensuring continuity during power outages.
- Facilities management should inspect and maintain utilities equipment regularly. Schedule routine checks and maintenance following the manufacturer’s recommendations to ensure equipment is functioning correctly and can handle unexpected utility disruptions.
- The procurement team should evaluate utility providers to ensure they can meet current and future business needs. This may involve reviewing service agreements and discussing redundancy options, like having multiple utility providers for better reliability.
- Security personnel should ensure emergency procedures are in place, including emergency lighting and accessible shut-off switches for utilities near exits. Train staff on these procedures to ensure quick and effective response in case of emergencies.
- Senior management should ensure that any utility systems connected to your network are secured and only online when necessary. Implement secure access controls, like secure passwords or firewalls, to protect against unauthorised access, as advised by ISO 27002:2022 and relevant Australian regulations like the Privacy Act 1988.
Audit / evidence tips
- Ask: Request maintenance logs for backup power systems and other critical utilities equipment.
  Good: Up-to-date logs with regularly scheduled maintenance entries following manufacturer recommendations.
- Ask: Ask for emergency procedures documentation, including training records.
  Good: Comprehensive emergency procedures documented, with evidence of recent staff training sessions.
- Ask: Request documents or plans showing utility provider evaluations and redundancy measures.
  Good: Documented evaluations that consider multiple provider options and redundancy, with decisions based on thorough comparisons.
- Ask: Request network security configurations related to utility systems.
  Good: Network configurations that demonstrate careful restriction of access and robust protection against external threats.
- Ask: Ask for records of utility capacity reviews and upgrades to support business growth.
  Good: Records showing regular assessments and adjustments to utility capacity, aligning with business growth forecasts.
Cross-framework mappings
How Annex A 7.11 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-1438 | Annex A 7.11 addresses resilience of information processing facilities against power and utility failures | |
| ISM-1580 | ISM-1580 requires online services with high availability needs to automatically transition between availability zones to maintain service... | |
| Supports (1) | | |
| ISM-1123 | Annex A 7.11 requires information processing facilities to be protected from power failures and other supporting utility disruptions | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.