Proper Maintenance of Equipment
Ensure all equipment is regularly maintained to prevent failures and protect data.
Plain language
This control is about taking care of your organisation's equipment so it works well, protects sensitive information, and doesn't disrupt your business. If you neglect regular maintenance, equipment might fail unexpectedly, causing data loss or security breaches.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Physical controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
Why it matters
Neglecting equipment maintenance can lead to downtime, compromised data integrity, and increased risk of security breaches.
Operational notes
Schedule preventative maintenance, log servicing and faults, track performance, and include patching/AV checks to keep devices reliable.
Implementation tips
- The IT manager should ensure that equipment maintenance schedules, based on the supplier's recommendations, are created and followed. This involves setting calendar reminders and arranging regular check-ups with technicians.
- Procurement should confirm that only authorised service providers are used for maintenance tasks. Authorisation can involve conducting background checks and having contracts that include confidentiality agreements.
- An office manager needs to keep detailed records of all maintenance activities. This involves logging dates, issues found, and actions taken in a centralised digital or physical logbook.
- The HR department should supervise maintenance personnel during their visits. This involves coordinating with the IT team to ensure that outsiders are accompanied at all times while on-site.
- An external consultant or internal auditor should verify equipment returned to operation after maintenance. This includes checking that it functions correctly and hasn't been tampered with before it is used again.
Audit / evidence tips
- Ask: Request maintenance logs and schedules for critical equipment.
- Ask: See the contracts or agreements with service providers.
- Ask: Request records of audits or inspections post-maintenance.
- Ask: Inquire about the supervision process for maintenance personnel.
- Ask: See evidence of action taken for equipment faults or failures.
Cross-framework mappings
How Annex A 7.13 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-0305 | ISM-0305 requires maintenance and repairs of IT equipment to be performed on-site by an appropriately cleared technician to manage securi... | |
| ISM-1801 | ISM-1801 requires organisations to restart network devices at least monthly as a preventative maintenance activity to sustain reliable op... | |
| Partially overlaps (5) | | |
| ISM-0211 | ISM-0211 requires a cable register to be maintained and regularly verified so that organisations can track physical cabling and ensure it... | |
| ISM-0298 | Annex A 7.13 mandates correct maintenance of equipment to ensure the availability, integrity, and confidentiality of information | |
| ISM-0307 | Annex A 7.13 requires equipment to be maintained correctly to preserve the availability, integrity and confidentiality of information | |
| ISM-0310 | ISM-0310 requires that IT equipment maintained or repaired off site is handled only at facilities approved for the equipment’s sensitivit... | |
| ISM-1598 | ISM-1598 requires inspection of IT equipment after maintenance/repair to ensure integrity of the approved configuration and identify unau... | |
| Supports (6) | | |
| ISM-0206 | ISM-0206 requires organisations to establish and maintain processes and procedures for cable labelling | |
| ISM-0290 | ISM-0290 requires high assurance IT equipment to be administered and operated in an evaluated configuration in accordance with ASD guidance | |
| ISM-0306 | Annex A 7.13 mandates correct maintenance of equipment for preserving information security | |
| ISM-1079 | Annex A 7.13 requires proper equipment maintenance to ensure security | |
| ISM-1913 | Annex A 7.13 mandates correct equipment maintenance for information security | |
| ISM-1982 | ISM-1982 requires organisations to replace networked IT equipment when vendor support ends to reduce exposure from unpatchable vulnerabil... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.